Courseiva

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Security Architecture

Practice CAS-004 Security Architecture questions with full explanations on every answer.

142 questions


All CAS-004 Security Architecture questions (142)


1

A company is implementing a zero trust architecture. Which of the following BEST describes the principle of micro-segmentation in this model?

2

An organization is adopting a cloud-first strategy and wants to ensure proper security responsibilities are understood. Which concept defines the division of security responsibilities between the cloud provider and the customer?

3

A security architect is designing a hybrid cloud environment with workloads in AWS and on-premises. The architect needs to ensure secure, low-latency connectivity between the two environments without traversing the internet. Which solution should be used?

4

A company is deploying a cloud access security broker (CASB) to gain visibility into shadow IT. Which mode of operation would allow the CASB to inspect traffic without requiring proxy configuration on endpoints?

5

A security analyst needs to ensure that only authorized containers run in a Kubernetes cluster. Which Kubernetes native security control should be configured?

6

An organization is concerned about quantum computer attacks on its current cryptographic infrastructure. Which of the following NIST-approved post-quantum cryptographic algorithms is designed for key encapsulation?

7

During a security assessment, a penetration tester discovers that a web application fails to validate the size of user input, leading to a buffer overflow. Which application security control would have BEST prevented this vulnerability?

8

An organization wants to enforce that only signed container images are deployed in production. Which of the following should be implemented?

9

A company is deploying a SASE architecture. Which component is responsible for securing web traffic and enforcing acceptable use policies at the edge?

10

A security architect is designing a PKI for a large enterprise. Which component is used to protect private keys and perform cryptographic operations in a tamper-resistant environment?

11

During an API security review, an assessor finds that the API uses JSON Web Tokens (JWT) with a symmetric key shared among multiple services. Which of the following is the MOST significant security concern?

12

An organization wants to enforce consistent security policies across multiple cloud providers (AWS, Azure, GCP). Which tool is designed to continuously monitor and remediate misconfigurations in cloud environments?

13

A security architect is designing a supply chain security program. Which TWO of the following are essential components of a software bill of materials (SBOM) strategy? (Select TWO.)

14

An organization is migrating to a zero trust model and wants to implement identity-centric security. Which THREE of the following are key principles of an identity-centric zero trust approach? (Select THREE.)

15

A company is implementing a defense-in-depth strategy for its web application. Which THREE of the following are layers that should be included? (Select THREE.)

16

A security architect is designing a zero-trust architecture for a multi-cloud environment. Which principle is essential for enforcing identity-centric micro-segmentation?

17

An organization is adopting a cloud-first strategy and needs to ensure compliance with SOC 2. Which cloud service model places the most responsibility on the customer for security?

18

A security engineer is deploying a Cloud Access Security Broker (CASB) to protect a SaaS application. Which deployment mode allows the CASB to inspect encrypted traffic without requiring client software?

19

A company needs to connect its on-premises data center to a public cloud provider with low latency and high bandwidth while avoiding the public internet. Which connectivity method should be used?

20

A security architect is reviewing a Secure Access Service Edge (SASE) implementation. Which component of SASE provides security inspection for all traffic, regardless of location?

21

During a secure SDLC, a development team wants to identify vulnerabilities in running code. Which type of testing should be performed?

22

A security team is hardening a Kubernetes cluster. Which control should be implemented to restrict a container's system calls to only those required by the application?

23

An organization wants to protect cryptographic keys used for TLS termination. Which hardware solution should be deployed to prevent key extraction?

24

A security architect is designing a public key infrastructure (PKI). Which component is responsible for issuing and revoking certificates?

25

A company is preparing for post-quantum cryptography migration. According to NIST PQC standards, which algorithm is a candidate for key encapsulation?

26

An enterprise is implementing a cloud security posture management (CSPM) solution. What is the primary function of CSPM?

27

A security analyst is investigating an API that uses JSON Web Tokens (JWT) for authentication. Which field in a JWT contains the token expiration time?

28

A security architect is implementing network segmentation in a hybrid cloud environment. Which TWO controls are most effective for reducing east-west traffic risks?

29

A DevSecOps team is integrating security into the CI/CD pipeline. Which THREE practices should be included to ensure supply chain security?

30

An organization is deploying a cloud workload protection platform (CWPP). Which TWO capabilities are essential for protecting workloads in a hybrid cloud?

31

A security architect is designing a zero trust architecture for a corporate network. Which principle is fundamental to the zero trust model?

32

A company is migrating to a public cloud and wants to ensure they understand their security responsibilities. According to the shared responsibility model, which of the following is typically the responsibility of the cloud customer?

33

An organization is implementing a CASB to secure their SaaS applications. Which CASB deployment mode is most appropriate for monitoring and controlling data in transit between users and cloud apps without modifying the user's device?

34

A security engineer is designing a secure hybrid cloud connection between an on-premises data center and AWS. Which service provides a dedicated, private network connection that bypasses the public internet?

35

An organization is adopting SASE to converge network and security functions. Which component of SASE provides secure web gateway (SWG) capabilities?

36

During a threat modeling exercise for a new web application, the team identifies that the application uses JWT for authentication. Which vulnerability is most likely if the server does not properly verify the JWT signature?

37

A security architect is implementing defense-in-depth for a critical application. Which of the following is an example of a detective control?

38

A company is deploying containers in a Kubernetes cluster and needs to enforce that containers run with reduced capabilities. Which Linux security feature should be configured to drop unnecessary capabilities?

39

An organization is concerned about future quantum computer attacks on their public key infrastructure. Which NIST-standardized algorithm is designed for digital signatures and is resistant to quantum attacks?

40

A security team is hardening a Kubernetes cluster. Which resource should be used to define fine-grained rules for which pods can communicate with each other?

41

A company uses an API gateway to manage their microservices. Which security control should the gateway enforce to prevent abuse from excessive API calls?

42

A security administrator needs to ensure that only authorized devices can access the corporate network. Which technology would best enforce this requirement at the network access layer?

43

A security architect is evaluating a CSPM tool for a multi-cloud environment. Which TWO capabilities should the architect consider essential for the CSPM? (Choose two.)

44

An organization is implementing a software-defined perimeter (SDP) for zero trust network access. Which THREE characteristics are typical of an SDP architecture? (Choose three.)

45

A security team is implementing a secure SDLC for a new application. Which THREE activities should be included as part of the development phase? (Choose three.)

46

A security architect is implementing a zero trust model for a financial services company. The goal is to prevent lateral movement in the data center. Which approach best achieves this objective?

47

A company uses a hybrid cloud model with workloads on AWS and on-premises. They need to ensure secure connectivity between the two environments with high bandwidth and low latency, bypassing the public internet. Which solution should they implement?

48

An organization is deploying a containerized application on Kubernetes and must enforce that only approved container images are allowed to run, and that containers cannot escalate privileges. Which combination of controls should the architect implement?

49

Which technology is used to discover and control cloud applications, enforce security policies, and provide visibility into cloud usage?

50

A security architect is designing a cryptographic system for a government agency that must protect classified data for the next 30 years. The agency is concerned about the threat from quantum computers. Which NIST post-quantum cryptography algorithm is recommended for key encapsulation?

51

An organization is implementing a Secure Access Service Edge (SASE) architecture to support remote workers. Which key capability does SASE provide that traditional VPNs lack?

52

A DevOps team integrates security into the CI/CD pipeline. They want to identify vulnerabilities in open-source libraries used by their application. Which tool or practice is specifically designed for this purpose?

53

In the shared responsibility model for cloud security, which of the following is typically the responsibility of the customer when using an Infrastructure as a Service (IaaS) model?

54

A security architect is designing a PKI for an organization that requires high assurance certificates. The architect needs to protect the root CA private key. Which solution provides the highest level of security for the root CA key?

55

An organization uses a multi-cloud strategy with workloads on AWS, Azure, and GCP. They need a single tool to monitor and enforce security configurations across all cloud environments. Which cloud security solution is best suited for this requirement?

56

Which of the following best describes the security benefit of using an API gateway in a microservices architecture?

57

A company is migrating to immutable infrastructure for its production environment. The security architect needs to ensure that any changes to the infrastructure are made by replacing instances, not by modifying existing ones. Which security advantage does immutable infrastructure provide?

58

A security architect is evaluating an API security strategy for a SaaS application that supports OAuth 2.0. Which TWO controls should the architect recommend to protect against token interception and replay attacks?

59

A global company must comply with data residency regulations that require customer data to stay within specific geographic boundaries. The company uses a multi-cloud architecture. Which THREE strategies should the architect implement to ensure compliance?

60

An organization is hardening its Kubernetes cluster. Which THREE of the following are effective controls to limit the blast radius of a compromised container?

61

Which of the following is a core principle of the Zero Trust security model?

62

A security architect is designing a cloud security strategy for a company that uses multiple cloud providers. The architect needs a solution that provides visibility into cloud application usage, enforces security policies, and protects data. Which technology is most appropriate?

63

An organization is implementing a hybrid cloud architecture and must ensure secure connectivity between its on-premises network and a public cloud VPC. The traffic includes sensitive data that must not traverse the internet. The solution must provide high bandwidth and low latency. Which connectivity option should the architect choose?

64

A company is adopting a defense-in-depth strategy. Which of the following is an example of a preventive control at the network layer?

65

An organization is implementing a Secure Access Service Edge (SASE) architecture. Which of the following is a key component of SASE?

66

A security architect is designing an API security strategy for a microservices-based application. The architect needs to ensure that only authenticated and authorized clients can invoke APIs, and that rate limiting is enforced to prevent abuse. Which technology should be placed in front of the microservices?

67

Which of the following is a cloud-native security control provided by a cloud service provider to manage user permissions and access to resources?

68

An organization is deploying containerized applications and needs to enforce security policies that restrict the system calls a container can make. Which Linux security module should be used?

69

A company is migrating sensitive workloads to the cloud and must comply with FedRAMP requirements. Which of the following is the most appropriate cloud deployment model?

70

A security architect is designing a PKI for a large organization. The architect wants to ensure that private keys are stored securely and that cryptographic operations are performed in a tamper-resistant environment. Which solution should be used?

71

In the shared responsibility model for cloud security, which of the following is typically the responsibility of the customer?

72

An organization wants to implement infrastructure as code (IaC) with immutable infrastructure. Which security benefit does immutable infrastructure provide?

73

A security architect is implementing a zero trust architecture for a corporate network. Which TWO principles are fundamental to the zero trust approach? (Choose two.)

74

A company is developing a secure software development lifecycle (SDLC) and wants to integrate security testing early. Which THREE techniques should be used to find vulnerabilities in code during development? (Choose three.)

75

An organization is deploying a Kubernetes cluster and needs to harden security. Which THREE controls should be implemented? (Choose three.)

76

In a zero trust architecture, which concept ensures that an attacker who compromises one segment cannot move laterally to other segments?

77

A security architect is designing a hybrid cloud environment. The organization requires low-latency, private connectivity between on-premises and a public cloud provider, bypassing the public internet. Which solution best meets this requirement?

78

An organization is migrating critical workloads to the cloud and must comply with FedRAMP. Which cloud service model provides the most customer control over security configuration while still leveraging the provider's FedRAMP authorization?

79

A company uses a CASB to monitor cloud application usage. Which primary function does a CASB provide for enforcing security policies between users and cloud services?

80

A security architect is implementing an API gateway to protect microservices. Which security capability is uniquely provided by an API gateway compared to a traditional web application firewall (WAF)?

81

An organization wants to implement an immutable infrastructure for its containerized applications. Which security benefit is most directly achieved by immutability?

82

In the shared responsibility model for cloud security, which of the following is generally the responsibility of the cloud customer?

83

A security architect is evaluating a SASE solution. Which component of SASE is primarily responsible for inspecting encrypted traffic for threats?

84

During a secure SDLC, a security architect wants to identify design flaws early. Which activity is most appropriate for the design phase?

85

To protect against quantum computing attacks, a security architect is planning to transition to post-quantum cryptography. Which algorithm has been selected by NIST for general encryption (key encapsulation) in the PQC standard?

86

A company uses Kubernetes for container orchestration. Which security control should be implemented to enforce that only specific images from a trusted registry can run in the cluster?

87

Which cryptographic best practice ensures that a private key remains protected even if the server it is stored on is compromised?

88

A security architect is designing a defense-in-depth strategy for a cloud-native application. Which TWO controls are most effective for protecting east-west traffic between microservices?

89

An organization is implementing a zero trust architecture and needs to enforce identity-centric access for all resources. Which THREE components are essential to this approach?

90

A security architect is reviewing supply chain security for a software product. Which TWO artifacts are most important for verifying the integrity and provenance of third-party components?

91

A security architect is designing a zero trust architecture for a financial services company. Which component is MOST critical to enforce identity-centric access control in a zero trust model?

92

In a cloud shared responsibility model, which of the following is typically the customer's responsibility for IaaS?

93

A company is migrating to AWS and needs to comply with SOC 2. Which cloud-native service would BEST help monitor and enforce security configurations across the AWS environment?

94

A security architect is designing a secure connectivity solution between an on-premises data center and a public cloud provider. The solution must provide low latency, high bandwidth, and avoid traversing the public internet. Which approach BEST meets these requirements?

95

An organization is implementing SASE to secure remote user access. Which component of SASE is responsible for enforcing identity-based access policies and inspecting traffic?

96

A security engineer is integrating API security for a RESTful service. Which mechanism is used to verify that the API request has not been tampered with and originates from a legitimate client?

97

During a secure SDLC, a development team is reviewing code for security flaws early in the development process. Which type of testing is MOST appropriate for identifying vulnerabilities in source code before it is compiled?

98

A container security team wants to enforce that containers run with the least privileges possible. Which Linux security module can be used to restrict system calls available to a container?

99

An organization is designing a PKI to issue certificates to thousands of IoT devices. Which architectural decision will BEST support automated certificate lifecycle management?

100

A security analyst is reviewing a Kubernetes cluster and wants to ensure that only authorized users can create or modify pods. Which Kubernetes object should be configured to enforce this?

101

A company must protect cryptographic keys used to sign financial transactions. The solution must be FIPS 140-2 Level 3 compliant and provide tamper-resistant hardware. Which technology should be deployed?

102

An organization is planning to adopt quantum-resistant cryptography. According to NIST PQC standards, which algorithm is recommended for digital signatures?

103

A security architect is evaluating Cloud Security Posture Management (CSPM) tools. Which TWO capabilities are typically provided by CSPM? (Choose two.)

104

A company is implementing a defense-in-depth strategy for its web application. Which THREE security controls should be included in the architecture? (Choose three.)

105

An organization is architecting a hybrid cloud environment with AWS and on-premises resources. Which THREE considerations are essential for meeting data residency requirements? (Choose three.)

106

Which of the following is a key principle of the zero trust security model?

107

A company is migrating its workloads to a public cloud and wants to ensure it understands the division of security responsibilities. Which model defines the demarcation of security controls between the cloud provider and the customer?

108

An organization is implementing network segmentation to limit lateral movement. It wants to isolate application tiers at the virtual network level in a cloud environment. Which technology enforces policies on east-west traffic between VMs in different subnets?

109

A security architect is designing a secure connection between an on-premises data center and a cloud provider's virtual network. The connection must be private, low-latency, and not traverse the public internet. Which solution should they recommend?

110

Which of the following is a primary function of a Cloud Access Security Broker (CASB)?

111

An organization is adopting a DevSecOps approach and wants to integrate security early in the development lifecycle. Which practice involves creating visual representations of threats and identifying potential attack vectors during the design phase?

112

A company is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run in the cluster. Which Kubernetes resource should be used to enforce policies on what containers can run, including image source restrictions?

113

Which of the following is a benefit of using an immutable infrastructure approach?

114

An organization uses a hardware security module (HSM) to protect cryptographic keys. Which aspect of key management does an HSM primarily address?

115

A security architect is evaluating a SASE solution. Which capability is expected to be part of a SASE platform?

116

An organization must comply with FedRAMP requirements for a cloud service. Which aspect of cloud security is most directly assessed under FedRAMP?

117

Which of the following is a key feature of TLS 1.3 compared to earlier versions?

118

A security architect is designing a zero trust network architecture and needs to implement micro-segmentation. Which TWO of the following techniques are commonly used to achieve micro-segmentation? (Select TWO).

119

An organization is planning to adopt quantum-resistant cryptography. According to NIST PQC standards, which THREE algorithms are currently selected for standardization? (Select THREE).

120

A company is implementing API security for its web services. Which THREE of the following are considered best practices for securing APIs? (Select THREE).

121

A security architect is designing a zero trust architecture for a financial institution. Which principle is fundamental to the zero trust model?

122

A company is migrating critical workloads to AWS and must secure data at rest. They need to maintain control over the encryption keys. Which service should they use to meet this requirement?

123

An organization is adopting a SASE architecture to provide secure access to cloud applications. Which component is essential for enforcing security policies based on user identity and device posture?

124

A security analyst is reviewing a Kubernetes cluster's security configuration. Which component should be used to ensure that only authorized pods can communicate with each other?

125

During a threat modeling exercise for a new web application, the team identifies a risk of API abuse due to lack of rate limiting. Which security control should be implemented at the API gateway to mitigate this risk?

126

A company is required to comply with FedRAMP for its cloud deployment. Which of the following is a key requirement for FedRAMP compliance?

127

An enterprise is securing a hybrid cloud environment with on-premises and AWS workloads. They need to ensure that on-premises systems can privately access VPC resources without traversing the public internet. Which AWS service should they use?

128

A security architect is designing a defense-in-depth strategy for a web application. Which combination of controls provides overlapping protection against SQL injection attacks?

129

A company uses a multi-cloud strategy with workloads in AWS and Azure. They need a centralized solution to enforce consistent security policies across both cloud environments. Which type of tool should they deploy?

130

An organization is migrating to an immutable infrastructure model for its containerized applications. Which practice is essential to ensure the integrity of the immutable infrastructure?

131

A security engineer is hardening a Kubernetes environment. Which THREE of the following are effective controls for securing the cluster? (Select THREE.)

132

Which TWO of the following are key benefits of using a software-defined perimeter (SDP) in a zero trust architecture? (Select TWO.)

133

A security architect is evaluating cryptographic agility for a system that must be resistant to quantum computing attacks. Which TWO algorithms are part of the NIST PQC standards? (Select TWO.)

134

A company is implementing a secure SDLC and wants to integrate application security testing early. Which THREE tools are most appropriate for shift-left security? (Select THREE.)

135

An organization is designing a PKI for certificate lifecycle management. Which TWO practices are critical for maintaining the security of the certificate authority (CA)? (Select TWO.)

136

A multinational corporation is adopting a zero trust architecture for its enterprise network. The security team is evaluating mechanisms to enforce granular access controls and segment workloads. Which TWO components are most critical for implementing a zero trust model? (Choose TWO.)

137

A security architect is designing a cloud security strategy for a healthcare organization that uses a hybrid cloud environment with AWS and Azure. The organization must comply with HIPAA and needs to protect sensitive patient data. Which THREE cloud security controls should be prioritized? (Choose THREE.)

138

A company is migrating critical applications to a multi-cloud architecture using AWS and Google Cloud Platform (GCP). The security team must ensure secure connectivity between on-premises data centers and cloud environments while meeting data residency requirements in the EU. Which TWO solutions should the architect implement to address these requirements? (Choose TWO.)

139

A financial institution is implementing a secure software development lifecycle (SSDLC) for a new web application that will handle sensitive transactions. The security architect must ensure that application security testing is integrated into the development process. Which THREE testing techniques should be used to identify vulnerabilities early and throughout the lifecycle? (Choose THREE.)

140

A security architect is designing a Kubernetes cluster for a government agency that requires high security and compliance with FedRAMP. The cluster will host microservices processing sensitive data. Which TWO configurations are most critical for hardening the Kubernetes environment? (Choose TWO.)

141

An organization is planning to modernize its cryptographic infrastructure to protect sensitive data for the next 10 years. The security architect must consider future threats from quantum computing. Which TWO quantum-resistant algorithms should the architect prioritize for key encapsulation and digital signatures? (Choose TWO.)

142

A security architect is reviewing API security for a financial services platform that uses OAuth 2.0 for authorization and JWTs for token exchange. The platform must protect against common API threats such as token theft and injection attacks. Which TWO controls should be implemented to mitigate these specific threats? (Choose TWO.)


Frequently asked questions

What does the Security Architecture domain cover on the CAS-004 exam?

The Security Architecture domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.

How many Security Architecture questions are in the CAS-004 question bank?

The Courseiva CAS-004 question bank contains 142 questions in the Security Architecture domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Architecture for CAS-004?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Architecture questions for CAS-004?

Yes — the session launcher on this page draws questions exclusively from the Security Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
