Practice CAS-004 Security Architecture questions with full explanations on every answer.
Security Architecture — choose a session length
1. A company is implementing a zero trust architecture. Which of the following BEST describes the principle of micro-segmentation in this model?
2. An organization is adopting a cloud-first strategy and wants to ensure proper security responsibilities are understood. Which concept defines the division of security responsibilities between the cloud provider and the customer?
3. A security architect is designing a hybrid cloud environment with workloads in AWS and on-premises. The architect needs to ensure secure, low-latency connectivity between the two environments without traversing the internet. Which solution should be used?
4. A company is deploying a cloud access security broker (CASB) to gain visibility into shadow IT. Which mode of operation would allow the CASB to inspect traffic without requiring proxy configuration on endpoints?
5. A security analyst needs to ensure that only authorized containers run in a Kubernetes cluster. Which Kubernetes native security control should be configured?
6. An organization is concerned about quantum computer attacks on its current cryptographic infrastructure. Which of the following NIST-approved post-quantum cryptographic algorithms is designed for key encapsulation?
7. During a security assessment, a penetration tester discovers that a web application fails to validate the size of user input, leading to a buffer overflow. Which application security control would have BEST prevented this vulnerability?
8. An organization wants to enforce that only signed container images are deployed in production. Which of the following should be implemented?
9. A company is deploying a SASE architecture. Which component is responsible for securing web traffic and enforcing acceptable use policies at the edge?
10. A security architect is designing a PKI for a large enterprise. Which component is used to protect private keys and perform cryptographic operations in a tamper-resistant environment?
11. During an API security review, an assessor finds that the API uses JSON Web Tokens (JWT) with a symmetric key shared among multiple services. Which of the following is the MOST significant security concern?
12. An organization wants to enforce consistent security policies across multiple cloud providers (AWS, Azure, GCP). Which tool is designed to continuously monitor and remediate misconfigurations in cloud environments?
13. A security architect is designing a supply chain security program. Which TWO of the following are essential components of a software bill of materials (SBOM) strategy? (Select TWO.)
14. An organization is migrating to a zero trust model and wants to implement identity-centric security. Which THREE of the following are key principles of an identity-centric zero trust approach? (Select THREE.)
15. A company is implementing a defense-in-depth strategy for its web application. Which THREE of the following are layers that should be included? (Select THREE.)
16. A security architect is designing a zero-trust architecture for a multi-cloud environment. Which principle is essential for enforcing identity-centric micro-segmentation?
17. An organization is adopting a cloud-first strategy and needs to ensure compliance with SOC 2. Which cloud service model places the most responsibility on the customer for security?
18. A security engineer is deploying a Cloud Access Security Broker (CASB) to protect a SaaS application. Which deployment mode allows the CASB to inspect encrypted traffic without requiring client software?
19. A company needs to connect its on-premises data center to a public cloud provider with low latency and high bandwidth while avoiding the public internet. Which connectivity method should be used?
20. A security architect is reviewing a Secure Access Service Edge (SASE) implementation. Which component of SASE provides security inspection for all traffic, regardless of location?
21. During a secure SDLC, a development team wants to identify vulnerabilities in running code. Which type of testing should be performed?
22. A security team is hardening a Kubernetes cluster. Which control should be implemented to restrict a container's system calls to only those required by the application?
23. An organization wants to protect cryptographic keys used for TLS termination. Which hardware solution should be deployed to prevent key extraction?
24. A security architect is designing a public key infrastructure (PKI). Which component is responsible for issuing and revoking certificates?
25. A company is preparing for post-quantum cryptography migration. According to NIST PQC standards, which algorithm is a candidate for key encapsulation?
26. An enterprise is implementing a cloud security posture management (CSPM) solution. What is the primary function of CSPM?
27. A security analyst is investigating an API that uses JSON Web Tokens (JWT) for authentication. Which field in a JWT contains the token expiration time?
28. A security architect is implementing network segmentation in a hybrid cloud environment. Which TWO controls are most effective for reducing east-west traffic risks?
29. A DevSecOps team is integrating security into the CI/CD pipeline. Which THREE practices should be included to ensure supply chain security?
30. An organization is deploying a cloud workload protection platform (CWPP). Which TWO capabilities are essential for protecting workloads in a hybrid cloud?
31. A security architect is designing a zero trust architecture for a corporate network. Which principle is fundamental to the zero trust model?
32. A company is migrating to a public cloud and wants to ensure they understand their security responsibilities. According to the shared responsibility model, which of the following is typically the responsibility of the cloud customer?
33. An organization is implementing a CASB to secure their SaaS applications. Which CASB deployment mode is most appropriate for monitoring and controlling data in transit between users and cloud apps without modifying the user's device?
34. A security engineer is designing a secure hybrid cloud connection between an on-premises data center and AWS. Which service provides a dedicated, private network connection that bypasses the public internet?
35. An organization is adopting SASE to converge network and security functions. Which component of SASE provides secure web gateway (SWG) capabilities?
36. During a threat modeling exercise for a new web application, the team identifies that the application uses JWT for authentication. Which vulnerability is most likely if the server does not properly verify the JWT signature?
37. A security architect is implementing defense-in-depth for a critical application. Which of the following is an example of a detective control?
38. A company is deploying containers in a Kubernetes cluster and needs to enforce that containers run with reduced capabilities. Which Linux security feature should be configured to drop unnecessary capabilities?
39. An organization is concerned about future quantum computer attacks on their public key infrastructure. Which NIST-standardized algorithm is designed for digital signatures and is resistant to quantum attacks?
40. A security team is hardening a Kubernetes cluster. Which resource should be used to define fine-grained rules for which pods can communicate with each other?
41. A company uses an API gateway to manage their microservices. Which security control should the gateway enforce to prevent abuse from excessive API calls?
42. A security administrator needs to ensure that only authorized devices can access the corporate network. Which technology would best enforce this requirement at the network access layer?
43. A security architect is evaluating a CSPM tool for a multi-cloud environment. Which TWO capabilities should the architect consider essential for the CSPM? (Choose two.)
44. An organization is implementing a software-defined perimeter (SDP) for zero trust network access. Which THREE characteristics are typical of an SDP architecture? (Choose three.)
45. A security team is implementing a secure SDLC for a new application. Which THREE activities should be included as part of the development phase? (Choose three.)
46. A security architect is implementing a zero trust model for a financial services company. The goal is to prevent lateral movement in the data center. Which approach best achieves this objective?
47. A company uses a hybrid cloud model with workloads on AWS and on-premises. They need to ensure secure connectivity between the two environments with high bandwidth and low latency, bypassing the public internet. Which solution should they implement?
48. An organization is deploying a containerized application on Kubernetes and must enforce that only approved container images are allowed to run, and that containers cannot escalate privileges. Which combination of controls should the architect implement?
49. Which technology is used to discover and control cloud applications, enforce security policies, and provide visibility into cloud usage?
50. A security architect is designing a cryptographic system for a government agency that must protect classified data for the next 30 years. The agency is concerned about the threat from quantum computers. Which NIST post-quantum cryptography algorithm is recommended for key encapsulation?
51. An organization is implementing a Secure Access Service Edge (SASE) architecture to support remote workers. Which key capability does SASE provide that traditional VPNs lack?
52. A DevOps team integrates security into the CI/CD pipeline. They want to identify vulnerabilities in open-source libraries used by their application. Which tool or practice is specifically designed for this purpose?
53. In the shared responsibility model for cloud security, which of the following is typically the responsibility of the customer when using an Infrastructure as a Service (IaaS) model?
54. A security architect is designing a PKI for an organization that requires high assurance certificates. The architect needs to protect the root CA private key. Which solution provides the highest level of security for the root CA key?
55. An organization uses a multi-cloud strategy with workloads on AWS, Azure, and GCP. They need a single tool to monitor and enforce security configurations across all cloud environments. Which cloud security solution is best suited for this requirement?
56. Which of the following best describes the security benefit of using an API gateway in a microservices architecture?
57. A company is migrating to immutable infrastructure for its production environment. The security architect needs to ensure that any changes to the infrastructure are made by replacing instances, not by modifying existing ones. Which security advantage does immutable infrastructure provide?
58. A security architect is evaluating an API security strategy for a SaaS application that supports OAuth 2.0. Which TWO controls should the architect recommend to protect against token interception and replay attacks?
59. A global company must comply with data residency regulations that require customer data to stay within specific geographic boundaries. The company uses a multi-cloud architecture. Which THREE strategies should the architect implement to ensure compliance?
60. An organization is hardening its Kubernetes cluster. Which THREE of the following are effective controls to limit the blast radius of a compromised container?
61. Which of the following is a core principle of the Zero Trust security model?
62. A security architect is designing a cloud security strategy for a company that uses multiple cloud providers. The architect needs a solution that provides visibility into cloud application usage, enforces security policies, and protects data. Which technology is most appropriate?
63. An organization is implementing a hybrid cloud architecture and must ensure secure connectivity between its on-premises network and a public cloud VPC. The traffic includes sensitive data that must not traverse the internet. The solution must provide high bandwidth and low latency. Which connectivity option should the architect choose?
64. A company is adopting a defense-in-depth strategy. Which of the following is an example of a preventive control at the network layer?
65. An organization is implementing a Secure Access Service Edge (SASE) architecture. Which of the following is a key component of SASE?
66. A security architect is designing an API security strategy for a microservices-based application. The architect needs to ensure that only authenticated and authorized clients can invoke APIs, and that rate limiting is enforced to prevent abuse. Which technology should be placed in front of the microservices?
67. Which of the following is a cloud-native security control provided by a cloud service provider to manage user permissions and access to resources?
68. An organization is deploying containerized applications and needs to enforce security policies that restrict the system calls a container can make. Which Linux security module should be used?
69. A company is migrating sensitive workloads to the cloud and must comply with FedRAMP requirements. Which of the following is the most appropriate cloud deployment model?
70. A security architect is designing a PKI for a large organization. The architect wants to ensure that private keys are stored securely and that cryptographic operations are performed in a tamper-resistant environment. Which solution should be used?
71. In the shared responsibility model for cloud security, which of the following is typically the responsibility of the customer?
72. An organization wants to implement infrastructure as code (IaC) with immutable infrastructure. Which security benefit does immutable infrastructure provide?
73. A security architect is implementing a zero trust architecture for a corporate network. Which TWO principles are fundamental to the zero trust approach? (Choose two.)
74. A company is developing a secure software development lifecycle (SDLC) and wants to integrate security testing early. Which THREE techniques should be used to find vulnerabilities in code during development? (Choose three.)
75. An organization is deploying a Kubernetes cluster and needs to harden security. Which THREE controls should be implemented? (Choose three.)
76. In a zero trust architecture, which concept ensures that an attacker who compromises one segment cannot move laterally to other segments?
77. A security architect is designing a hybrid cloud environment. The organization requires low-latency, private connectivity between on-premises and a public cloud provider, bypassing the public internet. Which solution best meets this requirement?
78. An organization is migrating critical workloads to the cloud and must comply with FedRAMP. Which cloud service model provides the most customer control over security configuration while still leveraging the provider's FedRAMP authorization?
79. A company uses a CASB to monitor cloud application usage. Which primary function does a CASB provide for enforcing security policies between users and cloud services?
80. A security architect is implementing an API gateway to protect microservices. Which security capability is uniquely provided by an API gateway compared to a traditional web application firewall (WAF)?
81. An organization wants to implement an immutable infrastructure for its containerized applications. Which security benefit is most directly achieved by immutability?
82. In the shared responsibility model for cloud security, which of the following is generally the responsibility of the cloud customer?
83. A security architect is evaluating a SASE solution. Which component of SASE is primarily responsible for inspecting encrypted traffic for threats?
84. During a secure SDLC, a security architect wants to identify design flaws early. Which activity is most appropriate for the design phase?
85. To protect against quantum computing attacks, a security architect is planning to transition to post-quantum cryptography. Which algorithm has been selected by NIST for general encryption (key encapsulation) in the PQC standard?
86. A company uses Kubernetes for container orchestration. Which security control should be implemented to enforce that only specific images from a trusted registry can run in the cluster?
87. Which cryptographic best practice ensures that a private key remains protected even if the server it is stored on is compromised?
88. A security architect is designing a defense-in-depth strategy for a cloud-native application. Which TWO controls are most effective for protecting east-west traffic between microservices?
89. An organization is implementing a zero trust architecture and needs to enforce identity-centric access for all resources. Which THREE components are essential to this approach?
90. A security architect is reviewing supply chain security for a software product. Which TWO artifacts are most important for verifying the integrity and provenance of third-party components?
91. A security architect is designing a zero trust architecture for a financial services company. Which component is MOST critical to enforce identity-centric access control in a zero trust model?
92. In a cloud shared responsibility model, which of the following is typically the customer's responsibility for IaaS?
93. A company is migrating to AWS and needs to comply with SOC 2. Which cloud-native service would BEST help monitor and enforce security configurations across the AWS environment?
94. A security architect is designing a secure connectivity solution between an on-premises data center and a public cloud provider. The solution must provide low latency, high bandwidth, and avoid traversing the public internet. Which approach BEST meets these requirements?
95. An organization is implementing SASE to secure remote user access. Which component of SASE is responsible for enforcing identity-based access policies and inspecting traffic?
96. A security engineer is integrating API security for a RESTful service. Which mechanism is used to verify that the API request has not been tampered with and originates from a legitimate client?
97. During a secure SDLC, a development team is reviewing code for security flaws early in the development process. Which type of testing is MOST appropriate for identifying vulnerabilities in source code before it is compiled?
98. A container security team wants to enforce that containers run with the least privileges possible. Which Linux security module can be used to restrict system calls available to a container?
99. An organization is designing a PKI to issue certificates to thousands of IoT devices. Which architectural decision will BEST support automated certificate lifecycle management?
100. A security analyst is reviewing a Kubernetes cluster and wants to ensure that only authorized users can create or modify pods. Which Kubernetes object should be configured to enforce this?
101. A company must protect cryptographic keys used to sign financial transactions. The solution must be FIPS 140-2 Level 3 compliant and provide tamper-resistant hardware. Which technology should be deployed?
102. An organization is planning to adopt quantum-resistant cryptography. According to NIST PQC standards, which algorithm is recommended for digital signatures?
103. A security architect is evaluating Cloud Security Posture Management (CSPM) tools. Which TWO capabilities are typically provided by CSPM? (Choose two.)
104. A company is implementing a defense-in-depth strategy for its web application. Which THREE security controls should be included in the architecture? (Choose three.)
105. An organization is architecting a hybrid cloud environment with AWS and on-premises resources. Which THREE considerations are essential for meeting data residency requirements? (Choose three.)
106. Which of the following is a key principle of the zero trust security model?
107. A company is migrating its workloads to a public cloud and wants to ensure it understands the division of security responsibilities. Which model defines the demarcation of security controls between the cloud provider and the customer?
108. An organization is implementing network segmentation to limit lateral movement. It wants to isolate application tiers at the virtual network level in a cloud environment. Which technology enforces policies on east-west traffic between VMs in different subnets?
109. A security architect is designing a secure connection between an on-premises data center and a cloud provider's virtual network. The connection must be private, low-latency, and not traverse the public internet. Which solution should they recommend?
110. Which of the following is a primary function of a Cloud Access Security Broker (CASB)?
111. An organization is adopting a DevSecOps approach and wants to integrate security early in the development lifecycle. Which practice involves creating visual representations of threats and identifying potential attack vectors during the design phase?
112. A company is deploying containerized applications on Kubernetes and needs to ensure that only authorized images are run in the cluster. Which Kubernetes resource should be used to enforce policies on what containers can run, including image source restrictions?
113. Which of the following is a benefit of using an immutable infrastructure approach?
114. An organization uses a hardware security module (HSM) to protect cryptographic keys. Which aspect of key management does an HSM primarily address?
115. A security architect is evaluating a SASE solution. Which capability is expected to be part of a SASE platform?
116. An organization must comply with FedRAMP requirements for a cloud service. Which aspect of cloud security is most directly assessed under FedRAMP?
117. Which of the following is a key feature of TLS 1.3 compared to earlier versions?
118. A security architect is designing a zero trust network architecture and needs to implement micro-segmentation. Which TWO of the following techniques are commonly used to achieve micro-segmentation? (Select TWO.)
119. An organization is planning to adopt quantum-resistant cryptography. According to NIST PQC standards, which THREE algorithms are currently selected for standardization? (Select THREE.)
120. A company is implementing API security for its web services. Which THREE of the following are considered best practices for securing APIs? (Select THREE.)
121. A security architect is designing a zero trust architecture for a financial institution. Which principle is fundamental to the zero trust model?
122. A company is migrating critical workloads to AWS and must secure data at rest. They need to maintain control over the encryption keys. Which service should they use to meet this requirement?
123. An organization is adopting a SASE architecture to provide secure access to cloud applications. Which component is essential for enforcing security policies based on user identity and device posture?
124. A security analyst is reviewing a Kubernetes cluster's security configuration. Which component should be used to ensure that only authorized pods can communicate with each other?
125. During a threat modeling exercise for a new web application, the team identifies a risk of API abuse due to lack of rate limiting. Which security control should be implemented at the API gateway to mitigate this risk?
126. A company is required to comply with FedRAMP for its cloud deployment. Which of the following is a key requirement for FedRAMP compliance?
127. An enterprise is securing a hybrid cloud environment with on-premises and AWS workloads. They need to ensure that on-premises systems can privately access VPC resources without traversing the public internet. Which AWS service should they use?
128. A security architect is designing a defense-in-depth strategy for a web application. Which combination of controls provides overlapping protection against SQL injection attacks?
129. A company uses a multi-cloud strategy with workloads in AWS and Azure. They need a centralized solution to enforce consistent security policies across both cloud environments. Which type of tool should they deploy?
130. An organization is migrating to an immutable infrastructure model for its containerized applications. Which practice is essential to ensure the integrity of the immutable infrastructure?
131. A security engineer is hardening a Kubernetes environment. Which THREE of the following are effective controls for securing the cluster? (Select THREE.)
132. Which TWO of the following are key benefits of using a software-defined perimeter (SDP) in a zero trust architecture? (Select TWO.)
133. A security architect is evaluating cryptographic agility for a system that must be resistant to quantum computing attacks. Which TWO algorithms are part of the NIST PQC standards? (Select TWO.)
134. A company is implementing a secure SDLC and wants to integrate application security testing early. Which THREE tools are most appropriate for shift-left security? (Select THREE.)
135. An organization is designing a PKI for certificate lifecycle management. Which TWO practices are critical for maintaining the security of the certificate authority (CA)? (Select TWO.)
136. A multinational corporation is adopting a zero trust architecture for its enterprise network. The security team is evaluating mechanisms to enforce granular access controls and segment workloads. Which TWO components are most critical for implementing a zero trust model? (Choose TWO.)
137. A security architect is designing a cloud security strategy for a healthcare organization that uses a hybrid cloud environment with AWS and Azure. The organization must comply with HIPAA and needs to protect sensitive patient data. Which THREE cloud security controls should be prioritized? (Choose THREE.)
138. A company is migrating critical applications to a multi-cloud architecture using AWS and Google Cloud Platform (GCP). The security team must ensure secure connectivity between on-premises data centers and cloud environments while meeting data residency requirements in the EU. Which TWO solutions should the architect implement to address these requirements? (Choose TWO.)
139. A financial institution is implementing a secure software development lifecycle (SSDLC) for a new web application that will handle sensitive transactions. The security architect must ensure that application security testing is integrated into the development process. Which THREE testing techniques should be used to identify vulnerabilities early and throughout the lifecycle? (Choose THREE.)
140. A security architect is designing a Kubernetes cluster for a government agency that requires high security and compliance with FedRAMP. The cluster will host microservices processing sensitive data. Which TWO configurations are most critical for hardening the Kubernetes environment? (Choose TWO.)
141. An organization is planning to modernize its cryptographic infrastructure to protect sensitive data for the next 10 years. The security architect must consider future threats from quantum computing. Which TWO quantum-resistant algorithms should the architect prioritize for key encapsulation and digital signatures? (Choose TWO.)
142. A security architect is reviewing API security for a financial services platform that uses OAuth 2.0 for authorization and JWTs for token exchange. The platform must protect against common API threats such as token theft and injection attacks. Which TWO controls should be implemented to mitigate these specific threats? (Choose TWO.)
The Security Architecture domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.
The Courseiva CAS-004 question bank contains 142 questions in the Security Architecture domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Security Architecture domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.