Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

CAS-004 · Free, no signup required

Security Engineering

Practice CAS-004 Security Engineering questions with full explanations on every answer.

97 questions

Security Engineering: choose a session length

10 questions (~10 min) · 20 questions (~20 min) · 30 questions (~30 min) · 50 questions (~50 min)

Free · No account required

CAS-004 Domains

Scripting, Containers and Automation
Application Environment, Configuration and Security
Governance, Risk and Compliance
Security Engineering
Security Architecture
Security Operations

All CAS-004 Security Engineering questions (97)


Click any question to see the full explanation and answer options, or start a focused practice session above.

1. A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?

2. A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

3. An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?

4. A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?

5. A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

6. Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

7. Which THREE of the following are common vulnerabilities in IoT devices? (Select THREE.)

8. A security analyst is reviewing an AppArmor profile for an application. Based on the exhibit, which action would the application be denied?

9. A network administrator is troubleshooting connectivity issues. Based on the exhibit, which of the following is true about the iptables rules?

10. A company is designing a new data center with high availability requirements. The network team proposes using virtualized network functions (VNFs) on commodity hardware to reduce costs. Which security consideration is MOST important when implementing this design?

11. A security engineer is hardening a Linux web server. The team requires that the web server process cannot run with root privileges and that any file it writes must have minimal permissions. Which two controls should be implemented together? (Select TWO.)

12. An organization wants to implement a solution that ensures data cannot be read if a storage device is physically stolen. Which encryption approach BEST meets this requirement?

13. A network administrator is configuring a firewall rule set. The requirement is to allow inbound HTTPS traffic from the internet to a web server at 10.1.1.10, and to allow the web server to respond. All other inbound traffic should be blocked. Which rule set accomplishes this?

14. A security analyst reviews logs from a web application firewall (WAF) and notices that an attacker is bypassing the WAF by encoding malicious payloads using base64 and then sending them in HTTP headers. Which WAF configuration change would BEST detect and block such attacks?

15. Which TWO of the following are considered secure design principles for cryptographic systems?

16. Which THREE of the following are common techniques to mitigate side-channel attacks?

17. An administrator runs the above iptables command on a Linux server. The server is directly connected to the internet. Which of the following is the MOST significant security issue with this configuration?

18. A security engineer is reviewing an S3 bucket policy for a bucket named 'corporate-data'. The policy is shown. Which of the following describes a vulnerability in this configuration?

19. A security architect is designing a web application that handles sensitive customer data. The application must ensure that if one server is compromised, the attacker cannot access the private keys used for TLS termination. Which of the following approaches best meets this requirement?

20. A security engineer needs to implement a solution that will detect and block command-and-control (C2) traffic from malware on the internal network. The solution must be able to inspect encrypted traffic and operate at the network layer. Which of the following is the BEST choice?

21. A security analyst reviews the syslog messages from the company's ASA firewall. Based on the exhibit, which of the following is the MOST likely cause of the denied traffic?

22. A security architect is designing a secure software development pipeline. The organization wants to ensure that code is thoroughly analyzed before deployment. Which TWO of the following should be integrated into the pipeline to identify vulnerabilities early? (Select TWO.)

23. An organization is deploying a new cloud-based application that processes personally identifiable information (PII). The security team must ensure data at rest is encrypted. Which THREE of the following controls should be implemented to protect the data? (Select THREE.)

24. A small business has a single physical server running multiple virtual machines (VMs) using Type 2 hypervisor software on a Windows Server host. The host is not joined to a domain. The VMs include an Active Directory domain controller, a file server, and a web server. The company recently suffered a ransomware attack that encrypted all data on the file server VM. The IT administrator restored the file server from a backup, but the ransomware returned within hours. Analysis shows that the ransomware is now spreading to other VMs. The administrator suspects that the hypervisor host itself may be compromised. Which of the following is the MOST effective immediate action to contain the spread and secure the environment?

25. A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a public-facing e-commerce site. The site has been experiencing intermittent false positives that block legitimate customers during checkout. The WAF is deployed in blocking mode with a rule set that includes SQL injection and cross-site scripting (XSS) signatures. The engineer notices that legitimate credit card numbers containing the string 'OR' are being blocked. The site uses HTTPS and input validation on the server side. Which of the following actions would BEST resolve the false positives while maintaining security?

26. A security engineer is designing a secure enclave for processing sensitive personally identifiable information (PII). The enclave must protect data at rest and in use, and must support attestation to verify its integrity. Which THREE technologies should the engineer incorporate? (Choose three.)

27. A security analyst reviews the ACL rules above. A host at 10.0.1.5 attempts to SSH (port 22) to a server at 10.0.2.10. What is the result?

28. A company's development team uses a CI/CD pipeline hosted in a public cloud. The pipeline builds container images, pushes them to a private registry, and deploys them to a Kubernetes cluster. A security engineer must ensure that only signed and vulnerability-scanned images are deployed. The engineer has configured the registry to require signatures and the CI/CD pipeline to scan images. However, deployments are still failing because unsigned images are being pulled. The engineer discovers that developers can push images directly to the registry bypassing the CI/CD pipeline and that Kubernetes nodes can pull images without signature verification. Which of the following should the engineer implement to enforce image signing and scanning?

29. Drag and drop the steps to respond to a ransomware incident in the correct order.

30. Drag and drop the steps to implement a DLP policy to prevent credit card data exfiltration via email into the correct order.

31. Match each command-line tool to its primary function.

32. Match each cloud service model to its scope.

33. A security engineer needs to implement a solution that provides both confidentiality and integrity for data at rest. Which cryptographic method BEST meets these requirements?

34. A company is deploying IoT sensors in a remote area with limited connectivity. The sensors must be able to securely transmit data using minimal bandwidth. Which protocol should the engineer choose?

35. During a security assessment, the engineer discovers that a network appliance's firmware updates are signed using a 1024-bit RSA key. The appliance was manufactured in 2015. What is the primary security concern?

36. An organization wants to implement a zero-trust architecture for remote access. Which of the following is the MOST important component?

37. A financial institution needs to ensure that transaction logs are tamper-proof after creation. Which solution should be implemented?

38. A cloud security architect is designing a multi-region active-active application. The application must maintain high availability even if an entire AWS region fails. Which architecture BEST meets this requirement?

39. A small business wants to protect endpoints from malware without incurring per-device licensing costs. Which approach is MOST cost-effective?

40. During a penetration test, an engineer discovers that the application uses client-side JavaScript to validate input before submission. What is the MOST significant vulnerability?

41. An organization is migrating to a hybrid cloud model. The security policy mandates that all keys used for data encryption must be managed on-premises. Which key management solution should be used?

42. A security engineer is designing a secure wireless network for a corporate office. Which TWO configurations should be implemented to maximize security?

43. An incident responder is analyzing a compromised server. Which THREE indicators are MOST likely to confirm a successful attack?

44. A security team is implementing controls to meet PCI DSS requirements for cardholder data. Which THREE controls are required?

45. The security engineer notices that SSH login attempts to 192.168.1.1 from the untrust zone are being blocked. Which policy misconfiguration is MOST likely causing this?

46. The engineer needs to prevent brute-force attacks while allowing legitimate access. Which security control is MOST effective?

47. A security analyst reviews this configuration and identifies a vulnerability. What is the MOST critical issue?

48. A security architect needs to protect sensitive data in use within a server's memory from other processes. Which technology should be implemented?

49. A company has implemented a hardware security module (HSM) to manage cryptographic keys for a payment processing system. Which of the following best describes an advantage of using an HSM over software-based key storage?

50. During a security assessment, a penetration tester discovers that a web application uses a custom encryption algorithm to protect session tokens. According to secure engineering principles, what is the primary concern?

51. An organization is deploying a new application that processes sensitive user data. The security team recommends using a dedicated cryptographic module. Which standard should the module comply with to ensure it is validated for security?

52. A security engineer is designing a secure boot process for embedded devices. Which component is responsible for verifying the signature of the bootloader before execution?

53. An organization wants to implement a zero-trust architecture for remote access. Which component is most critical for enforcing least-privilege access to internal applications?

54. A company wants to ensure that only authorized code runs on its point-of-sale (POS) terminals. Which technology should be implemented?

55. A security engineer is deploying a wireless network for a high-security facility. Which protocol should be used to provide the strongest authentication and encryption for client devices?

56. During a security incident, a forensic analyst needs to acquire a memory dump from a Linux server without altering the system state. Which tool is most appropriate for this task?

57. A security engineer is evaluating options for securing firmware updates on IoT devices. Which TWO methods provide integrity verification of the update?

58. Which THREE of the following are key components of a zero-trust security architecture? (Select THREE.)

59. A cloud security architect is designing a key management system for a multi-tenant SaaS application. Which TWO practices are essential for ensuring cryptographic key security? (Select TWO.)

60. Refer to the exhibit. A security engineer is reviewing an X.509 certificate used for TLS. Which security concern should the engineer identify?

61. Refer to the exhibit. A security analyst is reviewing the firewall rule set for a corporate network. Which misconfiguration is present?

62. Refer to the exhibit. A cloud security engineer is reviewing an AWS S3 bucket policy. What security issue does the policy contain?

63. A security architect is designing a secure enclave for a high-value application. Which of the following is the BEST approach to isolate the application from the rest of the network?

64. A security engineer must select a cryptographic algorithm to ensure non-repudiation for digitally signed documents. Which algorithm is most appropriate?

65. A company deploys a web application behind a WAF. The security team discovers that the WAF allows traffic from a known malicious IP. After investigating, they find the WAF is configured to allow all traffic from a specific country for business reasons. Which of the following is the BEST course of action?

66. A security engineer is implementing a solution to securely store and manage cryptographic keys for a fleet of IoT devices. The devices have limited processing power and cannot perform asymmetric operations. Which of the following is the BEST approach?

67. A security architect is designing a zero-trust network architecture. Which of the following is a fundamental principle of zero trust?

68. A company's security team is reviewing the integration of a legacy application that only supports NTLM authentication. The infrastructure must be updated to meet modern security standards. Which of the following is the BEST approach to mitigate the risk of using NTLM?

69. During a security assessment, a penetration tester discovers that a web application's session tokens are predictable. The application uses a custom session management system. Which of the following is the MOST effective remediation to ensure secure session tokens?

70. A security engineer is tasked with designing a cryptographic solution to protect data at rest in a multi-tenant cloud storage system. Each tenant's data must be encrypted with a unique key, and the system must support key rotation with minimal performance impact. Which of the following is the BEST approach?

71. Which of the following is the primary purpose of implementing a public key infrastructure (PKI)?

72. Which TWO of the following are advantages of using a hardware security module (HSM) over a software-based cryptographic module? (Select exactly 2.)

73. Which TWO of the following are valid techniques to mitigate the risk of side-channel attacks on cryptographic implementations? (Select exactly 2.)

74. Which THREE of the following are essential components of a secure software development lifecycle (SSDLC) to ensure security engineering? (Select exactly 3.)

75. An engineer reviews the TLS configuration for a web server. Which of the following is a security concern present in this configuration?

76. A security engineer is evaluating the use of AES-256-GCM for encrypting sensitive data in transit. They note that the Additional Authenticated Data (AAD) field is empty. What is the security implication?

77. An OpenVPN configuration file is shown. A security auditor recommends replacing the cipher and auth directives. Which of the following is the BEST replacement pair from a security engineering perspective?

78. A security engineer is designing a secure communication channel between two internal systems over an untrusted network. Which protocol should be used to ensure both confidentiality and integrity of data in transit?

79. An organization is deploying hardware security modules (HSMs) to protect cryptographic keys used for digital signatures. Which attack vector is most effectively mitigated by using an HSM compared to storing keys in software?

80. A company is implementing single sign-on using SAML 2.0. A security architect is reviewing the authentication flow and notices that the identity provider (IdP) does not digitally sign the SAML assertions. Which of the following is the most significant security risk?

81. A network administrator is configuring a firewall to allow only necessary traffic to a web server. The server should be accessible from the internet on port 443 and from a management subnet on port 22. Which firewall rule ensures least privilege?

82. A data loss prevention (DLP) solution is being implemented to prevent sensitive data from leaving the corporate network. Which of the following is the most effective approach for detecting structured data like credit card numbers in outbound traffic?

83. During a security review, it is discovered that a critical application uses hardcoded cryptographic keys. The development team refactors the code to retrieve keys from a centralized key management system (KMS) using role-based access control. Which additional practice should be implemented to minimize the risk of key compromise?

84. A company is deploying a wireless network for guests. Which security measure is most important to prevent unauthorized users from accessing internal resources?

85. A virtualization administrator needs to ensure that virtual machines (VMs) from different customers cannot communicate with each other unless explicitly allowed. Which network security control should be implemented on the hypervisor?

86. A security architect is evaluating web application firewall (WAF) features to protect against common attacks. Which TWO of the following attacks can a WAF most effectively prevent?

87. A company is implementing a zero-trust network architecture. Which THREE of the following are critical components of this approach?

88. An organization is implementing a public key infrastructure (PKI). Which THREE of the following are essential components?

89. A large enterprise recently migrated its critical applications to a hybrid cloud environment. The security team is concerned about the risk of privileged account abuse. They have implemented a privileged access management (PAM) solution that rotates passwords for service accounts after each use. However, during an incident response drill, the team discovers that an attacker who compromised a jump server was able to access multiple administrative consoles without re-authentication. Investigation reveals that the PAM solution uses session recording but does not enforce session termination; instead, it relies on the lifecycle of the token issued during initial authentication. The attacker captured a valid token and reused it from a different machine. Which of the following is the most effective remediation?

90. A financial institution is required to comply with PCI DSS and uses a mix of legacy and modern applications. The security architect proposes to segment the network so that the cardholder data environment (CDE) is isolated. However, a legacy application in a non-CDE segment must send data to a database in the CDE. The legacy application cannot be modified and communicates via clear-text protocols. Which of the following is the most secure solution that maintains compliance?

91. A small business uses an on-premises Active Directory for user authentication. They want to enable employees to use their corporate credentials to access a SaaS application that supports SAML 2.0. The security administrator needs to set up a federation between the on-premises AD and the SaaS provider. Which of the following components must be deployed on-premises to act as a bridge between AD and the SAML identity provider?

92. A company is deploying a new web application that handles sensitive customer data. The application is built using a microservices architecture running in containers on a Kubernetes cluster. The security team wants to implement mutual TLS (mTLS) for service-to-service communication. However, they are concerned about the operational overhead of certificate management. Which approach minimizes management overhead while still ensuring strong authentication?

93. A large financial organization is migrating its on-premises authentication infrastructure to a cloud-based identity provider (IdP) to support a hybrid workforce. Currently, on-premises Active Directory is used with smart cards for authentication. The cloud IdP will support SAML 2.0 and OAuth 2.0. The security team requires that all authentication to cloud applications be protected by hardware-backed keys and that user credentials never leave the on-premises network. The solution must also support FIDO2 authentication for passwordless logins. During a pilot, users report that after authenticating to the cloud IdP using their smart cards, they are prompted again for credentials when accessing certain cloud applications. The logs show that the cloud IdP is issuing multiple authentication requests to the on-premises AD Federation Services (AD FS). The CISO is concerned about performance and security of repeated authentication. As a security architect, what is the best course of action?

94. A defense contractor is developing a new secure messaging application for classified communications. The application must ensure end-to-end encryption, perfect forward secrecy, and resistance to quantum computing attacks. The development team proposes using ECDH for key exchange and AES-256-GCM for message encryption. The security architect reviews the design and identifies a weakness: the current key exchange does not authenticate the public keys, making it vulnerable to man-in-the-middle attacks. The team suggests adding digital signatures using RSA-2048. However, the architect is concerned about quantum resistance. What should the architect recommend?

95. A security engineer is hardening a Linux server. Which TWO of the following are best practices for preventing privilege escalation attacks?

96. Refer to the exhibit. A security analyst reviews the following firewall rule on a border firewall. Which vulnerability is present?

97. A financial company is expanding its hybrid cloud architecture. They have an AWS VPC connected to an on-premises network via an IPsec VPN using IKEv2. The on-premises firewall is a Cisco ASA. Recently, users report intermittent connectivity to cloud resources. The security team reviews logs and finds the following message on the ASA: 'no matching crypto map entry for traffic from on-prem to cloud'. The team also suspects potential data leakage due to occasional unencrypted traffic. The corporate policy requires all traffic between environments to be encrypted. The engineer has verified that the IKEv2 proposals match on both sides. The cloud side uses a virtual private gateway with a static route to the on-premises network. Which of the following should the engineer do FIRST to resolve the issue?

Other CAS-004 exam domains

Scripting, Containers and Automation
Application Environment, Configuration and Security
Governance, Risk and Compliance
Security Architecture
Security Operations

Frequently asked questions

What does the Security Engineering domain cover on the CAS-004 exam?

The Security Engineering domain covers the key concepts tested in this area of the CAS-004 exam blueprint published by CompTIA. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all CAS-004 domains — no account required.

How many Security Engineering questions are in the CAS-004 question bank?

The Courseiva CAS-004 question bank contains 97 questions in the Security Engineering domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Security Engineering for CAS-004?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Security Engineering questions for CAS-004?

Yes — the session launcher on this page draws questions exclusively from the Security Engineering domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
