Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertificationsCAS-004Exam Questions

CompTIA · Free Practice Questions · Last reviewed May 2026

CAS-004 Exam Questions and Answers

36real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

90 exam questions
165 min time limit
Pass: 700/1000 / 1000
6 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Scripting, Containers and Automation2. Application Environment, Configuration and Security3. Governance, Risk and Compliance4. Security Engineering5. Security Architecture6. Security Operations
1

Domain 1: Scripting, Containers and Automation

All Scripting, Containers and Automation questions
Q1
easyFull explanation →

Which of the following is the primary security benefit of using immutable infrastructure in automated deployments?

A

Reduces operational costs by reusing existing servers

B

Eliminates configuration drift and unauthorized changes

C

Increases system performance through hardware acceleration

D

Simplifies monitoring by reducing the number of servers

Why: Immutable infrastructure ensures that servers are never modified after deployment; instead, updates are made by replacing the entire instance with a new, pre-configured image. This eliminates configuration drift because any unauthorized or unintended changes are wiped out on the next deployment cycle, enforcing a consistent, known-good state across all environments.
Q2
mediumFull explanation →

A security analyst is writing a script to scan container images for known vulnerabilities before deployment. Which of the following best practices should the analyst implement to ensure the script runs securely?

A

Hardcode API keys into the script for simplicity

B

Use parameterized queries or input sanitization for any user-supplied data

C

Run the script with root privileges to ensure it has access to all images

D

Store credentials in a world-readable configuration file

Why: Option B is correct because input sanitization and parameterized queries prevent injection attacks when the script processes user-supplied data, such as image names or tags. In the context of container scanning, unsanitized input could lead to command injection or SQL injection if the script queries a vulnerability database. This aligns with secure coding practices for automation scripts, ensuring that the script does not inadvertently execute malicious commands or expose sensitive data.
Q3
hardFull explanation →

An organization implements a CI/CD pipeline that automatically builds and deploys containerized microservices. Which of the following is the most effective method to ensure that only signed, trusted container images are deployed to production?

A

Implement a private container registry with access controls

B

Enable content trust and require signatures on all images

C

Run vulnerability scanning on all images before deployment

D

Use an admission controller that checks image labels

Why: Option B is correct because enabling content trust (e.g., Docker Content Trust or Notary) cryptographically signs container images, ensuring that only images signed by a trusted publisher can be deployed. This directly enforces integrity and authenticity in the CI/CD pipeline, preventing unauthorized or tampered images from reaching production.
Q4
mediumFull explanation →

A DevOps engineer is automating the deployment of a web application using containers. Which of the following security practices should be implemented to reduce the attack surface of the containers? (Select TWO.)

A

Run containers as a non-root user

B

Build images with embedded database credentials

C

Use minimal base images like Alpine or distroless

D

Expose port 22 for SSH debugging

E

Grant all Linux capabilities to the container

Why: Running containers as a non-root user (option A) is a fundamental security best practice because it limits the privileges available to processes inside the container. If an attacker compromises the application, they will not have root access to the host or the container runtime, reducing the potential for privilege escalation or host-level damage. This aligns with the principle of least privilege, which is critical for container security.
Q5
hardFull explanation →

A security administrator is reviewing a Python script used to automate compliance checks across cloud resources. The script uses environment variables for API tokens. Which of the following are secure coding practices that should be implemented in this script? (Select TWO.)

A

Use try-except blocks to handle exceptions gracefully

B

Use os.system() to run shell commands for resource management

C

Hardcode API tokens as fallback if environment variables are missing

D

Validate that required environment variables exist before proceeding

E

Log the API tokens for troubleshooting purposes

Why: Option A is correct because using try-except blocks in Python allows the script to catch and handle exceptions (e.g., missing environment variables, API call failures) gracefully without crashing. This is a fundamental secure coding practice that prevents unhandled errors from exposing sensitive information or causing unpredictable behavior in automated compliance checks.
Q6
hardFull explanation →

Match each automation security concept with its correct description.

A

Immutable infrastructure

B

Infrastructure as Code

C

Secret management

D

Container orchestration

Why: Immutable infrastructure prevents drift by never modifying deployed instances. Infrastructure as Code allows version-controlled, repeatable deployments. Secret management securely handles credentials. Orchestration coordinates container deployment but is not specifically about drift prevention.

Want more Scripting, Containers and Automation practice?

Practice this domain
2

Domain 2: Application Environment, Configuration and Security

All Application Environment, Configuration and Security questions
Q1
easyFull explanation →

Which of the following is the primary purpose of input validation in application security?

A

To improve application performance by filtering out large inputs

B

To prevent injection attacks by ensuring data conforms to expected formats

C

To encrypt user input before storing it in the database

D

To log all user input for auditing purposes

Why: Input validation is a security control that ensures user-supplied data matches expected formats, types, lengths, and ranges before processing. By rejecting malformed input, it directly prevents injection attacks (e.g., SQL injection, XSS, command injection) where an attacker embeds malicious code within input fields. This aligns with OWASP's top application security risks and is a foundational defense-in-depth measure.
Q2
mediumFull explanation →

A security architect is designing a microservices application that uses JWTs for authentication. Which of the following is the most critical security concern regarding JWT handling?

A

Token expiration not being enforced

B

The JWT being transmitted over HTTP instead of HTTPS

C

The server not validating the JWT's 'alg' header properly

D

The JWT containing personally identifiable information (PII)

Why: Option C is correct because a failure to validate the JWT's 'alg' header can allow an attacker to change the algorithm to 'none' or from an asymmetric algorithm (e.g., RS256) to a symmetric one (e.g., HS256), potentially bypassing signature verification. This vulnerability, known as a JWT algorithm confusion attack, is a critical security concern because it directly undermines the integrity and authenticity of the token, which is the core security mechanism for authentication in microservices.
Q3
hardFull explanation →

During a security review, you find that a web application uses a Content Security Policy (CSP) header with the value: 'default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;'. Which attack is the application still vulnerable to?

A

Cross-site request forgery (CSRF)

B

Cross-site scripting (XSS) via inline script injection

C

SQL injection

D

Man-in-the-middle (MITM) attack due to CDN inclusion

Why: Option B is correct because the CSP includes 'unsafe-inline' in the script-src directive, which explicitly allows inline scripts. This bypasses the primary protection CSP offers against XSS, as an attacker can inject malicious JavaScript directly into the HTML (e.g., via a <script> tag or event handler) without violating the policy. The 'self' source only restricts external scripts to the same origin, but inline scripts remain permitted, leaving the application vulnerable to stored, reflected, or DOM-based XSS attacks.
Q4
mediumFull explanation →

An application uses a relational database and constructs SQL queries by concatenating user input. Which secure coding practice should be implemented to mitigate SQL injection?

A

Use stored procedures exclusively

B

Escape all user input with a database-specific escaping function

C

Implement parameterized queries / prepared statements

D

Use an ORM (Object-Relational Mapping) framework

Why: Parameterized queries (prepared statements) separate SQL logic from user data by using placeholders (e.g., `?` in MySQLi or `:param` in PDO). The database driver automatically escapes the input values, ensuring they are treated as data, not executable code. This directly prevents SQL injection because the query structure is fixed before user input is bound.
Q5
hardFull explanation →

A DevOps team is implementing a CI/CD pipeline for a Java application. They want to ensure that all dependencies are scanned for known vulnerabilities before deployment. Which type of tool should they integrate into the pipeline?

A

Static Application Security Testing (SAST)

B

Dynamic Application Security Testing (DAST)

C

Software Composition Analysis (SCA)

D

Interactive Application Security Testing (IAST)

Why: Software Composition Analysis (SCA) is the correct tool because it specifically analyzes open-source and third-party libraries (dependencies) for known vulnerabilities by cross-referencing them against databases like the National Vulnerability Database (NVD). In a CI/CD pipeline for a Java application, SCA tools (e.g., OWASP Dependency-Check, Snyk) scan build artifacts such as pom.xml or build.gradle to identify vulnerable components before deployment.
Q6
mediumFull explanation →

Which two of the following are effective mitigations against XML External Entity (XXE) injection attacks? (Select the two best options.)

A

Disable Document Type Definition (DTD) processing in the XML parser

B

Use a blacklist to filter out dangerous XML tags

C

Validate all XML input against a schema

D

Use a JSON or other less complex data format instead of XML

Why: Option A is correct because XXE attacks exploit the XML parser's ability to process external entities defined in a DTD. By disabling DTD processing entirely, the parser cannot resolve or fetch external resources, which neutralizes the primary vector for XXE injection. This is a standard security hardening step for XML parsers like libxml2, Xerces, or .NET's XmlReader, often achieved by setting properties such as `LIBXML_NOENT` to false or `XmlReaderSettings.DtdProcessing` to `Prohibit`.

Want more Application Environment, Configuration and Security practice?

Practice this domain
3

Domain 3: Governance, Risk and Compliance

All Governance, Risk and Compliance questions
Q1
mediumFull explanation →

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?

A

Adopt a unified control framework such as NIST SP 800-53

Allows mapping to multiple regulations

B

Focus only on the most stringent regulation

C

Implement automated GRC tools without changing controls

D

Maintain separate control sets for each regulation

Why: Adopting a unified control framework such as NIST SP 800-53 allows the firm to map controls from GDPR and SOX into a single, comprehensive set, reducing duplication and ensuring consistent compliance. This approach leverages the framework's catalog of controls, which can be tailored to meet the specific requirements of multiple regulations simultaneously, aligning with the CISO's goal of consolidation.
Q2
hardFull explanation →

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

A

Request the provider's most recent SOC 3 report

B

Accept the risk and proceed with migration

C

Require the provider to sign a Business Associate Agreement (BAA)

Mandatory under HIPAA for covered entities

D

Require the provider to encrypt all data at rest and in transit

Why: Option B is correct because a BA agreement is required under HIPAA to ensure the provider contractually agrees to safeguard ePHI. Option A is wrong because the risk assessment should drive decisions, not just acceptance. Option C is wrong because encryption does not eliminate the need for contractual protections. Option D is wrong because a SOC 2 report without HIPAA coverage does not suffice.
Q3
easyFull explanation →

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?

A

Include security requirements in contracts and conduct periodic audits

Legally binding and verifiable

B

Require vendors to obtain ISO 27001 certification

C

Send annual self-assessment questionnaires

D

Perform quarterly penetration tests on vendor networks

Why: Including security requirements in contracts and conducting periodic audits is the most effective method because it creates a legally binding obligation for vendors to adhere to the organization's security policies, and audits provide direct, verifiable evidence of compliance. Unlike self-assessments or certifications, audits allow the organization to actively inspect controls, configurations, and processes, ensuring ongoing adherence rather than relying on a point-in-time assertion. This approach aligns with the NIST SP 800-53 continuous monitoring framework and is a core principle of third-party risk management (TPRM) in the CAS-004 domain.
Q4
mediumFull explanation →

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?

A

Preventive control failure

A DLP solution should have prevented the email

B

Corrective control failure

C

Administrative control failure

D

Detective control failure

Why: A preventive control failure occurred because the organization lacked a technical safeguard—such as Data Loss Prevention (DLP) rules, email content filtering, or mandatory access controls—to block the outbound transmission of confidential financial data. Preventive controls are designed to stop unauthorized actions before they happen, and the absence of such a mechanism allowed the accidental email to be sent. The failure is not in detection or correction, but in the inability to prevent the data exfiltration at the point of transmission.
Q5
easyFull explanation →

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?

A

Identify vulnerabilities and threats

B

Identify critical business processes and their impact if disrupted

Core purpose of BIA

C

Determine recovery time objectives (RTOs)

D

Develop continuity strategies

Why: The primary purpose of a business impact analysis (BIA) is to identify critical business processes and quantify the operational and financial impact if they were disrupted. This foundational step determines which systems and functions are essential to the organization's survival, directly informing the selection of recovery strategies and objectives. Without a BIA, continuity planning lacks a data-driven basis for prioritizing resources.
Q6
hardFull explanation →

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?

A

Perform separate PIAs for GDPR and CCPA requirements

B

Skip PIAs for existing processing activities

C

Conduct a single PIA that covers both regulations' requirements

Comprehensive and efficient

D

Only perform PIAs when processing high-risk data

Why: Option B is correct because conducting a single PIA that addresses both regulations is efficient. Option A is wrong because separate PIAs are redundant. Option C is wrong because PIAs should be conducted before processing. Option D is wrong because only high-risk processing is not sufficient for all processing.

Want more Governance, Risk and Compliance practice?

Practice this domain
4

Domain 4: Security Engineering

All Security Engineering questions
Q1
mediumFull explanation →

A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?

A

L2TP/IPsec with ESP

B

SSL/TLS VPN

C

ESP in tunnel mode with null encryption

ESP can be configured with null encryption to provide integrity and authentication without confidentiality.

D

AH in transport mode

Why: Option C is correct because ESP in tunnel mode with null encryption provides authentication and integrity via HMAC (e.g., HMAC-SHA256) while omitting encryption (ESP_NULL, RFC 2410). This satisfies the requirement for strong authentication and integrity without confidentiality for non-sensitive traffic, as the payload is authenticated but not encrypted.
Q2
hardFull explanation →

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

A

Client credentials grant

B

Authorization code grant

C

Resource owner password credentials grant

D

Implicit grant

Implicit grant does not support scope parameter; scopes are typically fixed in client configuration.

Why: The implicit grant flow in OAuth 2.0 does not require the client to include the scope parameter in the authorization request; the access token is returned directly in the URL fragment without a separate token endpoint call. When the scope parameter is missing, the authorization server may issue a token with a default or limited scope, causing users to be unable to access resources that require a specific scope. This matches the described symptom, making the implicit grant the most likely flow in use.
Q3
easyFull explanation →

An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?

A

Faster key generation than software

B

Reduced network latency for encryption

C

Automatic cloud backup of keys

D

Tamper-resistant key storage

HSMs are designed to protect keys from physical and logical attacks.

Why: An HSM provides tamper-resistant key storage by using physical and logical safeguards, such as tamper switches, epoxy potting, and zeroization circuits, that destroy cryptographic keys if an attacker attempts to access the hardware. This ensures that private keys remain secure even if the device is compromised, which is a primary requirement for compliance with standards like FIPS 140-2 Level 3 or 4. Software-based storage cannot offer the same level of physical protection against extraction attacks.
Q4
mediumFull explanation →

A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?

A

deny ip 192.168.1.0 0.0.0.255 any

Wildcard 0.0.0.255 matches the entire /24 subnet.

B

deny ip 192.168.1.0 0.0.0.0 any

C

deny ip 192.168.1.0 0.0.0.127 any

D

deny ip 192.168.1.0 255.255.255.0 any

Why: Option A is correct because in Cisco ACL syntax, the wildcard mask 0.0.0.255 matches all addresses in the 192.168.1.0/24 network. The 'deny ip 192.168.1.0 0.0.0.255 any' entry blocks any IP traffic from the source subnet 192.168.1.0 through 192.168.1.255 to any destination.
Q5
hardFull explanation →

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

A

Allow all traffic within the corporate network

B

Assume breach and verify every request

Zero trust operates on the principle of never trusting and always verifying.

C

Trust devices based on their IP address

D

Trust but verify for all internal traffic

Why: Zero trust architecture is built on the principle of 'never trust, always verify,' which explicitly requires that every access request—regardless of origin—be authenticated, authorized, and continuously validated. Option B ('Assume breach and verify every request') captures this core tenet, as it mandates that no implicit trust is granted based on network location or device status, and every request must be treated as potentially malicious until proven otherwise.
Q6
mediumFull explanation →

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

A

LDAP binds

B

OAuth 2.0 tokens

OAuth 2.0 is widely used for API authorization.

C

API keys

API keys are a common way to authenticate API requests.

D

SAML assertions

E

Kerberos tickets

Why: OAuth 2.0 tokens (B) are a standard method for securing REST APIs by providing delegated, scoped access without exposing user credentials. The client presents a bearer token (typically a JSON Web Token) in the Authorization header, which the API server validates to authorize the request. This aligns with RFC 6749 and is widely adopted for stateless, scalable API security.

Want more Security Engineering practice?

Practice this domain
5

Domain 5: Security Architecture

All Security Architecture questions
Q1
mediumFull explanation →

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

A

Place all three services in the same DMZ subnet and use host-based firewalls to restrict traffic.

B

Create two DMZ subnets: one for the web server and API gateway, and another for the database server.

C

Place the web server in a DMZ subnet, the API gateway in a separate DMZ subnet, and the database server on the internal network.

D

Create three separate DMZ subnets: one for the web server, one for the API gateway, and one for the database server, with firewall rules allowing only required traffic.

This provides defense in depth; each tier is isolated, and only specific ports/protocols are allowed between them.

Why: Option D is correct because it implements the principle of least privilege through network segmentation. By placing each service in its own DMZ subnet with firewall rules that allow only the required traffic (e.g., HTTP/HTTPS from web to API, SQL from API to database), the attack surface is minimized. This prevents lateral movement if one service is compromised, as an attacker cannot directly reach the database from the web server or the API gateway from the internet.
Q2
hardFull explanation →

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

A

It provides deep packet inspection to detect malicious traffic.

B

It enforces multi-factor authentication for every session.

C

It reduces latency by establishing direct peer-to-peer connections.

D

It prevents unauthorized users from discovering the application infrastructure.

SDP uses a 'black cloud' approach where the application server is invisible until the user is authenticated and authorized, reducing the attack surface.

Why: In a zero trust architecture, the primary security benefit of a software-defined perimeter (SDP) over a traditional VPN is that it hides the application infrastructure from unauthorized users. SDP uses a controller-based model where devices must authenticate and be authorized before they can even see the application servers, effectively creating a 'black cloud' that prevents discovery and reduces the attack surface. This aligns with the zero trust principle of 'never trust, always verify' and eliminates the network-level visibility that VPNs inherently provide to any connected client.
Q3
easyFull explanation →

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?

A

Use envelope encryption where a cloud KMS wraps a data key, and the data key is used to encrypt the data.

B

Use server-side encryption with customer-provided keys (SSE-C).

C

Use server-side encryption with cloud provider-managed keys (SSE-S3).

D

Use client-side encryption where the application encrypts data before sending it to the cloud.

The company controls the encryption key entirely on-premises; the cloud only stores ciphertext.

Why: Option D is correct because client-side encryption ensures the data is encrypted by the application before it is sent to the cloud, using a key managed by the company's own on-premises HSM. This approach guarantees that the cloud provider never has access to the encryption key or the plaintext data, meeting the requirement that all data at rest in the public cloud object storage bucket be encrypted with a key managed by the company's own HSM.
Q4
mediumFull explanation →

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?

A

Deploy SSH tunneling with certificate-based authentication and configure iptables rules on the bastion host.

B

Deploy an SSL/TLS VPN using client certificates and rely on the VPN client to enforce access policies.

C

Deploy a RDP gateway with certificate authentication and restrict access via group policies.

D

Deploy an IPsec VPN with certificate-based authentication and integrate with a RADIUS server for role-based access control.

IPsec provides network-layer access, RADIUS can enforce subnet restrictions based on user role.

Why: Option D is correct because an IPsec VPN with certificate-based authentication satisfies the requirement for encrypted, integrity-protected connections using the company's internal PKI. Integrating with a RADIUS server enables role-based IP access control, allowing the VPN gateway to restrict access to specific internal subnets based on the user's role, which aligns with the need for IP-based network access control.
Q5
hardFull explanation →

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

A

Use a cloud-based DDoS scrubbing service that only forwards clean traffic to the on-premises matching engine.

Scrubbing services filter attacks at the cloud edge, adding minimal latency if the provider is close to the origin; they preserve low latency for clean traffic.

B

Deploy an intrusion prevention system (IPS) in inline mode in front of the matching engine.

C

Move the matching engine to a cloud provider with elastic scalability.

D

Implement a reverse proxy with rate limiting and IP blacklisting.

Why: A cloud-based DDoS scrubbing service (e.g., AWS Shield Advanced, Cloudflare Magic Transit) filters malicious traffic at the cloud edge before it reaches the on-premises matching engine. This preserves low latency because only clean, low-volume traffic is forwarded, and the scrubbing infrastructure is designed for high-throughput, low-latency processing without introducing inline inspection delays on the critical path.
Q6
mediumFull explanation →

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)

A

Establish an IPsec VPN tunnel between the AWS VPC and the on-premises network.

IPsec VPN provides encrypted tunnel over the internet, securing data in transit.

B

Use AWS Direct Connect to create a dedicated private network connection from on-premises to AWS.

Direct Connect bypasses the internet, providing a private, low-latency connection; can be combined with encryption for extra security.

C

Store database credentials in AWS Secrets Manager and retrieve them at runtime.

D

Configure VPC peering between the AWS VPC and the on-premises network.

E

Configure the web application to connect to the database using TLS encryption.

Why: Option A is correct because an IPsec VPN tunnel creates an encrypted, site-to-site connection between the AWS VPC and the on-premises network, ensuring encryption in transit and minimizing internet exposure by using the VPN gateway as the endpoint. Option B is correct because AWS Direct Connect provides a dedicated, private network connection that bypasses the internet entirely, reducing exposure and supporting encryption via optional MACsec or IPsec, while maintaining low latency and consistent bandwidth.

Want more Security Architecture practice?

Practice this domain
6

Domain 6: Security Operations

All Security Operations questions
Q1
easyFull explanation →

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?

A

Submit a change request to implement an email content filter.

B

Check if the host is configured as a mail server in the organization's asset database.

This step quickly confirms if the traffic is expected, avoiding unnecessary escalation.

C

Block the outbound traffic on the firewall to prevent potential data exfiltration.

D

Run a full antivirus scan on the host to detect any malware.

Why: Option B is correct because the first step in investigating potential data exfiltration over TCP port 25 (SMTP) is to verify whether the host is authorized to send email. If the host is a legitimate mail server, the traffic may be normal; if not, it could indicate malware or a misconfigured application exfiltrating data via SMTP. This aligns with the CAS-004 objective of validating asset roles before escalating to containment.
Q2
mediumFull explanation →

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?

A

Enforce a minimum password complexity policy for all users.

B

Require multi-factor authentication for all SSH logins.

C

Implement rate limiting on SSH connections per source IP.

D

Add the external IP address to the firewall deny list and implement an IP allowlist for SSH access.

This immediately blocks the attack and prevents any further attempts from that IP.

Why: Option D is correct because the attack is a brute-force or password-spraying attempt from a single external IP. Adding that IP to a firewall deny list immediately blocks all traffic from that source, while implementing an IP allowlist for SSH access ensures only trusted IPs can reach the service. This directly prevents the attack at the network layer, regardless of password strength or authentication method.
Q3
hardFull explanation →

An organization deploys a new web application that stores sensitive data in a backend database. During a penetration test, the tester discovers that the application is vulnerable to SQL injection via a search field. Which of the following design changes would best mitigate this vulnerability without significantly impacting functionality?

A

Deploy a web application firewall (WAF) to filter malicious payloads.

B

Rewrite the database query to use parameterized prepared statements.

Parameterized queries ensure user input is treated as data, not executable code, preventing SQL injection.

C

Move all database queries to stored procedures.

D

Implement client-side input validation to block special characters.

Why: Option B is correct because parameterized prepared statements separate SQL logic from user input, ensuring that any input supplied via the search field is treated strictly as data, not executable code. This directly prevents SQL injection by eliminating the possibility of an attacker altering the query structure, regardless of the input content.
Q4
mediumFull explanation →

A security engineer is configuring a SIEM and wants to reduce false positives while ensuring that real attacks are detected. Which of the following approaches would best achieve this balance?

A

Aggregate all logs from all sources and create a single correlation rule for each attack type.

B

Use the default correlation rules provided by the SIEM vendor without modification.

C

Block all traffic from external IP addresses that are not on the organization's whitelist.

D

Tune correlation rules based on the organization's asset inventory, network architecture, and threat intelligence.

Custom tuning ensures rules are relevant and accurate, reducing false positives while detecting true threats.

Why: Option D is correct because tuning correlation rules to the organization's specific asset inventory, network architecture, and threat intelligence directly reduces false positives by filtering out irrelevant events while ensuring that real attacks against known assets are detected. This approach leverages contextual knowledge to adjust thresholds, exclude noise, and prioritize alerts that match the actual attack surface, achieving the desired balance between sensitivity and specificity.
Q5
easyFull explanation →

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?

A

dd

B

Wireshark

C

FTK Imager (with memory capture)

FTK Imager can capture an image of physical memory (RAM) for analysis.

D

Nmap

Why: FTK Imager with memory capture is the correct tool because it is specifically designed to acquire a bit-for-bit copy of volatile memory (RAM) from a live system while preserving forensic integrity. Unlike disk imaging tools, FTK Imager can capture the contents of physical memory, including running processes, network connections, and encryption keys, which are critical for incident response. This tool also generates a hash of the captured memory to ensure data integrity during analysis.
Q6
mediumFull explanation →

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)

A

Require users to change passwords every 30 days.

B

Use single sign-on (SSO) for all applications.

C

Implement the principle of least privilege for all user roles.

Limiting privileges reduces the attack surface and potential damage.

D

Enable multi-factor authentication (MFA) for all administrative accounts.

MFA adds an extra layer of security beyond passwords.

E

Create default admin accounts for each department.

Why: The principle of least privilege (C) ensures that users and roles are granted only the permissions necessary to perform their job functions, reducing the attack surface and limiting potential damage from compromised accounts. Enabling multi-factor authentication (D) for administrative accounts adds a critical layer of security beyond passwords, mitigating risks from credential theft or brute-force attacks. Both are foundational controls in cloud IAM frameworks like AWS IAM, Azure AD, or GCP IAM.

Want more Security Operations practice?

Practice this domain

Frequently asked questions

How many questions are on the CAS-004 exam?

The CAS-004 exam has 90 questions and must be completed in 165 minutes. The passing score is 700/1000.

What types of questions appear on the CAS-004 exam?

Advanced scenario questions on enterprise security architecture, cryptography, governance, risk management, and integration of security controls. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.

How are CAS-004 questions organised by domain?

The exam covers 6 domains: Scripting, Containers and Automation, Application Environment, Configuration and Security, Governance, Risk and Compliance, Security Engineering, Security Architecture, Security Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual CAS-004 exam questions?

No. These are original exam-style practice questions written against the official CompTIA CAS-004 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 90 CAS-004 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all CAS-004 questionsTake a timed practice test