CompTIA · Free Practice Questions · Last reviewed May 2026
36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

Domain: Scripting, Containers and Automation

Which of the following is the primary security benefit of using immutable infrastructure in automated deployments?
A. Reduces operational costs by reusing existing servers
B. Eliminates configuration drift and unauthorized changes
C. Increases system performance through hardware acceleration
D. Simplifies monitoring by reducing the number of servers

A security analyst is writing a script to scan container images for known vulnerabilities before deployment. Which of the following best practices should the analyst implement to ensure the script runs securely?
A. Hardcode API keys into the script for simplicity
B. Use parameterized queries or input sanitization for any user-supplied data
C. Run the script with root privileges to ensure it has access to all images
D. Store credentials in a world-readable configuration file

An organization implements a CI/CD pipeline that automatically builds and deploys containerized microservices. Which of the following is the most effective method to ensure that only signed, trusted container images are deployed to production?
A. Implement a private container registry with access controls
B. Enable content trust and require signatures on all images
C. Run vulnerability scanning on all images before deployment
D. Use an admission controller that checks image labels

A DevOps engineer is automating the deployment of a web application using containers. Which of the following security practices should be implemented to reduce the attack surface of the containers? (Select TWO.)
A. Run containers as a non-root user
B. Build images with embedded database credentials
C. Use minimal base images like Alpine or distroless
D. Expose port 22 for SSH debugging
E. Grant all Linux capabilities to the container

A security administrator is reviewing a Python script used to automate compliance checks across cloud resources. The script uses environment variables for API tokens. Which of the following are secure coding practices that should be implemented in this script? (Select TWO.)
A. Use try-except blocks to handle exceptions gracefully
B. Use os.system() to run shell commands for resource management
C. Hardcode API tokens as fallback if environment variables are missing
D. Validate that required environment variables exist before proceeding
E. Log the API tokens for troubleshooting purposes

Match each automation security concept with its correct description.
- Immutable infrastructure
- Infrastructure as Code
- Secret management
- Container orchestration

Domain: Application Environment, Configuration and Security

Which of the following is the primary purpose of input validation in application security?
A. To improve application performance by filtering out large inputs
B. To prevent injection attacks by ensuring data conforms to expected formats
C. To encrypt user input before storing it in the database
D. To log all user input for auditing purposes

A security architect is designing a microservices application that uses JWTs for authentication. Which of the following is the most critical security concern regarding JWT handling?
A. Token expiration not being enforced
B. The JWT being transmitted over HTTP instead of HTTPS
C. The server not validating the JWT's 'alg' header properly
D. The JWT containing personally identifiable information (PII)

During a security review, you find that a web application uses a Content Security Policy (CSP) header with the value "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com;". Which attack is the application still vulnerable to?
A. Cross-site request forgery (CSRF)
B. Cross-site scripting (XSS) via inline script injection
C. SQL injection
D. Man-in-the-middle (MITM) attack due to CDN inclusion

An application uses a relational database and constructs SQL queries by concatenating user input. Which secure coding practice should be implemented to mitigate SQL injection?
A. Use stored procedures exclusively
B. Escape all user input with a database-specific escaping function
C. Implement parameterized queries / prepared statements
D. Use an ORM (Object-Relational Mapping) framework

A DevOps team is implementing a CI/CD pipeline for a Java application. They want to ensure that all dependencies are scanned for known vulnerabilities before deployment. Which type of tool should they integrate into the pipeline?
A. Static Application Security Testing (SAST)
B. Dynamic Application Security Testing (DAST)
C. Software Composition Analysis (SCA)
D. Interactive Application Security Testing (IAST)

Which two of the following are effective mitigations against XML External Entity (XXE) injection attacks? (Select the two best options.)
A. Disable Document Type Definition (DTD) processing in the XML parser
B. Use a blacklist to filter out dangerous XML tags
C. Validate all XML input against a schema
D. Use a JSON or other less complex data format instead of XML

Domain: Governance, Risk and Compliance

A global financial firm must comply with GDPR and SOX. The CISO wants to consolidate controls across frameworks using a single set of controls. Which approach best addresses this requirement?
A. Adopt a unified control framework such as NIST SP 800-53
   Explanation: Allows mapping to multiple regulations.
B. Focus only on the most stringent regulation
C. Implement automated GRC tools without changing controls
D. Maintain separate control sets for each regulation

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?
A. Request the provider's most recent SOC 3 report
B. Accept the risk and proceed with migration
C. Require the provider to sign a Business Associate Agreement (BAA)
   Explanation: Mandatory under HIPAA for covered entities.
D. Require the provider to encrypt all data at rest and in transit

An organization wants to ensure that its third-party vendors comply with the company's security policies. Which of the following is the MOST effective method?
A. Include security requirements in contracts and conduct periodic audits
   Explanation: Legally binding and verifiable.
B. Require vendors to obtain ISO 27001 certification
C. Send annual self-assessment questionnaires
D. Perform quarterly penetration tests on vendor networks

A company's data classification policy labels all financial data as 'Confidential.' An employee accidentally emails a spreadsheet containing customer payment information to an unauthorized external party. Which type of control failure occurred?
A. Preventive control failure
   Explanation: A DLP solution should have prevented the email.
B. Corrective control failure
C. Administrative control failure
D. Detective control failure

Which of the following is the PRIMARY purpose of a business impact analysis (BIA)?
A. Identify vulnerabilities and threats
B. Identify critical business processes and their impact if disrupted
   Explanation: Core purpose of a BIA.
C. Determine recovery time objectives (RTOs)
D. Develop continuity strategies

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?
A. Perform separate PIAs for GDPR and CCPA requirements
B. Skip PIAs for existing processing activities
C. Conduct a single PIA that covers both regulations' requirements
   Explanation: Comprehensive and efficient.
D. Only perform PIAs when processing high-risk data

Domain: Security Engineering

A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?
A. L2TP/IPsec with ESP
B. SSL/TLS VPN
C. ESP in tunnel mode with null encryption
   Explanation: ESP can be configured with null encryption to provide integrity and authentication without confidentiality.
D. AH in transport mode

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?
A. Client credentials grant
B. Authorization code grant
C. Resource owner password credentials grant
D. Implicit grant
   Explanation: The implicit grant does not support the scope parameter; scopes are typically fixed in the client configuration.

An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?
A. Faster key generation than software
B. Reduced network latency for encryption
C. Automatic cloud backup of keys
D. Tamper-resistant key storage
   Explanation: HSMs are designed to protect keys from physical and logical attacks.

A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?
A. deny ip 192.168.1.0 0.0.0.255 any
   Explanation: Wildcard 0.0.0.255 matches the entire /24 subnet.
B. deny ip 192.168.1.0 0.0.0.0 any
C. deny ip 192.168.1.0 0.0.0.127 any
D. deny ip 192.168.1.0 255.255.255.0 any

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?
A. Allow all traffic within the corporate network
B. Assume breach and verify every request
   Explanation: Zero trust operates on the principle of never trusting and always verifying.
C. Trust devices based on their IP address
D. Trust but verify for all internal traffic

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)
A. LDAP binds
B. OAuth 2.0 tokens
   Explanation: OAuth 2.0 is widely used for API authorization.
C. API keys
   Explanation: API keys are a common way to authenticate API requests.
D. SAML assertions
E. Kerberos tickets

Domain: Security Architecture

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?
A. Place all three services in the same DMZ subnet and use host-based firewalls to restrict traffic.
B. Create two DMZ subnets: one for the web server and API gateway, and another for the database server.
C. Place the web server in a DMZ subnet, the API gateway in a separate DMZ subnet, and the database server on the internal network.
D. Create three separate DMZ subnets: one for the web server, one for the API gateway, and one for the database server, with firewall rules allowing only required traffic.
   Explanation: This provides defense in depth; each tier is isolated, and only specific ports/protocols are allowed between them.

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?
A. It provides deep packet inspection to detect malicious traffic.
B. It enforces multi-factor authentication for every session.
C. It reduces latency by establishing direct peer-to-peer connections.
D. It prevents unauthorized users from discovering the application infrastructure.
   Explanation: SDP uses a 'black cloud' approach where the application server is invisible until the user is authenticated and authorized, reducing the attack surface.

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?
A. Use envelope encryption where a cloud KMS wraps a data key, and the data key is used to encrypt the data.
B. Use server-side encryption with customer-provided keys (SSE-C).
C. Use server-side encryption with cloud provider-managed keys (SSE-S3).
D. Use client-side encryption where the application encrypts data before sending it to the cloud.
   Explanation: The company controls the encryption key entirely on-premises; the cloud only stores ciphertext.

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?
A. Deploy SSH tunneling with certificate-based authentication and configure iptables rules on the bastion host.
B. Deploy an SSL/TLS VPN using client certificates and rely on the VPN client to enforce access policies.
C. Deploy an RDP gateway with certificate authentication and restrict access via group policies.
D. Deploy an IPsec VPN with certificate-based authentication and integrate with a RADIUS server for role-based access control.
   Explanation: IPsec provides network-layer access, and RADIUS can enforce subnet restrictions based on user role.

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?
A. Use a cloud-based DDoS scrubbing service that only forwards clean traffic to the on-premises matching engine.
   Explanation: Scrubbing services filter attacks at the cloud edge, adding minimal latency if the provider is close to the origin; they preserve low latency for clean traffic.
B. Deploy an intrusion prevention system (IPS) in inline mode in front of the matching engine.
C. Move the matching engine to a cloud provider with elastic scalability.
D. Implement a reverse proxy with rate limiting and IP blacklisting.

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)
A. Establish an IPsec VPN tunnel between the AWS VPC and the on-premises network.
   Explanation: An IPsec VPN provides an encrypted tunnel over the internet, securing data in transit.
B. Use AWS Direct Connect to create a dedicated private network connection from on-premises to AWS.
   Explanation: Direct Connect bypasses the internet, providing a private, low-latency connection; it can be combined with encryption for extra security.
C. Store database credentials in AWS Secrets Manager and retrieve them at runtime.
D. Configure VPC peering between the AWS VPC and the on-premises network.
E. Configure the web application to connect to the database using TLS encryption.

Domain: Security Operations

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?
A. Submit a change request to implement an email content filter.
B. Check if the host is configured as a mail server in the organization's asset database.
   Explanation: This step quickly confirms whether the traffic is expected, avoiding unnecessary escalation.
C. Block the outbound traffic on the firewall to prevent potential data exfiltration.
D. Run a full antivirus scan on the host to detect any malware.

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?
A. Enforce a minimum password complexity policy for all users.
B. Require multi-factor authentication for all SSH logins.
C. Implement rate limiting on SSH connections per source IP.
D. Add the external IP address to the firewall deny list and implement an IP allowlist for SSH access.
   Explanation: This immediately blocks the attack and prevents any further attempts from that IP.

An organization deploys a new web application that stores sensitive data in a backend database. During a penetration test, the tester discovers that the application is vulnerable to SQL injection via a search field. Which of the following design changes would best mitigate this vulnerability without significantly impacting functionality?
A. Deploy a web application firewall (WAF) to filter malicious payloads.
B. Rewrite the database query to use parameterized prepared statements.
   Explanation: Parameterized queries ensure user input is treated as data, not executable code, preventing SQL injection.
C. Move all database queries to stored procedures.
D. Implement client-side input validation to block special characters.

A security engineer is configuring a SIEM and wants to reduce false positives while ensuring that real attacks are detected. Which of the following approaches would best achieve this balance?
A. Aggregate all logs from all sources and create a single correlation rule for each attack type.
B. Use the default correlation rules provided by the SIEM vendor without modification.
C. Block all traffic from external IP addresses that are not on the organization's whitelist.
D. Tune correlation rules based on the organization's asset inventory, network architecture, and threat intelligence.
   Explanation: Custom tuning ensures rules are relevant and accurate, reducing false positives while detecting true threats.

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?
A. dd
B. Wireshark
C. FTK Imager (with memory capture)
   Explanation: FTK Imager can capture an image of physical memory (RAM) for analysis.
D. Nmap

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)
A. Require users to change passwords every 30 days.
B. Use single sign-on (SSO) for all applications.
C. Implement the principle of least privilege for all user roles.
   Explanation: Limiting privileges reduces the attack surface and potential damage.
D. Enable multi-factor authentication (MFA) for all administrative accounts.
   Explanation: MFA adds an extra layer of security beyond passwords.
E. Create default admin accounts for each department.

The CAS-004 exam has 90 questions and must be completed in 165 minutes. The passing score is 700/1000.
Advanced scenario questions on enterprise security architecture, cryptography, governance, risk management, and integration of security controls. Some questions are performance-based (PBQs), asking you to complete tasks in a simulated environment.
The exam covers 6 domains: Scripting, Containers and Automation; Application Environment, Configuration and Security; Governance, Risk and Compliance; Security Engineering; Security Architecture; Security Operations. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official CompTIA CAS-004 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.