Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


CAS-004 Security Operations • Complete Question Bank

CAS-004 Security Operations — All Questions With Answers

Complete CAS-004 Security Operations question bank — all 0 questions with answers and detailed explanations.

65 questions
Question 1 (easy, multiple choice)

A security analyst receives an alert indicating an internal host is sending outbound traffic on TCP port 25 to multiple external IP addresses. Which action should the analyst take first to investigate potential data exfiltration?

Question 2 (medium, multiple choice)

A SOC analyst is reviewing a large volume of failed login attempts across multiple user accounts from a single external IP address. The attempts use common usernames and passwords over SSH (port 22). Which security control would be most effective at preventing this type of attack?

Question 3 (hard, multiple choice)

An organization deploys a new web application that stores sensitive data in a backend database. During a penetration test, the tester discovers that the application is vulnerable to SQL injection via a search field. Which of the following design changes would best mitigate this vulnerability without significantly impacting functionality?

Question 4 (medium, multiple choice)

A security engineer is configuring a SIEM and wants to reduce false positives while ensuring that real attacks are detected. Which of the following approaches would best achieve this balance?

Question 5 (easy, multiple choice)

During a security incident, a forensic investigator needs to capture the contents of volatile memory on a compromised server. Which of the following tools should the investigator use?

Question 6 (medium, multi select)

Which TWO of the following are best practices for securing a cloud-based identity and access management (IAM) system? (Select exactly 2.)

Question 7 (hard, multi select)

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Question 8 (hard, multiple choice)

A security analyst reviews the Windows security events from a domain controller shown in the exhibit. What is the most likely conclusion about the activity?

Exhibit

Refer to the exhibit.

```
Event: 4625 (An account failed to log on)
Account Name: Administrator
Source Network Address: 10.10.10.50
Logon Type: 3 (Network)
Status: 0xC000006D (bad username or password)

Event: 4624 (An account was successfully logged on)
Account Name: jsmith
Source Network Address: 10.10.10.50
Logon Type: 2 (Interactive)

Event: 4672 (Special privileges assigned to new logon)
Account Name: jsmith
Privileges: SeTcbPrivilege, SeDebugPrivilege

Event: 5140 (A network share object was accessed)
Account Name: jsmith$
Accesses: WriteData (or AddFile)
Share Name: \\*\C$
```
Question 9 (medium, multiple choice)

A cloud security engineer reviews the S3 bucket policy shown in the exhibit. Which of the following is the most significant security concern?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket123/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "203.0.113.0/24"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket123/*",
      "Principal": "*"
    }
  ]
}
```
Question 10 (medium, multiple choice)

A security analyst notices repeated failed login attempts from a single IP address across multiple user accounts. Which of the following is the BEST immediate action to mitigate this attack?

Question 11 (hard, multiple choice)

A SOC analyst is reviewing an alert about a suspicious process execution on a critical server. The alert shows that cmd.exe spawned from Microsoft Word. Which of the following is the BEST next step for the analyst?

Question 12 (easy, multiple choice)

An organization wants to implement a solution that automatically detects and blocks malicious traffic based on known signatures and behavioral anomalies. Which of the following should be deployed?

Question 13 (hard, multiple choice)

A security engineer needs to design a solution to detect and respond to insider threats involving unauthorized data exfiltration via USB devices. Which of the following is the MOST effective approach?

Question 14 (medium, multi select)

A security analyst is investigating a potential data breach. The logs show that an attacker used a compromised service account to access sensitive files on a file server. Which TWO actions should the analyst take FIRST to contain the incident? (Choose TWO.)

Question 15 (hard, multiple choice)

A large enterprise has deployed a security information and event management (SIEM) system that ingests logs from all critical servers, network devices, and endpoints. The SIEM is configured to correlate events and generate alerts for suspicious activities. Recently, the SOC team has been overwhelmed by a high volume of false positive alerts, particularly from the web server farm. The false positives are mainly triggered by legitimate web crawling and scanning activities from partners and internal tools. The SOC manager wants to reduce false positives without missing real threats. As the security architect, you are asked to recommend a solution. Which of the following is the BEST course of action?

Question 16 (medium, multiple choice)

A small business runs its critical line-of-business application on a single Windows server located in a local data center. The server is accessed by employees remotely via RDP over a VPN. Recently, the server has been experiencing slow performance, and the administrator notices high CPU usage from a process named 'svchost.exe'. The administrator suspects malware but is not sure. The business has no security tools beyond Windows Defender. Management wants to minimize downtime and ensure the server is back to full operation as soon as possible. Which of the following is the BEST course of action for the administrator to take first?

Question 17 (easy, multi select)

Which TWO of the following are key components of a successful incident response plan according to NIST SP 800-61?

Question 18 (hard, multiple choice)

Based on the exhibit, which type of attack is most likely occurring?

Exhibit

Refer to the exhibit.

```
Jul 15 10:23:45 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=admin
Jul 15 10:23:47 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:49 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:51 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:53 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:55 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:23:57 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
Jul 15 10:24:00 server1 authpriv: sudo: pam_unix(sudo:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/pts/2 ruser=root rhost=  user=root
```
Question 19 (medium, multiple choice)

A security analyst at a financial institution is investigating a potential data exfiltration incident. The organization uses a zero-trust network architecture with micro-segmentation. The analyst notices that a database server with sensitive customer financial data has been communicating with an external IP address (198.51.100.45) over port 443 during non-business hours. The database server is not supposed to initiate outbound connections; all outbound traffic is logged and blocked by default except for specific allowlisted IPs and ports. The analyst reviews the firewall logs and finds that the outbound connection to 198.51.100.45 was allowed because the source port was 443, which is an allowed port for inbound HTTPS traffic. The database server is not a web server and does not run any HTTPS services. Which of the following is the best course of action for the analyst to take first?

Question 20 (medium, drag order)

Drag and drop the steps to set up a SIEM alert for a failed login threshold into the correct order.

Question 21 (medium, matching)

Match each security tier or model to its description.

Descriptions

Highest privilege assets like domain controllers

Server and application administration

User workstations and devices

Separates admin accounts by sensitivity

Never trust, always verify

Question 22 (easy, multiple choice)

A security analyst observes anomalous outbound network traffic from a server that normally only performs internal functions. According to the incident response plan, what should the analyst do first?

Question 23 (medium, multiple choice)

A company wants to reduce the mean time to detect (MTTD) for security incidents. Which technology is most effective for this purpose?

Question 24 (hard, multiple choice)

During a ransomware incident, the organization discovers that all production backups have been encrypted by the attacker. What is the most effective recovery approach?

Question 25 (easy, multiple choice)

A forensic analyst needs to collect volatile data from a live Windows system. In which order should the analyst collect the following data? (Order of volatility)

Question 26 (medium, multiple choice)

A SOC manager is considering implementing a SOAR platform. Which is the primary benefit of SOAR in day-to-day operations?

Question 27 (hard, multiple choice)

After containing a confirmed security incident, the incident response team must plan for eradication. What must be done before eradication begins?

Question 28 (easy, multiple choice)

A SOC analyst is investigating a potential lateral movement within the network. Which log source is most critical for detecting lateral movement using pass-the-hash or pass-the-ticket attacks?

Question 29 (medium, multiple choice)

A threat hunter hypothesizes that a sophisticated attacker is using DNS tunneling for command and control. Which data source would most likely confirm this activity?

Question 30 (hard, multiple choice)

During a forensic investigation, the examiner discovers that the chain of custody documentation was not properly maintained for a critical hard drive. What is the most likely consequence?

Question 31 (medium, multi select)

A SOC wants to improve detection of advanced persistent threats (APTs) that evade traditional signature-based tools. Which TWO approaches are most effective? (Select exactly 2.)

Question 32 (hard, multi select)

During an incident response, the team must perform containment actions. Which TWO actions are considered proper containment? (Select exactly 2.)

Question 33 (easy, multi select)

Which THREE components are essential for a fully functional Security Operations Center (SOC)? (Select exactly 3.)

Question 34 (hard, multiple choice)

Based on the exhibit, what type of attack is most likely occurring?

Exhibit

Refer to the exhibit.

```
# grep "Failed password" /var/log/auth.log | tail -5
Feb 27 10:23:01 server1 sshd[1234]: Failed password for root from 192.168.1.10 port 22 ssh2
Feb 27 10:23:05 server1 sshd[1235]: Failed password for root from 192.168.1.10 port 22 ssh2
Feb 27 10:23:10 server1 sshd[1236]: Failed password for admin from 10.10.10.5 port 22 ssh2
Feb 27 10:23:15 server1 sshd[1237]: Failed password for root from 192.168.1.10 port 22 ssh2
Feb 27 10:23:20 server1 sshd[1238]: Failed password for user from 172.16.0.20 port 22 ssh2
```
Question 35 (medium, multiple choice)

Based on the exhibit, what is the primary purpose of the condition in this IAM policy?

Exhibit

Refer to the exhibit.

```
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::corporate-bucket/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": [
            "10.0.0.0/16",
            "192.168.1.0/24"
          ]
        }
      }
    }
  ]
}
```
Question 36 (easy, multiple choice)

Based on the exhibit, which vulnerability is being exploited?

Exhibit

Refer to the exhibit.

```
192.168.1.10 - - [27/Feb/2025:10:30:15 +0000] "GET /../../../etc/passwd HTTP/1.1" 200 2345
```
Question 37 (medium, multiple choice)

A security analyst is reviewing alerts from a SIEM and notices multiple failed login attempts from a single IP address to different user accounts over a 5-minute window. What should the analyst do FIRST?

Question 38 (easy, multiple choice)

A company is implementing a SIEM solution and needs to ensure that logs from network devices, servers, and endpoints are collected in a consistent format. Which protocol should be used to transport logs securely?

Question 39 (hard, multiple choice)

During a forensic investigation, an analyst finds that a compromised system's memory dump shows signs of a kernel-mode rootkit. Which technique is MOST effective to detect the rootkit without relying on the compromised OS?

Question 40 (easy, multiple choice)

An organization wants to reduce the attack surface of its web servers by ensuring only necessary modules are enabled. Which practice directly supports this goal?

Question 41 (hard, multiple choice)

A SOC team uses a SOAR platform to automate incident response. They want to ensure that playbooks run with minimal human intervention but still require approval for actions that could cause service disruption. Which approach should be used?

Question 42 (medium, multiple choice)

After a security incident, the IR team identifies that the attacker used a spear-phishing email with an attached malicious macro. Which log source would be MOST crucial to determine the scope of the compromise?

Question 43 (hard, multiple choice)

A security engineer needs to deploy a host-based intrusion detection system (HIDS) on a critical Linux server without impacting performance. Which configuration is MOST appropriate?

Question 44 (easy, multiple choice)

During a tabletop exercise, the CSIRT discovers that the organization lacks a clear chain of command for decision-making during incidents. Which document should be updated to address this gap?

Question 45 (medium, multiple choice)

A threat hunter wants to identify potential lateral movement within the network. Which data source is LEAST useful for this purpose?

Question 46 (easy, multi select)

Which TWO of the following are primary goals of security operations monitoring? (Choose two.)

Question 47 (medium, multi select)

A security analyst is analyzing a network capture and sees repeated TCP SYN packets to a host but no SYN-ACK responses. Which TWO conclusions are MOST likely? (Choose two.)

Question 48 (hard, multi select)

A CSIRT is developing a threat hunting hypothesis based on the MITRE ATT&CK framework. Which THREE of the following are techniques that threat hunters would commonly investigate for initial access? (Choose three.)

Question 49 (hard, multiple choice)

Given the exhibit, what is the MOST likely scenario?

Exhibit

Refer to the exhibit.

```
[timestamp] firewall: Deny TCP 10.0.1.100:54321 -> 203.0.113.5:80 (Drop)
[timestamp] firewall: Allow TCP 10.0.1.100:54322 -> 203.0.113.5:443 (Allow)
[timestamp] IDS: Alert - SQL Injection attempt detected from 10.0.1.100 to 203.0.113.5:443
[timestamp] web_server: HTTP POST /login.php with sql_injection_pattern
```
Question 50 (medium, multiple choice)

Given the exhibit, what is the effect of this S3 bucket policy on an object stored in 'bucket-name'?

Exhibit

Refer to the exhibit.

```
[Security Policy JSON]
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Condition": {
        "IpAddress": {
          "aws:SourceIp": "10.0.0.0/8"
        }
      }
    },
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::bucket-name/*"
    }
  ]
}
```
Question 51 (easy, multiple choice)

Based on the auth.log exhibit, what is the MOST appropriate immediate action to mitigate this attack?

Exhibit

Refer to the exhibit.

```
# auth.log excerpt
Mar 15 10:23:45 server sshd[1234]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:23:46 server sshd[1235]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:23:47 server sshd[1236]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:23:48 server sshd[1237]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:23:49 server sshd[1238]: Failed password for root from 192.168.1.100 port 22 ssh2
Mar 15 10:23:50 server sshd[1239]: Failed password for invalid user admin from 192.168.1.100 port 22 ssh2
Mar 15 10:23:51 server sshd[1240]: Failed password for admin from 192.168.1.100 port 22 ssh2
Mar 15 10:23:52 server sshd[1241]: Failed password for admin from 192.168.1.100 port 22 ssh2
```
Question 52 (medium, multiple choice)

A financial organization's SOC analysts have observed repeated failed authentication attempts from a single external IP address against multiple user accounts, followed by a successful authentication from the same IP using one of those accounts. Which type of security monitoring rule would be most effective at detecting this attack pattern in real time?

Question 53 (hard, multiple choice)

A large enterprise is implementing a SOAR platform to automate incident response. The security team wants to create a playbook for handling phishing emails reported by users. The playbook should: 1) validate the reported email by checking headers and attachments, 2) automatically block the sender's domain at the email gateway if malicious, 3) create a ticket, and 4) send an automated response to the user. Which of the following describes the best approach to design this playbook?

Question 54 (easy, multiple choice)

A SOC analyst receives an alert indicating that a workstation has been making outbound connections to a known command-and-control (C2) IP address. The analyst initiates the incident response process. Which of the following should be the FIRST action taken?

Question 55 (medium, multiple choice)

During a routine vulnerability scan, a security engineer discovers that a critical web application is running an outdated version of a third-party library with a known remote code execution (RCE) vulnerability. The application is in production and cannot be taken offline immediately. Which of the following is the BEST immediate action to reduce risk?

Question 56 (hard, multiple choice)

A security architect is designing a deception-based detection system for a high-security environment. The goal is to detect lateral movement by attackers who have already breached the perimeter. Which of the following deception techniques would be most effective at identifying an attacker without alerting them to the deception?

Question 57 (medium, multi select)

A security administrator is evaluating ways to improve endpoint detection and response (EDR) capabilities. Which TWO of the following approaches would most effectively enhance the detection of fileless malware attacks?

Question 58 (hard, multi select)

A security operations team wants to improve their threat intelligence program. Which THREE of the following are most important for ensuring that threat intelligence is actionable and effectively integrated into security operations?

Question 59 (easy, multiple choice)

You are a SOC analyst at a mid-sized company. The SIEM alerts on anomalous outbound traffic from a finance workstation to an external IP address never seen before. The workstation belongs to an employee in the accounts payable department. The alert shows that 500 MB of data was transferred via SMB over the internet, which is unusual because internal file shares are normally used. The employee is currently logged in and is in a meeting across the building. The initial triage confirms the workstation is not domain-joined and has been bypassing corporate firewall rules using a personal VPN. Which of the following actions should you take FIRST?

Question 60 (medium, multiple choice)

A healthcare organization has suffered a ransomware attack. The ransomware encrypted all files on file servers and workstations, and a ransom note demands payment in cryptocurrency. The backup systems were also encrypted because the backup service account had write access to the backup repository. The organization's cybersecurity team has activated the incident response plan. Which of the following is the BEST course of action?

Question 61 (hard, multiple choice)

A technology company suspects an insider threat is exfiltrating intellectual property. The security team has deployed user and entity behavior analytics (UEBA) and set up data loss prevention (DLP) rules. A UEBA alert flags a senior developer who is accessing the source code repository at 2 AM from a VPN connection that routes through a foreign country. The developer also recently downloaded a large quantity of source code—more than 10 times the normal volume. DLP policies are configured to block emails with attachments over 10 MB. Which of the following should the incident response team do FIRST?

Question 62 (medium, multiple choice)

A cloud security team uses AWS and has configured a virtual private cloud (VPC) with a public subnet for a web application. The web servers in the public subnet have security groups that allow inbound HTTP/HTTPS from 0.0.0.0/0. The security team receives an alert that an EC2 instance in the public subnet is making outbound connections to an IP address that is listed on a threat intelligence feed as a known mining pool. The instance's security group allows all outbound traffic. The team suspects the instance is compromised and running cryptocurrency mining malware. Which of the following should be the FIRST action to take?

Question 63 (easy, multi select)

A security analyst is reviewing web server logs and notices repeated requests to URLs containing sequences like '/../../../etc/shadow' and '/../../../etc/passwd'. Which TWO actions should the analyst take as part of the immediate incident response process?

Question 64 (medium, multiple choice)

Based on the iptables exhibit, a security analyst has received an alert that an external IP (203.0.113.5) is attempting to connect to TCP port 3389 on the server. Which of the following best describes the current rule set's treatment of this traffic?

Exhibit (network topology)

Refer to the exhibit.

```
# iptables -L -n -v
```

(The rule listing was rendered as an image and only fragments survived extraction: the packet and byte counters, an ACCEPT all rule on lo, three ACCEPT tcp rules, a DROP tcp rule, a LOG tcp rule, and an ACCEPT all rule between eth0 and eth1. The port and address columns are not recoverable.)
Question 65 (hard, multiple choice)

A mid-sized e-commerce company has recently experienced a data breach where customer payment card information was exfiltrated. The security team has identified that the breach originated from a compromised web server that was part of a PCI DSS compliant environment. The server was running outdated software and had several known vulnerabilities. Post-incident analysis reveals that the attacker exploited a SQL injection vulnerability in the order-tracking feature. The incident response team followed NIST SP 800-61 guidelines: they contained the threat, eradicated the malicious code, and restored the server from a known clean backup. However, two weeks after the restoration, the same server is again showing signs of similar malicious activity. The server is still in production and handling credit card transactions. Which of the following is the MOST effective course of action to prevent this recurring compromise?
