CompTIA · 2026 Edition
A complete preparation guide written by CompTIA-certified engineers. Covers the exam format, all 6 blueprint domains, a week-by-week study plan, and proven tips for passing first time.
Exam code: CAS-004
Full name: CompTIA SecurityX / CASP+
Vendor: CompTIA
Difficulty: Advanced
Duration: 165 minutes
Questions: 90 items
Passing score: 700/1000 (scaled)
Domains covered: 6 blueprint domains
Recommended experience: 10 years of IT experience with at least 5 in technical security; Security+ strongly recommended as a prerequisite
Typical prep time: 4–6 months
CASP+ is CompTIA's expert-level security certification — it tests practitioner skills, not just knowledge. Unlike CISSP, which targets managers, CASP+ is designed for hands-on engineers who architect and implement security solutions. It satisfies DoD 8570 IAT Level III and IASAE Level II/III requirements.
Job roles this opens
Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.
Month 1
Security Architecture: enterprise security design, cloud, network, endpoint, zero-trust models
Tip: CASP+ questions describe complex enterprise scenarios and ask what you would implement — not just what a technology does. Start thinking at the systems level: how do identity, network segmentation, encryption, and monitoring interact?
Month 2
Security Operations: vulnerability management, threat intelligence, incident response at scale
Tip: Threat hunting and intelligence operations are heavily covered on CAS-004. Know how to read IOCs (Indicators of Compromise), how MITRE ATT&CK is used for threat modelling, and how SOAR platforms automate IR playbooks.
Month 3
Security Engineering: cryptography implementation, PKI design, hardware security (HSM, TPM)
Tip: Cryptography on CASP+ goes deeper than Security+: know when to use RSA vs ECDSA vs EdDSA, what perfect forward secrecy means and which TLS cipher suites provide it, and when an HSM is required vs software key storage.
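As an added illustration of the forward-secrecy point (example code written for this guide, not CompTIA material), the following classifies cipher suite names by their key exchange. It goes slightly beyond the tip by accepting both IANA-style and OpenSSL-style names; the sample list is constructed.

```python
"""Check which TLS cipher suites provide perfect forward secrecy (PFS).

PFS comes from the key exchange: ephemeral (EC)DHE derives a fresh session
secret per handshake, so a later private-key compromise cannot decrypt
recorded traffic. Static RSA key transport and static (EC)DH do not give
PFS. Every TLS 1.3 suite uses an ephemeral key share.
"""

EPHEMERAL = {"ECDHE", "DHE"}

# TLS 1.3 suite names carry no key-exchange part (RFC 8446, Appendix B.4).
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}


def key_exchange(suite: str) -> str:
    """Return the key-exchange label (ECDHE, DHE, RSA, ECDH, ...) of a suite."""
    if suite in TLS13_SUITES:
        return "ECDHE"                      # protocol-mandated ephemeral exchange
    if suite.startswith("TLS_"):
        # IANA form: TLS_<kex>[_<auth>]_WITH_<cipher>_<hash>
        if "_WITH_" not in suite:
            raise ValueError(f"unrecognised cipher suite name: {suite}")
        return suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]
    # OpenSSL form: <kex>-<auth>-<cipher>-<hash>; static-RSA suites drop the
    # prefix entirely (e.g. AES128-SHA), so their first token is the cipher.
    return suite.split("-")[0]


def provides_pfs(suite: str) -> bool:
    """True only for authenticated ephemeral (EC)DHE; anonymous DH is excluded."""
    return key_exchange(suite) in EPHEMERAL


def audit(suites):
    """Split an offered cipher list into (pfs, no_pfs) preserving order."""
    good, bad = [], []
    for s in suites:
        (good if provides_pfs(s) else bad).append(s)
    return good, bad


# Constructed sample: a mixed server cipher list as a scanner might report it.
SAMPLE = [
    "TLS_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "ECDHE-RSA-CHACHA20-POLY1305",
    "AES128-SHA",
]

if __name__ == "__main__":
    ok, weak = audit(SAMPLE)
    print("PFS:", ok)
    print("No PFS:", weak)
```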
Month 4
Governance, Risk and Compliance: risk frameworks, audit types, data privacy regulations
Tip: GRC scenarios ask for prioritisation decisions under budget constraints. Know how to calculate risk (likelihood × impact), how to distinguish between risk acceptance, avoidance, mitigation, and transfer, and when each is appropriate.
Month 5–6
Performance-based question practice and full mock exams
Tip: CASP+ has no passing score — it is pass/fail graded by a panel. CompTIA does not publish the cut score. Focus on demonstrated competency across all domains rather than trying to hit a specific percentage in practice tests.
CASP+ is a practitioner exam, not a knowledge exam. Questions describe multi-constraint scenarios (budget, legacy systems, regulatory requirements, operational continuity) and ask for the best architectural decision. There is rarely an obviously wrong answer — all options are plausible.
Zero trust architecture is heavily tested on CAS-004: know the principles (verify explicitly, least privilege, assume breach), the control planes involved (identity, device, network, application), and how to implement microsegmentation.
Supply chain risk is a significant topic on CAS-004: hardware trojans, software bill of materials (SBOM), vendor vetting, and third-party risk assessments all appear in questions.
CASP+ is the only CompTIA expert-level certification — it sits above CISSP in hands-on technical depth, though CISSP has more industry recognition at the management level. Both serve different career tracks.
Post-quantum cryptography is on the CAS-004 blueprint: understand that RSA and ECC are vulnerable to Shor's algorithm on quantum computers, and know the NIST PQC candidate algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium) at a conceptual level.
Apply everything in this guide with adaptive practice questions, detailed answer explanations, and domain analytics.
Deep-dive explanations of the key topics tested on CAS-004 — with exam key points and common misconceptions.