
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Free · No Signup Required · CompTIA · CAS-004

CAS-004 Security Architecture Practice Questions

20+ practice questions focused on Security Architecture — one of the most tested topics on the CompTIA SecurityX CAS-004 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Sample Security Architecture Questions

1.

A security architect is designing a new DMZ for an e-commerce platform. The DMZ must host a web server, an API gateway, and a database server. The architect needs to minimize the attack surface while ensuring the web server can communicate with the API gateway, and the API gateway can communicate with the database. Which network segmentation approach best meets these requirements?

A. Place all three services in the same DMZ subnet and use host-based firewalls to restrict traffic.
B. Create two DMZ subnets: one for the web server and API gateway, and another for the database server.
C. Place the web server in a DMZ subnet, the API gateway in a separate DMZ subnet, and the database server on the internal network.
D. Create three separate DMZ subnets: one for the web server, one for the API gateway, and one for the database server, with firewall rules allowing only required traffic.

Explanation: Option D is correct because it implements the principle of least privilege through network segmentation. By placing each service in its own DMZ subnet with firewall rules that allow only the required traffic (e.g., HTTP/HTTPS from web to API, SQL from API to database), the attack surface is minimized. This prevents lateral movement if one service is compromised, as an attacker cannot directly reach the database from the web server or the API gateway from the internet.

2.

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

A. It provides deep packet inspection to detect malicious traffic.
B. It enforces multi-factor authentication for every session.
C. It reduces latency by establishing direct peer-to-peer connections.
D. It prevents unauthorized users from discovering the application infrastructure.

Explanation: In a zero trust architecture, the primary security benefit of a software-defined perimeter (SDP) over a traditional VPN is that it hides the application infrastructure from unauthorized users. SDP uses a controller-based model where devices must authenticate and be authorized before they can even see the application servers, effectively creating a 'black cloud' that prevents discovery and reduces the attack surface. This aligns with the zero trust principle of 'never trust, always verify' and eliminates the network-level visibility that VPNs inherently provide to any connected client.

3.

A security architect is evaluating cloud security architectures. The company requires that all data at rest in a public cloud object storage bucket be encrypted with a key that is managed by the company's own hardware security module (HSM) on-premises. Which encryption approach should the architect recommend?

A. Use envelope encryption where a cloud KMS wraps a data key, and the data key is used to encrypt the data.
B. Use server-side encryption with customer-provided keys (SSE-C).
C. Use server-side encryption with cloud provider-managed keys (SSE-S3).
D. Use client-side encryption where the application encrypts data before sending it to the cloud.

Explanation: Option D is correct because client-side encryption ensures the data is encrypted by the application before it is sent to the cloud, using a key managed by the company's own on-premises HSM. This approach guarantees that the cloud provider never has access to the encryption key or the plaintext data, meeting the requirement that all data at rest in the public cloud object storage bucket be encrypted with a key managed by the company's own HSM.

4.

A security architect is designing a secure remote access solution for a global workforce. The company requires that all remote connections be authenticated using certificates issued by the company's internal PKI, and that the connection be encrypted and integrity-protected. Additionally, the solution must support IP-based network access control to restrict access to specific internal subnets based on the user's role. Which of the following should the architect recommend?

A. Deploy SSH tunneling with certificate-based authentication and configure iptables rules on the bastion host.
B. Deploy an SSL/TLS VPN using client certificates and rely on the VPN client to enforce access policies.
C. Deploy an RDP gateway with certificate authentication and restrict access via group policies.
D. Deploy an IPsec VPN with certificate-based authentication and integrate with a RADIUS server for role-based access control.

Explanation: Option D is correct because an IPsec VPN with certificate-based authentication satisfies the requirement for encrypted, integrity-protected connections using the company's internal PKI. Integrating with a RADIUS server enables role-based IP access control, allowing the VPN gateway to restrict access to specific internal subnets based on the user's role, which aligns with the need for IP-based network access control.

5.

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

A. Use a cloud-based DDoS scrubbing service that only forwards clean traffic to the on-premises matching engine.
B. Deploy an intrusion prevention system (IPS) in inline mode in front of the matching engine.
C. Move the matching engine to a cloud provider with elastic scalability.
D. Implement a reverse proxy with rate limiting and IP blacklisting.

Explanation: A cloud-based DDoS scrubbing service (e.g., AWS Shield Advanced, Cloudflare Magic Transit) filters malicious traffic at the cloud edge before it reaches the on-premises matching engine. This preserves low latency because only clean, low-volume traffic is forwarded, and the scrubbing infrastructure is designed for high-throughput, low-latency processing without introducing inline inspection delays on the critical path.


How to master Security Architecture for CAS-004

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Security Architecture. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Security Architecture questions on the CAS-004 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many CAS-004 Security Architecture questions are on the real exam?

The exact number varies per candidate. Security Architecture is tested as part of the CompTIA SecurityX CAS-004 blueprint. Practicing with targeted Security Architecture questions ensures you can handle any format or difficulty that appears.

Are these CAS-004 Security Architecture practice questions free?

Yes. Courseiva provides free CAS-004 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Security Architecture one of the harder CAS-004 topics?

Difficulty is subjective, but Security Architecture is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.


Topic Info

Topic: Security Architecture
Exam: CAS-004
Questions available: 20+