20+ practice questions focused on Security Engineering — one of the most tested topics on the CompTIA SecurityX CAS-004 exam. Each question includes a detailed explanation so you learn why the right answer is correct.
A security architect is designing a VPN solution for remote employees. The company requires strong authentication and integrity protection but is less concerned about confidentiality for non-sensitive traffic. Which protocol is most appropriate?
Explanation: Option C is correct because ESP in tunnel mode with null encryption provides authentication and integrity via HMAC (e.g., HMAC-SHA256) while omitting encryption (ESP_NULL, RFC 2410). This satisfies the requirement for strong authentication and integrity without confidentiality for non-sensitive traffic, as the payload is authenticated but not encrypted.
A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?
Explanation: The implicit grant flow in OAuth 2.0 does not require the client to include the scope parameter in the authorization request; the access token is returned directly in the URL fragment without a separate token endpoint call. When the scope parameter is missing, the authorization server may issue a token with a default or limited scope, causing users to be unable to access resources that require a specific scope. This matches the described symptom, making the implicit grant the most likely flow in use.
An organization wants to implement a hardware security module (HSM) to protect cryptographic keys. Which of the following is a primary benefit of using an HSM?
Explanation: An HSM provides tamper-resistant key storage by using physical and logical safeguards, such as tamper switches, epoxy potting, and zeroization circuits, that destroy cryptographic keys if an attacker attempts to access the hardware. This ensures that private keys remain secure even if the device is compromised, which is a primary requirement for compliance with standards like FIPS 140-2 Level 3 or 4. Software-based storage cannot offer the same level of physical protection against extraction attacks.
A network administrator is configuring a firewall to block traffic from a specific IP address range. The firewall uses ACLs. Which ACL entry would deny traffic from 192.168.1.0/24?
Explanation: Option A is correct because in Cisco ACL syntax, the wildcard mask 0.0.0.255 matches all addresses in the 192.168.1.0/24 network. The 'deny ip 192.168.1.0 0.0.0.255 any' entry blocks any IP traffic from the source subnet 192.168.1.0 through 192.168.1.255 to any destination.
A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?
Explanation: Zero trust architecture is built on the principle of 'never trust, always verify,' which explicitly requires that every access request—regardless of origin—be authenticated, authorized, and continuously validated. Option B ('Assume breach and verify every request') captures this core tenet, as it mandates that no implicit trust is granted based on network location or device status, and every request must be treated as potentially malicious until proven otherwise.
1. Baseline your knowledge
Start with 10 questions to gauge your current understanding of Security Engineering. This tells you whether you need a concept refresher or just practice.
2. Review every explanation
For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.
3. Focus on exam traps
Security Engineering questions on the CAS-004 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.
4. Reach 80% consistently
Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.
The exact number varies per candidate. Security Engineering is tested as part of the CompTIA SecurityX CAS-004 blueprint. Practicing with targeted Security Engineering questions ensures you can handle any format or difficulty that appears.
Yes. Courseiva provides free CAS-004 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.
Difficulty is subjective, but Security Engineering is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.