
Scenario-based practice

Hard Difficulty Questions

Practise with original CompTIA SecurityX CAS-004 exam-style scenarios covering every exam domain, each with a detailed explanation, wrong-answer analysis, and the common exam traps to watch for.

20 scenario questions | Exam code: CAS-004 | Vendor: CompTIA

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

An organization is implementing a zero trust architecture (ZTA). The security architect proposes using a software-defined perimeter (SDP) to replace the traditional VPN for remote access. Which of the following best describes the primary security benefit of SDP over VPN in a zero trust model?

Question 2 (hard, multi-select)

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

Question 3 (hard, multi-select)

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network, while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)

Question 4 (hard, multiple choice)

A multinational corporation is implementing a privacy program that must comply with both GDPR and CCPA. Which approach to privacy impact assessments (PIAs) is most appropriate?

Question 5 (hard, multiple choice)

A healthcare organization is planning to migrate patient data to a cloud provider. The risk assessment identifies that the provider's SOC 2 report does not cover HIPAA controls. What is the BEST course of action?

Question 6 (hard, multiple choice)

A security architect is designing a system that must comply with FedRAMP Moderate controls. The system will use a cloud service provider (CSP) that is already FedRAMP Authorized. What is the primary benefit of using this CSP?

Question 7 (hard, multiple choice)

You are the security architect for a mid-sized e-commerce company that processes credit card payments. The company must comply with PCI DSS. Currently, the cardholder data environment (CDE) includes a web server, an application server, and a database server, all on the same flat network segment. The QSA has identified that the CDE is not properly segmented, and network access controls are insufficient. The company wants to minimize the scope of PCI compliance by reducing the number of systems that handle cardholder data. You propose implementing network segmentation to isolate the CDE. Which of the following is the most effective approach to reduce PCI scope while maintaining business functionality?

Question 8 (hard, multi-select)

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)

Question 9 (hard, multiple choice)

A security architect is reviewing the network architecture of a financial trading system. The system uses a time-sensitive order matching engine that must process trades with minimal latency. The architect is concerned about the risk of a DDoS attack on the matching engine. Which of the following architectural changes would best mitigate DDoS risk while preserving low latency?

Question 10 (hard, multiple choice)

A security architect is evaluating a new cloud SaaS application that will handle sensitive customer data. The SaaS provider offers a shared responsibility model where the customer is responsible for data classification, access management, and encryption of data at rest using customer-managed keys. The architect must ensure that the organization retains the ability to revoke access to the data if the provider is compromised. Which key management strategy best meets this requirement?

Question 11 (hard, multi-select)

An organization is deploying a new cloud-based application that processes personally identifiable information (PII). The security team must ensure data at rest is encrypted. Which THREE of the following controls should be implemented to protect the data? (Select THREE.)

Question 12 (hard, multiple choice)

A security engineer is troubleshooting a web application that uses OAuth 2.0 for authorization. Users report that after authenticating, they are unable to access resources that require a specific scope. The engineer inspects the authorization request and finds that the scope parameter is missing. Which OAuth flow is most likely being used?

Question 13 (hard, multiple choice)

A network administrator is troubleshooting connectivity issues. Based on the exhibit, which of the following is true about the iptables rules?

Exhibit

Refer to the exhibit.

```
# iptables -L FORWARD -v -n
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  eth0   eth1    10.0.1.0/24          0.0.0.0/0            state NEW,ESTABLISHED
    0     0 ACCEPT     all  --  eth1   eth0    0.0.0.0/0            10.0.1.0/24          state ESTABLISHED
```

Question 14 (hard, multiple choice)

A company is migrating to a zero trust architecture. Which of the following is a key principle of zero trust?

Question 15 (hard, multiple choice)

Match each automation security concept with its correct description.

Question 16 (hard, multiple choice)

A security engineer is reviewing a CI/CD pipeline that builds a Docker image. The engineer notices that the Dockerfile uses a base image from a public registry, installs packages via apt-get without version pinning, and copies a private SSH key into the image. Which of the following vulnerabilities is MOST directly introduced by this practice?

Question 17 (hard, multiple choice)

A SOC analyst is reviewing an alert about a suspicious process execution on a critical server. The alert shows that cmd.exe spawned from Microsoft Word. Which of the following is the BEST next step for the analyst?

Question 18 (hard, multi-select)

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Question 19 (hard, multiple choice)

A security analyst reviews the Windows security events in the exhibit, which were collected from a domain controller. What is the most likely conclusion about the activity?

Exhibit

Refer to the exhibit.

```
Event: 4625 (An account failed to log on)
Account Name: Administrator
Source Network Address: 10.10.10.50
Logon Type: 3 (Network)
Status: 0xC000006D (bad username or password)

Event: 4624 (An account was successfully logged on)
Account Name: jsmith
Source Network Address: 10.10.10.50
Logon Type: 2 (Interactive)

Event: 4672 (Special privileges assigned to new logon)
Account Name: jsmith
Privileges: SeTcbPrivilege, SeDebugPrivilege

Event: 5140 (A network share object was accessed)
Account Name: jsmith$
Accesses: WriteData (or AddFile)
Share Name: \\*\C$
```

Question 20 (hard, multiple choice)

A security analyst observes that SSH connections to the server are failing, but HTTP and HTTPS traffic works. Based on the exhibit, what is the most likely cause?

Exhibit (Network Topology)

Refer to the exhibit.

```
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            [not preserved]
  100   540 DROP       tcp  [remaining columns of this rule not preserved]
   50  3000 ACCEPT     tcp  [remaining columns of this rule not preserved]
   20  1200 ACCEPT     tcp  [remaining columns of this rule not preserved]
```

These CAS-004 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style CAS-004 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.