
Scenario-based practice

Select Two (Multi-Select) Questions

Practise CompTIA SecurityX CAS-004 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions
Exam code: CAS-004
Vendor: CompTIA

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. There is no partial credit: you must select every correct answer and no incorrect ones. The stem always states how many to choose, so trust it. These questions require precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Related practice questions

Related CAS-004 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1 (hard, multi-select)

A security architect is planning the migration of a legacy application to a containerized microservices architecture on Kubernetes. The architect must ensure that the architecture supports secrets management, service-to-service authentication, and encryption of data in transit between microservices. Which THREE components should the architect include in the design? (Choose three.)

Question 2 (hard, multi-select)

A security architect is reviewing the network security controls for a critical industrial control system (ICS) environment. The architect must select two controls that are most effective at preventing unauthorized access to the ICS network from the corporate IT network, while still allowing necessary monitoring traffic. Which TWO controls should be implemented? (Choose two.)

Question 3 (easy, multi-select)

Which TWO of the following are examples of administrative controls? (Select TWO)

Question 4 (medium, multi-select)

Which THREE of the following are common challenges when implementing a vendor risk management program? (Select THREE)

Question 5 (hard, multi-select)

A security architect is evaluating a new cloud-based application that will process sensitive customer data. The architect must ensure compliance with GDPR and PCI DSS. Which THREE of the following controls should be implemented? (Select THREE.)

Question 6 (medium, multi-select)

A security architect is designing a hybrid cloud environment where a web application hosted in AWS needs to securely access an on-premises database. The architect wants to minimize exposure to the internet and ensure encryption in transit. Which TWO techniques should the architect consider? (Choose two.)

Question 7 (hard, multi-select)

An organization is deploying a new cloud-based application that processes personally identifiable information (PII). The security team must ensure data at rest is encrypted. Which THREE of the following controls should be implemented to protect the data? (Select THREE.)

Question 8 (medium, multi-select)

A security architect is designing a secure software development pipeline. The organization wants to ensure that code is thoroughly analyzed before deployment. Which TWO of the following should be integrated into the pipeline to identify vulnerabilities early? (Select TWO.)

Question 9 (medium, multi-select)

Which TWO of the following are valid methods for securing REST APIs? (Select TWO.)

Question 10 (hard, multi-select)

Which THREE of the following are effective techniques for detecting advanced persistent threats (APTs) within a network? (Select exactly 3.)

Question 11 (medium, multi-select)

A security engineer is reviewing the configuration of a web application firewall (WAF) that protects a critical e-commerce site. Which TWO settings should be enabled to defend against SQL injection attacks? (Select TWO.)

Question 12 (multi-select)

A security administrator is reviewing a Python script used to automate compliance checks across cloud resources. The script uses environment variables for API tokens. Which of the following are secure coding practices that should be implemented in this script? (Select TWO.)

Question 13 (medium, multi-select)

Which TWO of the following are key elements of a data classification policy?

Question 14 (medium, multi-select)

A security analyst is reviewing a web application's authentication mechanism. Which of the following are best practices to prevent session hijacking? (Select TWO.)

Question 15 (medium, multi-select)

A security analyst is investigating a potential data breach. The logs show that an attacker used a compromised service account to access sensitive files on a file server. Which TWO actions should the analyst take FIRST to contain the incident? (Choose TWO.)

Question 16 (medium, multi-select)

Which two of the following are best practices for securing container orchestration platforms (e.g., Kubernetes)? (Select two.)

Question 17 (medium, multi-select)

An organization is implementing a DevSecOps pipeline. Which of the following are essential security controls to include? (Select TWO.)

Question 18 (hard, multi-select)

A security architect is designing a secure software development lifecycle (SSDLC). Which of the following practices are essential for integrating security into the development process? (Select TWO.)

Question 19 (hard, multi-select)

Which THREE of the following are required for a valid Business Associate Agreement (BAA) under HIPAA? (Select THREE)

Question 20 (hard, multi-select)

A multinational corporation is subject to GDPR and the California Consumer Privacy Act (CCPA). A security architect is designing a data governance solution to meet both regulations. Which TWO controls are most appropriate?

These CAS-004 practice questions are part of Courseiva's free CompTIA certification practice question bank. Courseiva provides original exam-style CAS-004 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.