CAS-004 · topic practice

Security Engineering and Cryptography practice questions

Practise CompTIA SecurityX CAS-004 Security Engineering and Cryptography with original exam-style scenarios, each with answer choices, an explanation, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Security Engineering and Cryptography

What the exam tests

What to know about Security Engineering and Cryptography

Security Engineering and Cryptography questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Security Engineering and Cryptography exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Security Engineering and Cryptography questions

20 questions · select your answer, then reveal the explanation

A security architect is designing a new authentication system for a high-security environment. The system must support passwordless authentication while providing strong protection against phishing attacks. Which of the following protocols best meets these requirements?

Question 2 · hard · multiple choice

A security engineer is reviewing a PKI deployment where the root CA is kept offline. The issuing CA signs certificates for internal applications. Recently, a subordinate CA was compromised, and the engineer needs to revoke all certificates issued by that CA. Which of the following is the most efficient method to revoke these certificates?

A company requires a cryptographic hash function for integrity verification of large files. The solution must be resistant to length extension attacks and provide high performance. Which of the following is the best choice?
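The "resistant to length extension attacks" detail in the question above is the one that decides it, so here is what that property means in practice. This is an added example, not code from Courseiva or the original page: a compact SHA-256 whose internal state can be resumed from a published digest (the `hashlib` API deliberately hides that state), used to forge a tag for `H(secret || message || padding || suffix)` without knowing the secret. `SECRET`, `MESSAGE` and `SUFFIX` are constructed. The same forgery is impossible against SHA-3 (a sponge, whose capacity bits never appear in the output) or BLAKE2 (whose finalisation flag makes the last compression different from an intermediate one), and it is defeated for any hash by HMAC.

```python
"""SHA-256 length extension versus a construction that cannot be extended.

Added example for this page, not Courseiva's code. SECRET, MESSAGE and SUFFIX are
constructed; the compact SHA-256 below exists only so its internal state can be
resumed, which hashlib does not allow.
"""
import hashlib
import hmac
import struct
from math import isqrt

M32 = 0xFFFFFFFF


def _primes(n):
    ps, c = [], 2
    while len(ps) < n:
        if all(c % p for p in ps):
            ps.append(c)
        c += 1
    return ps


def _icbrt(n):
    """Exact integer cube root, so the round constants carry no float error."""
    x = round(n ** (1 / 3))
    while x ** 3 > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


_P = _primes(64)
K = [_icbrt(p << 96) & M32 for p in _P]       # frac(cbrt(prime)) * 2**32
IV = [isqrt(p << 64) & M32 for p in _P[:8]]   # frac(sqrt(prime)) * 2**32


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & M32


def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & M32)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + K[i] + w[i]) & M32
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & M32
        a, b, c, d, e, f, g, h = (t1 + t2) & M32, a, b, c, (d + t1) & M32, e, f, g
    return [(x + y) & M32 for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def _padding(total_len):
    """Merkle-Damgard padding for total_len bytes: 0x80, zeros, 64-bit bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(data, state=None, absorbed=0):
    """SHA-256 of data. Given a previous digest as `state` and the number of bytes
    already absorbed (a multiple of 64), continues hashing from that point."""
    st = list(IV if state is None else state)
    buf = data + _padding(absorbed + len(data))
    for off in range(0, len(buf), 64):
        st = _compress(st, buf[off:off + 64])
    return struct.pack(">8I", *st)


def extend(known_digest, known_len, suffix):
    """From H(secret||msg) and len(secret||msg) alone, return the bytes to append to
    msg and the digest of secret||msg||padding||suffix. The secret is never needed."""
    glue = _padding(known_len)
    state = struct.unpack(">8I", known_digest)
    return glue + suffix, sha256(suffix, state, known_len + len(glue))


SECRET = b"s3cr3t-key"            # constructed; the attacker never sees it
MESSAGE = b"amount=10&to=alice"   # constructed
SUFFIX = b"&to=mallory"           # constructed; what the attacker appends


def matches_hashlib(data):
    """Sanity check of the compact implementation against the standard library."""
    return sha256(data) == hashlib.sha256(data).digest()


def naive_tag_is_forgeable(secret=SECRET, msg=MESSAGE, suffix=SUFFIX):
    """True if the naive tag H(secret||msg) can be extended to cover an appended suffix."""
    tag = hashlib.sha256(secret + msg).digest()                     # tag the server issued
    appended, forged = extend(tag, len(secret) + len(msg), suffix)  # attacker: tag + length only
    real = hashlib.sha256(secret + msg + appended).digest()         # what the server recomputes
    return hmac.compare_digest(forged, real)


def keyed_tag(msg):
    """What to use instead: HMAC-SHA256 (the inner digest is hashed again under the
    key) or keyed BLAKE2b (key in the first block plus a finalisation flag); neither
    output is a state an attacker can resume from."""
    return hmac.new(SECRET, msg, hashlib.sha256).digest(), hashlib.blake2b(msg, key=SECRET).digest()


if __name__ == "__main__":
    print("naive H(secret||msg) tag forged:", naive_tag_is_forgeable())
```

Run it and the forged digest verifies against the server's own recomputation, even though the attacker only held the tag and a guess at the secret's length. That is why a plain SHA-2 digest of `secret || data` is not a MAC, and why the question's constraint rules out the Merkle-Damgård family unless it is wrapped in HMAC or replaced by a hash without that structure.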

Question 4 · medium · multiple choice

An organization is implementing IPsec VPNs between sites. The security team wants to ensure data integrity and authentication but is less concerned about confidentiality for this particular link. Which IPsec protocol and mode should they use?

A security analyst is configuring a TPM 2.0 for a new fleet of laptops. The requirement is to ensure that only authorized operating systems can boot and that any tampering with the boot process is detected. Which TPM feature should be used?

An organization wants to implement a privileged access management (PAM) solution to manage administrative credentials. They require that administrators request temporary access to privileged accounts and that these credentials are automatically rotated after each use. Which PAM approach best meets these requirements?

A web server is configured to use TLS 1.3. Which of the following is a key security benefit of TLS 1.3 over earlier versions?

A security engineer is selecting an asymmetric encryption algorithm for a system that must provide non-repudiation and long-term security (at least 20 years). The system has limited computational resources. Which of the following is the best choice?

A company is deploying IoT sensors that require secure firmware updates over the air (OTA). To ensure integrity and authenticity of the firmware, which of the following should be implemented?

Which of the following certificate types is most appropriate for an organization that needs to validate the identity of individuals for email encryption and signing?

During a security assessment, an analyst discovers that an HSM used for key generation is validated to FIPS 140-2 Level 2. The organization requires a higher level of physical security to prevent tampering. Which upgrade would best address this requirement?

A security administrator is hardening SSH access to a jump host. The requirement is to allow only key-based authentication and restrict the use of weak cryptographic algorithms. Which of the following configurations accomplishes this?

An organization is implementing a PKI with a three-tier hierarchy (root CA, intermediate CA, issuing CA). The security team wants to ensure that certificate revocation information is available quickly and efficiently. Which TWO mechanisms should they implement? (Select TWO.)

Question 14 · medium · multi-select

A company is migrating from RSA to elliptic curve cryptography for digital signatures. They require a signature algorithm that provides at least 128 bits of security strength and is resistant to quantum computing attacks in the foreseeable future. Which TWO algorithms meet these requirements? (Select TWO.)

A security engineer is evaluating hardware security modules (HSMs) for key management. The HSM must support key generation, storage, and cryptographic operations without exposing private keys. Additionally, the solution must be validated to FIPS 140-2 Level 3. Which THREE features are essential for this requirement? (Select THREE.)

Question 16 · medium · multiple choice

A security architect is designing a new web application that must meet strict data confidentiality and integrity requirements. The application will run in a cloud environment and must support low-latency operations. The architect is considering cipher suites for TLS 1.3. Which combination of algorithms would best meet these requirements?

An organization is implementing a PKI to issue certificates for internal applications. The security team wants to minimize the risk of compromise to the root CA. Which of the following is the BEST practice to protect the root CA?

A company is migrating its internal services to use SSH key-based authentication instead of passwords. The security policy requires using the strongest supported algorithms. The SSH server supports the following key exchange algorithms: diffie-hellman-group14-sha256, ecdh-sha2-nistp384, curve25519-sha256. Which algorithm should the administrator choose to meet the policy?
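Both SSH scenarios on this page (the jump host that must accept keys only and refuse weak algorithms, and the choice from the server's supported key-exchange list) come down to a handful of `sshd_config` directives. The following added example, not code from Courseiva or OpenSSH, parses an `sshd_config` and audits it against that policy. The weak-algorithm patterns, the set of required directives and both sample configurations are constructed for illustration; `Match` blocks are not modelled.

```python
"""Audit an sshd_config against a key-only, strong-algorithm policy.

Added example for this page, not Courseiva's or OpenSSH's code. The weak-algorithm
patterns, the required directives and both sample configs are constructed.
"""
import re

# Constructed policy: SHA-1 and MD5 kex/MACs, the 1024-bit group1 kex, CBC modes,
# RC4 (arcfour) and 3DES ciphers, and the SHA-1-based ssh-rsa/ssh-dss signature
# schemes count as weak. Each pattern is matched against one algorithm name.
WEAK_PATTERNS = [r"sha1", r"md5", r"group1-", r"-cbc", r"arcfour", r"3des",
                 r"^ssh-rsa", r"^ssh-dss"]

# Directives that pin the negotiated algorithm lists. PubkeyAcceptedKeyTypes is the
# pre-OpenSSH-8.5 spelling of PubkeyAcceptedAlgorithms and is accepted as an alias.
ALGO_DIRECTIVES = ("KexAlgorithms", "Ciphers", "MACs", "HostKeyAlgorithms",
                   "PubkeyAcceptedAlgorithms")


def parse_sshd_config(text):
    """Return {lowercased directive: first value}. sshd keeps the FIRST value it reads
    for a directive, so later duplicates are ignored. Parsing stops at the first Match
    line: everything after it is conditional and not modelled here."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg


def weak_algorithms(listing):
    """Entries of a comma-separated algorithm list that match a weak pattern."""
    return [a for a in listing.split(",")
            if any(re.search(p, a) for p in WEAK_PATTERNS)]


def audit(cfg):
    """Return a list of policy findings; an empty list means the config passes."""
    findings = []
    if cfg.get("passwordauthentication", "yes") != "no":        # sshd default: yes
        findings.append("PasswordAuthentication must be 'no'")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must be 'yes'")
    kbd = cfg.get("kbdinteractiveauthentication",
                  cfg.get("challengeresponseauthentication", "yes"))   # old alias
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication must be 'no' "
                        "(otherwise PAM can still prompt for a password)")
    if cfg.get("authenticationmethods") != "publickey":
        findings.append("AuthenticationMethods should be 'publickey' so nothing "
                        "but a key can satisfy the login")
    for directive in ALGO_DIRECTIVES:
        value = cfg.get(directive.lower())
        if value is None and directive == "PubkeyAcceptedAlgorithms":
            value = cfg.get("pubkeyacceptedkeytypes")
        if value is None:
            findings.append(f"{directive} not set: the server's default list applies")
        elif value.startswith(("+", "-", "^")):
            findings.append(f"{directive} edits the default list ('{value[0]}') "
                            f"instead of pinning an explicit one")
        else:
            weak = weak_algorithms(value)
            if weak:
                findings.append(f"{directive} allows weak algorithms: {', '.join(weak)}")
    return findings


# Constructed sample: a jump host left near defaults plus a few legacy algorithms.
WEAK_CONFIG = """
PasswordAuthentication yes
PubkeyAuthentication yes
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,curve25519-sha256
Ciphers aes128-cbc,3des-cbc,aes256-ctr
MACs hmac-md5,hmac-sha1,hmac-sha2-256
HostKeyAlgorithms ssh-rsa,ssh-ed25519
"""

# Constructed sample: key-only login with explicit modern algorithm lists.
HARDENED_CONFIG = """
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PermitEmptyPasswords no
AuthenticationMethods publickey
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp384,diffie-hellman-group16-sha512
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
PubkeyAcceptedAlgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}:")
        for finding in audit(parse_sshd_config(text)) or ["no findings"]:
            print("  -", finding)
```

Two details worth checking on a real host after editing: run `sshd -t` so a typo in an algorithm name does not lock out the next session, and remember that sshd honours the first occurrence of a directive, so a hardening drop-in that is read after an older setting changes nothing. Note also that all three candidates in the key-exchange question (`diffie-hellman-group14-sha256`, `ecdh-sha2-nistp384`, `curve25519-sha256`) pass this weak-pattern filter; the remaining decision is about security level and curve provenance, not about removing a broken primitive.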

Question 19 · hard · multiple choice

A security auditor is reviewing the cryptographic controls of a financial application that processes transactions. The application uses digital signatures with RSA 4096 and SHA-256. The auditor recommends migrating to a stronger algorithm due to concerns about long-term security and quantum resistance. Which of the following would be the MOST appropriate replacement?

An organization is deploying a new IoT device that must securely update its firmware over the air (OTA). The device has limited processing power and memory. Which cryptographic solution would provide the BEST balance of security and performance for verifying firmware updates?


Focused Security Engineering and Cryptography sessions

Start a Security Engineering and Cryptography only practice session

Every question in these sessions is drawn from the Security Engineering and Cryptography domain — nothing else.


Frequently asked questions

What does the CAS-004 exam test about Security Engineering and Cryptography?
Security Engineering and Cryptography questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Security Engineering and Cryptography questions in a focused session?
Yes — the session launcher on this page draws every question from the Security Engineering and Cryptography domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other CAS-004 topics?
Use the topic links above to move to related areas, or go back to the CAS-004 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the CAS-004 exam covers. They are not copied from any real exam or dump site.