CompTIA CAS-005 Practice Test 2026

Updated On : 25-May-2026

Prepare smarter and boost your chances of success with our CompTIA CAS-005 practice test 2026. These CompTIA SecurityX Certification Exam test questions help you assess your knowledge, pinpoint strengths, and target areas for improvement. Surveys and user data from multiple platforms show that individuals who use CAS-005 practice exams are 40–50% more likely to pass on their first attempt.

Start practicing today and take the fast track to becoming CompTIA CAS-005 certified.

13530 already prepared

353 Questions
CompTIA SecurityX Certification Exam
4.8/5.0

Page 1 out of 36 Pages


A security engineer wants to improve the security of an application as part of the development pipeline. The engineer reviews the following component of an internally developed web application that allows employees to manipulate documents from a number of internal servers:

response = requests.get(url)

Users can specify the document to be parsed by passing the document URL to the application as a parameter.

Which of the following is the best solution?

A. Indexing

B. Output encoding

C. Code scanner

D. Penetration testing

C.   Code scanner

Explanation:
The code takes a user‑supplied URL and fetches it without validation (requests.get(url)). This is a Server‑Side Request Forgery (SSRF) vulnerability. An attacker could specify internal server URLs to access sensitive documents or scan internal networks. The best solution in the development pipeline is a code scanner that detects SSRF patterns before deployment.

Correct Option:

C. Code scanner
A static application security testing (SAST) or code scanner integrated into the pipeline would flag requests.get(url) with user‑controlled input as an SSRF vulnerability. This allows the engineer to fix the issue before production. Code scanners are most effective for finding injection and request forgery flaws early in the development lifecycle.

Incorrect Option:

A. Indexing
Indexing refers to database optimization (creating indexes for faster queries) or document indexing for search. It has no relevance to preventing SSRF or validating user‑supplied URLs. Indexing does not block or detect the security issue in the code snippet.

B. Output encoding
Output encoding (e.g., HTML entity encoding) prevents cross‑site scripting (XSS) by neutralizing special characters in output. The vulnerability here is SSRF (server‑side request forgery), not XSS. Output encoding will not stop the application from making arbitrary HTTP requests to internal servers.

D. Penetration testing
Penetration testing is a manual or automated external assessment performed after deployment. It can confirm SSRF exists but does not prevent it from being introduced in the pipeline. A code scanner is better for shifting left (catching issues during development). Pen testing is reactive, not preventive.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 2: Enterprise Security Architecture (Secure development, SAST, SSRF prevention). Also OWASP Top 10 – SSRF (A10:2021) and OWASP ASVS (5.3.5 – validate URLs). CWE-918 (Server‑Side Request Forgery).
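What a scanner finding on `requests.get(url)` leads to in practice, shown as an added example (not code from the application in the question): the flagged call next to a validated fetch. The host names, the 10.20.30.0/24 document subnet and the function names are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed for this example: the only servers the application may fetch from.
ALLOWED_HOSTS = {"docs01.corp.example", "docs02.corp.example"}   # hypothetical names
ALLOWED_NETWORK = ipaddress.ip_network("10.20.30.0/24")          # hypothetical subnet
ALLOWED_SCHEME = "https"
ALLOWED_PORT = 443


def resolve(host):
    """Return every address the name currently resolves to."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_document_url(url, resolver=resolve):
    """Return (True, "ok") if the URL may be fetched, else (False, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else ALLOWED_PORT
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != ALLOWED_SCHEME:
        return False, "scheme not allowed"
    # "https://allowed-host@other-host/" parses with other-host as the real target.
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = (parts.hostname or "").rstrip(".")
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    if port != ALLOWED_PORT:
        return False, "port not allowed"
    try:
        addresses = resolver(host)
    except OSError:
        return False, "host does not resolve"
    if not addresses:
        return False, "host does not resolve"
    # An allowlisted name is only trusted while it points into the document subnet.
    for addr in addresses:
        try:
            inside = ipaddress.ip_address(addr) in ALLOWED_NETWORK
        except ValueError:
            inside = False
        if not inside:
            return False, "resolves outside document subnet"
    return True, "ok"


def fetch_document_vulnerable(url):
    """The pattern from the question: any user-supplied URL is fetched."""
    import requests
    return requests.get(url)


def fetch_document(url, resolver=resolve):
    """Validated fetch: reject first, then request without following redirects."""
    ok, reason = check_document_url(url, resolver)
    if not ok:
        raise ValueError(f"refusing to fetch: {reason}")
    import requests
    # A redirect would point the request at a URL that was never validated.
    return requests.get(url, timeout=5, allow_redirects=False)
```

The resolver is injectable so the checks can be unit-tested in the pipeline without DNS or network access.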

An organization purchased a new manufacturing facility and the security administrator needs to:
• Implement security monitoring.
• Protect any non-traditional device(s)/network(s).
• Ensure no downtime for critical systems.
Which of the following strategies best meets these requirements?

A. Configuring honeypots in the internal network to capture malicious activity

B. Analyzing system behavior and responding to any increase in activity

C. Applying updates and patches soon after they have been released

D. Observing the environment and proactively addressing any malicious activity

D.   Observing the environment and proactively addressing any malicious activity

Explanation:
The requirements are: implement security monitoring, protect non-traditional devices/networks (e.g., OT/IoT/ICS), and ensure zero downtime for critical systems. Observing the environment and proactively addressing malicious activity aligns with passive monitoring (no downtime) and proactive threat hunting. Behavioral observation (e.g., network traffic baselining, anomaly detection) works for non-traditional devices where agents cannot be installed.

Correct Option:

D. Observing the environment and proactively addressing any malicious activity. –
Passive observation (e.g., NetFlow, mirrored ports, passive sensors) does not disrupt critical systems. Proactive hunting (e.g., threat intelligence, anomaly detection) identifies malicious activity before it causes damage. This works for non-traditional OT/ICS devices where active scanning or patching may cause downtime.

Incorrect Option:

A. Configuring honeypots in the internal network to capture malicious activity. –
Honeypots are decoys; they do not monitor real production systems nor protect the actual non-traditional devices. Attackers may avoid honeypots. Honeypots add detection but do not ensure "protection" across all devices.

B. Analyzing system behavior and responding to any increase in activity. –
"Responding to any increase" implies automated response, which risks false positives and may cause unnecessary downtime for critical systems. Zero downtime requires careful response orchestration. Also, this does not specify how to observe non-traditional devices.

C. Applying updates and patches soon after they have been released. –
Patching causes downtime (reboots, service restarts), which violates "ensure no downtime for critical systems." Additionally, OT/ICS devices often cannot be patched frequently. Patching is preventive, not monitoring, and does not protect non-traditional devices that may not receive patches.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 3.0 (Security Engineering) – OT/ICS security, passive monitoring, and zero downtime constraints. NIST SP 800-82 (Guide to Industrial Control Systems Security) – passive monitoring, no intrusive scanning. Zero downtime for critical systems (manufacturing, healthcare, energy). Non-traditional devices (OT, IoT, ICS, medical devices). Honeypot limitations for OT. Patching downtime conflict. Proactive threat hunting using passive observation (Zeek/Bro, RITA, network baselining). Behavior analysis with no active response causing downtime. CASP+ domain 3 – critical infrastructure protection, continuous monitoring without disruption. Manufacturing facility security monitoring.

A security analyst is reviewing the following vulnerability assessment report:
192.168.1.5, Host = Server1, CVSS 7.5, Web Server, Remotely Executable = Yes, Exploit = Yes
205.1.3.5, Host = Server2, CVSS 6.5, Bind Server, Remotely Executable = Yes, Exploit = POC
207.1.5.7, Host = Server3, CVSS 5.5, Email Server, Remotely Executable = Yes, Exploit = Yes
192.168.1.6, Host = Server4, CVSS 9.8, Domain Controller, Remotely Executable = Yes, Exploit = Yes
Which of the following should be patched first to minimize attacks against internet-facing hosts?

A. Server1

B. Server2

C. Server3

D. Server4

B.   Server2

Explanation:
The question specifies "minimize attacks against internet-facing hosts." Public IPs 205.1.3.5 (Server2 - Bind DNS, CVSS 6.5) and 207.1.5.7 (Server3 - Email, CVSS 5.5) are internet-facing. Server2 has a higher CVSS score (6.5 > 5.5) and should be patched first among internet-facing hosts. Server1 and Server4 are on private IPs (192.168.x.x) and are not directly internet-facing, so they are lower priority despite higher CVSS.

Correct Option:

B. Server2 –
Server2 (205.1.3.5) is internet-facing (public IP). CVSS 6.5 (Medium/High) with "Remotely Executable = Yes" and "Exploit = POC" (proof-of-concept available). Patching this first reduces the attack surface for external attackers targeting the DNS server. Publicly exposed Bind vulnerabilities can lead to remote compromise.

Incorrect Option:

A. Server1 –
Private IP (192.168.1.5) — not directly internet-facing. Although CVSS 7.5 is higher and exploit exists, internal hosts are lower priority than public-facing ones when minimizing external attacks. Attackers must first breach the perimeter to reach Server1.

C. Server3 –
Internet-facing (207.1.5.7) but CVSS 5.5 (Medium) is lower than Server2's 6.5. While still a priority, Server2 has higher severity and should come first. Server3 is an email server, typically protected by additional layers (spam filters, edge gateways).

D. Server4 –
Private IP (192.168.1.6) — not internet-facing. CVSS 9.8 (Critical) and exploit exists, but it is internal (Domain Controller). Patching internal hosts is critical, but the question specifically asks to minimize attacks against internet-facing hosts. Server4 is not internet-facing.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 6.0 (Risk Management) – Vulnerability prioritization based on asset exposure. CVSS scoring and prioritization for internet-facing vs internal assets. Public IP addresses indicate external exposure (e.g., 205.x.x.x, 207.x.x.x). Private IP ranges (192.168.x.x, 10.x.x.x, 172.16.x.x) are internal. Patch prioritization: external first, then critical internal. NIST SP 800-40 (Vulnerability Management). Bind DNS server vulnerabilities (remote code execution). Exploit = POC vs Exploit = Yes. Minimizing external attack surface. CASP+ risk management. Server role importance: Domain Controller (9.8) but internal → patch after external DNS.
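The prioritization described above, as an added example (not part of the original question): it parses the four report lines, treats a globally routable address as internet-facing, and orders patching by exposure first and CVSS second. Using exploit maturity as a tie-breaker, and the function names, are assumptions of this example.

```python
import ipaddress
import re

# The report lines from the question, one finding per line.
REPORT = """\
192.168.1.5, Host = Server1, CVSS 7.5, Web Server, Remotely Executable = Yes, Exploit = Yes
205.1.3.5, Host = Server2, CVSS 6.5, Bind Server, Remotely Executable = Yes, Exploit = POC
207.1.5.7, Host = Server3, CVSS 5.5, Email Server, Remotely Executable = Yes, Exploit = Yes
192.168.1.6, Host = Server4, CVSS 9.8, Domain Controller, Remotely Executable = Yes, Exploit = Yes
"""

LINE = re.compile(
    r"^(?P<ip>[\d.]+), Host = (?P<host>\w+), CVSS (?P<cvss>\d+(?:\.\d+)?), "
    r"(?P<role>[^,]+), Remotely Executable = (?P<remote>\w+), Exploit = (?P<exploit>\w+)$"
)

# Assumption of this example: a working exploit outranks a proof of concept on ties.
EXPLOIT_RANK = {"Yes": 2, "POC": 1, "No": 0}


def parse_report(text):
    """Turn the report into a list of finding dicts, failing loudly on bad lines."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        match = LINE.match(line)
        if match is None:
            raise ValueError(f"line {number}: unrecognised finding: {line!r}")
        address = ipaddress.ip_address(match["ip"])
        findings.append({
            "ip": str(address),
            "host": match["host"],
            "cvss": float(match["cvss"]),
            "role": match["role"].strip(),
            "remote": match["remote"] == "Yes",
            "exploit": match["exploit"],
            # RFC 1918 and other non-global ranges are not directly reachable
            # from the internet; a NAT or port-forward would need asset data.
            "internet_facing": address.is_global,
        })
    return findings


def patch_order(findings, exposure_first=True):
    """Return host names in patch order.

    exposure_first=True  -> internet-facing hosts first, then CVSS descending.
    exposure_first=False -> CVSS descending only, ignoring exposure.
    """
    def key(finding):
        severity = (-finding["cvss"], -EXPLOIT_RANK.get(finding["exploit"], 0))
        if exposure_first:
            return (not finding["internet_facing"],) + severity
        return severity
    return [finding["host"] for finding in sorted(findings, key=key)]


if __name__ == "__main__":
    parsed = parse_report(REPORT)
    print("exposure first:", patch_order(parsed))
    print("CVSS only:     ", patch_order(parsed, exposure_first=False))
```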

A company has the following requirements for a cloud-based web application:

• Must authenticate customers

• Must prevent data exposure

• Must allow customer access to data throughout the cloud environment

• Must restrict access by specific regions

Which of the following solutions best addresses these security requirements?

A. Applying role-based access controls and configuring geolocation policies

B. Replicating the data in each customer environment

C. Hosting the data regionally and providing each customer with a unique link

D. Moving to a cloud provider that operates only in one specific region

A.   Applying role-based access controls and configuring geolocation policies

Explanation:
The requirements include customer authentication, data exposure prevention, global data access, and regional access restrictions. RBAC controls who can access what data (preventing exposure), while geolocation policies restrict access by specific regions. Together, these meet all four requirements without forcing data replication or limiting the cloud provider's regional footprint.

Correct Option:

A. Applying role-based access controls and configuring geolocation policies
RBAC ensures authenticated customers only see authorized data, directly preventing unauthorized exposure. Geolocation policies (e.g., using AWS WAF geolocation or Azure Front Door) restrict access based on customer region, satisfying the "restrict by specific regions" requirement. Both controls work together without changing data storage locations or customer access methods.

Incorrect Option:

B. Replicating the data in each customer environment
Data replication would dramatically increase cost, complexity, and security risk (more attack surfaces). It also does not inherently prevent data exposure—each customer environment would need its own access controls. This solution is overengineered and fails to address regional restriction requirements efficiently.

C. Hosting the data regionally and providing each customer with a unique link
Unique links (pre-signed URLs or shareable links) are difficult to manage at scale, do not provide strong authentication, and offer minimal data exposure prevention. Links can be shared accidentally or intercepted. This solution does not address regional restrictions and introduces significant security and usability problems.

D. Moving to a cloud provider that operates only in one specific region
Single-region hosting violates the requirement to "allow customer access to data throughout the cloud environment" and makes regional restriction irrelevant. It also creates availability risks and may violate data residency laws if customers are in other regions. This option directly contradicts the stated requirements.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 2: Enterprise Security Architecture (Cloud security, identity and access management, geolocation controls). Also NIST SP 800-210 (General Access Control Guidance for Cloud Systems) and OWASP RBAC guidelines.

A security analyst is reviewing a SIEM and generates the following report:

Later, the incident response team notices an attack was executed on the VM001 host.
Which of the following should the security analyst do to enhance the alerting process on the SIEM platform?

A. Include the EDR solution on the SIEM as a new log source.

B. Perform a log correlation on the SIEM solution.

C. Improve parsing of data on the SIEM.

D. Create a new rule set to detect malware.

B.   Perform a log correlation on the SIEM solution.

Explanation:
The SIEM report shows individual events (deny connection, IPS alert, malware detection, allow connection) but no single event triggered a meaningful alert about the attack on VM001. Log correlation combines events across time, sources, and types (e.g., IPS alert + malware detection + allow connection) into a single, higher-fidelity alert. The analyst should perform (or enable) correlation to detect the attack pattern.

Correct Option:

B. Perform a log correlation on the SIEM solution. –
Correlation rules link seemingly disparate events (e.g., IPS alert followed by malware detection then allow connection to a suspicious IP). SIEM correlation reduces false positives and identifies multi-step attack patterns. This would have alerted the team to the attack on VM001 rather than requiring post-incident discovery.

Incorrect Option:

A. Include the EDR solution on the SIEM as a new log source. –
Adding EDR provides additional data but does not automatically enhance alerting unless correlation rules are applied. The existing logs (IPS, malware detection, connection events) already contained evidence; the missing piece is correlation, not more sources.

C. Improve parsing of data on the SIEM. –
Parsing extracts fields from raw logs (e.g., timestamp, IP, event ID). The data in the report appears already parsed. Improving parsing without correlation does not connect events into an attack narrative. Parsing is a prerequisite, not the solution for missed attacks.

D. Create a new rule set to detect malware. –
The SIEM already detected malware (8:11:12 event). Individual rules for malware detection exist. The issue is that no alert combined that detection with surrounding events. A new malware rule alone would not change the outcome; correlation across events is needed.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 4.0 (Security Operations) – SIEM correlation. NIST SP 800-92 (Log Management) – Correlation for attack detection. SIEM rule types: single-event rules vs correlation rules (e.g., join, sequence, time window). Example: IPS alert → malware detection → outbound allow within 1 hour. Correlation reduces alert fatigue and detects multi-step attacks. Parsing vs normalization vs correlation. EDR integration as complementary, not replacement. VM001 attack timeline reconstruction.
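A sequence correlation rule of the kind described above (IPS alert, then malware detection, then an allowed connection, on one host within one hour), as an added example that is not part of the original question. The report from the question is not reproduced on this page, so the events, timestamps and event-type names below are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Ordered event types that together describe the attack pattern.
SEQUENCE = ("ips_alert", "malware_detected", "connection_allowed")
WINDOW = timedelta(hours=1)

# Constructed sample events: (timestamp, host, event type).
EVENTS = [
    ("2024-01-01 08:02:40", "VM002", "connection_denied"),
    ("2024-01-01 08:09:55", "VM001", "ips_alert"),
    ("2024-01-01 08:11:12", "VM001", "malware_detected"),
    ("2024-01-01 08:12:03", "VM003", "connection_allowed"),
    ("2024-01-01 08:14:30", "VM001", "connection_allowed"),
    ("2024-01-01 08:20:00", "VM002", "ips_alert"),
    ("2024-01-01 10:45:00", "VM002", "malware_detected"),   # too late for the window
    ("2024-01-01 10:46:00", "VM002", "connection_allowed"),
]


def _parse(event):
    stamp, host, event_type = event
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), host, event_type


def correlate(events, sequence=SEQUENCE, window=WINDOW):
    """Return one alert per host that completes `sequence` in order within `window`.

    Each host keeps a list of partial matches; a partial match is the list of
    (timestamp, type) pairs seen so far, and it expires once the window has
    passed since its first event.
    """
    alerts = []
    partials = defaultdict(list)
    for stamp, host, event_type in sorted(_parse(e) for e in events):
        live = [p for p in partials[host] if stamp - p[0][0] <= window]
        kept = []
        fired = False
        for partial in live:
            if event_type == sequence[len(partial)]:
                partial = partial + [(stamp, event_type)]
                if len(partial) == len(sequence):
                    alerts.append({
                        "host": host,
                        "first_seen": partial[0][0],
                        "last_seen": stamp,
                        "evidence": [kind for _, kind in partial],
                    })
                    fired = True
                    break
            kept.append(partial)
        if fired:
            kept = []                      # one alert per completed chain
        elif event_type == sequence[0]:
            kept.append([(stamp, event_type)])
        partials[host] = kept
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert["host"], alert["first_seen"], "->", alert["last_seen"], alert["evidence"])
```

No single event in the sample would justify a high-severity alert on its own; only the ordered chain on VM001 does, while VM002 produces the same three event types but outside the window.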

A security analyst notices a number of SIEM events that show the following activity:
10/30/2020 - 8:01 UTC - 192.168.1.1 - sc stop HinDctend
10/30/2020 - 8:05 UTC - 192.168.1.2 - c:\program files\games\comptidcasp.exe
10/30/2020 - 8:07 UTC - 192.168.1.1 - c:\windows\system32\cmd.exe /c powershell
10/30/2020 - 8:07 UTC - 192.168.1.1 - powershell —> 40.90.23.154:443
Which of the following response actions should the analyst take first?

A. Disable powershell.exe on all Microsoft Windows endpoints

B. Restart Microsoft Windows Defender

C. Configure the forward proxy to block 40.90.23.154

D. Disable local administrator privileges on the endpoints

C.   Configure the forward proxy to block 40.90.23.154

Explanation:
The logs show an outbound PowerShell connection from 192.168.1.1 to external IP 40.90.23.154:443 at 8:07 UTC, immediately after executing cmd.exe /c powershell. This indicates command-and-control (C2) beaconing or malware callback. The first response action should be containment: blocking the malicious external IP at the proxy or firewall to sever the C2 channel and prevent further data exfiltration or commands.

Correct Option:

C. Configure the forward proxy to block 40.90.23.154 –
Blocking the destination IP cuts the active C2 communication. This contains the threat immediately, preventing additional malicious commands from reaching the compromised host and stopping potential data exfiltration. It is a network-level containment action that does not require endpoint access.

Incorrect Option:

A. Disable powershell.exe on all Microsoft Windows endpoints –
Disabling PowerShell globally is a heavy-handed, disruptive change that breaks legitimate administrative scripts and workflows. While PowerShell abuse is common, this action is not first response; it is a long-term hardening control. Immediate containment requires blocking the C2 IP.

B. Restart Microsoft Windows Defender –
Restarting Defender addresses a potential AV issue, but the logs show no Defender failure. The host is already compromised with an active C2 session; restarting Defender does not terminate the existing PowerShell connection or block the external IP. This does not contain the incident.

D. Disable local administrator privileges on the endpoints –
Privilege reduction is a preventive control, not an active incident response action. The compromise has already occurred; disabling admin rights now does not stop the running PowerShell process or the established C2 tunnel. First response must be containment (block IP).

Reference:
CompTIA CAS-005 Exam Objectives – Domain 5.0 (Incident Response) – Containment (blocking C2 infrastructure). NIST SP 800-61 (Incident Handling) – Containment phase: blocking IPs, domains. MITRE ATT&CK T1059.001 (Command and Scripting Interpreter: PowerShell) and TA0011 (C2). First response priority: Stop the active compromise before further damage. SIEM event correlation for C2 beaconing.

A global organization is reviewing potential vendors to outsource a critical payroll function. Each vendor's plan includes using local resources in multiple regions to ensure compliance with all regulations. The organization's Chief Information Security Officer is conducting a risk assessment on the potential outsourcing vendors' subprocessors. Which of the following best explains the need for this risk assessment?

A. Risk mitigations must be more comprehensive than the existing payroll provider.

B. Due care must be exercised during all procurement activities.

C. The responsibility of protecting PII remains with the organization.

D. Specific regulatory requirements must be met in each jurisdiction.

C.   The responsibility of protecting PII remains with the organization.

Explanation:
When outsourcing critical functions like payroll, the organization remains legally accountable for protecting personally identifiable information (PII). Even if a vendor or subprocessor handles the data, the original organization cannot transfer liability. Assessing subprocessor risks ensures that PII safeguards meet regulatory and contractual obligations, preserving the organization’s ultimate responsibility.

Correct Option:

C. The responsibility of protecting PII remains with the organization.
Data privacy laws (e.g., GDPR, CCPA) hold the data controller (the organization) fully accountable for PII protection, regardless of outsourcing. Subprocessor risk assessment verifies that vendors uphold equivalent security and privacy controls. Failure to assess subprocessors does not absolve the organization—it increases breach liability and regulatory penalties.

Incorrect Option:

A. Risk mitigations must be more comprehensive than the existing payroll provider.
Outsourcing does not automatically require more comprehensive mitigations than the current in-house or previous provider. The standard is adequacy and compliance, not necessarily superiority. This option introduces an arbitrary comparison not supported by legal or risk management principles for subprocessor assessment.

B. Due care must be exercised during all procurement activities.
While due care is always necessary in procurement, this is too generic. The question specifically asks why the subprocessor risk assessment is needed. Due care applies broadly to vendor selection but does not explain the unique legal and accountability focus on subprocessors versus the primary vendor.

D. Specific regulatory requirements must be met in each jurisdiction.
Although regulatory requirements vary by jurisdiction, this explains what must be achieved, not why the organization must assess subprocessors specifically. The core reason is retained accountability for PII. Jurisdictional rules are a subset of that accountability, not the fundamental driver.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 1: Risk Management (Third-party risk, data privacy, legal liability). Also GDPR Article 28 (Processor obligations) and NIST SP 800-53 (CA-9: Internal system connections).

A security engineer receives an alert from the SIEM platform indicating a possible malicious action on the internal network. The engineer generates a report that outputs the logs associated with the incident:

Which of the following actions best enables the engineer to investigate further?

A. Consulting logs from the enterprise password manager

B. Searching dark web monitoring resources for exposure

C. Reviewing audit logs from privileged actions

D. Querying user behavior analytics data

D.   Querying user behavior analytics data

Explanation:
The alert indicates a possible malicious action on the internal network. To investigate further, the engineer needs to understand what normal behavior looks like for that user or system. User behavior analytics (UBA) establishes baselines and highlights anomalous activities (e.g., unusual login times, abnormal data access, atypical command execution). Querying UBA data provides context to determine if the alert is a true positive.

Correct Option:

D. Querying user behavior analytics data –
UBA platforms aggregate logs and apply machine learning to model normal user and entity behavior. When a SIEM alerts on a possible malicious action, UBA can show whether the associated user has deviated from their typical pattern (e.g., first-time access to a sensitive share, unusual volume of data transfer). This context validates or refutes the alert.

Incorrect Option:

A. Consulting logs from the enterprise password manager –
Password manager logs track credential access and changes, but are not directly relevant to a generic "possible malicious action" alert unless the action specifically involved password manager use. This is too narrow and unlikely to provide initial investigation context.

B. Searching dark web monitoring resources for exposure –
Dark web monitoring identifies whether credentials or data have been posted online. This is useful for post-breach or credential stuffing investigations, but not as an immediate next step for an internal network alert. It is reactive and outside-focused, while the alert is inside the network.

C. Reviewing audit logs from privileged actions –
Privileged action logs are valuable if the malicious action involved an admin account. However, the alert does not specify privilege level. Reviewing only privileged logs would miss actions by non-privileged users. UBA covers all users and entities, making it broader and more appropriate initially.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 4.0 (Security Operations) – User and entity behavior analytics (UEBA). NIST SP 800-53 (AU-6: Audit Record Correlation). SIEM and UBA integration for alert triage. Insider threat detection using behavioral baselines. Incident investigation workflows.


An administrator needs to craft a single certificate-signing request for a web-server certificate. The server should be able to use the following identities to mutually authenticate other resources over TLS:
• www.int.comptia.org
• webserver01.int.comptia.org
• 10.5.100.10
Which of the following certificate fields must be set properly to support this objective?

A. Subject alternative name

B. Organizational unit

C. Extended key usage

D. Certificate extension

A.   Subject alternative name

Explanation:
A single certificate must support multiple identities: two DNS names (www.int.comptia.org, webserver01.int.comptia.org) and one IP address (10.5.100.10). The Subject Alternative Name (SAN) extension allows a certificate to specify multiple DNS names, IP addresses, or other identifiers. Browsers and TLS clients require SAN for multi-domain certificates; the Common Name (CN) is deprecated for this purpose.

Correct Option:

A. Subject alternative name

SAN extension (RFC 5280) allows multiple identities: DNS, IP, email, URI.

The CSR must include all three identifiers as SAN entries.

TLS clients validate against SANs, not the CN field.

This enables mutual authentication using any of the three identities.

Incorrect Options:

B. Organizational unit

OU is an X.500 attribute within the Distinguished Name (DN), used for organizational structure.

Not used for identity validation in TLS.

Irrelevant for specifying DNS or IP addresses.

C. Extended key usage

EKU defines the purpose of the certificate (e.g., server authentication, client authentication, code signing).

Does not list acceptable DNS names or IP addresses.

Required for proper TLS usage but does not solve multi-identity requirement.

D. Certificate extension

Too broad; SAN is one type of certificate extension.

Answer is vague; SAN is the specific extension needed.

Exam expects precise identification of SAN.

Reference:
CompTIA CAS-005 Exam Objectives — Domain 1: Security Architecture (PKI, Certificates). RFC 5280 (Internet X.509 PKI) — Section 4.2.1.6: Subject Alternative Name. “SAN allows binding multiple names and IP addresses to a single certificate.”
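A single CSR carrying all three identities as SAN entries, plus a pre-submission check, as an added example (not part of the original question). It uses the Python `cryptography` package; the EC key type, the choice of Common Name and the function names are assumptions of this example.

```python
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# The three identities from the question.
IDENTITIES = ["www.int.comptia.org", "webserver01.int.comptia.org", "10.5.100.10"]


def _as_ip(identity):
    """Return an ipaddress object if the identity is an IP literal, else None."""
    try:
        return ipaddress.ip_address(identity)
    except ValueError:
        return None


def build_csr(identities, force_dns=False):
    """Return a PEM CSR whose SAN extension lists every identity.

    force_dns=True reproduces a common mistake: the IP address is written as a
    dNSName entry instead of an iPAddress entry.
    """
    names = []
    for identity in identities:
        ip = _as_ip(identity)
        if ip is not None and not force_dns:
            names.append(x509.IPAddress(ip))
        else:
            names.append(x509.DNSName(identity))
    # Assumption: the first DNS name doubles as the Common Name.
    common_name = next(i for i in identities if _as_ip(i) is None)
    key = ec.generate_private_key(ec.SECP256R1())
    csr = (
        x509.CertificateSigningRequestBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)]))
        .add_extension(x509.SubjectAlternativeName(names), critical=False)
        .sign(key, hashes.SHA256())
    )
    return csr.public_bytes(serialization.Encoding.PEM)


def missing_identities(csr_pem, required):
    """Return the required identities that the CSR's SAN extension does not cover.

    DNS names must appear as dNSName entries and IP addresses as iPAddress
    entries; an IP written as a dNSName does not count.
    """
    csr = x509.load_pem_x509_csr(csr_pem)
    try:
        san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return list(required)
    dns_names = {name.lower() for name in san.get_values_for_type(x509.DNSName)}
    ip_addrs = set(san.get_values_for_type(x509.IPAddress))
    missing = []
    for identity in required:
        ip = _as_ip(identity)
        covered = ip in ip_addrs if ip is not None else identity.lower() in dns_names
        if not covered:
            missing.append(identity)
    return missing


if __name__ == "__main__":
    pem = build_csr(IDENTITIES)
    print(pem.decode())
    print("missing from SAN:", missing_identities(pem, IDENTITIES))
```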

A company plans to deploy a new online application that provides video training for its customers. As part of the design, the application must be:
• Fast for all users
• Available for users worldwide
• Protected against attacks
Which of the following are the best components the company should use to meet these requirements? (Select two).

A. WAF

B. IPS

C. CDN

D. SASE

E. VPN

F. CASB

A.   WAF
C.   CDN

Explanation:
The requirements: fast for all users (speed), available worldwide (global reach), and protected against attacks. A CDN (Content Delivery Network) caches content at edge locations worldwide, improving speed and availability. A WAF (Web Application Firewall) protects the application from web attacks (SQLi, XSS, DDoS). Together, CDN provides performance/availability, WAF provides security.

Correct Option:

A. WAF –
Web Application Firewall sits in front of the web application to filter, monitor, and block malicious HTTP/S traffic (e.g., SQL injection, cross-site scripting, OWASP Top 10). It protects the application from attacks while CDN handles distribution.

C. CDN –
Content Delivery Network (e.g., CloudFront, Akamai, Fastly) caches video content at globally distributed edge servers, reducing latency for users worldwide, improving speed, and providing availability / DDoS mitigation. It also helps with geographic load balancing.

Incorrect Option:

B. IPS –
Intrusion Prevention System operates at the network layer inspecting traffic for known signatures, but for a web video application, WAF is more targeted and effective for application-layer attacks. IPS can complement but is not the best primary choice vs WAF.

D. SASE –
Secure Access Service Edge combines networking (SD-WAN) with security (SWG, CASB, ZTNA). It is more relevant for remote workforce access than for a customer-facing video application. Overkill and less focused on web app protection.

E. VPN –
Virtual Private Network encrypts traffic for a single user/device, but does not scale for thousands of customers, adds latency (opposite of "fast"), and does not protect the application itself. VPN is for private access, not public video delivery.

F. CASB –
Cloud Access Security Broker monitors and secures cloud app usage (often employee access to SaaS). Not designed for protecting a customer-facing video training application or improving global speed.

Reference:
CompTIA CAS-005 Exam Objectives – Domain 1.0 (Security Architecture) – CDN and WAF. CDN for global performance and availability (NIST SP 800-95 – Web services). WAF for application-layer attack protection (OWASP, NIST SP 800-95). IPS differences from WAF (network vs application layer). SASE for remote workforces. VPN not for public CDN use case. CASB for cloud app governance. Global video training application requirements. CDN + WAF as standard cloud architecture pair. CDN provides edge DDoS protection. WAF provides web attack filtering. CASP+ domain 1 – selecting security and performance components for global web applications. Fast, worldwide, protected → CDN + WAF.


CompTIA SecurityX Certification Exam Practice Questions

CompTIA SecurityX CAS-005 Official Exam Blueprints And Our Practice Questions


CompTIA SecurityX CAS-005 Domain | Official Exam Weight | Our Practice Questions

Governance, Risk, and Compliance (GRC) | 20% | 40
Our Practice Questions Cover Subtopics: Governance frameworks, Risk management, Compliance requirements, Security policies, Security standards, Audits and assessments, Legal and regulatory requirements, Third-party risk management, Business continuity, Disaster recovery, Security awareness training, Privacy regulations, Vendor management, Security documentation, Threat modeling, Security assessments and testing

Security Architecture | 27% | 132
Our Practice Questions Cover Subtopics: Zero trust architecture, Enterprise security architecture, Cloud security, Hybrid environments, Network segmentation, Secure system design, Identity and access management (IAM), Federation, Single sign-on (SSO), Infrastructure security, Virtualization, Container security, Secure application architecture, Emerging technologies, AI and machine learning security, IoT security, OT and ICS security, Edge computing, Secure protocols

Security Engineering | 31% | 81
Our Practice Questions Cover Subtopics: Cryptographic algorithms, PKI and certificates, Encryption technologies, Key management, Secure communications, Secure coding concepts, DevSecOps, Automation and scripting, Infrastructure as code (IaC), Vulnerability mitigation, Authentication mechanisms, Identity lifecycle management, Hardware security modules (HSM), Security engineering principles, AI security controls, Endpoint security, Secure software development

Security Operations | 22% | 72
Our Practice Questions Cover Subtopics: Incident response, Threat hunting, Security monitoring, SIEM operations, Log analysis, Threat intelligence, Vulnerability management, Penetration testing concepts, Digital forensics, Malware analysis, Endpoint monitoring, Detection engineering, Containment and recovery, SOC operations, Security automation, Operational security procedures

This study tool turned my anxiety into confidence


As a cybersecurity professional with several years of experience, I thought I was well-prepared for the CompTIA CAS-005 exam. However, once I started studying, I quickly realized this was not just another certification test - it demanded deep, practical understanding of complex security architectures and risk management strategies. That's where these CAS-005 practice questions made all the difference.

What impressed me most was how the questions mirrored the exam's focus on real-world scenarios. Instead of simple recall questions, they presented multi-layered challenges that required me to analyze security frameworks, evaluate enterprise risks, and recommend comprehensive solutions - just like I would in my actual job. The explanations were incredibly thorough, helping me understand not just what the right answer was, but why it was correct and how it applied to different organizational contexts.

By working through these practice questions, I developed the critical thinking skills needed to approach the exam with confidence. They didn't just test my knowledge - they trained me to think like a security architect. When exam day came, I recognized the same style of complex, scenario-based questions I had been practicing with. This resource was absolutely essential in bridging the gap between my experience and what the certification demanded.

Michael R., Security Architect

CAS-005 (formerly CASP) is no joke, it's advanced-level security architecture. Preptia CAS-005 exam questions pushed me to think like an enterprise security architect. The scenario-based questions covered risk management, integration, and governance perfectly. I passed and now lead security initiatives with confidence.
Jennifer Martinez, Security Architect | Washington, D.C.

Advanced cybersecurity preparation felt structured and focused with Preptia.com practice materials for SecurityX. The CAS-005 exam questions emphasized enterprise security architecture and risk management strategies effectively.
Natalie Brooks | Canada