Cybersecurity cert-prep add-on

CompTIA SecurityX (CASP+) Exam Prep Add-On

Convert DevSecOps Fundamentals into a CASP+ ramp covering enterprise security architecture and integration.

$197 add-on70h additional studyTarget exam: CompTIA CASP+Exam fee: $509

What the add-on ships

++Domain reviews mapped to the official CompTIA SecurityX (CAS-005) exam blueprint
++Four full-length performance-based-question mock exams aligned to CompTIA's enterprise-architecture scenario format
++Exam-day scenario walkthroughs covering risk management, enterprise security operations, and integration
++DoD 8140 mapping notes for CASP+/SecurityX qualifying work roles
++Direct link to the official CompTIA SecurityX exam page as the canonical reference

Built on the parent course

++DevSecOps Fundamentals seven-module curriculum grounded in NIST SSDF (SP 800-218), OWASP ASVS, SLSA, and CIS Benchmarks
++SAST, DAST, SCA, IaC scanning, container security, secret management, and CI/CD hardening practice from the parent course

Parent course: devsecops fundamentals

Best for

++Senior engineers moving into security architecture without an ISC2 CISSP first
++Practitioners on the DoD 8140 track who need the CASP+/SecurityX credential for IAT Level III
++DevSecOps practitioners formalizing enterprise-scale security architecture fluency

Practice surface

++Four full-length PBQ mock exams in CompTIA's enterprise scenario format
++Risk-management scenario library for targeted weak-area practice
++Integration and architecture decision-making drill set

Buy the add-on

$197 on top of the devsecops fundamentals parent course. Lifetime access to the practice materials, mock exams, and exam-day worksheets.

See the parent course

Exam summary

CompTIA SecurityX (CAS-005, formerly CASP+) is CompTIA's expert-level cybersecurity credential. Five domains: security governance, security architecture, security engineering, security operations, and security risk and incident response. Exam is 90 multiple-choice and performance-based questions in 165 minutes, pass / fail (no scaled score is published).

Domain reviews

Governance, Risk, and Compliance

Enterprise governance, risk management, third-party risk, compliance frameworks.

++Risk-management frameworks: NIST RMF, ISO 31000, FAIR (Factor Analysis of Information Risk)
++Compliance regimes: HIPAA, PCI DSS 4.0, GLBA, SOX, GDPR, CCPA / CPRA
++Third-party risk: vendor questionnaires (SIG, CAIQ), contract clauses, ongoing monitoring
++Privacy frameworks: data lifecycle, DSAR handling, privacy by design
++Security governance: charters, RACI, board reporting

Primary sources:

NIST SP 800-37 Rev. 2 Risk Management Framework

Security Architecture

Enterprise architecture, secure design, advanced cryptography.

++SASE / SSE architectures, zero trust
++Secure SDLC: threat modeling (STRIDE, PASTA), SAST, DAST, IAST
++Cryptography: PKI, HSMs, key escrow, post-quantum cryptography (NIST candidates: Kyber/ML-KEM, Dilithium/ML-DSA, SPHINCS+)
++Identity architecture: federation, OIDC, SAML, SCIM, FIDO2
++Cloud architecture: shared responsibility, multi-cloud, hybrid

Primary sources:

Security Engineering

Implementing the architecture: secure configuration, network security, endpoint, application.

++Network: NGFW, IDS/IPS, deception (canaries, honeypots), micro-segmentation
++Endpoint: EDR/XDR, secure boot, TPM, full-disk encryption
++Application: secure code review, WAF, RASP, container security
++Cloud workload: CSPM, CWPP, CNAPP
++Cryptographic engineering: TLS configuration, certificate transparency, OCSP stapling

Primary sources:

NIST SP 800-218 Secure Software Development Framework (SSDF)

Security Operations

SOC operations at expert level: detection engineering, threat hunting, vulnerability management.

++SOAR playbook design, integration with SIEM
++Threat-informed detection (MITRE ATT&CK-aligned analytics)
++Threat hunting hypotheses and methodology
++Vulnerability management lifecycle, exploitation-prediction prioritization (EPSS, CISA KEV)
++Cyber threat intelligence integration into operations

Primary sources:

Security Risk and Incident Response

Incident response at enterprise scale, business continuity, disaster recovery.

++Incident response lifecycle (NIST SP 800-61 Rev. 2) at enterprise scale
++Tabletop exercise design
++Business continuity: BIA, RTO, RPO, recovery strategies
++Disaster recovery: hot / warm / cold site, multi-region cloud DR
++Forensic readiness: chain of custody, e-discovery, legal hold

Primary sources:

Practice scenarios (6)

Practice scenarios are scenario-based learning, not exam-question mimicry. Each scenario maps to a specific exam domain and includes a worked explanation plus a primary-source citation. Reproducing actual exam items would violate the cert body's NDA; the format here exercises the same underlying concepts under different surface phrasing.

Preview scenario 1 of 6 · Governance, Risk, and Compliancefree preview

A CISO is selecting a quantitative risk-assessment methodology that produces a dollar-denominated loss-distribution curve rather than a single ALE point estimate. Which methodology fits?

A. NIST CSF
B. FAIR (Factor Analysis of Information Risk)
C. ISO/IEC 27001 Annex A
D. COBIT

Answer: B

FAIR is the quantitative methodology built around loss-event frequency and loss magnitude distributions, producing a dollar-denominated risk distribution curve (typically displayed as a loss-exceedance curve). NIST CSF is a categorical framework; ISO 27001 Annex A is a control catalog; COBIT is a governance framework.

Reference: FAIR Institute resources

Unlock the rest

5 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $197 one-time, lifetime access.

Exam-day strategy

++Identify the domain first. CASP+ / SecurityX questions often have multiple plausible answers across domains; the right one belongs to the specific domain the scenario sets up.
++On PBQs, take the time to understand the scenario, then commit and move on. PBQs cannot always be revisited.
++Watch for scenarios where the right answer requires combining two layers (architecture + engineering, or governance + operations). The exam tests this synthesis.
++Post-quantum cryptography is a hot exam topic on CAS-005. Memorize the FIPS 203 / 204 / 205 mapping (ML-KEM, ML-DSA, SLH-DSA).
++Pace at roughly 105 seconds per question. 165 minutes for 90 questions is moderate.

Additional resources

Sources

Official CompTIA CASP+ exam page (certifying body)

Exam fee and blueprint last verified 2026-05-22. Confirm current values with the certifying body before scheduling the exam.

What the add-on ships

++Domain reviews mapped to the official CompTIA SecurityX (CAS-005) exam blueprint

++Four full-length performance-based-question mock exams aligned to CompTIA's enterprise-architecture scenario format

++Exam-day scenario walkthroughs covering risk management, enterprise security operations, and integration

++DoD 8140 mapping notes for CASP+/SecurityX qualifying work roles

++Direct link to the official CompTIA SecurityX exam page as the canonical reference

Exam summary

Domain reviews

Governance, Risk, and Compliance

Enterprise governance, risk management, third-party risk, compliance frameworks.

++Risk-management frameworks: NIST RMF, ISO 31000, FAIR (Factor Analysis of Information Risk)
++Compliance regimes: HIPAA, PCI DSS 4.0, GLBA, SOX, GDPR, CCPA / CPRA
++Third-party risk: vendor questionnaires (SIG, CAIQ), contract clauses, ongoing monitoring
++Privacy frameworks: data lifecycle, DSAR handling, privacy by design
++Security governance: charters, RACI, board reporting

Primary sources:

NIST SP 800-37 Rev. 2 Risk Management Framework

Security Architecture

Enterprise architecture, secure design, advanced cryptography.

++SASE / SSE architectures, zero trust
++Secure SDLC: threat modeling (STRIDE, PASTA), SAST, DAST, IAST
++Cryptography: PKI, HSMs, key escrow, post-quantum cryptography (NIST candidates: Kyber/ML-KEM, Dilithium/ML-DSA, SPHINCS+)
++Identity architecture: federation, OIDC, SAML, SCIM, FIDO2
++Cloud architecture: shared responsibility, multi-cloud, hybrid

Primary sources:

Security Engineering

Implementing the architecture: secure configuration, network security, endpoint, application.

++Network: NGFW, IDS/IPS, deception (canaries, honeypots), micro-segmentation
++Endpoint: EDR/XDR, secure boot, TPM, full-disk encryption
++Application: secure code review, WAF, RASP, container security
++Cloud workload: CSPM, CWPP, CNAPP
++Cryptographic engineering: TLS configuration, certificate transparency, OCSP stapling

Primary sources:

NIST SP 800-218 Secure Software Development Framework (SSDF)

Security Operations

SOC operations at expert level: detection engineering, threat hunting, vulnerability management.

++SOAR playbook design, integration with SIEM
++Threat-informed detection (MITRE ATT&CK-aligned analytics)
++Threat hunting hypotheses and methodology
++Vulnerability management lifecycle, exploitation-prediction prioritization (EPSS, CISA KEV)
++Cyber threat intelligence integration into operations

Primary sources:

Security Risk and Incident Response

Incident response at enterprise scale, business continuity, disaster recovery.

++Incident response lifecycle (NIST SP 800-61 Rev. 2) at enterprise scale
++Tabletop exercise design
++Business continuity: BIA, RTO, RPO, recovery strategies
++Disaster recovery: hot / warm / cold site, multi-region cloud DR
++Forensic readiness: chain of custody, e-discovery, legal hold

Primary sources:

Practice scenarios (6)

Preview scenario 1 of 6 · Governance, Risk, and Compliancefree preview

A CISO is selecting a quantitative risk-assessment methodology that produces a dollar-denominated loss-distribution curve rather than a single ALE point estimate. Which methodology fits?

A. NIST CSF
B. FAIR (Factor Analysis of Information Risk)
C. ISO/IEC 27001 Annex A
D. COBIT

Answer: B

Reference: FAIR Institute resources

Unlock the rest

5 more practice scenarios with full explanations and primary-source citations

The remaining scenarios cover every exam domain at the same depth as the preview above. Includes the exam-day strategy guide and additional study resources. $197 one-time, lifetime access.

Exam-day strategy

++Identify the domain first. CASP+ / SecurityX questions often have multiple plausible answers across domains; the right one belongs to the specific domain the scenario sets up.

++On PBQs, take the time to understand the scenario, then commit and move on. PBQs cannot always be revisited.

++Watch for scenarios where the right answer requires combining two layers (architecture + engineering, or governance + operations). The exam tests this synthesis.

++Post-quantum cryptography is a hot exam topic on CAS-005. Memorize the FIPS 203 / 204 / 205 mapping (ML-KEM, ML-DSA, SLH-DSA).

++Pace at roughly 105 seconds per question. 165 minutes for 90 questions is moderate.