Latest Update: Jun 22 2026
Correct Answer: A
A is correct: Improved security operations center (SOC) performance is the correct answer because Security Orchestration, Automation, and Response (SOAR) platforms are specifically designed to streamline and automate incident response workflows used by SOC teams. SOAR solutions integrate multiple security tools, automate repetitive analysis and response tasks, and orchestrate actions across security platforms. This allows analysts to handle more incidents with fewer manual steps, reduces response time, and improves operational efficiency within the SOC. In enterprise environments, SOAR improves analyst productivity by automating playbooks for detection and response activities, enabling the SOC to focus on higher-value investigative work rather than manual triage.
B is incorrect: Automated firewall log collection tasks describe a specific operational capability, but it does not represent the primary benefit of SOAR platforms. Log collection is typically handled by centralized logging or SIEM platforms rather than SOAR systems. While SOAR can integrate with SIEM tools and automate workflows triggered by logs, the act of collecting firewall logs itself is not the main advantage delivered by SOAR. Therefore, this option represents a narrow technical function rather than the broader operational improvement expected from implementing SOAR.
C is incorrect: Optimized cloud resource utilization relates to cloud cost management and infrastructure optimization rather than security orchestration. Technologies that optimize compute resources typically involve cloud management platforms, autoscaling mechanisms, or infrastructure monitoring tools. SOAR platforms focus on security operations automation and incident response rather than improving cloud resource efficiency. As a result, this option does not align with the core purpose of deploying SOAR in a security operations environment.
D is incorrect: Increased risk visibility may occur indirectly when security processes become more organized, but this is not the primary or most immediate benefit of a SOAR implementation. Risk visibility is typically achieved through governance, risk management platforms, or security analytics tools such as SIEM. SOAR primarily focuses on orchestrating response activities and automating incident handling rather than performing risk analysis or providing high-level risk management insights. Consequently, this option is less aligned with the operational purpose of SOAR in detection and response environments.
Select all that apply
Correct Answers: B, F
A is incorrect: This option is incorrect because Type is not a defined field within the Subject Alternative Name (SAN) certificate extension. The SAN extension (RFC 5280 section 4.2.1.6) is a sequence of GeneralName values, and each value is one of a fixed set of identity forms: dNSName, rfc822Name (email address), iPAddress, uniformResourceIdentifier, directoryName, otherName and a few others. The form of each entry is expressed by its ASN.1 tag, not by a separately configurable "type" field. Therefore, "Type" is not an explicit SAN entry that can be configured in certificate templates.
B is correct: This is a correct answer. The email address entry (rfc822Name) is an explicit option within the Subject Alternative Name (SAN) extension. It allows a certificate to be associated with an email address in addition to or instead of the primary subject identity. This is commonly used in certificates for secure email (S/MIME), where the certificate must bind the key to an email address for encryption or digital signing purposes. Within PKI certificate templates, SAN email entries identify the subject associated with the certificate and provide additional identity information for documentation and validation. Including email addresses within SAN entries helps ensure that certificates can be used for identity verification beyond simple host authentication.
C is incorrect: This option is incorrect because an OCSP responder is part of the certificate status validation infrastructure, not an identity field in the SAN extension. Online Certificate Status Protocol (OCSP) is used to determine whether a certificate has been revoked by querying a validation service operated by the certificate authority. The OCSP responder URL is carried in the Authority Information Access (AIA) extension of a certificate (alongside the caIssuers URL) rather than in the Subject Alternative Name extension. Therefore, it is not an explicit SAN field that can be used for identity documentation.
D is incorrect: This option is incorrect because a Registration Authority (RA) is a component of a PKI architecture responsible for validating certificate requests before they are approved by the Certificate Authority (CA). The RA performs identity verification and request approval processes. However, the role of an RA is part of the PKI infrastructure and operational workflow, not an identity attribute included within the SAN extension of a certificate. Therefore, it is not a valid SAN field option.
E is incorrect: This option is incorrect because the Common Name (CN) is part of the Subject field of a certificate rather than the Subject Alternative Name extension. Historically, CN was used to identify hostnames in TLS certificates, but RFC 2818 deprecated that use and RFC 6125 directs clients to match server names against SAN entries; Chrome has ignored the CN entirely since version 58 and other major browsers have followed. While the CN remains a component of the certificate's Subject, it is not an option within the SAN extension itself and is not what modern clients use to validate a server name. Therefore, it does not satisfy the requirement of identifying fields explicitly contained in the SAN extension.
F is correct: This is a correct answer. A DNS name is one of the most common fields within the Subject Alternative Name (SAN) extension. It allows a certificate to be associated with one or more domain names, enabling a single certificate to secure multiple hostnames or services. For example, SAN entries may include example.com, www.example.com, and other related domains within the same certificate. In modern TLS implementations, DNS names in the SAN extension are the primary method used by browsers and systems to validate server identity. Including DNS entries in SAN fields provides explicit documentation and verification of which domain names the certificate is intended to secure.
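To make the point about what the SAN extension does and does not contain concrete, here is an added example (not part of the original question bank) that encodes and decodes the DER GeneralNames value of a SAN extension in pure Python, following RFC 5280. The entry kinds are fixed by context-specific ASN.1 tags: [1] rfc822Name (email), [2] dNSName, [6] uniformResourceIdentifier and [7] iPAddress are handled here; there is no tag for a "Type" field, a Common Name or an OCSP responder, and asking for one raises an error. The sample names are constructed for the demonstration.

```python
"""Encode and decode the GeneralNames value of an X.509 Subject Alternative
Name extension (RFC 5280 section 4.2.1.6) in pure Python, with no external
library, to show which identity forms the extension actually carries.
Added example; the sample names below are constructed."""
import ipaddress

# Context-specific tag numbers from the GeneralName CHOICE in RFC 5280.
# There is no "type", "commonName" or "ocsp" alternative in this CHOICE.
TAG_RFC822NAME = 1   # email address, IA5String
TAG_DNSNAME = 2      # host name, IA5String
TAG_URI = 6          # uniformResourceIdentifier, IA5String
TAG_IPADDRESS = 7    # OCTET STRING holding 4 (IPv4) or 16 (IPv6) raw bytes

KIND_TO_TAG = {"email": TAG_RFC822NAME, "dns": TAG_DNSNAME,
               "uri": TAG_URI, "ip": TAG_IPADDRESS}
TAG_TO_KIND = {v: k for k, v in KIND_TO_TAG.items()}


def der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_general_names(entries):
    """entries: list of (kind, value) -> DER-encoded GeneralNames SEQUENCE."""
    out = b""
    for kind, value in entries:
        if kind not in KIND_TO_TAG:
            raise ValueError("not a GeneralName alternative: %r" % (kind,))
        if kind == "ip":
            payload = ipaddress.ip_address(value).packed
        else:
            payload = value.encode("ascii")  # IA5String is 7-bit ASCII
        # Tag octet: context-specific class (0x80), primitive, tag number.
        out += bytes([0x80 | KIND_TO_TAG[kind]]) + der_length(len(payload)) + payload
    return b"\x30" + der_length(len(out)) + out  # 0x30 = SEQUENCE


def read_length(buf, i):
    """Return (length, index of the first content octet) starting at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def decode_general_names(der):
    """Parse a DER GeneralNames SEQUENCE back into (kind, value) tuples."""
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    total, i = read_length(der, 1)
    end = i + total
    entries = []
    while i < end:
        tag = der[i] & 0x1F            # strip class/constructed bits
        length, i = read_length(der, i + 1)
        payload = der[i:i + length]
        i += length
        kind = TAG_TO_KIND.get(tag)
        if kind is None:
            entries.append(("unsupported-tag-%d" % tag, payload))
        elif kind == "ip":
            entries.append((kind, str(ipaddress.ip_address(payload))))
        else:
            entries.append((kind, payload.decode("ascii")))
    return entries


if __name__ == "__main__":
    names = [("dns", "example.com"), ("dns", "www.example.com"),
             ("email", "admin@example.com"), ("ip", "192.0.2.10"),
             ("uri", "https://example.com/")]
    der = encode_general_names(names)
    print(der.hex())
    print(decode_general_names(der))
```

The decoder keeps unknown tags rather than failing so that a certificate with, say, a directoryName entry still parses; the encoder deliberately refuses anything outside the four supported kinds, which is the behaviour a certificate template enforces when it only offers concrete identity forms.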
Correct Answer: A
A is correct: File integrity monitoring (FIM) tracks and verifies the integrity of critical system files by calculating cryptographic hashes (and usually permissions, ownership and size) and periodically checking them against a stored baseline. When a monitored file changes unexpectedly, such as a system binary, configuration file, or security policy, the system generates an alert indicating potential unauthorized modification. CASP+ security operations guidance highlights FIM as a key control for detecting tampering with critical operating system or application files and for supporting incident detection and forensic investigation. The baseline itself must be protected (stored off-host or signed), because an attacker who can rewrite the baseline can hide the very change FIM is meant to catch.
B is incorrect: Link aggregation combines multiple network connections into a single logical link to increase bandwidth and provide redundancy. While beneficial for network performance and availability, it does not monitor or detect modifications to files on a system.
C is incorrect: WAN optimization improves the performance of data transfers across wide area networks through techniques such as caching, compression, and traffic shaping. These optimizations affect network efficiency but do not provide visibility into changes made to system files or configurations.
D is incorrect: Certificate stapling, more precisely OCSP stapling, is a TLS optimization technique in which a server includes a CA-signed Online Certificate Status Protocol (OCSP) response for its own certificate during the TLS handshake. This spares the client a separate revocation lookup and reduces handshake latency, but it does not detect modifications to files on an endpoint or server.
Correct Answer: B
A is incorrect: Redundancy refers to duplicating critical components such as servers, network paths, or storage systems to increase availability and resilience. While redundancy can support disaster recovery by reducing single points of failure, it is primarily a system design strategy rather than a core element that must be documented within the disaster recovery plan itself. A disaster recovery plan focuses on procedures, roles, and validation processes for restoring operations after a disruption.
B is correct: Testing exercises are a critical component of a disaster recovery plan because they validate whether recovery procedures actually work during an incident. Organizations must regularly perform tests such as simulations, tabletop exercises, or failover drills to ensure that recovery time objectives (RTOs) and recovery point objectives (RPOs) can be achieved. Including testing exercises in the plan ensures personnel are familiar with recovery procedures and that the recovery strategy remains effective and up to date.
C is incorrect: Autoscaling is a cloud infrastructure capability that automatically adjusts compute resources based on demand. While autoscaling can improve system availability and performance, it is primarily an operational scalability feature rather than a disaster recovery planning component. Disaster recovery plans focus on restoring services after outages rather than dynamically scaling systems during normal operation.
D is incorrect: Competitor locations refer to the geographic locations of competing organizations and are unrelated to disaster recovery planning. Disaster recovery planning focuses on restoring organizational systems, infrastructure, and services following a disruption. Information about competitors does not contribute to the organization’s ability to recover from disasters or outages.
Correct Answer: A
A is correct: This is correct. In the Infrastructure as a Service shared responsibility model, the cloud provider secures the underlying infrastructure such as physical data centers, networking, and virtualization layers. However, the customer remains responsible for securing the operating systems, applications, and data hosted within that infrastructure. In this case, the breach occurred due to a SQL injection vulnerability in the web application, which means the application built database queries from untrusted input instead of using parameterized queries and input validation. Because the pharmaceutical company deployed and manages the application running on the IaaS infrastructure, it is ultimately responsible for securing the application layer and preventing such vulnerabilities.
B is incorrect: This is incorrect. The cloud provider operating under the IaaS model is responsible for securing the underlying infrastructure that supports customer workloads. This includes physical servers, storage hardware, networking, and hypervisor layers. However, the provider does not control or secure the customer’s applications or databases running on virtual machines. Since the attack exploited a vulnerability in the web portal application through SQL injection, the breach occurred above the infrastructure layer and therefore falls outside the CSP’s primary responsibility in the shared responsibility model.
C is incorrect: This is incorrect. A web portal software vendor may provide the original application framework or platform, but the organization deploying the application remains responsible for securely configuring, maintaining, and validating the software. SQL injection vulnerabilities typically arise from improper input validation or insecure coding practices implemented within the deployed application environment. Even if the vendor provided the original software, the organization operating it is responsible for implementing secure coding controls and security testing before deployment.
D is incorrect: This is incorrect. The database software vendor provides the database platform itself, but database engines are not responsible for validating application inputs before queries are executed. SQL injection attacks exploit weaknesses in the application layer that constructs database queries improperly. The database software simply processes the queries it receives. Therefore, the vulnerability exists in the application interacting with the database rather than in the database software itself.
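To show why the defect sits in the application rather than in the database engine or the provider's infrastructure, here is an added example (not part of the original question bank) with a constructed in-memory SQLite user table. The first login function concatenates user input into SQL, so the engine faithfully executes the injected syntax; the second binds the same input as parameters and the injection payloads simply fail to authenticate. Passwords are stored in clear only to keep the example short; a real application stores a salted hash.

```python
"""Vulnerable versus parameterized login query, side by side.
Added example using an in-memory SQLite database with constructed rows."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Cleartext passwords only for brevity; use a salted hash in real code.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct-horse", "analyst"),
                      ("admin", "hunter2", "admin")])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenates untrusted input into SQL. The database engine executes
    whatever string the application hands it, so injected syntax is honoured."""
    sql = ("SELECT username, role FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, username, password):
    """Bound parameters travel as data and are never parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


def demo():
    conn = make_db()
    comment_payload = "admin' --"   # closes the string, comments out the password check
    tautology = "' OR '1'='1"       # makes the WHERE clause always true
    return {
        "vulnerable_comment": login_vulnerable(conn, comment_payload, "anything"),
        "vulnerable_tautology": login_vulnerable(conn, "x", tautology),
        "parameterized_comment": login_parameterized(conn, comment_payload, "anything"),
        "parameterized_tautology": login_parameterized(conn, "x", tautology),
        "legitimate": login_parameterized(conn, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    for case, row in demo().items():
        print("%-24s -> %r" % (case, row))
```

The database vendor's engine behaves identically in both functions; the only difference is whether the application let attacker-controlled text reach the parser as SQL, which is exactly the layer the customer owns under IaaS.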
Correct Answer: C
A is incorrect: Risk transfer involves shifting the financial impact of a risk to a third party, typically through mechanisms such as insurance or outsourcing. While this can reduce the financial burden if a security incident occurs, it usually involves paying premiums or contractual costs. In the scenario presented, the cost of implementing anti-malware controls already exceeds the expected loss from the threat. Introducing additional costs through risk transfer would therefore not be the most cost-effective response.
B is incorrect: Risk mitigation refers to implementing security controls to reduce the likelihood or impact of a threat. Installing anti-malware software is an example of risk mitigation because it reduces the chance that malware will compromise systems. However, the scenario states that the cost of the anti-malware solution exceeds the expected loss from the malware threat. According to risk management principles, implementing a control that costs more than the potential loss is not economically justified.
C is correct: Risk acceptance occurs when an organization determines that the cost of implementing controls exceeds the expected impact of the risk and therefore decides to tolerate the risk without additional safeguards. In this scenario, the potential loss from a malware threat is lower than the cost of deploying anti-malware protection. Accepting the risk becomes the most cost-effective option because spending resources on mitigation would exceed the financial impact of the threat. CASP+ risk management guidance emphasizes that organizations may accept risks when mitigation costs outweigh potential losses.
D is incorrect: Risk avoidance involves eliminating the activity that introduces the risk altogether. For example, avoiding malware risk could mean disconnecting systems from networks or not using the affected technology. While this removes the risk, it often prevents the organization from performing necessary business functions. In the context of the scenario, avoidance would likely introduce operational disruption and is not the most practical or cost-effective response compared to simply accepting the low-level risk.
Correct Answer: A
A is correct: A is the correct answer. A source code escrow agreement stores the vendor’s source code with a trusted third party and releases it to the customer if predefined conditions occur, such as the vendor going out of business or ceasing support. In the context of a mission-critical application delivered by a new and potentially unstable vendor, escrow mitigates vendor lock-in and operational continuity risk. If the developer stops supporting the product, the organization can access the source code and continue maintaining or modifying the software internally or through another development team. CASP+ study materials emphasize that escrow agreements are used to protect organizations from vendor failure by ensuring access to the application’s source code for maintenance and further development, which directly preserves business continuity.
B is incorrect: B is incorrect. A source code escrow agreement does not grant the organization authority to compel a third-party developer to continue support. Escrow arrangements are designed as a contingency mechanism, not an enforcement mechanism. If the vendor stops operations or support, the escrow release condition allows the organization to obtain the code, but it does not legally obligate the vendor to resume development or support services. From a CASP+ governance perspective, escrow mitigates operational risk through access and continuity, not contractual enforcement of vendor activity.
C is incorrect: C is incorrect. Source code escrow does not give the organization control over the vendor’s development lifecycle, coding practices, or internal processes. Governance of the developer’s processes would require contractual oversight, audits, or development management frameworks. Escrow is specifically focused on ensuring future access to intellectual property if the vendor fails, rather than supervising how the software is created or maintained during normal operations. Therefore, it does not provide operational management authority over the third-party developer.
D is incorrect: D is incorrect. Escrow agreements do not include financial compensation provisions that require the vendor to fund a replacement development team. The mechanism simply ensures that the source code and relevant build materials are released under specific triggering conditions. While the organization could hire a new development team after obtaining the source code, the escrow itself does not provide funding for that activity. Consequently, this option misrepresents the purpose and function of source code escrow in risk management and business continuity planning.
Select all that apply
Correct Answers: C, E
A is incorrect: A. The view-source feature of the web browser. The page source view in a browser shows the static HTML of the login page. While this may reveal the form action and the names of its input fields, it does not expose the request as actually sent: headers, cookies, parameters added or renamed by JavaScript, or the response the server returns on a failed login. Since brute-force tools require precise information such as the POST request structure and the failure response, viewing page source alone would not provide sufficient insight into the request/response exchange.
B is incorrect: B. The logs from the web server.Web server logs record requests that have already been processed by the server and may include IP addresses, timestamps, and request paths. However, penetration testers typically do not have direct access to production web server logs during testing engagements. Even if logs were available, they are not the most efficient method for capturing request headers, POST parameters, or authentication error strings needed to configure brute-force tools. Therefore, this option would not be the best approach for gathering the required information.
C is correct: C. The inspect feature from the web browser.This is a correct answer because the browser’s developer tools (inspect feature) allow the tester to view the network traffic generated by the login form, including POST requests, parameter names, request headers, and server responses. By observing the network tab during a login attempt, the tester can identify the POST URL, form variables such as username and password fields, and the error message returned by the application when authentication fails. This information is essential when configuring brute-force utilities.
D is incorrect: D. A tcpdump from the web server. Packet captures from the web server could theoretically reveal HTTP traffic details, including POST requests and responses. However, obtaining a packet capture from the server requires administrative access and may introduce operational complexity. Additionally, encrypted HTTPS traffic would limit visibility unless decryption is performed. Because the tester can gather the necessary data more easily through browser tools or intercepting proxies, this option is not the most practical choice.
E is correct: E. An HTTP interceptor.This is a correct answer because an HTTP interception proxy (such as Burp Suite or OWASP ZAP) allows testers to capture, inspect, and modify HTTP requests and responses in real time. Using an interceptor, the tester can clearly identify request headers, POST parameters, authentication endpoints, and error strings returned by the application during failed login attempts. This level of visibility is exactly what brute-force utilities require to properly configure automated login attempts.
F is incorrect: F. The website certificate viewed via the web browser.Viewing the website’s TLS certificate provides information about the encryption configuration, certificate authority, and domain validation details. However, it does not reveal HTTP request structures, POST parameters, or authentication responses. Since the brute-force tool requires request-level details rather than encryption metadata, examining the certificate would not help the tester gather the necessary information.
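As an added example (not from the original question bank), the script below takes the raw request and response a tester would copy out of an interception proxy or the browser's network tab and pulls out what a brute-force tool needs: method, host, path, the parameter names, which of them carry the username and password, any per-request token, the session cookie, and the string that marks a failed login. It then renders those facts in the http-post-form syntax THC Hydra accepts. The captured request and response are constructed; the host name, cookie value and token are placeholders.

```python
"""Derive brute-force tool parameters from an intercepted login exchange.
Added example; the request/response pair below is constructed."""
import re
from urllib.parse import parse_qsl

CAPTURED_REQUEST = (
    "POST /portal/login HTTP/1.1\r\n"
    "Host: portal.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PHPSESSID=abc123\r\n"
    "Content-Length: 59\r\n"
    "\r\n"
    "username=test&password=wrong&csrf_token=9f1c2a&submit=Login"
)
CAPTURED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><div class='error'>Invalid username or password</div></body></html>"
)

USER_HINTS = ("user", "login", "email")
PASSWORD_HINTS = ("pass", "pwd", "secret")


def parse_http(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    start, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start, headers, body


def extract_login_profile(raw_request, raw_response):
    start, headers, body = parse_http(raw_request)
    method, path, _ = start.split(" ", 2)
    if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
        raise ValueError("only form-encoded bodies are handled in this example")
    params = dict(parse_qsl(body, keep_blank_values=True))
    user_field = next((p for p in params if any(h in p.lower() for h in USER_HINTS)), None)
    pass_field = next((p for p in params if any(h in p.lower() for h in PASSWORD_HINTS)), None)
    # Anti-CSRF tokens must be refreshed on every attempt; flag them.
    tokens = [p for p in params if "csrf" in p.lower() or "token" in p.lower()]
    status_line, _, resp_body = parse_http(raw_response)
    status = int(status_line.split(" ")[1])
    # The failure page here is a 200, so the status code cannot distinguish
    # success from failure; the tool needs the visible error text instead.
    m = re.search(r"class=['\"]error['\"]>([^<]+)<", resp_body)
    return {
        "method": method, "host": headers.get("host"), "path": path,
        "cookie": headers.get("cookie"), "params": params,
        "user_field": user_field, "pass_field": pass_field,
        "per_request_tokens": tokens,
        "failure_status": status,
        "failure_string": m.group(1).strip() if m else None,
    }


def hydra_post_form(profile):
    """Render the profile as a Hydra http-post-form target string."""
    data = "&".join(
        "%s=%s" % (k, "^USER^" if k == profile["user_field"]
                   else "^PASS^" if k == profile["pass_field"] else v)
        for k, v in profile["params"].items())
    parts = [profile["path"], data]
    if profile["cookie"]:
        parts.append("H=Cookie: %s" % profile["cookie"])
    parts.append("F=%s" % profile["failure_string"])
    return ":".join(parts)


if __name__ == "__main__":
    prof = extract_login_profile(CAPTURED_REQUEST, CAPTURED_RESPONSE)
    print(prof)
    print(hydra_post_form(prof))
```

Note what the output flags: because csrf_token appears in per_request_tokens, the rendered Hydra string (which freezes the captured token value) will not work as-is against an application that rotates the token; that is the case where a tester drives the attempts through the proxy's own automation or a short custom script that fetches a fresh token before each POST.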
Correct Answer: B
A is incorrect: Including all available cipher suites affects how TLS sessions negotiate encryption algorithms but does not influence certificate deployment across multiple subdomains. Cipher suites determine encryption strength and compatibility during TLS negotiation, not how certificates are structured or reused across domains. Therefore, enabling additional cipher suites would not reduce the number of certificates required for multiple web applications.
B is correct: A wildcard certificate allows a single certificate to secure multiple subdomains under the same base domain, such as *.example.com. In environments implementing SSL inspection where several applications will be deployed using different subdomains, a wildcard certificate lets the inspection device present a valid certificate for all of those subdomains without deploying a separate certificate for each one. This simplifies certificate management and supports scalable inspection across multiple services. Two caveats matter in practice: a wildcard matches exactly one label, so *.example.com covers app.example.com but neither example.com itself nor a.app.example.com, and the private key of a wildcard certificate held on an inspection device is a single high-value secret whose compromise affects every host under that domain.
C is incorrect: Using a third-party certificate authority (CA) determines who issues and signs the certificate but does not eliminate the need for separate certificates across multiple subdomains. Whether the certificate is issued internally or by a public CA, individual certificates would still be required unless a wildcard certificate is used. Therefore, selecting a third-party CA alone does not solve the deployment requirement described.
D is incorrect: Certificate pinning forces an application or client to trust only a specific certificate or public key associated with a service. This mechanism is designed to prevent man-in-the-middle attacks by rejecting certificates that do not match the pinned value. However, certificate pinning actually interferes with SSL inspection because the inspection device presents its own certificate to decrypt and re-encrypt traffic. As a result, pinning would prevent inspection rather than enable it.
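The reach of a wildcard is narrower than people often assume, so here is an added example (not part of the original question bank) implementing the host-name matching rule from RFC 6125 section 6.4.3 in the strict form current browsers apply: the wildcard must be the whole left-most label, it matches exactly one label, and it never covers the bare domain or a public-suffix-wide name such as *.com. The host names used are constructed.

```python
"""Does a (wildcard) certificate name cover a given host name?
Implements the strict RFC 6125 left-most-label rule that browsers use.
Added example; host names are constructed."""


def hostname_matches(cert_name, hostname):
    """Return True if hostname is covered by the presented certificate name."""
    cert = cert_name.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in cert:
        return cert == host                   # plain dNSName: exact match only
    cert_labels = cert.split(".")
    host_labels = host.split(".")
    # Only a bare "*" as the entire left-most label is accepted; partial
    # wildcards ("f*.example.com") and wildcards deeper in the name are not.
    if cert_labels[0] != "*" or any("*" in lbl for lbl in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False                          # "*.com" is not a legitimate name
    if len(host_labels) != len(cert_labels):
        return False                          # one label only: no bare domain,
                                              # no a.b.example.com
    return host_labels[1:] == cert_labels[1:]


def covered(cert_name, hostnames):
    """Map each candidate host name to whether cert_name covers it."""
    return {h: hostname_matches(cert_name, h) for h in hostnames}


if __name__ == "__main__":
    wanted = ["www.example.com", "api.example.com", "example.com",
              "dev.api.example.com", "www.example.org"]
    for name, ok in covered("*.example.com", wanted).items():
        print("%-24s %s" % (name, "covered" if ok else "NOT covered"))
```

Running covered() against the planned host list before buying the certificate tells you immediately which applications still need their own SAN entry or a second wildcard at a deeper level.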
Correct Answer: C
A is incorrect: Network load balancers distribute incoming traffic across multiple backend servers to improve availability, scalability, and performance. They operate primarily at the transport or application layer and are used to ensure service reliability rather than enforce granular access control. While a load balancer can help manage application traffic, it does not restrict users to a single application or prevent network exposure. It also does not enforce identity-based or context-aware access decisions. Therefore, a load balancer does not satisfy the requirement to allow contractors to access only one internal application without exposing the broader network environment.
B is incorrect: IPSec VPN provides secure encrypted connectivity between remote users and an internal network. Although VPNs protect communications in transit and authenticate users, they typically grant broad network access once the tunnel is established. This traditional perimeter-based approach exposes the internal network to the remote user, even if access restrictions are later applied through segmentation controls. In the scenario, the organization explicitly wants to avoid exposing the internal network and instead provide access to only a single application. Since VPNs generally extend the network boundary rather than isolate application access, this option is not the best choice.
C is correct: Zero Trust Network Access (ZTNA) is the correct answer because it enables application-level access without exposing the underlying network infrastructure. ZTNA solutions enforce identity-based authentication, device posture validation, and contextual risk evaluation before granting access to specific resources. Instead of placing users inside the network like a VPN, ZTNA brokers connections directly to the authorized application only. This architecture aligns with Zero Trust principles such as least privilege and continuous verification. By limiting contractors to a single application and preventing direct network visibility, ZTNA effectively reduces the attack surface while maintaining secure remote access capabilities.
D is incorrect: Reverse proxies sit between clients and backend servers, forwarding requests to internal applications while masking the internal infrastructure. They can provide some level of isolation and protection by preventing direct exposure of backend servers. However, reverse proxies primarily focus on traffic routing, caching, and application protection (such as integration with web application firewalls). They do not inherently provide the identity-centric, device posture, and policy-based access controls required to securely grant contractors limited access to a single internal application. Therefore, while they can support secure application publishing, they do not fully address the Zero Trust access requirement described in the scenario.
