The latest changes and updates from the administration for this exam.
Latest Update: Jun 22 2026
All questions are working fine.
Correct Answer: A
A is correct: The Registration Authority (RA) is responsible for verifying the identity of entities requesting certificates before forwarding approved certificate signing requests to the Certificate Authority. During the PKI enrollment process, the RA performs subject identity validation to ensure the requester is legitimate and meets policy requirements. If the subject identity validation fails, the request is rejected at this stage before certificate issuance occurs. CASP+ materials describe the RA as the component responsible for validating identity and approving or rejecting certificate requests before they reach the CA.
B is incorrect: Online Certificate Status Protocol (OCSP) is used to check the revocation status of certificates that have already been issued. It allows systems to determine whether a certificate is still valid or has been revoked. OCSP does not participate in the identity validation or certificate enrollment process.
C is incorrect: The Certificate Authority (CA) issues and signs digital certificates after receiving validated certificate signing requests. However, the CA typically relies on the Registration Authority to perform identity verification. The failure described in the scenario relates specifically to subject identity validation, which occurs before the CA issues the certificate.
D is incorrect: An Identity Provider (IdP) is used in identity federation and authentication systems such as SAML or OAuth to authenticate users and provide identity assertions to relying services. It is not directly involved in the PKI certificate enrollment process or certificate identity validation performed during certificate issuance.
Correct Answer: A
A is correct: A legal records hold (legal hold) requires an organization to preserve all information relevant to the pending litigation so that it can be used during legal discovery. This typically involves identifying and preserving communications, documents, emails, logs, and other records that match the criteria specified by legal counsel, such as particular search terms, individuals, or timeframes. The preservation process is closely tied to the e-discovery process, where relevant electronically stored information must be retained and made available for legal review. Preserving communications that match the requested search terms ensures the organization complies with legal obligations and avoids accusations of evidence spoliation.
B is incorrect: Blocking communication with the customer while litigation is ongoing is not a standard requirement of a legal hold. A legal hold focuses on preserving existing and future records related to the matter, not restricting business communications. Organizations may continue normal operations and communication unless otherwise directed by legal counsel. Therefore, blocking communication would not directly fulfill the requirement of preserving evidence for litigation.
C is incorrect: Training employees on legal record holds can be part of a broader compliance or governance program, but it does not represent the immediate operational action required once a legal hold is issued. The purpose of a legal hold is to ensure relevant records are preserved for litigation, and training alone does not ensure that relevant communications and documents are retained for the specific case.
D is incorrect: Requesting that all users not delete any files is overly broad and not aligned with how legal holds are typically implemented. Legal holds generally target specific records, custodians, or topics related to the litigation rather than halting deletion across the entire organization. This option may also disrupt normal retention policies without guaranteeing that the correct records related to the case are preserved.
Correct Answer: B
A is incorrect: NIST SP 800-53 is a catalog of security and privacy controls used to secure federal information systems and guide compliance-based security programs. While it is valuable for implementing organizational security controls and governance, it is not designed as a threat-hunting or adversary behavior framework. It focuses on security control baselines rather than mapping adversary tactics, techniques, and procedures (TTPs). Therefore, it is not the most appropriate framework for analyzing suspected APT activity.
B is correct: MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures based on real-world attack observations. It provides a structured framework that threat hunting teams can use to identify attacker behavior across the entire attack lifecycle. By mapping suspicious activity to ATT&CK techniques, analysts can detect advanced persistent threats, understand adversary behavior, and identify gaps in defensive controls. Because APT campaigns typically involve multiple stages and stealthy techniques, MITRE ATT&CK is widely used for threat hunting, detection engineering, and incident analysis.
C is incorrect: The Cyber Kill Chain is a model developed by Lockheed Martin that describes the stages of an attack, including reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. While it helps analysts understand the general progression of attacks and improve defensive controls at different stages, it is more conceptual and less granular than frameworks designed specifically for threat hunting. It does not provide the detailed mapping of adversary techniques required for identifying APT behavior within networks.
D is incorrect: The Diamond Model of Intrusion Analysis focuses on analyzing relationships between four elements of an intrusion: adversary, infrastructure, capability, and victim. This model is useful for intelligence analysis and understanding attack campaigns, but it is not primarily designed as a practical framework for detecting adversary techniques within network activity. For threat hunting teams attempting to identify specific attacker behaviors associated with APT activity, the MITRE ATT&CK framework provides more operational guidance.
Select all that apply
Correct Answers: E, F
A is incorrect: Regression testing verifies that previously working functionality still works after changes are introduced to software. It is primarily used in the development lifecycle when source code changes are made. In this scenario, the organization only has compiled binaries, meaning regression testing cannot effectively evaluate the internal security posture or vulnerabilities of the application prior to production deployment.
B is incorrect: Static Application Security Testing (SAST) analyzes source code, bytecode, or binaries without executing the application. While some SAST tools can analyze compiled artifacts, they are typically designed for source code analysis during development. Since the scenario specifically states that the applications are provided only as compiled binaries and not integrated into the development lifecycle, traditional SAST approaches are not the most suitable primary analysis technique.
C is incorrect: Third-party dependency management tools track open-source libraries and dependencies used in applications to identify known vulnerabilities. However, these tools generally rely on access to source code or build manifests (such as package files) to determine dependency usage. Because the organization only receives compiled binaries, dependency management tools would not provide effective analysis of the application’s behavior or vulnerabilities.
D is incorrect: IDE SAST refers to static analysis tools integrated directly within development environments to help developers identify vulnerabilities while writing code. Since the organization is evaluating third-party compiled binaries, there is no development environment or source code available for analysis. Therefore, IDE-based SAST tools would not be applicable.
E is correct: Fuzz testing is a dynamic testing technique that sends large volumes of malformed or unexpected inputs to an application to observe crashes, memory errors, or unexpected behavior. CASP+ software assurance practices highlight fuzzing as a useful technique for identifying vulnerabilities in applications where source code is not available, making it particularly suitable for analyzing compiled binaries before deployment.
F is correct: Interactive Application Security Testing (IAST) combines elements of static and dynamic analysis by monitoring application behavior during runtime while interacting with the application. IAST tools instrument the running application and analyze internal execution flows and vulnerabilities as they occur. CASP+ materials identify IAST as effective for analyzing application behavior when testing compiled applications within controlled environments, providing insight into vulnerabilities that occur during execution.
Correct Answer: C
A is incorrect: Root cause analysis (RCA) is a post-incident investigation process used to determine the underlying cause of a security event. The goal is to understand why the incident occurred and identify contributing factors so that preventative controls can be improved. While RCA provides valuable insights for improving security posture, it is primarily an analytical report rather than a practical operational guide for responding to incidents. Because the question asks for a reference guide for the SOC team to use during future incidents, root cause analysis does not directly fulfill that requirement.
B is incorrect: A communication plan defines how information about incidents should be communicated to stakeholders, including internal teams, management, legal departments, and potentially external entities such as regulators or customers. It outlines communication channels, escalation paths, and reporting timelines. Although this is an important component of incident response planning, it does not provide detailed operational instructions for analysts responding to security events. Therefore, it does not serve as the most appropriate reference guide for handling future incidents.
C is correct: A runbook is a documented set of procedures that provides step-by-step operational instructions for responding to specific incidents or performing security operations tasks. In a SOC environment, runbooks are commonly used to standardize incident response processes, ensuring analysts follow consistent procedures when investigating alerts, containing threats, and performing remediation activities. These documents act as practical reference guides for the team and are particularly valuable during high-pressure situations where quick, structured responses are required. Because the SOC analyst was asked to create a reference guide for the entire team to use during future incidents, developing a runbook is the most appropriate solution.
D is incorrect: Lessons learned documentation is typically produced after an incident response effort is completed. It summarizes observations, identifies what worked well, highlights weaknesses in the response process, and recommends improvements to policies or controls. While this documentation supports organizational learning and continuous improvement, it does not provide operational procedures for responding to incidents. Instead, it informs future planning and process refinement. Therefore, lessons learned is not the best option for creating a practical response reference guide.
Correct Answer: C
A is incorrect: Shared accounts allow multiple users to authenticate using the same credentials. This practice reduces accountability and auditability because individual user actions cannot be easily traced. While shared accounts present a security risk and are generally discouraged, implementing or modifying policies related to shared accounts does not directly address brute-force authentication attempts. The issue described in the scenario concerns repeated login attempts, which requires a control that actively limits authentication attempts rather than addressing account ownership.
B is incorrect: Password complexity requirements already exist in the environment. The policy specifies a minimum length of 15 characters, the use of numbers, and the inclusion of capital letters. These rules are designed to strengthen passwords and reduce the effectiveness of dictionary or guessing attacks. However, complexity rules alone do not prevent an attacker from repeatedly attempting authentication in a brute-force attack. Because these requirements are already in place, adding more complexity rules would not directly mitigate the brute-force vulnerability described.
C is correct: Account lockout policies are the correct answer because they limit the number of failed login attempts allowed before an account is temporarily locked. This control prevents attackers from repeatedly attempting password guesses against an account. After a defined number of failed attempts, the account becomes unavailable for authentication until a specified lockout duration expires or administrative intervention occurs. By restricting the number of login attempts within a time period, account lockout policies significantly reduce the effectiveness of brute-force attacks against authentication systems.
D is incorrect: Password history policies prevent users from reusing previously used passwords within a defined number of password changes. The scenario already specifies that passwords cannot be one of the last 12 passwords used, which indicates that a password history control is already implemented. While password history improves long-term password hygiene, it does not prevent an attacker from performing repeated login attempts against an account. Therefore, this option does not address the brute-force risk.
E is incorrect: Time-based login restrictions limit when users are permitted to authenticate to systems, typically by restricting login activity to specific hours or work schedules. While this control can reduce the window of opportunity for unauthorized access attempts, it does not directly prevent brute-force attacks if the attacker attempts authentication during permitted login periods. Because the primary issue described is susceptibility to repeated password guessing attempts, time-based login restrictions would not be the most effective additional control.
Correct Answer: A
A is correct: Zigbee is the correct answer because it is a wireless communication protocol specifically designed for low-power, low-data-rate personal area networks (PANs). Zigbee operates using small digital radios and is optimized for environments such as IoT and industrial automation where many devices must communicate efficiently while consuming minimal power. A key feature of Zigbee networks is their mesh topology, which allows support for a large number of nodes while maintaining reliability and extended coverage through device-to-device communication.
B is incorrect: Wi-Fi is designed for wireless local area networks (WLANs) and supports higher bandwidth and longer range than PAN technologies. However, it generally consumes significantly more power and is not optimized for low-power embedded devices or large sensor networks. While Wi-Fi can support many clients, it is not intended for the low-power mesh networking model used in IoT PAN environments. Therefore, it does not best meet the scenario’s requirements.
C is incorrect: Controller Area Network (CAN) is a communication protocol primarily used in automotive and embedded systems to allow microcontrollers and devices to communicate without a host computer. CAN networks operate over wired connections and are typically used in vehicle systems or industrial automation environments. They are not wireless PAN protocols using low-power radios and therefore do not match the requirements described in the question.
D is incorrect: Modbus is a communication protocol widely used in industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments. It typically operates over serial communication or TCP/IP networks and is designed for device communication in industrial automation systems. Modbus is not a wireless low-power PAN protocol and does not rely on small digital radios or mesh networking capabilities.
E is incorrect: Distributed Network Protocol version 3 (DNP3) is another protocol commonly used in SCADA and utility environments for communication between control systems and remote devices. It operates primarily over serial or IP networks and is designed for reliability in industrial control environments. Like Modbus and CAN, it is not intended for wireless PANs using low-power radios and therefore does not meet the criteria described in the scenario.
Correct Answer: B
A is incorrect: A Master Service Agreement (MSA) is a contract that establishes the general terms and conditions governing the relationship between two parties, typically a service provider and a client. It outlines responsibilities, payment structures, and legal obligations for ongoing services. While an MSA may reference service expectations at a high level, it typically does not define detailed remediation timelines for specific operational tasks such as vulnerability remediation tickets.
B is correct: A Service Level Agreement (SLA) defines measurable service expectations and performance metrics between parties, including response times, resolution times, and remediation deadlines. In vulnerability management and security operations, SLAs commonly define the timeframe within which high- and critical-priority vulnerabilities must be remediated. This ensures that security teams track remediation progress and resolve issues within defined deadlines based on risk severity. CASP+ guidance emphasizes using SLAs to enforce remediation timelines and accountability for addressing security findings.
C is incorrect: An Interconnection Security Agreement (ISA) defines the security requirements and responsibilities between organizations when connecting their information systems. It focuses on the protection of interconnected systems rather than operational processes such as vulnerability remediation timelines or ticket tracking.
D is incorrect: A Memorandum of Understanding (MOU) is a formal agreement that outlines the intent of cooperation between organizations but generally lacks the enforceable performance metrics and operational details found in SLAs. MOUs describe collaborative relationships but are not typically used to specify remediation deadlines for security findings.
Correct Answer: D
A is incorrect: A Secure Development Life Cycle (SDLC) attack would refer to weaknesses or compromises occurring during stages of the software development lifecycle, such as insecure coding practices, testing failures, or development environment compromise. While the attacker did compromise code before compilation, the key characteristic of the scenario is that the compromise occurred at the vendor level and propagated through products delivered to multiple industries. The defining risk is not merely the SDLC compromise itself but the distribution of the compromised product through the vendor ecosystem. Therefore, this option does not best capture the nature of the risk described.
B is incorrect: A side-load attack typically refers to installing software or applications outside of official distribution channels, often bypassing security checks. This type of attack is commonly associated with mobile platforms or systems where users manually install applications from untrusted sources. In this scenario, the malware was inserted directly into the manufacturer’s code base before compilation and distributed through legitimate product channels. Since the attack does not involve unauthorized installation by users, it does not represent a side-loading attack.
C is incorrect: Remote code signing refers to the process of digitally signing code to verify authenticity and integrity before distribution. While attackers may attempt to compromise signing processes, the scenario does not specifically indicate that the attacker manipulated code-signing infrastructure. Instead, the malicious code was embedded directly into the code base prior to compilation and then distributed to customers through legitimate vendor channels. Therefore, code signing is not the primary category of risk in this situation.
D is correct: A supply chain attack is the correct answer because the attacker compromised the vendor’s development environment and inserted malicious code into the product before it was compiled and distributed. When the hardware manufacturer delivered its product to customers, the malicious code was unknowingly propagated across multiple industries and sectors. Supply chain attacks exploit trust relationships between vendors and customers by embedding malicious components into legitimate products or services. Because the compromise occurred at the vendor level and spread broadly through distributed hardware and software, this scenario represents a classic example of a supply chain attack.
Select all that apply
Correct Answers: A, B
A is correct: A web content filter inspects outbound and inbound web traffic and enforces policies that restrict access to unauthorized or risky websites. In the scenario, users were transferring data to unauthorized sites through terminal services. Implementing web filtering would allow the organization to block or restrict access to specific external destinations while permitting approved sites required for business operations. This control helps prevent data exfiltration to unapproved services and enforces acceptable use policies for remote connectivity.
B is correct: A bastion host is a hardened system placed at the network boundary that acts as a controlled gateway for remote administrative access or terminal services. Users connect to the bastion host first, and from there they are granted controlled access to internal systems. This approach limits direct remote access to internal infrastructure and allows the organization to apply strict monitoring, authentication, and session control policies. By funneling remote access through a bastion host, the organization can ensure that only authorized employees connect securely to internal resources.
C is incorrect: Network traffic decryption and deep packet inspection allow security tools to inspect encrypted traffic for malicious content or data exfiltration attempts. While this capability can improve visibility into network traffic, it does not directly enforce restrictions on which external sites users may access through terminal services. Additionally, it does not provide a controlled remote access gateway for employees. Therefore, while useful for monitoring, it is not the most appropriate solution to address the problem described.
D is incorrect: Tokenization replaces sensitive data elements with non-sensitive tokens while maintaining the ability to reference the original data in a secure system. This technique is commonly used to protect payment card data or personally identifiable information in storage and processing systems. However, tokenization does not control user access to remote services or prevent users from transferring data to unauthorized sites.
E is incorrect: Data masking obscures sensitive data by replacing it with fictional or partially hidden values, often for testing or non-production environments. This technique protects sensitive information from unauthorized viewing but does not prevent users from transferring data to external sites through remote connections. Consequently, it does not address the remote access control requirement described in the scenario.
F is incorrect: Blocking the use of external media prevents data from being copied to removable devices such as USB drives or external hard drives. While this control helps prevent data exfiltration through physical media, the scenario specifically involves data transfers to unauthorized sites via terminal services. Therefore, restricting removable media would not address the core issue of unauthorized network-based data transfers.
