Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: Completing a vulnerability analysis helps identify known weaknesses within systems and applications. While this process is important for understanding the organization’s exposure to vulnerabilities, the scenario indicates that the hospital already knows patching is behind and lacks accountability and tracking. Conducting additional analysis would not resolve the core issue of monitoring patch progress and assigning responsibility for remediation activities.
B is incorrect: Obtaining guidance from the Health ISAC could provide useful threat intelligence and industry best practices related to healthcare cybersecurity. However, the primary issue described in the scenario is the absence of a mechanism to track patching activities, assign responsibility, and measure remediation timelines. External guidance would not directly solve the internal operational deficiency that is preventing effective patch management.
C is correct: Purchasing a ticketing system for auditing efforts is the correct answer because it introduces a structured method for tracking vulnerabilities, assigning remediation tasks, and documenting timelines for patch implementation. A ticketing or workflow system establishes accountability by assigning tasks to responsible personnel and provides an audit trail showing when vulnerabilities were identified and when patches were applied. CASP+ materials emphasize the importance of tracking and accountability mechanisms in vulnerability and patch management processes to ensure timely remediation.
D is incorrect: Ensuring CVEs are current would help maintain awareness of newly disclosed vulnerabilities. However, the scenario already indicates that vulnerabilities are known but patching is delayed due to operational concerns and lack of tracking. Keeping CVE data updated does not address the core governance issue of monitoring patching progress and assigning responsibility.
E is incorrect: Training administrators on the importance of patching may improve awareness and encourage better security practices. However, training alone does not provide the operational structure required to track vulnerabilities, assign remediation tasks, and measure patch timelines. Without a tracking mechanism, the hospital would still lack accountability and audit capability.
Correct Answer: B
A is incorrect: Identity theft involves stealing someone’s personal or financial information to impersonate them, typically for fraud such as opening accounts or conducting financial transactions. Although impersonation is involved in the scenario, identity theft normally focuses on misuse of personal data rather than generating fabricated multimedia content such as a realistic video of the CEO.
B is correct: Deepfake is the correct answer because it refers to synthetic media generated using artificial intelligence or machine learning techniques to create realistic but fake audio or video content. In this scenario, a video appears to show the CEO making an announcement that never occurred, which is a classic example of deepfake manipulation. CASP+ materials describe deepfakes as an emerging threat where attackers create convincing media impersonations to spread misinformation or manipulate audiences.
C is incorrect: Website defacement occurs when attackers modify the visual content of a website, often replacing legitimate information with unauthorized messages, propaganda, or malicious content. The scenario describes a fabricated video impersonating the CEO rather than unauthorized modification of a website’s content, so website defacement does not apply.
D is incorrect: Social engineering involves manipulating individuals into revealing sensitive information or performing actions that compromise security. While deepfake content could potentially be used as part of a social engineering campaign, the question asks specifically about the technique used to create the fake video. Therefore, the most precise classification is a deepfake attack.
Correct Answer: A
A is correct: A purple team approach involves collaboration between offensive security teams (red team/penetration testers) and defensive teams (blue team/operations). This collaboration improves communication, planning, and scope definition before testing begins. In this scenario, the production server was impacted because the systems administrator was not involved in the planning phase and scope was poorly coordinated. A purple team model ensures that operational teams participate in planning, helping define testing boundaries, identify sensitive production systems, and coordinate safe testing procedures. This reduces the likelihood of unintended operational disruptions while still allowing meaningful security testing.
B is incorrect: Excluding non-production systems from the penetration test would contradict best practices. Typically, organizations attempt to perform penetration testing against staging or non-production environments whenever possible to avoid impacting live services. The issue in the scenario is that a production system was targeted unintentionally, not that non-production systems were included. Excluding non-production systems would increase risk by forcing testing to occur only in production environments, which would make operational disruption more likely.
C is incorrect: A black-box penetration test simulates an external attacker who has no prior knowledge of the target environment. While this testing model can provide realistic attack simulation, it does not address the planning and coordination problem described in the scenario. The issue was not the tester’s level of knowledge but rather the lack of involvement from system administrators and poor scope coordination. Therefore, changing the testing methodology to black-box would not prevent accidental targeting of production systems.
D is incorrect: An intercepting proxy is commonly used during application testing to inspect and manipulate HTTP traffic between the client and server. Such tools help testers analyze application behavior and identify vulnerabilities in web applications. However, deploying an intercepting proxy in production does not reduce the risk of penetration testing activities impacting critical systems. It would not solve the underlying issue of improper test scoping and lack of coordination with operational teams.
E is incorrect: Replacing penetration testing with automated vulnerability scanning would significantly reduce the effectiveness of security assessments. Vulnerability scanners identify known weaknesses but cannot replicate complex attack paths, chained exploits, or adversarial techniques that penetration tests uncover. The scenario indicates that the impact occurred because of poor planning rather than because penetration testing itself is inappropriate. Eliminating penetration testing would weaken the organization’s security posture rather than improve testing safety.
Correct Answer: B
A is incorrect: A tabletop exercise is a discussion-based activity where participants walk through incident scenarios to evaluate decision-making, communication processes, and response procedures. While tabletop exercises help improve incident response readiness and coordination among stakeholders, they do not involve active technical testing of systems or detection controls. Because the requirement is to test detection and prevention capabilities against specific adversary techniques mapped to the MITRE ATT&CK framework, a tabletop exercise would not provide the necessary technical validation.
B is correct: A penetration test involves actively simulating real-world attack techniques against an organization’s systems in order to identify vulnerabilities and evaluate security defenses. Modern penetration testing methodologies often incorporate adversary emulation techniques that map directly to MITRE ATT&CK tactics, techniques, and procedures (TTPs). By conducting a penetration test that emulates advanced persistent threat (APT) behavior, the organization can evaluate whether its security controls detect or prevent those techniques. This approach directly supports validating detection and prevention capabilities aligned with the MITRE ATT&CK framework.
C is incorrect: Sandbox detonation is a technique used primarily in malware analysis, where suspicious files or code are executed in a controlled environment to observe behavior. While sandboxing helps identify malicious behavior in files or executables, it does not simulate adversary campaigns or evaluate enterprise detection capabilities across the network environment. Therefore, it does not address the objective of testing detection and prevention controls against MITRE ATT&CK–mapped attack techniques.
D is incorrect: A honeypot is a decoy system designed to attract attackers and observe malicious activity. Honeypots can provide valuable intelligence about attacker behavior and may assist in detecting unauthorized access attempts. However, they are passive monitoring mechanisms rather than structured testing methodologies. Honeypots do not systematically simulate or validate an organization’s defenses against specific MITRE ATT&CK techniques associated with APT actors. Consequently, they would not best accomplish the stated goal.
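The validation step described in the correct answer, as an added example that is not part of the original page: after an emulation run that exercises ATT&CK-mapped techniques, the detection rules are checked against the telemetry the run produced, and any technique that nothing fired on is reported as a coverage gap. The technique IDs are real ATT&CK identifiers; the log lines, field names and regex rules are constructed assumptions for illustration, not any vendor's detection content.

```python
import re
from typing import Dict, List, Pattern

# Techniques the emulation plan exercised (real ATT&CK IDs, names abbreviated).
EMULATION_PLAN: Dict[str, str] = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1003.001": "OS Credential Dumping: LSASS Memory",
    "T1021.002": "Remote Services: SMB/Windows Admin Shares",
}

# Constructed sample telemetry captured during the test window (assumed field names).
SAMPLE_LOGS: List[str] = [
    'host=ws01 event=process_create image=powershell.exe cmdline="powershell -enc SQBFAFgA..."',
    'host=ws01 event=process_access target=lsass.exe granted=0x1010 source=rundll32.exe',
    'host=ws01 event=process_create image=cmd.exe cmdline="cmd /c whoami"',
]

# Toy detection rules keyed by technique (assumptions, not production content).
DETECTIONS: Dict[str, Pattern[str]] = {
    # Encoded PowerShell command line
    "T1059.001": re.compile(r"image=powershell\.exe .*-enc\b", re.I),
    # Process opening LSASS with read-memory style access masks
    "T1003.001": re.compile(r"event=process_access target=lsass\.exe .*granted=0x1[04]10", re.I),
    # Connection to an administrative share such as \\host\ADMIN$ or \\host\C$
    "T1021.002": re.compile(r"event=network_share .*share=\\\\[^\\]+\\(ADMIN|C)\$", re.I),
}


def coverage(logs: List[str], plan: Dict[str, str], rules: Dict[str, Pattern[str]]) -> Dict[str, bool]:
    """For every planned technique, did at least one rule fire on the captured telemetry?"""
    return {tid: any(rules[tid].search(line) for line in logs) for tid in plan}


def gaps(cov: Dict[str, bool]) -> List[str]:
    """Techniques that were executed but produced no detection: the remediation backlog."""
    return sorted(tid for tid, hit in cov.items() if not hit)


if __name__ == "__main__":
    cov = coverage(SAMPLE_LOGS, EMULATION_PLAN, DETECTIONS)
    for tid, hit in cov.items():
        print(f"{tid} {EMULATION_PLAN[tid]}: {'DETECTED' if hit else 'MISSED'}")
    print("gaps:", gaps(cov))
```

In this constructed run the SMB admin-share technique was executed but never logged, so it shows up as a gap even though a rule exists for it; that is exactly the kind of finding a tabletop exercise or a honeypot cannot produce.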
Correct Answer: D
A is incorrect: Geo-blocking restricts network access based on geographic location, typically by filtering IP address ranges associated with specific countries or regions. While this can reduce exposure to certain threat actors or comply with regulatory restrictions, it does not verify the integrity of system firmware or boot components. It operates at the network access control layer rather than the hardware or platform trust layer. Therefore, it provides no assurance that firmware or boot code has not been altered.
B is incorrect: Browser sandboxing isolates browser processes to prevent malicious web content from affecting the underlying operating system or other applications. This control is useful for limiting the impact of web-based exploits and protecting endpoints from malicious scripts or downloads. However, sandboxing applies to application runtime behavior and not to system initialization or firmware verification. It does not validate the integrity of BIOS/UEFI firmware or early boot components.
C is incorrect: URL filtering blocks or allows web traffic based on URL reputation, categories, or policy rules. It is primarily a network or web security control used to prevent users from accessing malicious or inappropriate websites. Although it helps reduce exposure to web-based threats such as phishing or malware downloads, it does not provide any mechanism for verifying system firmware or boot process integrity. Consequently, it does not address tampering with low-level platform components.
D is correct: Measured boot with attestation records cryptographic measurements (hashes) of firmware, bootloaders, and early boot components during system startup and extends them into the Platform Configuration Registers (PCRs) of a Trusted Platform Module (TPM). Because each PCR value is a hash chain of everything measured before it, a modified component at any stage changes the final value and cannot be undone later in the boot. These measurements are later validated through attestation: the TPM signs the PCR values together with a verifier-supplied nonce, and the verifier compares them against known-good values to confirm that the boot chain has not been modified. This mechanism provides integrity verification of firmware and boot components and allows remote systems to confirm that the platform is running trusted code. CASP+ guidance highlights measured boot and attestation as hardware root-of-trust mechanisms used to verify platform integrity during startup.
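A software model of the measure-extend-attest sequence, as an added example that is not part of the original page and not any TPM vendor's code: each boot component is hashed and extended into a PCR (new PCR = SHA-256 of old PCR concatenated with the component hash), the platform produces a quote over the PCR and a verifier nonce, and the verifier checks both the quote and the expected PCR value. The boot components are constructed stand-in byte strings, and the attestation key is an HMAC secret used only so the example runs offline; a real TPM keeps the attestation key in hardware and signs with it.

```python
import hashlib
import hmac
from typing import Dict, Sequence

PCR_SIZE = 32  # SHA-256 PCR banks start as 32 zero bytes


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR_new = SHA256(PCR_old || SHA256(component)). One-way, and order-sensitive."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot_chain(components: Sequence[bytes]) -> bytes:
    """Extend every stage in boot order into a single PCR value."""
    pcr = bytes(PCR_SIZE)
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr


def quote(pcr: bytes, nonce: bytes, ak_secret: bytes) -> bytes:
    """Stand-in for a TPM quote: bind the PCR value to the verifier's fresh nonce.
    A real TPM signs this with a hardware-resident attestation key (assumption: HMAC here)."""
    return hmac.new(ak_secret, pcr + nonce, hashlib.sha256).digest()


def attest(pcr: bytes, sig: bytes, nonce: bytes, ak_secret: bytes, golden_pcr: bytes) -> bool:
    """Verifier side: the quote must be genuine and the PCR must match the known-good value."""
    if not hmac.compare_digest(sig, quote(pcr, nonce, ak_secret)):
        return False  # not produced by the platform's key, or nonce/PCR altered in transit
    return hmac.compare_digest(pcr, golden_pcr)


# Constructed stand-in boot stages; the implant is a one-byte-different firmware image.
GOLDEN_CHAIN = [b"UEFI firmware v1.2", b"shim+grub 2.06", b"vmlinuz-6.1"]
TAMPERED_CHAIN = [b"UEFI firmware v1.2 (implant)", b"shim+grub 2.06", b"vmlinuz-6.1"]
AK_SECRET = b"attestation-key-stand-in"  # assumption: real key never leaves the TPM


def demo() -> Dict[str, bool]:
    """Run the three cases a verifier must distinguish."""
    golden = measure_boot_chain(GOLDEN_CHAIN)  # provisioned known-good value
    nonce = b"\x01" * 16                       # verifier-chosen freshness value
    good_pcr = measure_boot_chain(GOLDEN_CHAIN)
    bad_pcr = measure_boot_chain(TAMPERED_CHAIN)
    return {
        "good": attest(good_pcr, quote(good_pcr, nonce, AK_SECRET), nonce, AK_SECRET, golden),
        "tampered": attest(bad_pcr, quote(bad_pcr, nonce, AK_SECRET), nonce, AK_SECRET, golden),
        # A host without the real key cannot forge a quote over the golden PCR value.
        "forged_quote": attest(golden, quote(golden, nonce, b"wrong-key"), nonce, AK_SECRET, golden),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'trusted' if ok else 'REJECTED'}")
```

Two properties carry the security argument: the tampered firmware changes the final PCR even though every later stage is unmodified, and reordering the same stages yields a different value, so a compromised later stage cannot reconstruct a clean-looking chain.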
Correct Answer: C
A is incorrect: Shared spreadsheet secrets involve storing cryptographic keys or passwords in spreadsheets that multiple users, including system administrators, can access. This exposes sensitive cryptographic material to unauthorized access and does not isolate keys from administrators, making it insecure.
B is incorrect: Local plaintext key files store cryptographic keys directly on the host file system without encryption or access controls. Administrators with access to the system can read or copy these keys, increasing the risk of compromise. This approach does not isolate cryptographic operations from system administrators.
C is correct: HSM-backed key management uses Hardware Security Modules to securely generate, store, and perform cryptographic operations. Keys are protected inside the HSM and cannot be directly accessed or extracted by system administrators. Operations such as encryption, decryption, and signing occur within the HSM, ensuring separation of duties and protecting sensitive keys. This design best meets the requirement to isolate cryptographic operations from administrators.
D is incorrect: Embedded certificates in source code store private keys or certificates directly in application code. This exposes sensitive material to developers or anyone with code access, increasing the risk of compromise. It does not isolate cryptographic operations from system administrators.
Correct Answer: A
A is correct: Using a secrets management tool is the correct approach for managing sensitive information such as API keys, passwords, and certificates in containerized environments. Secrets management systems securely store and control access to sensitive data, often integrating with orchestration platforms and applications through APIs or dynamic injection mechanisms. This prevents secrets from being embedded in configuration files or container images and allows secure rotation, auditing, and centralized access control. In containerized architectures, externalizing secrets into a dedicated management system significantly reduces the risk of exposure.
B is incorrect: Saving secrets in key escrow is a process used for securely storing encryption keys with a trusted third party so they can be recovered if needed. While escrow mechanisms are useful for key recovery scenarios, they do not address the operational need to securely store and distribute application secrets in a containerized environment. Therefore, this option does not solve the problem of safely handling secrets used by the application.
C is incorrect: Storing secrets inside Dockerfiles is insecure because Dockerfiles are often stored in version control systems and used to build container images. Any secrets embedded in the Dockerfile would become part of the container image or repository history, exposing them to developers or attackers who gain access to the image. This practice contradicts secure container design principles and increases the risk of credential leakage.
D is incorrect: Running Dockerfiles in a randomized namespace relates to container isolation and namespace separation within the container runtime environment. Although namespaces help isolate processes and resources between containers, they do not provide a mechanism for securely storing or managing application secrets. Consequently, this option does not address the issue of protecting secrets previously stored in configuration files.
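The failure mode in option C and the runtime pattern behind option A, as an added example that is not part of the original page: a small scanner that flags Dockerfile lines which bake secrets into the image or repository history, alongside the pattern of reading a secret from the file an orchestrator mounts at run time. The Dockerfile text, variable names and token shapes are constructed for illustration; the `/run/secrets` mount path is the convention used by Docker and Compose secrets and is an assumption for any other orchestrator.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Constructed sample Dockerfile with three leakage patterns and one harmless ENV.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
ARG DB_PASSWORD=SuperSecret123
ENV API_KEY=sk_live_ABC123XYZ
ENV APP_ENV=production
COPY config.ini /app/config.ini
RUN echo "token=ghp_abcdefghijklmnop" > /app/.token
CMD ["python", "/app/main.py"]
"""

# Variable names that should never receive a literal value in a Dockerfile.
SECRET_NAME = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API[_-]?KEY|PRIVATE[_-]?KEY)", re.I)
# Token-shaped literals (assumed prefixes chosen for illustration).
SECRET_VALUE = re.compile(r"\b(sk_live_[A-Za-z0-9]+|ghp_[A-Za-z0-9]{16,}|AKIA[0-9A-Z]{16})\b")
ASSIGNMENT = re.compile(r"(ARG|ENV)\s+([A-Za-z_][A-Za-z0-9_]*)\s*=?\s*(.*)")


def scan_dockerfile(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, reason, line) for lines that embed a secret in the image layers
    or in the repository that stores the Dockerfile. ARG values also survive in build history."""
    findings: List[Tuple[int, str, str]] = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        m = ASSIGNMENT.match(stripped)
        if m and SECRET_NAME.search(m.group(2)) and m.group(3):
            findings.append((n, f"{m.group(1)} assigns a literal to secret-named {m.group(2)}", stripped))
            continue
        if SECRET_VALUE.search(stripped):
            findings.append((n, "line contains a token-shaped literal", stripped))
    return findings


def load_secret(name: str, secrets_dir: str = "/run/secrets") -> str:
    """Runtime pattern: read the value the orchestrator mounted for this container.
    Nothing secret is in the image, the Dockerfile, or version control."""
    with open(os.path.join(secrets_dir, name), encoding="utf-8") as fh:
        return fh.read().strip()


def demo_runtime_secret() -> str:
    """Simulate a mounted secret in a temporary directory and read it the safe way."""
    with tempfile.TemporaryDirectory() as mount:
        with open(os.path.join(mount, "db_password"), "w", encoding="utf-8") as fh:
            fh.write("SuperSecret123\n")
        return load_secret("db_password", secrets_dir=mount)


if __name__ == "__main__":
    for line_no, reason, line in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: {reason}: {line}")
    print("runtime secret read OK:", bool(demo_runtime_secret()))
```

The scanner is a build-time gate, not a substitute for a secrets manager: once a literal has been committed or pushed as an image layer it must be treated as exposed and rotated, which is the operation a dedicated secrets system makes routine.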
Correct Answer: C
A is incorrect: Open-Source Intelligence (OSINT) involves gathering information from publicly available sources such as websites, social media, or public records. While OSINT may help identify threat actors or malware campaigns associated with a captured executable, it does not provide a method for safely executing or testing the binary itself. Therefore, OSINT would not be used to analyze the behavior of the executable obtained from the honeypot.
B is incorrect: Static Application Security Testing (SAST) analyzes source code or compiled binaries without executing them to identify vulnerabilities or insecure coding patterns. While SAST can be used for code analysis during software development, the scenario involves analyzing an unknown executable captured by a honeypot. Because the goal is to test the executable and observe its behavior, a dynamic analysis approach is more appropriate than static inspection.
C is correct: Dynamic Application Security Testing (DAST) involves executing software in a controlled environment to observe runtime behavior and identify security issues. For malware or suspicious executables captured by a honeypot, researchers typically run the file in an isolated sandbox or controlled test environment to analyze its behavior, network connections, and system modifications. CASP+ materials describe dynamic analysis as a method for identifying malicious behavior during execution, making it the most appropriate choice for testing the executable.
D is incorrect: OWASP (Open Worldwide Application Security Project) is a community that publishes resources, tools, and best practices for application security, such as the OWASP Top Ten. While OWASP provides guidance on web application security, it is not a testing methodology used to analyze or execute a suspicious binary file captured by a honeypot.
Correct Answer: C
A is incorrect: Peer-to-peer secure communications can protect data exchanges between endpoints, but this model does not inherently provide centrally managed, dynamically enforced one-to-one subject/object paths based on unique per-user allow lists. Peer-to-peer designs are focused more on endpoint-to-endpoint communication than on granular policy orchestration across predefined services. The requirement is for an architecture that restricts users to only authorized services and dynamically builds individualized access relationships. That calls for fine-grained segmentation and policy-based traffic control rather than a general peer communication model.
B is incorrect: API gateways can proxy application traffic and enforce service access controls for API-based interactions. They are useful for brokering, authenticating, and monitoring application connections. However, they are not the best fit for an architectural requirement centered on dynamically constructing one-to-one subject/object access paths for each user across the network. This scenario points to a broader access-control architecture with individualized policy enforcement at a segmentation level, not merely application-layer proxying. API gateways may be part of a secure application design, but they do not best satisfy the full requirement for per-user dynamic path construction and service isolation.
C is correct: Microsegmentation enabled by software-defined networking provides granular, policy-driven control over which subjects can communicate with which objects. It supports highly specific allow lists, can restrict users to predefined services, and enables dynamic creation of one-to-one access paths based on identity, role, or other policy attributes. This directly aligns with the requirement for unique per-user allow lists and dynamically enforced access relationships. From a CASP+ architectural perspective, SDN-based microsegmentation is the strongest answer because it implements least privilege at a fine-grained level and supports adaptive, centrally managed policy enforcement. Rather than relying on static network boundaries, it creates logical segmentation paths tailored to each authorized communication flow.
D is incorrect: VLANs provide logical network separation and can reduce broadcast domains, but they are relatively coarse-grained compared with the requirements in the question. VLANs are generally static constructs and do not natively provide individualized per-user allow lists or dynamically constructed one-to-one subject/object access paths. While VLANs can contribute to segmentation, they are not well suited for identity-driven, highly granular, dynamically managed access control. The requirement clearly points to a more advanced and flexible segmentation model than traditional network infrastructure-based VLAN design.
Correct Answer: A
A is correct: Software-defined networking (SDN) centralizes network control in a software-based controller that manages forwarding devices across the network. While this architecture provides flexibility and automation, it also introduces new security concerns. One key risk is an expanded attack surface, because the centralized controller and management APIs become high-value targets. If attackers compromise the SDN controller, they may gain the ability to manipulate network flows, intercept traffic, or disrupt services across the entire network infrastructure. CASP+ materials highlight that centralized control planes and programmable interfaces can increase exposure points if not properly secured.
B is incorrect: SDN is typically designed to reduce hardware management costs by shifting network control from specialized hardware to software-based management. Centralized management and automation simplify configuration and reduce the need for manual hardware management across network devices. Therefore, increased hardware management costs are not generally considered a risk associated with SDN.
C is incorrect: SDN actually improves visibility and scalability by enabling centralized management and dynamic provisioning of network resources. Administrators can programmatically adjust network behavior and scaling through the controller. Reduced visibility of scaling capabilities would contradict one of the major operational benefits of SDN.
D is incorrect: Firmware vulnerabilities are primarily associated with hardware devices such as routers, switches, or embedded systems. While SDN infrastructure may still rely on hardware components, firmware risks are not unique to SDN environments. The primary SDN-specific risk relates to centralized control and programmable interfaces rather than firmware vulnerabilities.
