Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: Asset disposal refers to securely retiring hardware or media, typically through processes such as sanitization, destruction, or decommissioning. This activity ensures sensitive data is not recoverable when assets are no longer needed. While important for lifecycle security, it does not involve identifying hidden attacker activity or analyzing indicators of compromise within an operational environment.
B is incorrect: Patch deployment is the process of applying updates to software or systems to remediate vulnerabilities and improve security. Although patching is a critical defensive control, it is primarily reactive and preventative rather than investigative. It does not involve actively searching for adversary presence or suspicious behavior within an environment.
C is correct: Threat hunting is a proactive security practice in which analysts actively search through systems, logs, and network activity to detect malicious behavior that automated tools or alerts may have missed. Instead of waiting for alerts from security tools, threat hunters form hypotheses and investigate anomalies, indicators of compromise, and attacker techniques. CASP security operations guidance identifies threat hunting as a proactive method used by security teams to uncover hidden threats and adversary activity within enterprise environments.
D is incorrect: License reconciliation involves reviewing software licenses and usage to ensure compliance with vendor agreements. This activity supports governance and asset management but has no connection to detecting attacker behavior or investigating potential compromises within an environment.
Correct Answer: C
A is incorrect: Expanding the use of IPS and NGFW devices would increase the number of inline security controls inspecting network traffic. While these technologies can detect and block threats, deploying them broadly throughout the environment may introduce latency or performance overhead. This could interfere with customers’ ability to access their data at any time, which directly conflicts with one of the stated requirements. Additionally, IPS and NGFW solutions do not inherently prioritize remediation workflows or reduce analyst workload through automation.
B is incorrect: Increasing the number of analysts could improve the organization’s ability to manually identify and respond to risks. However, this approach does not scale effectively in a dynamic environment where customer demand and system activity may rapidly increase. Hiring additional staff also does not inherently prioritize remediation of high-risk threats or automate repetitive security operations. Therefore, it does not optimally meet the requirement for efficiency and prioritization.
C is correct: Implementing a SOAR (Security Orchestration, Automation, and Response) solution best meets the requirements. SOAR platforms integrate with security tools, automate responses to known threats, and use playbooks to prioritize remediation actions. This allows security analysts to focus on high-risk items while automation handles routine threats. Because SOAR operates through orchestration and automation rather than inline traffic inspection, it does not interfere with customer access to data and supports dynamic environments that scale with demand.
D is incorrect: Integrating enterprise threat feeds into the existing SIEM would improve threat visibility and enhance the organization’s ability to identify potential risks by correlating events with external threat intelligence. However, a SIEM primarily performs monitoring and alerting rather than automated remediation. Analysts would still need to manually investigate and respond to incidents, which does not sufficiently reduce workload or ensure prioritized remediation of threats affecting data integrity and availability.
Correct Answer: A
A is correct: Software Composition Analysis (SCA) is specifically designed to identify vulnerabilities, licensing issues, and risks associated with third-party and open-source components used in software development. Modern applications often rely heavily on external libraries and dependencies, which can introduce supply chain risks if those components contain vulnerabilities or malicious code. SCA tools analyze dependency manifests and code repositories to detect vulnerable components and alert developers before the code is deployed. This approach directly mitigates risks in the software supply chain by providing visibility and governance over third-party components. As a result, SCA is the most effective technique for addressing third-party risks within the development environment.
B is incorrect: Multifactor authentication strengthens identity verification and protects developer accounts, repositories, and administrative systems from unauthorized access. While MFA is an important security control within development environments, it does not specifically address risks introduced by third-party software components or external libraries in the software supply chain. The objective of the question is to mitigate risks arising from dependencies integrated into the application codebase. Because MFA primarily addresses authentication security rather than supply chain integrity, it is not the best choice for this scenario.
C is incorrect: Establishing coding standards and monitoring for compliance helps ensure developers follow secure coding practices and consistent development procedures. These standards can reduce vulnerabilities caused by poor development practices and enforce secure programming guidelines across teams. However, coding standards primarily address vulnerabilities in internally developed code rather than the security posture of third-party dependencies. Supply chain risks typically arise from external libraries or packages that may contain vulnerabilities or malicious code, which coding standards alone cannot detect. Therefore, this control does not directly mitigate third-party software risks.
D is incorrect: Unit testing and regression testing are important components of quality assurance in the software development lifecycle. These testing approaches verify that code functions correctly and that new changes do not break existing functionality. However, these tests primarily focus on application functionality rather than identifying vulnerabilities within external software dependencies. They are not designed to detect insecure or compromised third-party components used in the application. Because the question focuses on mitigating risks within the software supply chain, testing approaches alone are insufficient compared to specialized analysis tools like SCA.
Correct Answer: D
A is incorrect: Authenticated scanning uses valid credentials to log in to systems and perform deep configuration and vulnerability analysis. This method typically reduces false positives compared with unauthenticated scans because it can directly inspect the system. However, authenticated network scans still require connecting to each host and actively interrogating services, which can create load on servers and increase scanning time across distributed environments. Given the requirements for fast scanning and low impact on servers, authenticated scanning does not best satisfy all conditions.
B is incorrect: Passive vulnerability scanning analyzes network traffic to detect vulnerabilities and misconfigurations without actively probing hosts. While this approach produces very little impact on systems, it relies on observing traffic patterns and therefore may miss vulnerabilities that are not visible in network traffic. Passive scanning is also typically slower in discovering vulnerabilities because it depends on seeing relevant activity over time. Additionally, the requirement specifies signature-based detection, which is more closely associated with active vulnerability assessment tools rather than passive monitoring systems.
C is incorrect: Unauthenticated scans test systems from the perspective of an external attacker without using credentials. While they can be useful for identifying externally visible vulnerabilities, they tend to generate more false positives because the scanner cannot verify configurations internally. They also require network probing across each host and subnet, which may impact systems and networks. Because the organization requires the least false positives and low system impact, unauthenticated scanning would not be the most appropriate choice.
D is correct: Agent-based scanning is the correct answer because agent-based vulnerability assessment installs lightweight agents on endpoints and servers that locally gather vulnerability and configuration data. The agents then report results to a central management platform. This approach allows fast and accurate vulnerability detection with minimal network traffic, reducing load on servers during scanning operations. Agent-based solutions also produce fewer false positives because the agent can directly inspect the system. Additionally, they are well suited for distributed environments with multiple VLANs, screened subnets, and branch offices, since the agents communicate securely with the central management platform without requiring extensive network scanning across each segment.
Correct Answer: D
A is incorrect: Mobile device management (MDM) solutions allow administrators to manage devices, enforce policies, and remotely wipe data from lost or stolen devices. While remote wipe can help remove sensitive information after a device is reported stolen, it depends on the device reconnecting to a network and receiving the wipe command. If the attacker prevents the device from connecting or removes the storage media, the wipe command may never be executed. Because the requirement is to ensure that data cannot be compromised or altered after theft, MDM alone does not provide guaranteed protection.
B is incorrect: Passwordless smart card authorization with biometrics strengthens user authentication and helps prevent unauthorized logins. However, these mechanisms only control access to the operating system or applications. If the storage media is removed from the device or the system is attacked offline, the data could still be accessed unless it is encrypted. Therefore, authentication controls alone do not guarantee that the data remains confidential or protected from modification after physical theft.
C is incorrect: Next-generation endpoint detection and response (EDR) agents monitor endpoints for malicious behavior and help detect and respond to attacks. While EDR tools are valuable for identifying compromise or suspicious activity, they rely on the device being operational and connected to monitoring infrastructure. If a device is stolen and taken offline, the EDR system cannot prevent direct access to stored data. Therefore, EDR does not provide sufficient protection against data exposure from physical device theft.
D is correct: Full disk encryption with centralized key management is the correct answer because full disk encryption (FDE) ensures that all data stored on the device is encrypted at rest. Without the proper decryption key, the data remains unreadable even if the attacker removes the drive or attempts offline analysis. Centralized key management further strengthens this approach by allowing the organization to securely manage and control encryption keys, enforce policies, and revoke access if necessary. This control directly addresses the requirement that stolen devices must not expose or allow modification of sensitive data.
Correct Answer: A
A is correct: ExifTool is a specialized utility used to read and analyze metadata embedded within files such as images, audio files, and documents. Many digital images—especially those taken by mobile devices—contain EXIF metadata that may include GPS coordinates, timestamps, device model, and camera settings. During forensic analysis, investigators frequently use ExifTool to extract this metadata and determine the geographic location where an image was captured. Because the analyst needs to identify the GPS location embedded in the image metadata, ExifTool is the most appropriate tool.
B is incorrect: The file command is a Unix-based utility used to determine the file type of a given file by examining its header or magic numbers. It helps analysts identify whether a file is an image, executable, archive, or another format. However, it does not extract metadata such as GPS coordinates from within the file. Therefore, it would not help determine the geographic location where the image was taken.
C is incorrect: Volatility is a memory forensics framework used to analyze volatile memory captured from a system. It enables investigators to inspect running processes, open network connections, and other artifacts contained in RAM during incident response or forensic investigations. Since the scenario involves analyzing metadata embedded in an image file rather than examining system memory, Volatility would not be the appropriate tool.
D is incorrect: Readelf is a utility used to display information about ELF (Executable and Linkable Format) binaries commonly found on Linux systems. It can reveal details such as program headers, section headers, and symbol tables within compiled executables. Because the investigation concerns an image file rather than a binary executable, readelf would not be useful for extracting geographic metadata.
E is incorrect: Ssdeep is a fuzzy hashing tool used to compare files and identify similarities between them. It generates context-triggered piecewise hashes that help investigators detect modified versions of files or related malware samples. While valuable in malware analysis and file comparison, it does not extract metadata or geographic information from images. Therefore, it would not assist in determining where the image was taken.
Correct Answer: D
A is incorrect: Virtualized emulators replicate hardware or software environments to allow applications designed for one platform to run on another. While this may assist with compatibility testing or legacy support, it does not address the architectural portability required when refactoring a monolithic application into a cloud-native microservices architecture. Emulation introduces overhead and tight coupling to simulated environments rather than enabling lightweight deployment across different cloud platforms. From a CASP+ perspective, portability in cloud-native architectures requires technologies that enable consistent packaging and deployment of application components, which emulation does not provide.
B is incorrect: Type 2 hypervisors run on top of a host operating system and allow multiple virtual machines to run on a single physical machine. Although virtualization supports infrastructure flexibility, Type 2 hypervisors are primarily used for desktop virtualization or development environments rather than scalable cloud-native deployments. They still rely on full operating system images, which reduces portability and efficiency when compared with modern container-based architectures. CASP+ guidance distinguishes virtualization from containerization, emphasizing that containers provide lighter-weight, portable deployments for cloud-native services.
C is incorrect: Orchestration refers to the automated coordination and management of multiple system components, such as containers or services. Tools like Kubernetes orchestrate container deployment, scaling, and networking across clusters. However, orchestration alone does not provide portability; it only manages workloads that are already packaged in a portable format. Without a portable packaging mechanism—such as containers—the orchestration layer cannot ensure consistent application behavior across environments. Therefore, orchestration supports operations but does not by itself make the architecture portable.
D is correct: Containerization is the correct answer because it packages an application and its dependencies into a lightweight container that can run consistently across different environments, including on-premises systems and multiple cloud providers. Containers support microservices architectures and enable secure microsegmentation by isolating application components. In cloud-native environments, containerization ensures application portability and consistency regardless of the underlying infrastructure. CASP+ materials highlight containerization as a modern approach for scalable and portable deployments, distinguishing it from traditional virtualization approaches.
Correct Answer: C
A is incorrect: Storing payment card data in an encoded file does not provide meaningful protection against unauthorized disclosure. Encoding typically refers to reversible transformations such as Base64 or character encoding schemes. These methods are designed for data formatting or transport compatibility rather than security. Because encoded data can be easily decoded without a cryptographic key, it does not provide confidentiality controls appropriate for sensitive financial data. From a CASP+ governance and architecture perspective, encoding does not meet the security requirements for protecting cardholder data. Therefore, it fails to adequately mitigate the risk of disclosure.
B is incorrect: Database encryption at rest protects stored data by encrypting it on disk, ensuring that unauthorized access to storage media does not directly reveal sensitive information. While this control improves confidentiality, the original payment card numbers still exist within the system and can be decrypted by authorized applications or compromised accounts. This means attackers who gain database or application access may still retrieve the real card numbers. Encryption at rest is therefore an important defense-in-depth control, but it does not eliminate exposure of account numbers themselves. Because the question asks for the solution that best protects account numbers from disclosure, a stronger data protection technique is available.
C is correct: Tokenization replaces sensitive data elements such as payment card numbers with non-sensitive tokens that have no exploitable value outside the tokenization system. The actual card numbers are stored in a secure token vault while applications and systems process only the tokens. This approach significantly reduces the exposure of cardholder data because even if the database or application environment is compromised, the attacker only obtains meaningless tokens rather than real account numbers. Data security techniques such as tokenization are commonly used to protect sensitive information and reduce the scope of regulated data environments. Consequently, tokenization provides the strongest protection against unauthorized disclosure of payment card numbers.
D is incorrect: Data field masking hides sensitive data when displayed to users, typically by obscuring portions of the information (for example, showing only the last four digits of a card number). While this helps prevent accidental exposure in user interfaces or reports, the original data still exists within the database. Attackers who gain direct access to the backend storage or application logic may still retrieve the full card numbers. Field masking is primarily a presentation-layer control rather than a core data protection mechanism. As a result, it does not provide the same level of protection against unauthorized disclosure as tokenization.
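To make the contrast between encoding, masking and tokenization concrete, here is an added Python example that is not part of the original answer explanation: a hypothetical in-memory token vault alongside a Base64 encoder and a display mask, run against a constructed sample PAN.

```python
import base64
import secrets
from typing import Dict

# Constructed sample PAN for the demonstration (a well-known test value, not a real card).
SAMPLE_PAN = "4111111111111111"


class TokenVault:
    """Hypothetical token vault: the only component that can map a token back to a PAN.

    Applications outside the vault store and process only the token.
    """

    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if pan in self._pan_to_token:          # same PAN always yields the same token
            return self._pan_to_token[pan]
        while True:
            # Format-preserving token: random digits, last four kept for display purposes.
            # The random prefix has no mathematical relationship to the real PAN.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str, authorized: bool) -> str:
        """Only an authorized caller (e.g. the payment processor path) may recover the PAN."""
        if not authorized:
            raise PermissionError("detokenization requires vault authorization")
        return self._token_to_pan[token]


def encode_pan(pan: str) -> str:
    """Encoding (option A): reversible by anyone, no key involved."""
    return base64.b64encode(pan.encode()).decode()


def decode_pan(encoded: str) -> str:
    return base64.b64decode(encoded).decode()


def mask_pan(pan: str) -> str:
    """Masking (option D): changes only what is displayed; the stored PAN is untouched."""
    return "*" * (len(pan) - 4) + pan[-4:]


def token_leaks_pan(token: str, pan: str) -> bool:
    """True if the token reveals anything beyond the last four digits."""
    return token[:-4] == pan[:-4]


def unauthorized_detokenize_is_blocked(vault: TokenVault, token: str) -> bool:
    try:
        vault.detokenize(token, authorized=False)
    except PermissionError:
        return True
    return False
```

A compromised database in this model yields only tokens, which are useless without the vault; in production the vault is a separately hardened service with its own access controls and audit logging.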
Correct Answer: C
A is incorrect: Static analysis reviews source code or compiled code without executing the program. It helps identify vulnerabilities such as insecure functions, logic errors, or insecure coding patterns during development. However, static analysis does not actively send different inputs to a running application. Since the requirement is to test the API with various malicious and benign inputs during execution, static analysis alone would not meet the objective.
B is incorrect: Input validation is a secure coding practice used to ensure that user-provided input conforms to expected formats and constraints before processing. While proper input validation helps prevent many attacks, it is a defensive coding control rather than a testing technique. The analyst’s task is to test the API for vulnerabilities using varied inputs, not to implement the validation itself.
C is correct: Fuzz testing is the correct answer because it involves automatically sending large volumes of random, malformed, or unexpected inputs to an application or API to identify vulnerabilities. This technique helps uncover issues such as buffer overflows, input handling flaws, and application crashes that occur when the system processes unusual or malicious data. CASP+ materials identify fuzz testing as a security testing method used to evaluate how applications handle a wide variety of input conditions.
D is incorrect: Post-exploitation refers to activities performed after a system has already been compromised, such as maintaining persistence, escalating privileges, or extracting data. This phase occurs later in an attack lifecycle and does not involve testing application input handling. Since the goal is to assess vulnerabilities in an API by testing different inputs, post-exploitation is not applicable.
Correct Answer: B
A is incorrect: A systems administrator is responsible for maintaining and operating IT systems, including configuration, patching, and system availability. While administrators implement security controls and enforce policies, they are not responsible for determining the sensitivity or classification level of organizational data. Data classification decisions require business authority and knowledge of regulatory requirements, which typically fall outside the system administrator’s responsibilities.
B is correct: The data owner is the individual or role responsible for determining how data should be classified and protected. Data owners understand the business value, sensitivity, and regulatory requirements associated with the data. Because of this authority and accountability, they are responsible for defining classification levels (such as confidential, sensitive, or public) and determining the appropriate security controls needed to protect the data. CASP+ governance guidance identifies data owners as the primary role responsible for data classification decisions and defining protection requirements.
C is incorrect: A data processor is typically an entity that processes data on behalf of another organization, often under contractual obligations. This role executes processing tasks but does not determine how the data should be classified or protected at the policy level.
D is incorrect: A data custodian is responsible for maintaining and safeguarding data according to the policies established by the data owner. Custodians implement controls such as backups, access management, and system protections but do not determine the classification level of the data itself.
E is incorrect: A data steward is responsible for ensuring the quality, consistency, and proper management of data throughout its lifecycle. Although stewards help manage and govern data practices, the authority to determine classification levels generally resides with the data owner rather than the steward.
