Latest Update: Jun 22 2026
Correct Answer: C
A is incorrect: Intrusion Detection Systems (IDS) analyze network traffic to detect malicious activity based on signatures or anomalous patterns. IDS solutions are effective for identifying external attacks, exploitation attempts, and suspicious network behavior. However, they primarily focus on packet-level network traffic rather than user behavior patterns. Since the requirement involves detecting abnormal login times and unusual data access patterns associated with insider threats, IDS does not provide the behavioral analytics necessary to support this objective.
B is incorrect: Security Information and Event Management (SIEM) platforms aggregate and correlate logs from multiple systems across an enterprise environment. SIEM solutions help SOC teams detect suspicious activity through rule-based correlation and centralized monitoring. While SIEM can ingest authentication logs and file access records, traditional SIEM platforms rely mainly on predefined detection rules rather than behavioral baselining of user activity. Because the scenario requires identifying deviations from normal user behavior, SIEM alone is not the most specialized solution.
C is correct: User and Entity Behavior Analytics (UEBA) is the correct answer because it analyzes behavioral patterns of users and systems to detect anomalies that may indicate insider threats or compromised accounts. UEBA platforms establish behavioral baselines by monitoring login times, data access patterns, device usage, and other contextual factors. When activity deviates from normal behavior—such as unusual login times or abnormal data access volumes—the system generates alerts for investigation. Security operations practices highlight UEBA as a key technology for detecting insider threats and compromised identities through behavioral analytics.
D is incorrect: Vulnerability scanners identify known weaknesses in systems, applications, and configurations by comparing them against vulnerability databases. These tools help organizations detect outdated software, insecure configurations, and missing patches. However, vulnerability scanners do not analyze user behavior or detect suspicious activity related to account misuse. Since the scenario focuses on identifying insider threats through behavioral analysis, vulnerability scanning does not meet the requirement.
Correct Answer: D
A is incorrect: Password vaults securely store user credentials and allow users to retrieve passwords for different applications. While vaults help manage and protect credentials, users still authenticate separately to each application using stored passwords. This approach does not provide centralized authentication through a corporate identity provider across multiple SaaS applications. Therefore, a password vault does not best enable the requirement described.
B is incorrect: Network segmentation divides networks into smaller zones to control communication and limit lateral movement. It improves network security by isolating systems and restricting access between segments. However, segmentation is unrelated to authentication or identity management across SaaS platforms. Since the requirement involves enabling users to authenticate using a corporate identity provider across multiple services, network segmentation does not address the objective.
C is incorrect: Static credentials refer to fixed usernames and passwords configured individually for each system or application. Using static credentials across multiple SaaS platforms would require separate authentication for each service and increases the risk of credential reuse or compromise. This approach does not enable centralized identity management or single sign-on capabilities. Therefore, static credentials do not meet the requirement for unified authentication across SaaS applications.
D is correct: Identity federation is the correct answer because it allows users to authenticate through a trusted identity provider and access multiple applications without maintaining separate credentials for each service. Federation technologies such as SAML, OAuth, or OpenID Connect establish trust relationships between the corporate identity provider and external SaaS applications. This enables single sign-on (SSO), centralized identity management, and consistent access policies across multiple services. Security architecture guidance highlights identity federation as the primary mechanism for enabling enterprise identity providers to authenticate users across cloud-based applications.
Correct Answer: C
A is incorrect: Near-field communication (NFC) is a short-range wireless communication technology typically used for contactless payments, device pairing, and secure credential exchanges. NFC requires very close proximity (generally a few centimeters) and is typically triggered intentionally through device interaction. While NFC can identify when two devices communicate, it does not provide automated monitoring of mobile device movement into defined physical areas such as a data center zone. Because the scenario requires automatic alerts when a device enters a defined boundary, NFC would not meet the architectural requirement.
B is incorrect: Short Message Service (SMS) is a communication protocol used to send text messages between devices over cellular networks. SMS could be used to notify individuals after an event occurs, but it is not a location-based detection mechanism. The scenario requires a system that detects when a device enters a specific area and triggers alerts automatically. SMS alone cannot determine device location or entry into a controlled physical space; it would only serve as a notification channel rather than the detection control required.
C is correct: Geofencing is the correct answer because it creates a virtual perimeter around a defined geographic area and triggers alerts when a device enters or exits that boundary. In enterprise security environments, geofencing can be used to monitor mobile devices entering restricted zones such as sensitive areas of a data center. When a device crosses the boundary, the system can automatically generate alerts for security personnel and notify the individual device owner that access is logged and monitored. CASP+ materials describe geofencing as a mechanism used in mobility management to enforce location-based security policies and monitoring.
D is incorrect: Bluetooth is a short-range wireless communication protocol used for connecting peripherals and exchanging data between nearby devices. While Bluetooth beacons can support proximity detection in certain implementations, Bluetooth itself is not designed to enforce location-based security boundaries across defined areas like a data center zone. It lacks the native capability to establish and monitor a virtual geographic boundary with automatic alerts when devices enter or leave the area. Therefore, it would not fully satisfy the requirements described in the scenario.
Select all that apply
Correct Answers: A, E
A is correct: Network Access Control (NAC) enforces security policies on devices before granting network access. NAC solutions commonly perform posture assessments to verify that connecting devices meet organizational security requirements such as updated antivirus software, patched operating systems, and appropriate configuration baselines. In the scenario, visitors connecting to Wi-Fi through unused ports must have their devices assessed before gaining access to the network. NAC provides this functionality by evaluating device posture and restricting or allowing access accordingly. Therefore, NAC directly satisfies the requirement for pre-access posture assessment.
B is incorrect: A Web Application Firewall (WAF) protects web applications by filtering and monitoring HTTP or HTTPS traffic between users and web servers. It is designed to block application-layer attacks such as SQL injection, cross-site scripting, or session hijacking. However, the scenario focuses on network access control for Wi-Fi users and monitoring wireless traffic behavior. Since WAFs protect web applications rather than network access or wireless traffic analysis, this option does not address the stated requirements.
C is incorrect: A Wireless LAN Controller (WLC) centrally manages wireless access points, enabling administrators to configure SSIDs, authentication methods, and wireless network policies. While a WLC plays an important role in managing wireless infrastructure, it does not perform posture assessments on connecting devices or detect abnormal traffic behavior. These capabilities are typically provided by NAC or intrusion detection/prevention systems rather than the wireless controller itself.
D is incorrect: A Wireless Distribution System (WDS) enables wireless access points to connect with each other wirelessly to extend network coverage without requiring wired backhaul connections. WDS is used for expanding wireless networks and bridging access points, not for performing posture assessments or analyzing traffic for abnormal behavior. Therefore, it does not satisfy the security requirements described in the scenario.
E is correct: A Network Intrusion Prevention System (NIPS) monitors network traffic for malicious or abnormal behavior and can generate alerts or take action when suspicious activity is detected. In the scenario, the requirement specifies that wireless traffic must be scanned for abnormal behavior and that the security team should be notified before any actions are taken. A NIPS can inspect traffic patterns, identify anomalies or known attack signatures, and alert security teams accordingly. Therefore, deploying a NIPS fulfills the requirement for monitoring and detecting abnormal wireless network activity.
F is incorrect: A Network Access Control List (NACL) is typically used in networking environments (such as cloud infrastructure or routers) to define allow or deny rules for network traffic based on IP addresses, ports, or protocols. While NACLs can restrict traffic flows, they do not perform device posture assessments or detect abnormal network behavior. Since the requirements involve verifying device security posture and monitoring traffic anomalies, NACLs do not provide the necessary capabilities.
Correct Answer: D
A is incorrect: A. XML injection. XML injection occurs when an attacker manipulates XML input or structure to alter how an application processes XML data. This attack typically involves modifying XML tags, attributes, or document structure to manipulate queries or configuration data. While certain special characters may be involved, XML injection defenses usually focus on proper XML parsing, schema validation, and secure handling of XML documents. The specific blocklisted characters in the scenario—particularly angle brackets and quotation marks—are more commonly associated with HTML or JavaScript injection rather than manipulation of XML documents. Therefore, XML injection is not the most appropriate match for the described controls.
B is incorrect: B. LDAP injection. LDAP injection occurs when untrusted input is incorporated into LDAP queries without proper sanitization, allowing attackers to manipulate directory queries. Typical LDAP injection payloads involve characters such as parentheses, logical operators, and wildcard characters used in LDAP filter syntax. While input validation is important in preventing LDAP injection, the listed characters in the scenario are more characteristic of HTML or script injection vectors. Additionally, LDAP injection primarily targets directory query structures rather than client-side script execution. Therefore, this option does not best align with the controls described.
C is incorrect: C. CSRF. Cross-site request forgery (CSRF) exploits a user's authenticated session to perform unintended actions on a web application. CSRF attacks occur when a victim’s browser is tricked into sending unauthorized requests to a trusted application. Preventing CSRF typically involves implementing controls such as anti-CSRF tokens, same-site cookies, or request validation mechanisms. Input validation or blocking special characters does not address the root cause of CSRF attacks. Therefore, the controls described in the scenario would not effectively mitigate CSRF.
D is correct: D. XSS. This is the correct answer because cross-site scripting (XSS) attacks involve injecting malicious scripts into web pages that are executed in the browser of other users. Attackers commonly exploit characters such as <, >, quotes, semicolons, and other symbols used to construct HTML or JavaScript payloads. The scenario specifically mentions blocklisting characters like angle brackets and quotes, which are frequently used to inject script tags or malicious HTML. Additionally, enforcing least privilege within the application limits the potential damage if an injected script attempts to perform unauthorized actions. Together, these controls indicate that the security architect is attempting to mitigate XSS attacks.
Correct Answer: B
A is incorrect: Threat intelligence provides information about known threats, indicators of compromise, and attacker tactics gathered from external sources or internal analysis. While threat intelligence helps organizations detect and respond to attacks more effectively, it does not inherently provide an environment where attackers can be observed using live exploitation techniques. It also does not create a transparent detection mechanism embedded in production networks.
B is correct: Deception software is the correct answer because deception technologies deploy decoys, honeypots, and trap assets within production environments to detect malicious activity early. These systems are designed to be transparent to legitimate users and impose minimal performance impact. Attackers interacting with decoy systems reveal their tactics, techniques, and procedures, allowing security teams to observe and investigate exploitation techniques in real time. CASP+ materials highlight deception technology as a method for early detection of advanced persistent threats and enabling threat hunting within enterprise networks.
C is incorrect: Centralized logging aggregates logs from multiple systems to provide visibility and correlation for security events. While centralized logging platforms such as SIEM systems support monitoring and investigation, they rely on existing telemetry rather than creating traps to attract attackers. They also do not provide a direct mechanism for studying live exploitation behavior in a controlled environment embedded in production networks.
D is incorrect: Sandbox detonation executes suspicious files in an isolated environment to observe their behavior and determine whether they are malicious. This technique is effective for malware analysis and detecting unknown threats in files or downloads. However, sandboxing focuses on analyzing files rather than detecting advanced persistent threats moving through a network or enabling investigation of attacker behavior across production and development systems.
Correct Answer: B
A is incorrect: A risk register is a repository that documents identified risks, their likelihood, impact, and mitigation strategies. While it helps track and manage organizational risks, it does not define roles and responsibilities for specific security tasks. Therefore, it is not the best tool for assigning accountability or communication responsibilities.
B is correct: A RACI matrix (Responsible, Accountable, Consulted, Informed) is a tool used to clearly define and communicate roles and responsibilities for tasks or processes. It assigns who is responsible for performing a task, who is accountable for outcomes, who should be consulted during execution, and who should be kept informed. By using a RACI matrix, a security manager can ensure clarity in task ownership and stakeholder communication across security initiatives, making it the most appropriate tool for the scenario described.
C is incorrect: The kill chain is a framework that describes the stages of a cyberattack, from initial reconnaissance to actions on objectives. It is useful for understanding attacker behavior and planning defensive measures, but it does not assign internal responsibilities or communication roles for security tasks.
D is incorrect: A hash inventory is a catalog of cryptographic hash values used to verify file integrity or detect changes in critical systems. While it supports integrity monitoring and incident detection, it does not provide a framework for defining responsibilities or accountability among team members for security tasks.
Correct Answer: B
A is incorrect: Preventing metadata tampering is not the primary purpose of calculating file hashes. Hashes do not actively stop modification of file metadata or content; instead, they detect whether a change has occurred. Metadata such as timestamps or attributes can still be altered by attackers or investigators if proper forensic procedures are not followed. Hashing is therefore a verification mechanism rather than a preventative control. Consequently, this option does not correctly describe the primary reason for generating hashes in digital forensics.
B is correct: In digital forensics, file hashing is used to verify that evidence remains unchanged throughout the investigation process. When investigators collect digital evidence, they generate a hash value (such as SHA-256) that uniquely represents the file’s contents at the time of acquisition. Later comparisons of the hash can confirm that the file has not been altered, ensuring the integrity of the evidence. This integrity validation is essential when presenting digital evidence in legal proceedings because investigators must demonstrate that the data remained unchanged from the time it was collected. Therefore, validating file integrity is the primary reason for generating hashes from confiscated systems.
C is incorrect: Although hash values are unique representations of file content, generating unique identifiers is not the primary forensic purpose of hashing evidence. While hashes can act as identifiers when cataloging files, the main forensic objective is to ensure that the file’s contents remain unchanged during analysis, storage, and transfer. Hashes serve primarily as an integrity verification mechanism rather than simply as identification markers. Therefore, this option does not represent the best reason for generating file hashes.
D is incorrect: The chain of custody documents the chronological handling of evidence from collection through analysis and presentation in court. It records who collected the evidence, who accessed it, and how it was transferred or stored. While file hashes support the integrity validation of evidence, they do not themselves preserve the chain of custody. Maintaining chain of custody involves procedural documentation and evidence handling controls rather than cryptographic hashing. Therefore, this option is not the correct explanation.
Correct Answer: A
A is correct: Short-lived scoped tokens limit both the lifetime and the permissions associated with service account credentials. By issuing tokens that expire quickly and restricting them to the minimum permissions required, organizations significantly reduce the potential impact if the credential is compromised. Even if an attacker obtains the token, its short validity period and limited scope restrict lateral movement and privilege escalation. CASP security architecture guidance emphasizes least privilege, credential rotation, and minimizing exposure windows as key strategies for reducing the blast radius of compromised identities.
B is incorrect: Long-lived shared keys are static credentials that remain valid for extended periods and are often reused across multiple services or systems. This significantly increases risk because if the key is compromised, attackers may maintain access for a long time and potentially access multiple systems. CASP identity and credential management principles discourage static, shared credentials due to their large attack surface and lack of traceability.
C is incorrect: Universal admin rights grant full administrative privileges to accounts regardless of the task being performed. This directly violates the principle of least privilege and dramatically increases the potential damage if an account is compromised. An attacker with administrative access could modify systems, access sensitive data, and pivot throughout the environment. CASP materials stress limiting privileges to reduce the scope of compromise.
D is incorrect: Embedded root certificates only refers to embedding trusted certificate authorities within systems to establish trust for encrypted communications. While certificate trust anchors are important for cryptographic validation, they do not control service account privileges or token lifetimes. Therefore, this measure does not reduce the blast radius of a compromised service account credential.
Correct Answer: A
A is correct: Software Composition Analysis (SCA) tools analyze third-party libraries, frameworks, and open-source dependencies used within an application. They identify outdated components, known vulnerabilities, and licensing risks by comparing included packages against vulnerability databases. In the scenario, the issue stems from old third-party packages being included in the software before distribution. SCA directly addresses this problem by tracking dependencies and alerting developers when libraries are outdated or contain known vulnerabilities. CASP+ materials emphasize monitoring and managing third-party components within the SDLC to ensure vulnerabilities in external packages are identified and remediated before release.
B is incorrect: A SCAP scanner uses the Security Content Automation Protocol to evaluate system configurations and compliance with security baselines. SCAP is primarily used for vulnerability management and configuration compliance on operating systems and infrastructure. It is not designed to analyze application source code dependencies or detect outdated third-party libraries used in software development.
C is incorrect: Static Application Security Testing (SAST) analyzes source code to identify vulnerabilities such as insecure coding practices, injection flaws, or buffer overflows. While SAST is valuable for detecting security flaws in internally developed code, it does not focus specifically on identifying outdated or vulnerable third-party libraries included in an application.
D is incorrect: Dynamic Application Security Testing (DAST) tests running applications by simulating external attacks against the deployed system. DAST identifies runtime vulnerabilities such as injection or authentication issues but does not analyze software dependencies or detect outdated third-party components during development.
