Latest Update: Jun 22 2026
Correct Answer: A
A is correct: Implementing rate limiting on the API directly addresses the issue of excessive requests consuming server resources. Since the APIs do not require authentication and the servers show heavy CPU utilization, the most likely cause is an excessive volume of requests, possibly from automated scripts or abusive clients. Rate limiting restricts how many requests a client can send within a defined time window, preventing abuse and protecting backend resources. This control can be implemented quickly and reduces load without requiring major architectural changes.
B is incorrect: Geoblocking on the WAF would restrict traffic from certain geographic regions. However, the scenario does not indicate that the traffic originates from specific regions or that the load is caused by a localized attack. Additionally, geoblocking may block legitimate users and does not address high request rates from allowed regions. Therefore, it is not the most effective or timely solution.
C is incorrect: Implementing OAuth 2.0 would introduce authentication and authorization controls for API access. While this could eventually help control access to the APIs, it requires development changes, integration with identity providers, and client-side updates. Because the requirement is to remedy performance issues quickly, implementing OAuth would introduce significant complexity and delay.
D is incorrect: Input validation helps prevent injection attacks and malformed input from reaching backend services. While this improves application security, it does not address the underlying issue of excessive request volume causing high CPU utilization. Even valid requests could still overwhelm the servers if they arrive at a high rate. Therefore, input validation would not resolve the immediate performance problem.
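The rate-limiting control described in the explanation for option A, as an added example that is not part of the original page: a per-client token bucket that admits a bounded burst and then refills at a fixed rate, so a flood from one client is rejected while a well-behaved client is never affected. Keying on the source IP is an assumption made here because an unauthenticated API has no user identity to key on; the sample traffic and addresses are constructed.

```python
"""Per-client token-bucket rate limiter for an unauthenticated API.

Added example, not from the original page. Clients are identified by a
key such as the source IP (an assumption: unauthenticated APIs have no
user identity to key on).
"""
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float  # timestamp of the last refill


class RateLimiter:
    """Allows a burst of `capacity` requests, refilling `rate` tokens per second."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity = capacity
        self.rate = rate
        self.buckets: dict[str, Bucket] = {}

    def allow(self, client: str, now: float) -> bool:
        """Return True if the request is admitted, False if it should get HTTP 429."""
        b = self.buckets.get(client)
        if b is None:
            b = Bucket(tokens=float(self.capacity), last=now)
            self.buckets[client] = b
        # Refill proportionally to elapsed time, capped at capacity.
        elapsed = max(0.0, now - b.last)
        b.tokens = min(self.capacity, b.tokens + elapsed * self.rate)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate(requests, capacity=5, rate=1.0):
    """Run (timestamp, client) pairs through the limiter; return
    per-client (allowed, rejected) counts."""
    limiter = RateLimiter(capacity, rate)
    stats = {}
    for ts, client in requests:
        allowed, rejected = stats.get(client, (0, 0))
        if limiter.allow(client, ts):
            stats[client] = (allowed + 1, rejected)
        else:
            stats[client] = (allowed, rejected + 1)
    return stats


# Constructed sample traffic: an abusive client sends 20 requests within one
# second; a well-behaved client sends one request every two seconds.
SAMPLE = [(i * 0.05, "203.0.113.7") for i in range(20)] + \
         [(i * 2.0, "198.51.100.4") for i in range(5)]

if __name__ == "__main__":
    for client, (ok, dropped) in simulate(sorted(SAMPLE)).items():
        print(f"{client}: allowed={ok} rejected={dropped}")
```

With a capacity of 5 and a refill of 1 token per second, the abusive client gets its first 5 requests through and the remaining 15 rejected, while the slow client is never throttled; the rejected client recovers on its own once it backs off, which is why this control can be deployed without any change to the API's authentication model.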
Correct Answer: C
A is incorrect: Software Composition Analysis (SCA) is used to identify vulnerabilities in third-party libraries and dependencies used by an application. It helps detect outdated packages and known vulnerabilities within external components. In this scenario, however, the issue is related to the application revealing information through error messages during directory probing, not vulnerabilities in third-party software components. Therefore, SCA would not remediate the problem shown in the test results.
B is incorrect: Packet inspection analyzes network traffic to detect malicious patterns or anomalies at the network layer. While packet inspection can identify suspicious activity or attacks in transit, it does not address how the application itself handles and displays error messages. The vulnerability shown is an application-level information disclosure issue rather than a network inspection problem.
C is correct: The responses returned by the application reveal internal directory structures and access conditions (for example, identifying specific admin directories and indicating when access is denied versus when files do not exist). This type of verbose error messaging provides attackers with valuable reconnaissance information that can assist in enumerating restricted resources. Implementing proper error handling ensures that applications return generic responses to users while logging detailed errors internally for administrators. CASP+ secure coding guidance stresses the importance of preventing information disclosure through application error messages.
D is incorrect: Eliminating unsafe functions is important when addressing vulnerabilities such as buffer overflows or improper input handling. However, the issue presented in the scenario involves revealing system information through error messages rather than unsafe memory or input functions. Removing unsafe functions would not directly address the information disclosure caused by the application’s error responses.
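The error-handling remediation described in the explanation for option C, as an added example that is not part of the original page: a leaky handler that answers "access denied" and "no such file" differently (and echoes the path) beside a hardened handler that returns one generic response for every failure and logs the real cause internally under a correlation reference. The in-memory file table, paths and status codes are constructed for illustration.

```python
"""Generic vs. verbose error responses for a resource handler.

Added example, not from the original page. The handler simulates serving
files from a restricted tree; the paths and responses are constructed.
"""
import logging
import uuid

log = logging.getLogger("app.internal")

# Constructed in-memory "filesystem": path -> (exists, readable)
FILES = {
    "/public/index.html": (True, True),
    "/admin/config.yml": (True, False),
}


def _lookup(path: str) -> str:
    if path not in FILES:
        raise FileNotFoundError(path)
    _exists, readable = FILES[path]
    if not readable:
        raise PermissionError(path)
    return "contents of " + path


def handle_verbose(path: str) -> tuple[int, str]:
    """Leaky version: status and body differ between 'missing' and 'forbidden'
    and echo the internal path, which lets a prober map the directory tree."""
    try:
        return 200, _lookup(path)
    except FileNotFoundError as e:
        return 404, f"No such file: {e}"
    except PermissionError as e:
        return 403, f"Access denied to {e}"


def handle_generic(path: str) -> tuple[int, str]:
    """Hardened version: every failure yields the same status and the same
    body shape; the specific cause goes to the internal log with a reference
    that administrators can correlate."""
    try:
        return 200, _lookup(path)
    except (FileNotFoundError, PermissionError) as e:
        ref = uuid.uuid4().hex[:12]
        log.warning("ref=%s path=%s cause=%s", ref, path, type(e).__name__)
        return 404, f"Resource not available (ref {ref})"


def leaks_distinction(handler) -> bool:
    """True if probing a protected path and a nonexistent path yields
    different status codes, i.e. the handler reveals which restricted
    resources exist."""
    return handler("/admin/config.yml")[0] != handler("/does/not/exist")[0]


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, handler in (("verbose", handle_verbose), ("generic", handle_generic)):
        print(name, handler("/admin/config.yml"), handler("/does/not/exist"),
              "leaks" if leaks_distinction(handler) else "no leak")
```

The `leaks_distinction` check is the test a reviewer would run against the handler: if an existing-but-restricted path and a nonexistent path produce different responses, the application is still confirming which resources exist, regardless of how the message is worded.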
Correct Answer: B
A is incorrect: Quality of Service (QoS) being applied by the public cloud provider to inbound customer traffic is not the most likely cause in this scenario. The question is framed as a security and architecture problem, and the bank has already implemented multiple availability and resilience controls, including DDoS protection, distributed DNS, CDN caching, inline WAF protection, and multi-cloud failover. A provider-side QoS policy could affect throughput, but it is not the most exam-aligned explanation when the slowdown is isolated to a specific unauthenticated payments page rather than the entire service. From a CompTIA perspective, the better answer is the one that identifies the remaining exposed application component that could still be abused despite the listed protections.
B is correct: Direct targeting of the API gateway endpoints is the best answer. The uploaded CASP+ material specifically notes that an API gateway sits between external clients and applications, and that API security depends on controls such as authentication, authorization, rate limiting, input filtering, monitoring, and logging. It also explains that API gateways can protect backend services from abuse. The SecurityX material further states that API gateways can enforce rate limiting and throttling to prevent clients from overwhelming APIs, including protection against intentional abuse such as DDoS attacks. In this scenario, the page is unauthenticated, which makes direct abuse of backend API endpoints more plausible. The CDN protects and accelerates static content, and the WAF protects web applications inline, but direct high-volume targeting of API endpoints can still create slowdown if the APIs themselves are the bottleneck. This aligns with another CASP+ practice scenario in the materials where customer-facing, unauthenticated APIs with heavy CPU utilization were best remediated with rate limiting on the API. That makes direct targeting of the API gateway endpoints the most appropriate root cause.
C is incorrect: A brute-force credential attack is less likely because the slowdown is occurring on the unauthenticated payments page. Brute-force attacks are typically associated with authentication workflows such as login endpoints, password reset forms, or token generation services. Since the question explicitly says the affected page is unauthenticated, a credential attack does not fit the facts as well as API abuse. From a CompTIA exam perspective, this option is a distractor meant to pull attention toward a familiar web threat that does not actually match the portion of the application being affected.
D is incorrect: A DDoS attack targeted at the CDN is less likely because the architecture already states that static content is cached in the CDN and that protection from DoS attacks against infrastructure and web applications is in place. CDNs are specifically used to absorb and distribute large volumes of traffic for static assets, improving availability and performance. The SecurityX material notes that CDNs cache content to reduce load on origin infrastructure. If the slowdown were primarily at the CDN layer, the architecture’s existing controls should make that a less likely remaining weakness than direct abuse of dynamic application or API components behind the CDN. Therefore, this is not the best answer.
Correct Answer: B
A is incorrect: A public load balancer distributes incoming traffic among service instances and can provide SSL/TLS termination for external clients. However, it does not handle service-to-service encryption or enforce identity-based policies between internal microservices, so it does not meet the stated requirements.
B is correct: A service mesh with mutual TLS (mTLS) provides end-to-end encryption between services and enforces identity-based authentication and authorization. The mesh transparently manages certificates for workloads, enabling encrypted communication, policy enforcement, and service identity verification without requiring changes to application code. This design fits perfectly for Kubernetes platforms needing secure, identity-aware internal service communication.
C is incorrect: Static host file entries allow hosts to resolve names to IP addresses manually. While this can assist with connectivity, it provides neither encryption nor identity-based policy enforcement. It does not protect service-to-service communication or ensure confidentiality and integrity, so it is not suitable for the requirement.
D is incorrect: An RDP gateway provides secure remote desktop access for users to connect to Windows hosts. It is designed for external user access, not for internal encrypted communication between Kubernetes services. Therefore, it does not fulfill the need for encrypted, identity-based service-to-service communication.
Correct Answer: D
A is incorrect: Self-signed pinning refers to trusting a specific certificate or public key that is manually configured within an application or system. While certificate pinning can prevent man-in-the-middle attacks by ensuring a specific certificate is trusted, it does not provide a mechanism for checking whether a certificate has been revoked by a certificate authority. Revocation status cannot be dynamically validated through pinning alone. CASP+ cryptography guidance emphasizes using certificate status verification mechanisms to determine whether certificates remain valid. Therefore, self-signed pinning does not provide real-time revocation checking.
B is incorrect: Certificate Revocation Lists (CRLs) contain lists of revoked certificates published periodically by certificate authorities. Systems download and cache these lists to check whether certificates have been revoked. However, CRLs are typically updated on scheduled intervals, meaning there can be delays between when a certificate is revoked and when the updated CRL is distributed. CASP+ materials note that CRL-based validation may not provide timely revocation detection due to these update cycles. Consequently, CRL-only validation does not provide near real-time revocation checking.
C is incorrect: A wildcard Subject Alternative Name (SAN) certificate allows a single certificate to secure multiple subdomains (for example, *.example.com). This feature simplifies certificate management but does not involve certificate revocation checking or validation processes. The SAN field simply identifies which domains are covered by the certificate. CASP+ cryptographic principles distinguish certificate attributes from revocation validation methods. Therefore, wildcard SAN certificates do not provide revocation checking capabilities.
D is correct: Online Certificate Status Protocol (OCSP) allows systems to query a certificate authority’s OCSP responder to verify the revocation status of a certificate in near real time. Instead of relying on periodically downloaded CRLs, OCSP enables clients to request the current status of a specific certificate during the validation process. CASP+ cryptography guidance highlights OCSP as a more timely method of certificate revocation verification compared with CRLs. Because OCSP provides near real-time revocation status information, it is the best choice for certificate validation in this scenario.
Correct Answer: B
A is incorrect: A general-purpose certificate is typically issued for a single fully qualified domain name (FQDN). It is commonly used for securing individual websites or services with TLS. In a BYOD environment where multiple services and enrollment endpoints may exist under different hostnames within the organization’s domain, a single-domain certificate would not provide the flexibility needed to support multiple services and devices across different subdomains.
B is correct: A multidomain certificate, also known as a Subject Alternative Name (SAN) certificate, allows multiple domain names or hostnames to be secured with a single certificate. This capability is useful in environments where multiple services—such as enrollment servers, authentication portals, and management systems—exist across several hostnames under the organization’s domain. In a BYOD deployment with PKI-based enrollment, multidomain certificates allow the organization to support multiple services involved in device enrollment and authentication while maintaining centralized certificate management. Therefore, this option best meets the requirement.
C is incorrect: A wildcard certificate secures all subdomains under a single domain, such as *.example.com. While this provides flexibility for many services under one domain, wildcard certificates are less appropriate for PKI enrollment systems where strict identity validation and granular hostname control are important. Additionally, wildcard certificates can introduce security risks because compromise of the certificate could impact all subdomains. Therefore, this option is not the most appropriate choice for a controlled PKI enrollment environment.
D is incorrect: An extended validation (EV) certificate provides enhanced verification of the organization's identity during the certificate issuance process. These certificates are typically used for public-facing websites that require strong user trust indicators in browsers. EV certificates focus on validating the organization’s legitimacy rather than enabling multi-hostname support or device enrollment capabilities. As a result, they do not specifically address the requirements of enrolling mobile devices within a corporate PKI environment.
Correct Answer: C
A is incorrect: Low CPU utilization reflects system resource usage and typically indicates that processing capacity is not fully utilized. While cryptographic operations can affect CPU performance, low CPU utilization does not indicate a flaw in the cryptographic implementation itself. It is a performance metric rather than a security indicator.
B is incorrect: Oversized MTU refers to configuring a network with larger maximum transmission unit values, often to support jumbo frames. This configuration affects network performance and packet transmission efficiency but has no relationship to cryptographic algorithm strength or implementation quality. Therefore, it does not indicate cryptographic weakness.
C is correct: Use of deprecated cipher suites directly indicates a weak cryptographic implementation because such algorithms have known vulnerabilities or insufficient key strengths. Examples include RC4, DES, and MD5-based constructions, which have been deprecated due to susceptibility to cryptographic attacks. CASP cryptography guidance emphasizes that organizations must avoid obsolete algorithms and use modern, secure cipher suites to maintain strong confidentiality and integrity protections.
D is incorrect: Link-state convergence refers to the process by which routing protocols such as OSPF update and stabilize their routing tables after a network change. While important for network reliability and routing performance, it is unrelated to cryptographic mechanisms or encryption practices. It therefore does not indicate a cryptographic implementation weakness.
Correct Answer: A
A is correct: Replication ensures that data is continuously copied from one system to another so that multiple systems maintain synchronized copies of critical data. In a clustered high-availability environment, replication allows a standby node to maintain an up-to-date dataset. In the scenario, failover worked as expected but both clusters lost critical data, indicating that data synchronization between nodes was insufficient. Configuring replication ensures that data written to one node is mirrored to the other node, minimizing data loss and reducing recovery delays after outages. CASP+ materials highlight replication as a key resilience mechanism to maintain data availability and integrity across clustered systems.
B is incorrect: Caching temporarily stores frequently accessed data in faster storage to improve application performance and reduce latency. While caching can improve responsiveness, it does not provide persistent data synchronization between clustered systems and therefore would not prevent data loss during outages or ensure faster recovery from a power failure.
C is incorrect: Containerization packages applications and their dependencies into portable environments that can run consistently across systems. While containers can improve deployment efficiency and scalability, they do not inherently provide data synchronization or protection against data loss during system outages.
D is incorrect: Redundancy refers to deploying duplicate components or systems to eliminate single points of failure. Although redundancy improves system availability, the scenario already indicates that a high-availability cluster exists and failover occurred successfully. The issue is not the presence of redundant systems but the lack of synchronized data between them.
E is incorrect: High availability refers to system architectures designed to ensure continuous operation and smooth failover during failures. The scenario already states that the cluster was configured for high availability and that failover occurred successfully. However, high availability alone does not guarantee that the data between nodes is synchronized, which is why replication must be implemented to prevent data loss.
Correct Answer: A
A is correct: Evidence presented in a court of law must be material, meaning it must be relevant and directly related to the facts of the case. Material evidence helps establish or refute elements of the legal claim or charge being evaluated by the court. In digital forensics, evidence must demonstrate a meaningful connection to the incident under investigation and support the legal argument being presented. Courts evaluate whether evidence contributes to proving or disproving a fact in dispute. If digital evidence does not materially support the case, it may be excluded regardless of how well it was collected or preserved.
B is incorrect: Tangible evidence refers to physical objects that can be directly observed or touched, such as hardware devices or printed documents. However, digital evidence often exists in electronic form, such as log files, system images, or network captures. While digital evidence can be stored on tangible media, the evidentiary requirement in court is not that the evidence itself must be tangible. Courts accept digital artifacts provided that they are properly collected, preserved, and relevant. Therefore, tangibility is not the defining requirement for admissibility.
C is incorrect: Consistency refers to evidence being logically coherent or aligned with other information in an investigation. While consistent evidence may strengthen a case by reinforcing other findings, it is not a formal legal requirement for admissibility. Evidence may still be admissible even if it conflicts with other evidence, as determining credibility and weight is the responsibility of the court or jury. Consequently, consistency alone is not the requirement that determines whether digital evidence can be presented in court.
D is incorrect: Conserved evidence refers to evidence that has been preserved or protected from alteration. Proper preservation of digital evidence is extremely important in forensic investigations, particularly through maintaining chain of custody and forensic imaging procedures. However, the legal requirement referenced in the question relates to whether the evidence is relevant to the case being argued. While conservation supports evidence integrity, the admissibility requirement highlighted here is materiality rather than conservation.
Correct Answer: C
A is incorrect: This option is incorrect because scalability refers to the ability of a system to handle increasing workloads by adding resources such as additional servers, memory, or compute capacity. In the scenario, the architecture review indicates that memory and CPU usage are low and there is significant storage capacity available, which suggests that the environment currently has sufficient resources and is not experiencing scaling pressure. While scalability could become a concern in the future if demand increases, the observations provided do not indicate a current limitation in the system’s ability to scale. Therefore, scalability is not the most pressing architectural issue identified in the review.
B is incorrect: This option is incorrect because automation involves using tools and processes to automatically deploy, configure, monitor, or manage infrastructure and applications. Examples include infrastructure as code, automated deployment pipelines, and automated scaling or recovery mechanisms. The scenario does not indicate manual operational bottlenecks or configuration management issues that would suggest automation deficiencies. Instead, the architecture observation highlights a structural weakness related to system redundancy. Therefore, automation is not the most relevant concern described.
C is correct: This is the correct answer. The key observation is that the load balancer has only a single server assigned. A load balancer is typically used to distribute traffic across multiple backend servers to improve resilience and fault tolerance. If only one server exists behind the load balancer, the architecture has a single point of failure. If that server fails, the application becomes unavailable. CASP+ security architecture principles emphasize designing systems for high availability and redundancy. Load-balanced environments normally include multiple backend instances so that traffic can continue to be served if one instance fails. The architecture review therefore identifies an availability risk, since the current configuration lacks redundancy behind the load balancer.
D is incorrect: This option is incorrect because performance relates to how efficiently a system processes requests, including metrics such as response time, throughput, and resource utilization. The observations in the scenario indicate that CPU and memory usage are low, which typically suggests that the system is not currently experiencing performance constraints. Although performance monitoring is always important, the provided observations do not indicate slow responses, high resource consumption, or system bottlenecks. The more critical issue identified is the lack of redundancy behind the load balancer, which affects availability rather than performance.
