Latest Update: Jun 22 2026
Correct Answer: A
A is correct: This is the correct answer. A Security Orchestration, Automation, and Response (SOAR) platform automates incident response workflows by integrating security tools, processes, and threat intelligence sources. SOAR solutions allow organizations to create playbooks that automatically perform predefined actions when certain events occur. In this scenario, when a phishing email is identified, a SOAR playbook could automatically extract malicious domains, URLs, or sender addresses and update the organization’s blocklists across email gateways, web filters, and security controls. CASP+ operational security guidance highlights SOAR as a key capability for improving incident response efficiency through automation and orchestration. By automating repetitive tasks—such as updating blocklists when phishing indicators are detected—organizations can reduce response times, minimize human error, and ensure consistent handling of phishing incidents.
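As an added example (not from the original page), the playbook step described above: it extracts the sender and URL indicators from a constructed phishing report and pushes only new, non-allowlisted values to each control's blocklist. The email, the allowlist and the in-memory stores are assumptions standing in for the real gateway and filter APIs.

```javascript
// Added example (not from the original page): one SOAR-style playbook step that turns a
// reported phishing email into blocklist updates for the email gateway, web filter and
// DNS filter. Email, allowlist and stores are constructed; a real playbook calls each control's API.
// Constructed phishing report, raw headers plus body, as a SOAR tool would receive it.
const PHISHING_EMAIL = [
  "From: Payroll Team <hr-update@payroll-example-phish.test>",
  "Subject: Action required: confirm your direct deposit",
  "",
  "Please confirm your details at https://payroll-example-phish.test/login",
  "or use the mirror at http://cdn.example-phish.test/x?id=42.",
  "Internal portal: https://intranet.example.com/payroll",
].join("\n");

// Domains the playbook must never block; without this check a spoofed sender or a
// legitimate link quoted in the lure would let the playbook deny service to the business.
const ALLOWLIST = new Set(["example.com"]);
function isAllowlisted(host) {
  for (const a of ALLOWLIST) if (host === a || host.endsWith("." + a)) return true;
  return false;
}

// Pull the sender address, sender domain and every URL host out of the message.
function extractIndicators(rawEmail) {
  const ind = { senders: new Set(), domains: new Set(), urls: new Set() };
  const from = rawEmail.match(/^From:.*?<?([^\s<>]+@([^\s<>]+))>?$/m);
  if (from) {
    ind.senders.add(from[1].toLowerCase());
    ind.domains.add(from[2].toLowerCase());
  }
  for (const m of rawEmail.matchAll(/https?:\/\/[^\s"'<>]+/g)) {
    const url = m[0].replace(/[.,)]+$/, ""); // drop punctuation glued to the link
    ind.urls.add(url);
    ind.domains.add(new URL(url).hostname.toLowerCase());
  }
  return ind;
}

// Map indicators onto the controls that consume them. Returns only the updates that were
// actually new, so re-running the playbook on the same alert is a harmless no-op.
function buildBlocklistUpdates(ind, stores) {
  const actions = [];
  const push = (control, value) => {
    if (stores[control].has(value)) return;
    stores[control].add(value);
    actions.push({ control, value });
  };
  for (const d of ind.domains) {
    if (isAllowlisted(d)) continue;
    push("emailGateway", d);
    push("dnsFilter", d);
  }
  for (const u of ind.urls) if (!isAllowlisted(new URL(u).hostname)) push("webFilter", u);
  for (const s of ind.senders) if (!isAllowlisted(s.split("@")[1])) push("emailGateway", s);
  return actions;
}

function runPhishingPlaybook(rawEmail, stores) {
  return buildBlocklistUpdates(extractIndicators(rawEmail), stores);
}

// Demo: the first run yields 7 updates; the second run on the same alert yields 0.
const stores = { emailGateway: new Set(), webFilter: new Set(), dnsFilter: new Set() };
console.log(runPhishingPlaybook(PHISHING_EMAIL, stores).length, runPhishingPlaybook(PHISHING_EMAIL, stores).length);
```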
B is incorrect: This option is incorrect because a Managed Security Service Provider (MSSP) is an external organization that provides outsourced security monitoring and management services. MSSPs typically offer services such as security monitoring, threat detection, incident response assistance, and security device management. While an MSSP could help monitor phishing threats or assist with incident response, it does not inherently provide automated internal processes such as dynamically updating blocklists when phishing attempts are detected. The scenario specifically requires automation of internal response actions, which is more directly addressed by SOAR technology.
C is incorrect: This option is incorrect because containerization is a software deployment method that packages applications and their dependencies into isolated containers. Containers enable consistent execution across environments and are commonly used in DevOps and cloud-native architectures. Containerization focuses on application deployment and resource isolation, not on automating incident response or updating blocklists. Therefore, it does not address the requirement to automatically update security controls when phishing attempts are detected.
D is incorrect: This option is incorrect because virtualization allows multiple virtual machines to run on a single physical system, enabling better resource utilization and isolation between operating systems. Virtualization is widely used in data centers and cloud environments to support flexible infrastructure deployment. However, virtualization does not automate security response actions or integrate security tools to update blocklists based on phishing detections. The scenario requires automated security workflow management, which virtualization does not provide.
E is incorrect: This option is incorrect because Managed Detection and Response (MDR) services provide outsourced threat detection and incident response capabilities. MDR providers typically use advanced monitoring, threat hunting, and analysis to identify malicious activity in customer environments. Although MDR services can detect phishing-related threats and assist with incident response, they do not inherently automate internal processes such as dynamically updating blocklists within an organization’s security infrastructure. The requirement focuses on automated orchestration of internal response actions, which aligns more directly with SOAR capabilities.
Correct Answer: D
A is incorrect: Business intelligence focuses on organizational performance, market trends, and operational decision-making rather than cybersecurity threats. It typically includes analytics related to revenue, operations, and strategic planning within an organization. Because the scenario involves identifying and blocking malicious domains using threat intelligence feeds, business intelligence does not provide actionable security indicators such as domains, IP addresses, or malware signatures. Therefore, it is not relevant to the requirement described.
B is incorrect: Strategic threat intelligence provides high-level insights into threat actors, motivations, geopolitical trends, and long-term risk considerations. It is primarily intended for executive leadership and strategic decision-making. While strategic intelligence helps organizations understand the broader threat landscape, it does not provide specific technical indicators that can be used directly in security controls. Since the SOC team needs actionable data to block malicious domains, strategic intelligence is too high-level for this operational task.
C is incorrect: Operational intelligence focuses on information about ongoing or upcoming cyber threats, campaigns, and adversary activities. It may include details about threat actor techniques, attack infrastructure, and timelines of active campaigns. Although operational intelligence can help security teams understand how attacks are conducted, it often supports threat analysis and response planning rather than providing specific indicators used directly in automated blocking mechanisms. Therefore, it is not the most appropriate choice for blocking malicious domains.
D is correct: Tactical threat intelligence is the correct answer because it provides specific technical indicators of compromise (IOCs) that security systems can use directly. These indicators include malicious domains, IP addresses, file hashes, URLs, and other observable artifacts associated with threats. SOC teams commonly ingest tactical intelligence feeds into security tools such as DNS filtering systems, firewalls, or intrusion prevention systems to automatically block known malicious infrastructure. Because the requirement involves blocking domains identified through threat intelligence feeds, tactical intelligence provides the most actionable data for this purpose.
Correct Answer: C
A is incorrect: A user agent being incompatible with the WAF would not normally prevent logging of traffic entirely. WAFs inspect HTTP/HTTPS traffic at the application layer regardless of the specific browser or client user agent string. Even if the client used an unusual or unsupported user agent, the request would still typically pass through the WAF and be logged as raw traffic. Therefore, this situation would not explain the absence of logging or visibility for the malicious traffic.
B is incorrect: An expired certificate on the WAF could generate TLS warnings or block secure connections depending on configuration, but it would not typically cause the WAF to lose visibility into traffic passing through it. In most deployments, the WAF would still observe and log incoming requests even if certificate validation issues occur. Certificate expiration affects trust and encryption negotiation rather than traffic inspection capability. Therefore, it does not explain why specific traffic is not appearing in logs.
C is correct: If HTTP traffic is not redirected or forwarded through HTTPS termination where the WAF can perform TLS decryption, the WAF may not be able to inspect the encrypted application-layer content. Without decryption, the WAF cannot analyze or log detailed request data because the payload remains encrypted. This results in limited or no visibility into application activity and prevents detection of malicious traffic patterns. Proper WAF operation typically requires HTTPS interception or TLS termination so that the application-layer traffic can be decrypted, inspected, and logged before being forwarded to the backend web server.
D is incorrect: The presence of older or vulnerable cipher suites may weaken cryptographic security but does not inherently prevent a WAF from logging or inspecting traffic. As long as the WAF can negotiate the TLS session and decrypt the traffic, inspection and logging remain possible. Cipher strength primarily affects security posture rather than monitoring visibility. Therefore, this option does not explain the lack of logging and visibility observed by the SOC analyst.
Correct Answer: A
A is correct: This is the correct answer. The presence of the company proxy certificate in the middle of the certificate chain indicates that the organization is performing TLS/SSL inspection through a proxy. In this configuration, the proxy decrypts and re-encrypts HTTPS traffic using an internally trusted certificate authority (CA). If users begin receiving certificate errors across multiple external websites, it typically indicates that the proxy’s intermediate CA certificate is expired, misconfigured, or improperly deployed. To resolve the issue, the security team should renew and redeploy the intermediate CA certificate used by the proxy and ensure that the internal root CA remains trusted on client systems. Once the proxy presents a valid certificate chain during HTTPS inspection, the browser will trust the connection again and the certificate errors should be resolved.
B is incorrect: This option is incorrect because the issue does not originate from the external websites’ certificates. The help desk technician observed that an internal proxy certificate appears in the certificate chain, which indicates that HTTPS traffic is being intercepted and re-signed by the organization's proxy. External websites typically provide valid certificates issued by public certificate authorities, and multiple unrelated sites producing certificate errors simultaneously strongly suggests an internal infrastructure issue. Therefore, contacting external websites would not resolve the problem.
C is incorrect: This option is incorrect because analyzing traffic with Wireshark may help identify network anomalies or potential malicious activity, but the scenario already provides clear evidence of the issue: the internal proxy certificate appearing in the certificate chain and causing browser certificate errors. The problem is most likely related to certificate trust or expiration, not a network attack or suspicious traffic pattern. Since the root cause has effectively been identified, packet capture analysis would not be the most efficient next step to resolve the issue.
D is incorrect: This option is incorrect because adding websites to the proxy allow list would bypass inspection for those specific sites, but the problem affects multiple external websites and is related to the proxy certificate chain itself. Allow-listing sites would only serve as a temporary workaround and would weaken security by bypassing TLS inspection controls. The correct approach is to fix the underlying certificate trust issue rather than selectively bypassing the proxy.
Correct Answer: A
A is correct: S/MIME certificates are commonly exchanged between organizations to enable secure email using cryptographic protections such as encryption and digital signatures. Digital signatures allow the recipient to verify the sender’s identity and confirm that the message contents have not been altered in transit. This provides integrity and authentication for email communications between the organizations. In enterprise cryptographic implementations, S/MIME leverages PKI certificates to sign messages so recipients can validate the sender and ensure message integrity, which is a primary use case for exchanging certificates between organizations.
B is incorrect: While S/MIME can help recipients verify the sender’s identity, the primary purpose of exchanging S/MIME certificates is not specifically to reduce spam or impersonation spam. Spam prevention typically relies on email filtering technologies such as SPF, DKIM, and DMARC rather than certificate exchange. S/MIME focuses on cryptographic assurance of message integrity and sender authenticity rather than spam filtering mechanisms.
C is incorrect: Enabling a decentralized IT infrastructure is unrelated to the purpose of exchanging S/MIME certificates. S/MIME is an email security standard designed to provide cryptographic protection for messages, not to modify network architecture or infrastructure design. Decentralization refers to system architecture decisions, whereas S/MIME operates at the application layer for secure email communication.
D is incorrect: Business email compromise (BEC) attacks involve social engineering techniques where attackers impersonate executives or partners to request fraudulent payments or sensitive information. Although S/MIME digital signatures can help validate sender authenticity, exchanging certificates alone does not eliminate BEC risks. Attackers may still compromise legitimate accounts or exploit users who ignore signature verification warnings. Therefore, S/MIME helps mitigate certain risks but cannot fully eliminate business email compromise threats.
Correct Answer: B
A is incorrect: Data scrubbing refers to the process of removing sensitive information from datasets, logs, or records so that it cannot be recovered or misused. While scrubbing is useful for sanitizing data before sharing or analysis, it permanently removes the sensitive data. In this scenario, the help desk still needs access to partial employee information to verify identity during authentication, so permanently removing the data would prevent its use for verification.
B is correct: Field masking displays only a portion of sensitive data while hiding the rest, such as showing the last four digits of a Social Security number or employee ID. This allows help desk staff to verify user identity without exposing the full sensitive value. Because the requirement states that help desk staff must view only partial information to authenticate employees while protecting the complete data, field masking directly satisfies the requirement.
C is incorrect: Encryption in transit protects data while it is being transmitted across networks by preventing unauthorized interception or eavesdropping. Although this control protects confidentiality during communication, it does not control how much information is displayed to help desk personnel during authentication processes. Therefore, it does not address the requirement to show only partial information.
D is incorrect: Metadata describes characteristics about data such as creation time, format, or author information. While metadata can provide contextual information about files or records, it does not provide a mechanism to hide portions of sensitive information while still allowing partial visibility for authentication purposes. Therefore, it is not relevant to the requirement.
Correct Answer: D
A is incorrect: Digital signing is a cryptographic process used to verify the authenticity and integrity of data by generating a signature with a private key that can be validated with a corresponding public key. It supports non-repudiation and integrity verification but does not enable processing or computation on encrypted data. Therefore, it does not address the requirement to perform operations on encrypted information without decryption.
B is incorrect: Tokenization replaces sensitive data with non-sensitive placeholder values (tokens) that reference the original data stored securely elsewhere. This approach protects sensitive information such as payment card numbers but does not allow computation on the protected data itself. Any meaningful processing typically requires retrieving the original data from the token vault, which means the data must be restored rather than computed while encrypted.
C is incorrect: Base64 encoding is a data encoding technique used to represent binary data in ASCII text format for transmission or storage compatibility. It is not encryption and provides no confidentiality protection. Since Base64 only converts data representation and does not protect or mathematically operate on encrypted values, it cannot support computations on protected data.
D is correct: Homomorphic encryption enables mathematical computations to be performed directly on encrypted data without decrypting it first. The result of the computation remains encrypted and can later be decrypted to obtain the correct plaintext result. This capability allows secure processing of sensitive data in untrusted environments such as cloud systems while maintaining confidentiality throughout the computation process. CASP guidance identifies homomorphic encryption as an emerging cryptographic technique that supports secure computation on protected data.
Correct Answer: A
A is correct: Certificate pinning ensures that the mobile application only trusts a specific server certificate or public key that is embedded within the application. This prevents attackers from successfully performing on-path (man-in-the-middle) attacks even if they can present a certificate issued by a trusted certificate authority or manipulate the network. By validating the pinned certificate during the TLS handshake, the application rejects connections that do not match the expected certificate. Because the scenario specifically aims to prevent on-path attacks between the mobile client and backend services, certificate pinning is the most effective control.
B is incorrect: Code obfuscation makes application code more difficult to reverse engineer by altering its structure while preserving functionality. This technique can protect intellectual property and hinder attackers attempting to analyze the application logic. However, obfuscation does not protect communications between the mobile application and backend services. Since the threat described involves interception or manipulation of network traffic during transmission, obfuscation does not directly mitigate on-path attacks.
C is incorrect: Client certificate authentication provides mutual TLS by requiring the client to present a valid certificate during authentication with the server. While this strengthens authentication between client and server, it does not necessarily prevent a man-in-the-middle attacker from intercepting or relaying traffic if the attacker can proxy communications. Additionally, distributing and managing client certificates across large numbers of mobile devices can introduce operational challenges. Certificate pinning more directly addresses the specific threat of on-path interception.
D is incorrect: Detecting rooted or jailbroken devices can help prevent attackers from running the application on compromised systems where security controls might be bypassed. This technique can reduce risks related to local tampering or debugging of the application. However, rooted-device detection does not prevent attackers from intercepting network communications between the application and server. Because the scenario specifically addresses protection against on-path attacks, this control would not directly mitigate the threat.
Correct Answer: C
A is incorrect: IP allowlisting restricts network communication so that only approved IP addresses can access a service or system. While this helps limit exposure to unauthorized network sources, it does not verify whether a software update itself is authentic or whether its contents have been altered. This control focuses on network access control rather than validating the integrity and origin of software packages.
B is incorrect: Base64 decoding is a data encoding/decoding mechanism used to convert binary data into ASCII text for transmission or storage compatibility. It provides no cryptographic protection and does not verify authenticity or integrity. Because Base64 is reversible without any security guarantees, it cannot confirm whether software updates have been modified or originate from a trusted source.
C is correct: Code signing validation uses digital signatures to confirm that software was produced by a trusted publisher and that the code has not been altered since it was signed. When an update package is signed with the developer’s private key, the receiving system can verify the signature using the corresponding public key. If the code has been changed, the signature validation will fail. CASP cryptography and software security guidance highlights code signing as a key mechanism for verifying the authenticity and integrity of software updates.
D is incorrect: Password reuse policy governs user authentication behavior by preventing individuals from reusing previous passwords. Although it strengthens identity security and reduces credential-based attacks, it has no relevance to verifying the authenticity or integrity of software updates. This policy addresses user account management rather than software supply chain integrity.
Correct Answer: B
A is incorrect: Global any-any routing allows unrestricted communication between all network segments and hosts. While this may simplify routing, it significantly increases attack surface and facilitates lateral movement by attackers. Therefore, it does not help reduce lateral movement inside east-west traffic paths.
B is correct: Microsegmentation divides the network into fine-grained segments and enforces granular access control between workloads or systems. By limiting which systems can communicate with each other, microsegmentation reduces the ability of attackers to move laterally after compromising a host. Policies can be applied at the workload or container level, effectively controlling east-west traffic and containing breaches within isolated segments. This makes microsegmentation the most effective control for the stated objective.
C is incorrect: A single flat VLAN places all systems on the same broadcast domain with unrestricted communication between hosts. While easy to manage, it maximizes lateral movement opportunities for attackers and does not reduce risk within east-west traffic paths.
D is incorrect: Open SMB shares provide shared file access without authentication or access controls. These shares increase the risk of unauthorized access and lateral movement. Exposing open SMB shares directly facilitates attack propagation rather than containing it, making it contrary to the goal of reducing lateral movement.
