CompTIA SecurityX (formerly CASP+) is the capstone certification in the CompTIA cybersecurity pathway, designed for security architects and senior security engineers. The CAS-005 exam launched on December 17, 2024, replacing the retired CAS-004 version, and it now includes significant updates around AI’s impact on security, advanced cryptographic analysis, and zero-trust architecture. For IT professionals targeting six-figure senior security roles, SecurityX is one of the few vendor-neutral advanced certifications that validates hands-on engineering skills rather than just knowledge recall. This guide breaks down every exam domain, provides a structured eight-week study plan, and covers the specific strategies needed to conquer the performance-based questions that trip up even experienced candidates.
What Is CompTIA SecurityX?
SecurityX is CompTIA’s advanced-level cybersecurity certification, sitting at the top of their security track above Security+, CySA+, and PenTest+. It was previously known as CASP+ (CompTIA Advanced Security Practitioner), and CompTIA rebranded the certification alongside the CAS-005 exam launch in December 2024. The certification validates the ability to architect, engineer, and implement secure solutions across complex enterprise environments, including cloud, on-premises, and hybrid deployments.
Unlike CompTIA’s foundational certifications, SecurityX is explicitly designed for practitioners with significant experience. CompTIA recommends a minimum of 10 years of general IT administration experience, including at least 5 years of hands-on security experience before attempting the exam, according to the official CompTIA SecurityX page. This is not a certification for career changers — it targets professionals already working in security engineering, architecture, or senior analyst roles who need formal validation of advanced competencies.
SecurityX also holds critical value for government contractors and military personnel. It is an approved DoD 8570 baseline certification for IAT Level III, IAM Level II, and IASAE I and II, meaning it satisfies Department of Defense workforce requirements for positions managing sensitive information systems, as confirmed by Infosec Institute’s career path overview. This makes it a direct alternative or complement to the CISSP certification for defense sector roles.
CAS-005 Exam Format and Details
The CAS-005 exam is structured differently from most CompTIA certifications. Understanding the format before you book your exam date is essential for proper preparation. Here are the key specifications from the CompTIA SecurityX certification page:
- Exam code: CAS-005 (SecurityX V5)
- Launch date: December 17, 2024
- Number of questions: Maximum of 90
- Question types: Multiple-choice and performance-based (PBQs)
- Duration: 165 minutes
- Passing score: Pass/fail only (no scaled numeric score)
- Exam cost: $469 USD
- Language: English
- Estimated retirement: ~2027 (typically three years post-launch)
The pass/fail scoring model is a critical distinction. Unlike Security+ or CySA+, which provide a scaled score (typically 750 to pass on a 100–900 scale), SecurityX simply reports pass or fail. This means you cannot gauge how close you came if you fail — you must prepare to clear the bar decisively rather than squeaking by. The 165-minute window with up to 90 questions gives you roughly 1.8 minutes per question, but performance-based questions consume significantly more time, so plan to move efficiently through multiple-choice items.
The Four Exam Domains Breakdown
The CAS-005 exam covers four domains, each weighted differently. Understanding these weights lets you allocate study time proportionally. The domain percentages below come from both the CompTIA exam objectives summary and Infosec Institute’s domain guide:
| Domain | Topic | Weight |
|---|---|---|
| 1.0 | Governance, Risk and Compliance | 20% |
| 2.0 | Security Architecture | 27% |
| 3.0 | Security Engineering | 31% |
| 4.0 | Security Operations | 22% |
Domain 3 (Security Engineering) carries the heaviest weight at 31%, so candidates should prioritize secure system design, cryptographic implementation, identity and access management architectures, and integration of security controls across hybrid environments. Domain 2 (Security Architecture) at 27% covers enterprise security architecture, cloud security models, and the design of resilient systems. Together, these two domains account for over half the exam, meaning architecture and engineering skills are what separate passing candidates from failing ones.
Domain 1 (Governance, Risk and Compliance) covers frameworks like NIST, ISO 27001/27002, risk assessment methodologies, and compliance requirements such as GDPR, HIPAA, and PCI-DSS. Domain 4 (Security Operations) focuses on incident response, monitoring, threat hunting, automation, and detection engineering — areas that have gained prominence with the rise of SOC automation and SOAR platforms.
What Changed From CAS-004
The CAS-005 exam introduced several meaningful changes from its predecessor. CAS-004 was officially retired on June 17, 2025, and CAS-005 is now the only version available, according to Infosec Institute’s SecurityX FAQ. The most significant updates include:
- AI and machine learning impact on security: CAS-005 explicitly addresses how artificial intelligence affects information security — both as a defensive tool and as an attack vector. This includes adversarial AI, model poisoning, and using ML for threat detection.
- Zero-trust architecture: Expanded coverage of zero-trust network access (ZTNA), microsegmentation, and continuous authentication models.
- Automation and orchestration: Greater emphasis on SOAR, automated incident response, and detection engineering, reflecting how modern security operations teams function.
- Cloud and hybrid security integration: Deeper coverage of multi-cloud security, container security, and securing serverless architectures.
- Evaluating emerging cryptographic trends: Post-quantum cryptography awareness and modern cryptographic protocol evaluation.
The domain structure itself shifted. In CAS-004, Domain 2 was “Enterprise Security Architecture” at 31% and Domain 3 was “Security Operations and Incident Response” at 22%. In CAS-005, the weights were rebalanced — Security Engineering grew to 31%, and the operations domain was restructured to include automation and proactive detection. This shift signals CompTIA’s recognition that modern security professionals need more than theoretical knowledge — they need hands-on engineering and operational competencies validated through performance-based testing.
Who Should Pursue SecurityX?
SecurityX is not an entry-level credential, and attempting it without the recommended experience is a recipe for frustration and wasted exam fees. The ideal candidate profile includes professionals already working in roles such as security architect, senior security engineer, security consultant, technical lead for security operations, or IT manager responsible for enterprise security posture.
If you currently hold CompTIA Security+ and are wondering whether to jump to SecurityX, the gap is substantial. Security+ validates foundational knowledge — understanding concepts, identifying threats, knowing basic controls. SecurityX expects you to design, build, and implement those controls in production environments. You should be comfortable with enterprise network architecture, advanced cryptography, cloud security models, risk frameworks, and incident response procedures before booking the exam.
For professionals working toward CISSP, SecurityX serves as an excellent stepping stone. CISSP is management-oriented and covers governance, policy, and program management at breadth. SecurityX is technical and engineering-focused, covering the “how” of implementing security solutions. Many candidates pursue both — SecurityX to validate technical depth and CISSP to qualify for leadership roles. The combination is particularly powerful for positions requiring DoD 8570 compliance, where both certifications are approved baselines. For a broader view of where SecurityX fits in the certification landscape, see the 2026 cybersecurity certification roadmap.
If you are currently studying for CySA+ or PenTest+, complete those first. They build the analytical and offensive security foundations that SecurityX assumes you already possess.
Proven Eight-Week Study Plan
A structured study approach is non-negotiable for CAS-005. Based on the exam domain weights and the depth of content, here is an eight-week plan designed for working professionals who can dedicate 10–15 hours per week:
Weeks 1–2: Governance, Risk and Compliance (Domain 1, 20%). Study NIST CSF, NIST SP 800-53, ISO 27001/27002 control frameworks. Master qualitative and quantitative risk assessment methods, including FAIR (Factor Analysis of Information Risk). Cover compliance requirements for GDPR, HIPAA, PCI-DSS, SOX, and understand how they map to technical controls. Practice threat modeling using STRIDE, PASTA, and attack tree methodologies.
Weeks 3–4: Security Architecture (Domain 2, 27%). Focus on enterprise security architecture models, zero-trust principles, defense-in-depth strategies, and cloud security architectures (shared responsibility model across AWS, Azure, GCP). Study microsegmentation, software-defined perimeter, and secure SDLC integration. Review reference architectures for identity federation, PKI hierarchies, and secure network segmentation.
Weeks 5–6: Security Engineering (Domain 3, 31%). This is the heaviest domain. Dive into cryptographic implementation — TLS 1.3, certificate management, key rotation, HSMs, and post-quantum cryptography awareness. Cover identity and access management (SAML, OAuth 2.0, OIDC), endpoint security engineering, vulnerability management automation, and securing container orchestration platforms. Build hands-on labs using cloud free-tier accounts.
Week 7: Security Operations (Domain 4, 22%). Study incident response frameworks (NIST SP 800-61), SIEM/SOAR integration, threat intelligence platforms, threat hunting methodologies, and security monitoring at scale. Practice configuring detection rules and automated playbooks.
Week 8: Practice exams and PBQ drills. Take at least three full-length practice exams. Focus time management — aim to complete 90 questions in under 150 minutes, leaving buffer for difficult PBQs. Review every wrong answer and map it back to the relevant domain objective.
Best Study Resources and Labs
Selecting the right study materials can make the difference between passing on the first attempt and spending $469 on a retake. Here are the resources most recommended by certified professionals, including those discussing the exam on Reddit’s r/CompTIA community:
- Official CompTIA SecurityX Study Guide (Exam CAS-005): The authorized textbook covering all four domains with practice questions. Start here for structured domain coverage.
- CompTIA SecurityX CAS-005 Certification Guide (O’Reilly): The second edition published by O’Reilly provides deeper technical explanations and real-world scenarios that bridge the gap between theory and exam application.
- MeasureUp Practice Tests: The official MeasureUp CAS-005 practice test contains 228 questions aligned to the current objectives and is considered one of the most accurate predictors of exam readiness.
- Jason Dion Practice Exams (Udemy): Widely used across CompTIA certifications for realistic question style and detailed explanations for every answer.
- Professor Messer SecurityX Course: Free video-based training that covers exam objectives systematically, useful as a supplementary resource alongside the official study guide.
- Hands-on Lab Platforms: Practice with TryHackMe, HackTheBox, or cloud free-tier accounts to build real skills in network configuration, SIEM setup, and identity management that translate to PBQ scenarios.
Avoid exam dumps and so-called “brain dumps.” CompTIA actively monitors for these, and using them violates the NDA you sign before the exam — it can result in certification revocation and permanent bans from future CompTIA exams. Legitimate practice tests from MeasureUp and Dion are more than sufficient when combined with hands-on lab practice.
Mastering Performance-Based Questions
Performance-based questions (PBQs) are where CAS-005 separates certified professionals from test-takers who memorized flashcards. PBQs present simulated scenarios — configuring a firewall rule set, matching security controls to threats, designing a network segmentation scheme, or troubleshooting a cryptographic misconfiguration — and require you to interact with the interface to solve the problem.
CompTIA does not publish the exact number of PBQs, but they appear throughout the exam alongside multiple-choice items. The official CompTIA exam objectives document confirms the exam uses “a mix of multiple-choice and performance-based questions,” and these hands-on items typically account for a meaningful portion of your final assessment.
Strategy for PBQs: First, if a PBQ appears at the start of the exam and you are not confident, flag it and move on. Return after completing the multiple-choice section — you do not want to burn 15 minutes on one scenario and then rush through 40 MCQs. Second, read the entire scenario prompt carefully before touching any controls. PBQs often include subtle requirements hidden in the description that determine the correct configuration. Third, practice with lab environments that mirror exam scenarios — configure actual firewall rules, set up SSO integrations, deploy a SIEM agent, and walk through incident response playbooks manually.
The best PBQ preparation is practical experience. If your current job does not involve hands-on security engineering, supplement with home lab environments using virtual machines, pfSense, Active Directory, and cloud accounts to simulate the architectures you will encounter on the exam.
Salary and Career ROI
The financial return on a SecurityX investment is strong. Because the certification targets senior-level roles, certified professionals typically command salaries well above the IT average. According to Infosec Institute’s 2025 salary analysis, SecurityX holders in roles like Chief Information Security Officer earn an average of $211,651 per year, with total compensation reaching up to $309,000 as reported by Glassdoor.
Other roles aligned with SecurityX skills include:
- Security Architect: Designs enterprise-wide security frameworks, typically earning $130,000–$180,000 depending on location and organization size.
- Senior Security Engineer: Implements and maintains security infrastructure, with salaries ranging from $120,000–$170,000.
- Security Consultant: Advises organizations on security strategy and implementation, often commanding $140,000–$190,000 plus project bonuses.
- Technical Director of Security: Leads engineering teams, with total compensation packages exceeding $200,000 at large enterprises.
At an exam cost of $469, the ROI is immediate for professionals who use the credential to negotiate raises or qualify for promotions. For government contractors, SecurityX’s DoD 8570 approval opens doors to positions that require baseline certifications, expanding job eligibility across federal agencies and defense contractors.
Common Pitfalls and Final Tips
Several recurring mistakes cause candidates to fail CAS-005 on their first attempt. Avoiding these can save you both the retake fee and months of additional study time:
Underestimating the experience requirement. SecurityX assumes deep technical knowledge. If you cannot configure a site-to-site VPN, explain the difference between AES-256-GCM and AES-256-CBC, or describe how OAuth 2.0 authorization flows work, you need more hands-on time before booking. Study guides alone will not bridge a genuine experience gap.
Ignoring governance and compliance content. Many technical professionals skip Domain 1 because it feels less hands-on, but at 20% of the exam, neglecting GRC content can cost you the certification. Spend dedicated time on NIST frameworks, risk scoring methodologies, and regulatory requirements.
Poor time management during the exam. With 90 questions and PBQs in 165 minutes, you cannot afford to spend 10 minutes on a single question. Flag difficult items and maintain forward momentum. Aim to complete your first pass in 120 minutes, leaving 45 minutes for flagged questions and review.
Using outdated CAS-004 study materials. The domain structure, weights, and content changed significantly between CAS-004 and CAS-005. Ensure all your study resources explicitly reference CAS-005 objectives. Free YouTube videos and practice tests labeled “CASP+” may cover outdated material that no longer appears on the exam.
Not taking enough practice exams. Take at least three full-length practice tests under timed conditions. If you are not consistently scoring 80% or higher on practice exams, you are not ready for the real test. Use wrong answers as a diagnostic tool to identify weak domains and redirect your final week of study.
References
- CompTIA SecurityX Official Certification Page
- Infosec Institute — SecurityX Domains Overview
- Infosec Institute — SecurityX Average Salary 2025
- Infosec Institute — SecurityX FAQ (CAS-004 Retirement)
- Infosec Institute — SecurityX Career Path and DoD 8570
- CompTIA SecurityX CAS-005 Exam Objectives and Details
- MeasureUp — CAS-005 Official Practice Test
- O’Reilly — CompTIA SecurityX CAS-005 Certification Guide
- Reddit r/CompTIA — SecurityX CAS-005 Study Resources Discussion