CompTIA Advanced Security Practitioner
(CASP+) Certification Examination
QUESTIONS AND CORRECT ANSWERS
(VERIFIED ANSWERS) PLUS RATIONALES
2026 Q&A | INSTANT DOWNLOAD PDF
1. A security architect is designing controls for a hybrid cloud environment.
Which approach BEST ensures consistent security policy enforcement across
on-premises and cloud resources?
A. Separate security policies for each environment
B. Manual configuration reviews
C. Centralized policy management with federated identity
D. Environment-specific access controls
Rationale: Centralized policy management with federated identity ensures
consistent enforcement and reduces configuration drift across hybrid
environments.
2. Which risk management strategy transfers risk to a third party?
A. Risk avoidance
B. Risk acceptance
C. Risk mitigation
D. Risk transference
Rationale: Risk transference shifts the financial or operational impact of
risk to another party, such as through insurance or outsourcing.
3. Which encryption method provides both confidentiality and integrity for
data in transit?
A. AES
B. RSA
C. TLS
D. SHA-256
Rationale: TLS combines encryption and message authentication to
protect confidentiality and integrity during transmission.
4. A company wants to prevent data exfiltration via USB devices. Which
control is MOST effective?
A. Network firewall rules
B. Host-based antivirus
C. Endpoint device control policies
D. User security awareness training
Rationale: Device control policies directly restrict or monitor USB usage at
the endpoint.
5. Which metric BEST measures the effectiveness of an incident response
program?
A. Number of incidents reported
B. Cost of security tools
C. Mean time to contain (MTTC)
D. Number of employees trained
Rationale: MTTC directly reflects how quickly incidents are controlled,
indicating response effectiveness.
6. Which architecture principle reduces attack surface by default?
A. Defense in depth
B. Least privilege
C. Separation of duties
D. Redundancy
Rationale: Least privilege limits access to only what is required, reducing
potential attack vectors.
7. A threat actor exploits a zero-day vulnerability. Which control would have
MOST likely reduced impact?
A. Signature-based IDS
B. Behavior-based monitoring
C. Patch management
D. Vulnerability scanning
Rationale: Behavior-based monitoring can detect anomalies even when no
signature exists.
8. Which cloud service model places the MOST security responsibility on the
customer?
A. SaaS
B. PaaS
C. IaaS
D. FaaS
Rationale: In IaaS, customers manage OS, applications, and security
controls.
9. What is the PRIMARY purpose of a security baseline?
A. Detect intrusions
B. Encrypt data
C. Define minimum acceptable security configuration
D. Replace risk assessments
Rationale: Baselines establish minimum standards for secure system
configurations.
10. Which type of testing evaluates real-world attacker behavior?
A. Vulnerability scanning
B. Compliance auditing
C. Penetration testing
D. Configuration assessment
Rationale: Penetration testing simulates attacker techniques to identify
exploitable weaknesses.
11. Which control BEST protects against privilege escalation attacks?
A. Strong encryption