
CompTIA CASP+ / SecurityX prep, expert security roadmap with ARIA

CompTIA CASP+ (now SecurityX) CAS-005 is 165 minutes, up to 90 questions including multiple performance-based items, pass/fail scoring with no numeric result, and CompTIA's only expert-level practitioner credential. Security+, plus CySA+ or PenTest+, and roughly ten years of IT experience with five in security are recommended; none of it is enforced. I prep you for it with an adaptive evaluation, a longer roadmap weighted toward Security Engineering and Security Architecture, a gauntlet that mirrors exam conditions, and a pass guarantee with five measurable conditions. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=CASP%2B.

TL;DR

  • 165 minutes, up to 90 items, pass/fail (no numeric score), expert difficulty, four domains weighted toward Security Engineering at 31 percent and Security Architecture at 27 percent.
  • CompTIA renamed CASP+ to SecurityX with the CAS-005 release. The exam code moved from CAS-004 to CAS-005 and the blueprint was reweighted; length, item count, and pass/fail scoring are unchanged. The credential lists SecurityX.
  • Performance-based questions are denser than on Security+ or CySA+, with multi-step scenarios spanning architecture, cryptography, and incident response.
  • I open with a CAT eval that lands a domain-by-domain skill estimate, then build a longer expert-grade roadmap because the bar on this exam is unforgiving.
  • Pass-guarantee eligibility is checked by a database function with five mechanical conditions.

What the CAS-005 exam is

CAS-005 is the current CompTIA advanced security exam, released under the SecurityX name and active in 2026. It tests senior-practitioner skill across enterprise security architecture, day-to-day operations at scale, security engineering with deep cryptography, and program-level governance. Format: up to 90 questions in 165 minutes, multiple choice plus a heavier slice of performance-based items than the lower CompTIA exams, no live lab.

Domain | Weight | What it covers
1.0 Governance, Risk, and Compliance | 20% | NIST CSF, ISO 27001, COBIT, regulatory mapping, third-party and supply chain risk, SBOMs, vendor assessment, audit and assurance.
2.0 Security Architecture | 27% | Zero trust, SASE / SSE, segmentation and microsegmentation, secure cloud architecture, on-prem to cloud migration, secure data lifecycle, resilience patterns.
3.0 Security Engineering | 31% | Hardening, secure protocols, PKI, hardware roots of trust (HSM, TPM), key management at scale, post-quantum considerations, cryptographic agility, identity federation.
4.0 Security Operations | 22% | Threat hunting, advanced detection engineering, SIEM and SOAR at scale, vulnerability management, IR across distributed teams, digital forensics.

Security Engineering and Security Architecture together carry 58 percent. A roadmap that splits time evenly across all four wastes a real chunk of the prep window.

Pass/fail scoring

CAS-005 reports a single outcome: pass or fail. No scaled number, no published cut percentage. CompTIA sets the cut per form using a modified Angoff method, and the threshold rotates as forms rotate. Practical effect: there is no domain you can sandbag. A weak domain at expert depth pulls the whole sheet under the line.

PBQ-heavy format

PBQs on CAS-005 are denser and longer than on the lower exams. A single item might run a 12-step incident timeline across cloud, on-prem, and identity, then ask which containment action, which forensic artifact, and which notification path. Expect multi-step architecture diagrams, cryptographic artifact reading (cert chains, OCSP, CRL), log correlation across SIEM and EDR feeds, and risk-register mapping. PBQs eat time. Budget three to six minutes each, flag and return any past seven, and keep multiple-choice pace tight.
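The artifact-reading part of a PBQ (which certificate signs which, where revocation data is published, whether the leaf is currently revoked) is exactly what a chain validator does. The following is an added example, not material from the exam or from this page's author: it uses only the Go standard library to build a three-tier PKI in memory (root, issuing CA, leaf), validate the leaf against the root alone, issue and signature-check a CRL from the issuing CA, and read the leaf's OCSP and CRL pointers. The names and URLs are hypothetical; the CA keys are generated on the fly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ChainReport is what an artifact read on a PBQ should produce: the validated
// chain length, where the issuer publishes revocation data, and whether the
// leaf is on the issuer's CRL right now.
type ChainReport struct{ ChainLen int; OCSPURL, CRLURL string; Revoked bool }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// issue signs tmpl with signer (parent == nil means self-signed) and returns the
// parsed certificate, so generated fields such as SubjectKeyId are populated.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func caTemplate(cn string, serial int64, now time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		// cRLSign is what lets the issuing CA sign the CRL below.
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildAndReadChain builds root -> issuing CA -> leaf, issues a CRL from the
// issuing CA (revoking the leaf when revokeLeaf is set), validates the chain
// against the root alone, and reads the leaf's OCSP and CRL pointers.
func BuildAndReadChain(revokeLeaf bool) (ChainReport, error) {
	now := time.Now()
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root := issue(caTemplate("Example Root CA", 1, now), nil, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate("Example Issuing CA", 2, now), root, &interKey.PublicKey, rootKey)
	leaf := issue(&x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "app.example.test"},
		DNSNames:  []string{"app.example.test"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(12 * time.Hour),
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// Hypothetical revocation endpoints; these are what a PBQ asks you to locate.
		OCSPServer:            []string{"http://ocsp.example.test"},
		CRLDistributionPoints: []string{"http://crl.example.test/issuing.crl"},
	}, inter, &leafKey.PublicKey, interKey)

	// Only the root is a trust anchor; the intermediate is untrusted input to path building.
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "app.example.test", CurrentTime: now})
	if err != nil {
		return ChainReport{}, fmt.Errorf("chain validation: %w", err)
	}
	// CRL signed by the issuing CA, the party the leaf's CDP URL points at.
	var entries []pkix.RevokedCertificate
	if revokeLeaf {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: leaf.SerialNumber, RevocationTime: now})
	}
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour), RevokedCertificates: entries,
	}, inter, interKey))))
	// A CRL whose signature does not check against its issuer is not evidence of anything.
	if err := crl.CheckSignatureFrom(inter); err != nil {
		return ChainReport{}, fmt.Errorf("crl signature: %w", err)
	}
	r := ChainReport{ChainLen: len(chains[0]), OCSPURL: leaf.OCSPServer[0], CRLURL: leaf.CRLDistributionPoints[0]}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			r.Revoked = true
		}
	}
	return r, nil
}

func main() {
	r, err := BuildAndReadChain(true)
	fmt.Printf("%+v err=%v\n", r, err)
}
```

Two details carry over to the exam: the intermediate goes in the untrusted pool, never in the root store, and a CRL is only usable once its signature checks against the issuer named in the leaf's distribution point. Real-world OCSP and CRL fetches go over the network; here the CRL is generated in place so the block runs offline.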

Where it sits next to CISSP and CCSP

CASP+ / SecurityX is hands-on technical. You still read packet captures, write firewall rules, and reason about HSM key ceremonies. CISSP is management-leaning, with ISC2's enforced five-year experience requirement. CCSP is the cloud follow-on to CISSP. If your day still includes architecture decisions and incident calls, CASP+ fits better. If your day is policy and program management, CISSP fits better. Many senior engineers hold both, in that order.

How ARIA preps you for it

ARIA owns your CASP+ prep end to end. Five pieces, each running every day you are in the program.

The CAT evaluation. Your first session is an adaptive test that converges on your real skill across the four domains. Difficulty adjusts after every answer, stopping at 95 percent confidence or 25 questions. Read the full CAT explainer for the mechanics. Because CAS-005 is expert level, the eval pushes the upper difficulty bands harder than it would on Security+.

The expert-grade roadmap. I generate four to five phases sequenced from your weakest domain to your strongest, each with three to five milestones. CASP+ roadmaps run longer than the lower CompTIA exams because the bar is higher and the surface is wider. Cryptography gets its own phase on most plans. Full structure: the roadmap overview.

The daily task engine and gauntlet emphasis. Every time you reopen the app, I pick the next thing to work on, today. One task. Not a list. The gauntlet carries more weight on this cert than on lower exams. Long-form, exam-conditions, PBQ-rich. The pass guarantee requires one gauntlet at 80 percent or better; on CASP+, I push you for two at 85 percent before I clear you.

The error backlog with PBQ-pattern tags. Every wrong answer is tagged with the trap pattern, domain, and topic. PBQ-specific tags get extra weight: PBQ-architecture, PBQ-crypto, PBQ-incident-timeline, framework-mismatch (NIST vs ISO vs COBIT), supply-chain-artifact (SBOM vs SLSA vs vendor questionnaire). Tagged items return at increasing intervals and retire only after three correct in a row.

The readiness score. A single 0-to-100 number that estimates your probability of passing today. It blends coverage, accuracy, and recency, and decays roughly 3 points per day past the grace window. See readiness and decay for the math. With every milestone done, two mock passes, the gauntlet criteria above, and live readiness at 80, the pass guarantee flips eligible.

The broader picture of how adaptive AI prep differs from chatbot Q&A lives in the AI cert prep guide. CASP+ is a cert where the difference matters most.

Common pitfalls on CASP+

These are the questions that quietly cost the most. Generic prep plans skim them. I drill them.

Enterprise security architecture (zero trust, SASE, SSE)

Zero trust is not a product, SASE is not a vendor SKU, and SSE is the security half of SASE (the SWG, CASB, ZTNA and FWaaS services, minus the SD-WAN networking half). Stems describe a hybrid environment with mixed identity, several SaaS apps, and a remote workforce, then ask which architecture pattern applies and where the policy enforcement point sits. Candidates conflate the three because every vendor uses every word. I drill the actual mechanics: identity-aware proxy vs network segmentation, ZTNA vs SDP, SWG vs CASB, and the policy decision point / enforcement point split, where the decision point evaluates identity, device posture and request context against policy and the enforcement point (proxy, gateway, agent) only carries out that verdict, per request, without trusting the source network.
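The decision point / enforcement point split, as an added example (not this page's or any vendor's code): a small PDP that evaluates entitlement, device posture, MFA and session freshness in order and denies by default, and a PEP that holds no policy of its own and just acts on the verdict. The resource inventory, entitlements and network labels are hypothetical sample data; the point to notice is that the source network is recorded but no rule grants anything because of it.

```go
package main

import "fmt"

// Request is the context the policy decision point (PDP) evaluates. The
// source network is recorded but, deliberately, no rule below grants access
// because of it: that is the difference from perimeter segmentation.
type Request struct {
	Subject         string
	MFA             bool
	DeviceCompliant bool
	SourceNetwork   string // "corp-lan", "vpn", "internet" (constructed labels)
	Resource        string
	Action          string
	SessionAgeMin   int
}

type Decision struct {
	Allow  bool
	Reason string
}

// Hypothetical inventory: resource sensitivity and per-subject entitlements.
var sensitivity = map[string]string{"/hr/payroll": "high", "/git/infra": "high", "/wiki/public": "low"}

var entitlements = map[string][]string{
	"alice": {"/hr/payroll", "/wiki/public"},
	"bob":   {"/git/infra", "/wiki/public"},
}

// rule is one named check; the PDP evaluates them in order and denies on the first failure.
type rule struct {
	name  string
	check func(Request) bool
}

var rules = []rule{
	{"subject is entitled to the resource", func(r Request) bool {
		for _, res := range entitlements[r.Subject] {
			if res == r.Resource {
				return true
			}
		}
		return false
	}},
	{"device posture is compliant", func(r Request) bool { return r.DeviceCompliant }},
	// Zero trust: being on the corporate LAN buys nothing; MFA is required everywhere.
	{"strong authentication is present", func(r Request) bool { return r.MFA }},
	// High-sensitivity resources additionally require a fresh session (step-up).
	{"session is fresh enough for the resource", func(r Request) bool {
		return sensitivity[r.Resource] != "high" || r.SessionAgeMin <= 15
	}},
}

// Decide is the PDP: deny by default, allow only when every rule holds.
func Decide(r Request) Decision {
	for _, rl := range rules {
		if !rl.check(r) {
			return Decision{Allow: false, Reason: "denied: " + rl.name + " failed"}
		}
	}
	return Decision{Allow: true, Reason: "allowed"}
}

// Enforce is the PEP (an identity-aware proxy or gateway in front of the app).
// It holds no policy of its own; it asks the PDP per request and acts on the answer.
func Enforce(r Request, serve func(Request) string) string {
	if d := Decide(r); !d.Allow {
		return "403 " + d.Reason
	}
	return "200 " + serve(r)
}

func main() {
	serve := func(r Request) string { return r.Action + " " + r.Resource + " as " + r.Subject }
	// On the corporate LAN without MFA: network location is not identity.
	fmt.Println(Enforce(Request{"alice", false, true, "corp-lan", "/hr/payroll", "GET", 5}, serve))
	// From the internet with MFA, a compliant device and a fresh session: allowed.
	fmt.Println(Enforce(Request{"alice", true, true, "internet", "/hr/payroll", "GET", 5}, serve))
	// Two-hour-old session against a high-sensitivity repo: step-up required.
	fmt.Println(Enforce(Request{"bob", true, true, "vpn", "/git/infra", "PUSH", 120}, serve))
}
```

In a real deployment the PDP is a policy engine or the identity provider's conditional-access service and the PEP is the ZTNA broker, SWG or CASB; the shape is the same, which is why stems that hand you a diagram expect you to point at the component that evaluates and the one that merely blocks or forwards.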

Advanced cryptography (HSMs, TPMs, post-quantum)

HSMs are network-attached or PCIe key vaults that hold an organization's or a service's root and signing keys and never release them in the clear. TPMs are chip-level roots of trust on individual machines that anchor measured boot and disk encryption (BitLocker seals its volume key to PCR values, which is why a firmware or boot-configuration change can trigger recovery). Stems hide the distinction in questions about key escrow, secure boot, or BitLocker recovery. Post-quantum is the newer trap: candidates assume "quantum-resistant" means "use elliptic curves" because the marketing is loose, when Shor's algorithm breaks ECC and RSA alike. I drill the actual NIST PQC selections under both names, Kyber (ML-KEM, FIPS 203), Dilithium (ML-DSA, FIPS 204), SPHINCS+ (SLH-DSA, FIPS 205) and Falcon (to be standardized as FN-DSA), and what cryptographic agility means in practice: an algorithm identifier carried with every key, certificate and signature, so a suite can be demoted to verify-only and then retired without redesigning the format.
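Cryptographic agility as a mechanism rather than a slogan, as an added example that is not this page's or NIST's code: a registry of signature suites behind a one-byte identifier that travels with each signature, a per-suite lifecycle status (Active, Legacy, Retired), and a migration walk-through that demotes ECDSA P-256 to verify-only, moves new signing to Ed25519, then retires the old suite. Both suites are standard-library Go with freshly generated keys; the wire format (suite ID followed by the raw signature) is a hypothetical one chosen for the example. A post-quantum signature suite such as ML-DSA would be added as a third registry entry under a new ID with no change to callers.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Status is where a suite sits in the organization's algorithm policy.
type Status int

const (
	Active  Status = iota // may sign and verify
	Legacy                // verifies existing artifacts only; never signs new ones
	Retired               // rejected on both paths
)

// Suite is one signature algorithm behind a stable one-byte identifier.
type Suite struct {
	Status Status
	Sign   func(msg []byte) ([]byte, error)
	Verify func(msg, sig []byte) bool
}

type Registry map[byte]*Suite

// Wire format (hypothetical): suite ID || raw signature. Carrying the ID lets the algorithm change without a format change.
func (reg Registry) Sign(id byte, msg []byte) ([]byte, error) {
	s := reg[id]
	if s == nil || s.Status != Active {
		return nil, fmt.Errorf("suite %#x is not allowed for new signatures", id)
	}
	sig, err := s.Sign(msg)
	if err != nil {
		return nil, err
	}
	return append([]byte{id}, sig...), nil
}

func (reg Registry) Verify(msg, wire []byte) error {
	if len(wire) == 0 || reg[wire[0]] == nil || reg[wire[0]].Status == Retired {
		return errors.New("unknown, retired, or malformed signature suite")
	}
	if !reg[wire[0]].Verify(msg, wire[1:]) {
		return errors.New("signature does not verify")
	}
	return nil
}

func digest(m []byte) []byte {
	h := sha256.Sum256(m)
	return h[:]
}

// NewRegistry returns two Active suites with fresh keys: ECDSA P-256 (0x01) and Ed25519 (0x02).
func NewRegistry() Registry {
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	edPub, edPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Registry{
		0x01: {Status: Active,
			Sign:   func(m []byte) ([]byte, error) { return ecdsa.SignASN1(rand.Reader, ecKey, digest(m)) },
			Verify: func(m, s []byte) bool { return ecdsa.VerifyASN1(&ecKey.PublicKey, digest(m), s) }},
		0x02: {Status: Active,
			Sign:   func(m []byte) ([]byte, error) { return ed25519.Sign(edPriv, m), nil },
			Verify: func(m, s []byte) bool { return ed25519.Verify(edPub, m, s) }},
	}
}

// Migrate walks the lifecycle: sign under the old suite, demote it, check old artifacts still verify while new signing moves on, then retire it.
func Migrate() (oldStillVerifies, oldRefusedToSign, newVerifies, retiredRejected bool) {
	reg, msg := NewRegistry(), []byte("release-manifest v1 (constructed)")
	old, err := reg.Sign(0x01, msg)
	if err != nil {
		panic(err)
	}
	reg[0x01].Status = Legacy // policy change: P-256 becomes verify-only
	oldStillVerifies = reg.Verify(msg, old) == nil
	_, err = reg.Sign(0x01, msg)
	oldRefusedToSign = err != nil
	nw, err := reg.Sign(0x02, msg)
	newVerifies = err == nil && reg.Verify(msg, nw) == nil
	reg[0x01].Status = Retired // end of life: even old artifacts are refused
	retiredRejected = reg.Verify(msg, old) != nil
	return
}

func main() {
	fmt.Println(Migrate())
}
```

The exam-relevant point is the three-state lifecycle: a suite stops being used for new signatures long before verification of existing artifacts is switched off, and the identifier on the artifact is what makes that staged retirement possible.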

Supply chain risk (SBOMs, vendor assessments, SLSA)

A software bill of materials is a list, not a control. SBOMs say what is in the software (components, versions, package URLs); vendor questionnaires say what the vendor claims about its process; SLSA provenance attestations say how and by which build system the artifact was produced, graded by SLSA level. Three artifacts, three different questions. Stems write a third-party incident scenario and ask which artifact would have caught the issue: a vulnerable transitive dependency is an SBOM question, a tampered build pipeline is a SLSA question, an absent security program is a questionnaire question. Candidates default to "vendor questionnaire" because that is the most common at their day job. I drill the artifact-to-question mapping cold.
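What "a list, not a control" means mechanically, as an added example that is not this page's or any SBOM tool's code: parse a constructed CycloneDX-shaped SBOM, match each component's package URL and version against a constructed advisory feed, and then apply the control the SBOM itself does not provide, a release gate on severity. The SBOM document is trimmed to the fields the code reads, and the package names, versions and advisory IDs are made up; the version comparator handles dotted numeric versions only, which is enough for the sample but not for every ecosystem.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed CycloneDX-shaped SBOM; only the fields read below are present and
// the package names and versions are made up.
const sampleSBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "logging-core", "version": "2.14.1", "purl": "pkg:maven/org.example/logging-core@2.14.1"},
    {"type": "library", "name": "example-widget", "version": "1.2.4", "purl": "pkg:npm/example-widget@1.2.4"},
    {"type": "library", "name": "tls-helper", "version": "0.9.0", "purl": "pkg:npm/tls-helper@0.9.0"}
  ]
}`

type Component struct {
	PURL string `json:"purl"`
}

type SBOM struct {
	BomFormat  string      `json:"bomFormat"`
	Components []Component `json:"components"`
}

// Advisory is one row of a constructed feed keyed by versionless purl; Introduced is inclusive, Fixed exclusive.
type Advisory struct{ ID, PURLBase, Introduced, Fixed, Severity string }

var feed = []Advisory{
	{"EX-2026-0001", "pkg:maven/org.example/logging-core", "2.0.0", "2.15.0", "critical"},
	{"EX-2026-0002", "pkg:npm/example-widget", "1.0.0", "1.2.4", "medium"},
}

type Finding struct{ PURL, AdvisoryID, Severity string }

func splitPURL(purl string) (base, version string) {
	if i := strings.LastIndex(purl, "@"); i >= 0 {
		return purl[:i], purl[i+1:]
	}
	return purl, ""
}

// cmpVersion compares dotted numeric versions (negative, zero, positive); real ecosystems need their own rules.
func cmpVersion(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		var x, y int
		if i < len(as) {
			x, _ = strconv.Atoi(as[i])
		}
		if i < len(bs) {
			y, _ = strconv.Atoi(bs[i])
		}
		if x != y {
			return x - y
		}
	}
	return 0
}

// Match answers the one question an SBOM can answer: which shipped component versions fall in a known-affected range.
func Match(sbomJSON string, feed []Advisory) ([]Finding, error) {
	var s SBOM
	if err := json.Unmarshal([]byte(sbomJSON), &s); err != nil {
		return nil, err
	}
	if s.BomFormat != "CycloneDX" {
		return nil, fmt.Errorf("unsupported bomFormat %q", s.BomFormat)
	}
	var out []Finding
	for _, c := range s.Components {
		base, ver := splitPURL(c.PURL)
		for _, a := range feed {
			if base == a.PURLBase && cmpVersion(ver, a.Introduced) >= 0 && cmpVersion(ver, a.Fixed) < 0 {
				out = append(out, Finding{c.PURL, a.ID, a.Severity})
			}
		}
	}
	return out, nil
}

// Gate is the control the SBOM itself is not: it turns findings into a release
// decision and returns true only when nothing at or above blockAt is present.
func Gate(findings []Finding, blockAt string) bool {
	rank := map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}
	for _, f := range findings {
		if rank[f.Severity] >= rank[blockAt] {
			return false
		}
	}
	return true
}

func main() {
	findings, err := Match(sampleSBOM, feed)
	fmt.Println(findings, err, "release allowed:", Gate(findings, "high"))
}
```

Note that example-widget 1.2.4 produces no finding because the advisory's fixed version is exclusive; off-by-one range handling is where SBOM matching silently goes wrong, and it is also the kind of detail a questionnaire or a SLSA attestation could never surface.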

Incident response at enterprise scale

The IR phases (preparation, detection, containment, eradication, recovery, lessons learned) are familiar from Security+ and CySA+. CASP+ asks them at scale, with regulatory clocks running. Stems set up a multi-region cloud incident with simultaneous business-impact, legal-hold, and regulator-notification timelines, then ask which artifact you preserve first or which team you escalate to. The trap is forgetting that legal and communications are part of the response, not bolt-ons.

Governance frameworks (NIST CSF, ISO 27001, COBIT)

Three frameworks that overlap, with different audiences and control libraries. NIST CSF is voluntary, US-flavored, function-organized (Govern, Identify, Protect, Detect, Respond, Recover in CSF 2.0). ISO 27001 is an ISMS standard with a certification scheme and Annex A controls. COBIT is governance-of-IT, written for boards and CIOs. Stems describe an org and ask which framework fits. I drill the audience-and-purpose mapping so you pick on fit, not familiarity.

Threat modeling (STRIDE, PASTA, OCTAVE)

STRIDE is per-component categorization, useful at design review. PASTA is a seven-stage attacker-centric process, heavier and risk-driven. OCTAVE is asset-centric and organizational. Stems describe a team and a goal; the right answer is the methodology that fits the context. I drill all three so the choice is mechanical.

Cloud Security Alliance CCM mapping

The CSA Cloud Controls Matrix maps cloud-relevant controls across many frameworks. Candidates either ignore it or treat it as a compliance shortcut. CASP+ asks CCM-mapping questions where you identify which control domain applies to a cloud scenario and which adjacent framework it cross-references. I drill the CCM domain list and the practical use case so the question reads as routine.

Common questions

Do I need CySA+ or PenTest+ before sitting CASP+ / SecurityX?

CompTIA recommends Security+ as the floor and CySA+ or PenTest+ on top, plus roughly ten years of IT experience with at least five in security. None of it is enforced at the exam center. The CAT evaluation surfaces whichever gap is real for you and the roadmap closes it before the expert content begins.

How does pass/fail scoring on CAS-005 actually work?

CAS-005 returns pass or fail with no numeric score. CompTIA does not publish a passing percentage. Internally, your raw item performance maps through a cut score the psychometricians set per form. You have to perform at expert level across all four domains; you cannot tank one and float on another. The readiness score I keep on you is calibrated against this reality.

How long does CASP+ prep take at 45 to 60 minutes per day?

At 45 minutes per day, median time-to-ready sits between fourteen and twenty weeks. At 60 minutes, ten to fifteen weeks. The roadmap is sized from your CAT baseline. Candidates with current CySA+ or strong SOC time land at the lower end. Career switchers from networking land higher because the architecture and governance content is dense.

CASP+ vs CISSP for management track vs technical?

CASP+ / SecurityX is hands-on technical, aimed at senior practitioners who still touch architecture, cryptography, and incident response. CISSP leans management, weighted toward governance and program oversight, with a five-year experience requirement enforced by ISC2. Build and break things, CASP+ fits. Write policy and run programs, CISSP fits. Many senior engineers hold both. The Security+ page lays out the bottom of the same ladder if you are deciding where to start.

What does the SecurityX rename change about CAS-005?

CompTIA renamed CASP+ to SecurityX with the CAS-005 release. The exam code moved from CAS-004 to CAS-005; format and price are the same. The credential lists SecurityX. Recruiters and DoD documentation are mid-transition through 2026, so most listings reference both names. Either name on a resume is correct as of 2026. CASP+ / SecurityX (CE) remains on the DoD 8140 approved list (it filled IAT Level III under the older 8570 baseline), which is one of the larger reasons US federal contractors pay for it.

Start your CompTIA CASP+ / SecurityX prep

The cheapest possible signal is the CAT evaluation. It tells you which of the four CAS-005 domains you actually own at expert depth, which one will cost you the exam if you sit it tomorrow, and where the roadmap starts.

Start your free CASP+ / SecurityX evaluation now. Background reading: the practice sessions page covers how the daily lane and the gauntlet feed each other.