CASP+ Cheat Sheet 2026

The 30 highest-yield CASP+ facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.

90 questions
165 min time limit
70.00% to pass
  1. Which cloud identity and access management practice MOST effectively enforces least privilege for serverless functions? Creating a unique, minimal IAM execution role per function with only required permissions
  2. Which technology allows a SOC to automatically respond to low-confidence alerts by enriching them with threat intelligence before escalation? Security Orchestration, Automation, and Response (SOAR)
  3. Which technique allows computation on encrypted data without decrypting it? Homomorphic encryption
  4. A PKI administrator needs to revoke a certificate immediately due to a key compromise. Which mechanism provides the FASTEST revocation propagation? OCSP stapling with short-validity responses
  5. A CASP+ professional is building a vendor risk management program. Which assessment type provides the MOST assurance about a cloud provider's security controls? SOC 2 Type II report from an independent auditor
  6. A keylogger is being operated by a Meterpreter shell on the CFO's laptop. What security principle is the keylogger most likely to violate? Confidentiality
  7. Which network architecture decision BEST prevents lateral movement after an initial compromise? Implementing east-west traffic inspection between network segments
  8. Which attack exploits predictable initialization vectors (IVs) in CBC mode encryption? BEAST (Browser Exploit Against SSL/TLS)
  9. Which approach BEST ensures that security architecture decisions remain aligned with business objectives over time? Establishing a security governance committee with regular architecture review boards
  10. Which protocol is primarily used for federated identity management and single sign-on across different organizations? SAML
  11. Which MITRE ATT&CK tactic describes an adversary's attempts to steal credentials from the target environment? Credential Access
  12. An organization must encrypt data at rest in a cloud environment while retaining sole control of the encryption keys. Which model achieves this? Customer-managed keys (CMK) stored in a customer-controlled HSM (HYOK — Hold Your Own Key)
  13. Which incident response phase involves identifying lessons learned and updating security controls to prevent recurrence? Post-Incident Activity
  14. A company migrates a regulated workload to a public cloud. Which cloud deployment model MOST effectively addresses data sovereignty requirements? Sovereign cloud or government cloud region with contractual data residency guarantees
  15. An organization performs a gap analysis against ISO 27001. Which output BEST prioritizes remediation efforts? A risk-ranked list of control gaps with associated residual risk levels
  16. An enterprise deploys a SIEM. Which integration provides the MOST actionable threat intelligence for the architecture? Threat intelligence platform (TIP) with indicator enrichment
  17. Which standard specifically defines requirements for payment card data security applicable to merchants and service providers? PCI DSS (Payment Card Industry Data Security Standard)
  18. A CASP+ professional is defining KPIs for the SOC. Which metric BEST measures the effectiveness of the detection capability? Mean time to detect (MTTD) for confirmed incidents
  19. A SOC analyst receives an alert for a possible SQL injection attack. Which evidence BEST confirms successful exploitation? Database error messages followed by unexpected data in HTTP responses
  20. A CASP+ analyst needs to detect credential dumping on Windows endpoints. Which security control provides the MOST direct protection? Configuring Credential Guard to isolate LSASS using virtualization-based security
  21. Which attack targets the hypervisor layer to escape from a virtual machine and access the underlying host or other VMs? VM escape (hypervisor breakout)
  22. A CASP+ professional is designing an API gateway for microservices. Which control is MOST important for API security? OAuth 2.0 with JWT tokens and rate limiting per client
  23. Which attack targets the mathematical relationship between a public and private RSA key pair when small prime factors are used? Factoring attack (e.g., using Pollard's rho or GNFS)
  24. An organization wants to assess the maturity of its information security program. Which framework provides a structured maturity model for this purpose? CMMC (Cybersecurity Maturity Model Certification)
  25. What is the primary difference between authentication and authorization in an IAM framework? Authentication verifies identity; authorization determines permissions
  26. Which quantitative risk analysis technique uses probability distributions and repeated simulations to model the range of possible outcomes? Monte Carlo simulation
  27. Which Kubernetes security control prevents containers from running as the root user within a cluster? Pod Security Admission (PSA) with restricted policy
  28. Which artifact should be collected FIRST when responding to a Linux system compromise, given the order of volatility? Running process list and network connections
  29. Which security architecture approach MOST effectively addresses insider threats? User and Entity Behavior Analytics (UEBA) combined with least-privilege access
  30. Which metric BEST quantifies the financial impact of a single security incident for risk calculation purposes? Single Loss Expectancy (SLE)
Turn these facts into recall: