CASP+ Cheat Sheet 2026
The 30 highest-yield CASP+ facts, distilled from real exam questions. Print it, save it as a PDF, or study it here — free, no sign-up.
90 questions
165 min time limit
70.00% to pass
- Which cloud identity and access management practice MOST effectively enforces least privilege for serverless functions? → Creating a unique, minimal IAM execution role per function with only required permissions
- Which technology allows a SOC to automatically respond to low-confidence alerts by enriching them with threat intelligence before escalation? → Security Orchestration, Automation, and Response (SOAR)
- Which technique allows computation on encrypted data without decrypting it? → Homomorphic encryption
- A PKI administrator needs to revoke a certificate immediately due to a key compromise. Which mechanism provides the FASTEST revocation propagation? → OCSP stapling with short-validity responses
- A CASP+ professional is building a vendor risk management program. Which assessment type provides the MOST assurance about a cloud provider's security controls? → SOC 2 Type II report from an independent auditor
- A keylogger is being operated by a Meterpreter shell on the CFO's laptop. What security principle is the keylogger most likely to violate? → Confidentiality
- Which network architecture decision BEST prevents lateral movement after an initial compromise? → Implementing east-west traffic inspection between network segments
- Which attack exploits predictable initialization vectors (IVs) in CBC mode encryption? → BEAST (Browser Exploit Against SSL/TLS)
- Which approach BEST ensures that security architecture decisions remain aligned with business objectives over time? → Establishing a security governance committee with regular architecture review boards
- Which protocol is primarily used for federated identity management and single sign-on across different organizations? → SAML
- Which MITRE ATT&CK tactic describes an adversary's attempts to steal credentials from the target environment? → Credential Access
- An organization must encrypt data at rest in a cloud environment while retaining sole control of the encryption keys. Which model achieves this? → Customer-managed keys (CMK) stored in a customer-controlled HSM (HYOK — Hold Your Own Key)
- Which incident response phase involves identifying lessons learned and updating security controls to prevent recurrence? → Post-Incident Activity
- A company migrates a regulated workload to a public cloud. Which cloud deployment model MOST effectively addresses data sovereignty requirements? → Sovereign cloud or government cloud region with contractual data residency guarantees
- An organization performs a gap analysis against ISO 27001. Which output BEST prioritizes remediation efforts? → A risk-ranked list of control gaps with associated residual risk levels
- An enterprise deploys a SIEM. Which integration provides the MOST actionable threat intelligence for the architecture? → Threat intelligence platform (TIP) with indicator enrichment
- Which standard specifically defines requirements for payment card data security applicable to merchants and service providers? → PCI DSS (Payment Card Industry Data Security Standard)
- A CASP+ professional is defining KPIs for the SOC. Which metric BEST measures the effectiveness of the detection capability? → Mean time to detect (MTTD) for confirmed incidents
- A SOC analyst receives an alert for a possible SQL injection attack. Which evidence BEST confirms successful exploitation? → Database error messages followed by unexpected data in HTTP responses
- A CASP+ analyst needs to detect credential dumping on Windows endpoints. Which security control provides the MOST direct protection? → Configuring Credential Guard to isolate LSASS using virtualization-based security
- Which attack targets the hypervisor layer to escape from a virtual machine and access the underlying host or other VMs? → VM escape (hypervisor breakout)
- A CASP+ professional is designing an API gateway for microservices. Which control is MOST important for API security? → OAuth 2.0 with JWT tokens and rate limiting per client
- Which attack targets the mathematical relationship between a public and private RSA key pair when small prime factors are used? → Factoring attack (e.g., using Pollard's rho or GNFS)
- An organization wants to assess the maturity of its information security program. Which framework provides a structured maturity model for this purpose? → CMMC (Cybersecurity Maturity Model Certification)
- What is the primary difference between authentication and authorization in an IAM framework? → Authentication verifies identity; authorization determines permissions
- Which quantitative risk analysis technique uses probability distributions and repeated simulations to model the range of possible outcomes? → Monte Carlo simulation
- Which Kubernetes security control prevents containers from running as the root user within a cluster? → Pod Security Admission (PSA) with restricted policy
- Which artifact should be collected FIRST when responding to a Linux system compromise, given the order of volatility? → Running process list and network connections
- Which security architecture approach MOST effectively addresses insider threats? → User and Entity Behavior Analytics (UEBA) combined with least-privilege access
- Which metric BEST quantifies the financial impact of a single security incident for risk calculation purposes? → Single Loss Expectancy (SLE)
Turn these facts into recall: