CASP+
CASP+ is an advanced certification for security architects and senior engineers, validating expertise in managing secure solutions within complex environments. It showcases your ability to maintain a resilient enterprise while tackling advanced cybersecurity challenges. CASP+ (V4) has retired for the English exam but will remain available in Japanese and Thai until September 17, 2025. The new version, rebranded as SecurityX (V5), includes updated enhancements and is now available.
CASP+ (V4) Exam Objectives
Security architecture (29%)
- Security program documentation: policies, procedures, standards, and guidelines.
- Program management: training (phishing, security, privacy), communication, reporting, and RACI matrix.
- Frameworks: COBIT, ITIL, and others.
- Configuration management: asset life cycle, CMDB, and inventory.
- GRC tools: mapping, automation, and compliance tracking.
- Data governance: production, development, testing, and QA.
- Risk management: impact analysis, risk assessment (quantitative vs. qualitative), third-party risk, confidentiality, integrity, and availability.
- Threat modeling: actor characteristics, attack patterns, and frameworks (ATT&CK, CAPEC, STRIDE).
- Attack surface: architecture reviews, data flows, and trust boundaries.
- Compliance strategies: industry-specific standards (PCI DSS, ISO/IEC 27000).
- Security frameworks: NIST CSF, CIS, CSA, and others.
Security operations (30%)
- Threat management: intelligence types (tactical, strategic, operational), threat actor properties (resources, capabilities, sophistication), and frameworks (MITRE ATT&CK, Diamond Model, Cyber Kill Chain).
- Indicators of compromise (IoC): logs, network activity, unusual process activity, and alerts (SIEM, IDS/IPS, DLP).
- Vulnerability management: scans (credentialed vs. non-credentialed, active vs. passive), patch management, criticality ranking, and SCAP (OVAL, CPE, CVE, CVSS).
- Vulnerability assessment and penetration testing: methods (static/dynamic analysis, reverse engineering) and tools (vulnerability scanners, protocol analyzers, exploit frameworks).
- Risk mitigation: code injections, race conditions, cross-site scripting (XSS), weak cryptography, improper exception handling, and outdated software.
- Processes to reduce risk: proactive detection (threat hunting, honeypots), preventive measures (hardening, sandboxing, immutable systems), and security automation (Cron tasks, Bash, PowerShell, Python).
- Physical security: lighting reviews, visitor logs, camera reviews, and open vs. confined spaces.
Security engineering and cryptology (26%)
- Secure network architecture: traffic mirroring, access control lists (ACLs), load balancers, intrusion detection/prevention systems (IDS/IPS), network segmentation, zero trust, and software-defined networking (SDN).
- Infrastructure security design: scalability (vertical, horizontal), resiliency (high availability, redundancy), performance (clustering, caching), and automation (SOAR, bootstrapping).
- Application security: secure coding standards, testing (SAST, DAST, IAST), CI/CD pipelines, secure design patterns, and application vetting.
- Data security techniques: data loss prevention (DLP), encryption, tokenization, anonymization, data classification, and lifecycle management.
- Authentication and authorization: multifactor authentication (MFA), single sign-on (SSO), federation, access control models (MAC, DAC, RBAC, ABAC), and identity proofing.
- Cloud and virtualization security: hypervisors, containers, VDI, cloud deployment models (private, public, hybrid), and service models (SaaS, PaaS, IaaS).
- Cryptography and PKI: privacy, integrity, non-repudiation, compliance, cryptographic use cases (data at rest, in transit, in use), and PKI use cases (web services, VPN, code signing).
- Emerging technologies: artificial intelligence, machine learning, blockchain, quantum computing, passwordless authentication, and homomorphic encryption.
Governance, risk, and compliance (15%)
- Security program management: policies, procedures, standards, guidelines, and training (phishing, security, privacy).
- Compliance requirements: industry-specific regulations (CMMC, PCI DSS, SOX, HIPAA, GDPR, FISMA, NIST, CCPA) and standards (ISO/IEC 27000).
- Risk management: impact analysis, risk assessment (quantitative vs. qualitative), third-party risk, and risk mitigation strategies.
- Governance frameworks: COBIT, ITIL, NIST CSF, and others.
- Data governance: production, development, testing, QA, and data classification.
- Audit and assessment: internal and external audits, compliance tracking, and reporting.
- GRC tools: automation, mapping, and compliance monitoring.
- Threat modeling and attack surface management: actor characteristics, attack patterns, architecture reviews, and trust boundaries.
Exam details
Exam version: V4
Exam series code: CAS-004
Launch date: October 6, 2021
Number of questions: maximum of 90 questions, multiple-choice and performance-based
Duration: 165 minutes
Passing score: pass/fail only; no scaled score
Retirement: June 17, 2025
Languages: English, Japanese, and Thai
Recommended experience: minimum of 10 years of general hands-on tech experience, including 5 years in security
NICE and DOD 8140 work roles: security architect, systems requirements planner, security control assessor, research and development specialist, and more
Skills learned
Security architecture: analyze security requirements in hybrid networks to design enterprise-wide, zero trust security architectures with advanced cloud and virtualization solutions.
Security operations: address advanced threat management, vulnerability management, risk mitigation, incident response tactics, and digital forensics analysis.
Governance, risk, and compliance: prove compliance with regulations like CMMC, PCI DSS, SOX, HIPAA, GDPR, FISMA, NIST, and CCPA while enhancing enterprise cybersecurity resiliency.
Security engineering and cryptography: configure endpoint security controls, enterprise mobility, cloud/hybrid environments, and enterprise-wide PKI and cryptographic solutions.