SecurityX

SecurityX (V5) exam objectives

Governance, risk, and compliance (20%)

• Security program documentation: policies, procedures, standards, and guidelines.
• Program management: training (phishing, security, privacy), communication, reporting, and RACI matrix.
• Frameworks: COBIT, ITIL, etc.
• Configuration management: asset life cycle, CMDB, and inventory.
• GRC tools: mapping, automation, and compliance tracking.
• Data governance: production, development, testing, and QA.
• Risk management: impact analysis, risk assessment (quantitative vs. qualitative), third-party risk, confidentiality, integrity, and availability.
• Threat modeling: actor characteristics, attack patterns, and frameworks (ATT&CK, CAPEC, STRIDE).
• Attack surface: architecture reviews, data flows, and trust boundaries.
• Compliance strategies: industry-specific standards (PCI DSS, ISO/IEC 27000).
• Security frameworks: NIST, CSF, CSA, and others.

Security architecture (27%)

• Cloud capabilities: CASB (API-based, proxy-based), shadow IT detection, shared responsibility model, CI/CD pipeline, Terraform, Ansible, container security, orchestration, and serverless workloads.
• Cloud data security: data exposure, leakage, remanence, insecure storage, and encryption keys.
• Cloud control strategies: proactive, detective, and preventative controls; customer-to-cloud connectivity, service integration, and continuous authorization.
• Network architecture: segmentation, microsegmentation, VPN, always-on VPN, and API integration.
• Security boundaries: asset identification, management, attestation, data perimeters, and secure zones.
• Deperimeterization: SASE, SD-WAN, and software-defined networking.
• Zero trust concepts: defining subject-object relationships.

Security engineering (31%)

• Automation: scripting (PowerShell, Bash, Python), event triggers, IaC, cloud APIs, generative AI, containerization, patching, SOAR, and workflow automation.
• Vulnerability management: scanning, reporting, and SCAP (OVAL, XCCDF, CPE, CVE, CVSS).
• Advanced cryptography: PQC, key stretching, homomorphic encryption, forward secrecy, and hardware acceleration.
• Cryptographic use cases: data at rest, in transit, and in use; secure email, blockchain, privacy, compliance, and certificate-based authentication.
• Cryptographic techniques: tokenization, code signing, cryptographic erase, digital signatures, hashing, and symmetric/asymmetric cryptography.

Security operations (22%)

• Monitoring and data analysis: SIEM (event parsing, retention, false positives/negatives), aggregate analysis (correlation, prioritization, trends), and behavior baselines (network, systems, users).
• Vulnerabilities and attack surface: injection, XSS, insecure configurations, outdated software, and weak ciphers; mitigations include input validation, patching, encryption, and defense-in-depth.
• Threat hunting:  internal intelligence (honeypots, UBA), external intelligence (OSINT, dark web, ISACs), TIPs, IoC sharing (STIX, TAXII), and rule-based languages (Sigma, YARA, Snort).
• Incident response: malware analysis (sandboxing, IoC extraction, code stylometry), reverse engineering, metadata analysis, data recovery, and root cause analysis.

Download exam objectives

• CompTIA SecurityX (V5) exam objectives - English

Try practice questions

• CompTIA SecurityX (V5) practice questions