CASP+ (CAS-004)

In Feb 2023, I took CompTIA’s CASP+ (Advanced Security Practitioner) exam, and I passed first time.

I used Jason Dion’s Udemy course to prepare for this. That was the only specific training that I did for this exam, but I also spent the previous 6 months preparing for the OSCP, and I have prior knowledge/experience.

Aside from the Udemy course, Jason Dion also did a YouTube video: The road to the CASP+. In that, he described the CASP+ as a “capstone” certification, which builds on the knowledge you gained in other certifications. CompTIA’s career pathway shows the core skills (ITF+, A+, Network+, Security+) then the cybersecurity certs (PenTest+ and CySA+), then CASP+. However, Dion says that the CASP+ also draws on Linux+ and Cloud+ (neither of which I’ve done); from my own experience, I think that CASP+ overlaps with Server+.
NB Although I haven’t done Cloud+, I have done Microsoft’s Azure Fundamentals certification, and I think that was relevant, e.g. to understand availability zones.

It’s also worth noting that the exam objectives will change for various certifications over time. In my case, I did the Network+ (N10-005) in Apr 2015. Back then, the exam objectives didn’t include SDN (Software Defined Networking); this was added in N10-007, and is also present in N10-008. However, SDN is included in the exam objectives for CASP+ (CAS-004), specifically in objective 1.1. So, if I was relying on the older objectives for Network+, I’d struggle with CASP+. In my case, I’ve also done the Cisco CCNA, which covers SDN in detail, so I was fine. As a side note, this does help to justify why the CASP+ can renew the Network+ (and other certs), i.e. you need to know the material which is covered by the current objectives.

The exam objectives for CASP+ are split into 4 domains:

  • 1.0 Security Architecture
  • 2.0 Security Operations
  • 3.0 Security Engineering and Cryptography
  • 4.0 Governance, Risk, and Compliance

I think that the first 3 domains have the most overlap with other CompTIA certs, and these are the most practical. The 4th domain is a bit different, and I found that the CISMP was good preparation for this, along with the assessor courses for IASME Cyber Assurance.

Coming back to Jason Dion’s Udemy course, I basically used that as a recap, and to fill in any blanks. It did the job, since I passed the exam. I think the practice exam in this course was slightly easier than the real exam (mainly because it doesn’t include a virtual environment) but it’s a good way to prepare.

However, the course also has some flaws, mainly due to the way it’s been put together. Basically, there are hundreds of videos (ranging from 1 minute to 25 minutes long), where each tackles a particular topic. That’s fine, but I think some of them have been re-used from other courses, and it lacks an overall structure. In particular:

  • There’s a lot of duplication between modules. (At a guess, I think the course could be about 5 hours shorter without the duplicate content.)
  • Some modules contradict each other, e.g. recommending whether passwords should or shouldn’t expire. (Module 114 says no, module 115 says yes.)
  • Some modules contradict themselves, e.g. there are different definitions of what AIK stands for in module 121.
  • Some modules contradict the real world, i.e. they’re flat out wrong. E.g. modules 234 and 246 claim that a 4-digit PIN has 1,000 possible values, when the actual number is 10,000. I got at least one question wrong in the exam because I took the training material at face value.
  • The pronunciation is wrong in a few places, e.g. Bruce Schneier’s surname doesn’t contain a “d” (it’s not “Schneider”) and the second syllable in Galois should rhyme with “car” rather than “voice”.

Udemy have frequent sales, so I paid £15 for this (rather than the RRP of £70), and I think that was a fair price. Looking at the Dion Training site (outside Udemy), this course costs $499, which is absurdly high! It would make sense if it included an exam voucher, but the page doesn’t mention that (only a free retake if you fail your first attempt).

I did the exam from home, with online proctoring. The CompTIA website says that there will be a maximum of 90 questions in 165 minutes (i.e. 2 hours 45 minutes). I think they say “maximum” because it depends on the split between multiple choice and performance-based questions (PBQs).
NB There are 2 types of PBQs (simulations and virtual environments), and the CASP+ exam contains both. You can skip over a simulation and come back to it later, but you can’t do that with a virtual environment; once you click “Next”, that’s it, and the “Next” button doesn’t ask you whether you’re sure (unlike the button to end the exam, which asks you twice).

In my case, I had 82 questions in total. That included 2 simulations and 1 virtual environment, but the virtual environment was spread across 2 questions (i.e. the first question just gave the preamble and emphasised that you only get one chance to complete it). So, that left 78 multiple choice questions. The quantity might be different for other people, so this is just a single data point.

When I got to the virtual environment, the exam timer was paused for it to load up. However, it was still a bit slow to respond at first, e.g. it took a minute or so before I could see any desktop icons (after the exam timer had resumed). I don’t think that was due to my internet connection, because it was responsive after that; it’s just the resources that have been allocated on the remote machine. Related to that, my advice is that you shouldn’t reboot the virtual machine if you can avoid it, because it will take a while to come back up, and your timer isn’t paused for that.

I need to be careful not to say too much (because of the NDA), but I think my OSCP preparation was what helped me the most, i.e. I’ve spent a lot of time doing hands-on configuration. If you have a strategic role (e.g. writing retention schedules and business continuity plans), this will be more of a challenge.

Overall, it took me about 2 hours to do the exam:

  • 1h 40m to do my first pass, where I marked some questions for review
  • 5m to review the questions that I’d flagged
  • 15m to review all the questions (except for the virtual environment)

So, there was about 45 minutes left on the clock when I finished. As I’ve said before for other exams, this isn’t a race, and it’s fine to take longer. My point is that if you know the material then you probably don’t need to worry about running out of time; just keep an eye on the clock in the corner of the screen.

After I finished the exam, I did both surveys. Usually, this is the point where I’d get my score, displayed on the screen and/or printed out (at a test centre). In this case, they said that I’d need to wait for an email, but I recommend logging into the Pearson Vue website to check your exam history. I checked that website 45 minutes after the exam finished, and it said that I’d passed; the information might have been available if I’d checked sooner.
NB You only get a pass/fail result for the exam (not a score), but it will list any objectives where you got at least one question wrong.

I finished my exam at 15:32 on a Wednesday afternoon. When I checked the CertMetrics site at 09:20 the following morning, there was no mention of my exam or certification. At 11:34, I received an email asking me to claim my digital badge (on Credly), and then the CertMetrics site displayed everything. So, I’m guessing that the databases are synced once a day.

The main reason that I did this exam was to renew my existing certifications. When I did the CySA+ in 2020, this added 3 years to my prior certs (putting them 5 years in the future). Now that I’ve done the CASP+, all my certs will expire on the same date:

That makes more sense, so I think there must have been a temporary glitch in 2020.

On a side note, it’s interesting that the CASP+ is listed under the “Mastery Series” rather than the “Professional Series”. I’m not aware of any other “Mastery” certifications (i.e. it’s a series of 1) but maybe there will be others later.

Passing this exam also gave me 2 stackable certifications:

  • CompTIA Security Analytics Expert (Security+, CySA+, and CASP+)
  • CompTIA Security Infrastructure Expert (Security+, CySA+, PenTest+, and CASP+)

I’m not sure what I’ll do in 3 years when my CompTIA certifications are due for renewal. As it stands, there aren’t any higher certifications available, so I’ll either need to repeat the CASP+ exam, do an equivalent exam from another organisation (e.g. the CISSP), or look at other ways to get the CEUs. For now, I’m satisfied that I’ve completed the set.
