Today I’ll be reviewing the CompTIA Advanced Security Practitioner (CASP+) CAS–003 exam, which validates candidates’ ability to implement technical solutions within cybersecurity policies and frameworks. The exam covers advanced-level concepts in risk management, enterprise security operations, architecture, security integration, research, and collaboration.
The CASP+ CAS–003 exam contains five weighted sections:
- 19% Risk Management — business and industry influences, policies and procedures, risk mitigation strategies, risk metrics
- 25% Enterprise Security Architecture — network security components, host security components, mobile and small form factor device security, software vulnerabilities and controls
- 20% Enterprise Security Operations — security assessments, incident response, forensics, and tools to conduct each operation
- 23% Technical Integration of Enterprise Security — systems integration, cloud and virtualization technologies, advanced AAA technologies, cryptography, secure communication and collaboration
- 13% Research, Development, and Collaboration — industry trends, impact analysis, security and technology life cycles, business unit collaboration
There is a maximum of 90 questions (multiple-choice and “performance-based,” AKA simulations) on the exam, with 165 minutes to answer them. Unlike other CompTIA exams, CASP+ is pass/fail only, with no scaled score provided.
How I scored
I’m a fourth-year computing security student at RIT in upstate New York, with plenty of exposure and hands-on experience related to the topics covered by the exam through classes, competitions, internships, clubs, and personal projects. CompTIA suggests that candidates have at least ten years of experience with the exam, five of which are in technical security roles. I would argue that only the five-year recommendation is accurate, and even that is probably a bit much.
Typically, this is where I’d break down my score on the exam. However, as previously mentioned, CASP+ is pass/fail only with no scaled score provided. Therefore, all I can say is that I studied from December 19th, 2020 to January 4th, 2021, with the exam on January 4th at 9:00 AM, and I passed!
How did I pay for the exam?
I am fortunate enough to have the CyberCorps Scholarship for Service (SFS) pay for my certifications. In general, I don’t recommend pursuing certifications unless your company, school, or scholarship will pay for it. Still, I recognize that there might be edge cases where one would want a certificate to enhance their prospects with a future employer.
If you are a student, the CompTIA Academic Marketplace offers nicely discounted exam vouchers for students enrolled in accredited colleges and universities.
My Pearson OnVUE experience
Unlike previous CompTIA exams, I took this exam online. I still prefer physical Pearson VUE testing centers due to their ease and reliability, but the nearest physical location where I usually test was closed due to the COVID-19 pandemic.
OnVUE allows candidates to test at home using their personal computer while being supervised by a remote proctor. As such, you must have a reasonably capable computer, webcam, and microphone (not a headset) available.
After downloading the OnVUE portable application, you will upload an official ID, a photo of your face, and pictures of your workspace. After a remote proctor verifies your identity and accepts your working environment, they will release the exam to you through BrowserLock. BrowserLock is a highly restricted piece of software primarily used to prevent cheating on high school- and college-level exams and other standardized tests that Pearson delivers. Be aware that the application will kill the Explorer process and any chat or video apps such as Slack or Discord. Once the exam begins, you are not to eat, talk, leave the view of the camera, or allow anyone to enter your workspace, else your exam may be revoked. Ensure the area you choose to work in is clean (OnVUE has a clean-desk policy) and is somewhere you will not be disturbed for the duration of the exam appointment, even if you plan to finish early. Once you start the exam, the software will look and operate similarly to a physical Pearson VUE site.
Unfortunately, I have not had good experiences with OnVUE itself. The first test I attempted using this method was the Cisco Certified CyberOps Associate, and the proctor and I were unable to get my exam to launch. I ended up just going to a physical test center. This time around, the CASP+ exam launched without issue, and I completed all of the questions except for one performance-based question. More on this later.
My study materials
As I say every time, the exam objectives should always be the first resource that anyone studying for a certification exam should review.
Download the topics in PDF format. Cross out or highlight content that is familiar or unfamiliar to you, take notes in the margins, and essentially do whatever you need to give yourself a clear picture or roadmap for how you will attempt this exam and in what order you will study the content. CompTIA’s syllabus is not always the best order in which new students should learn the content.
I’ve previously used Jason’s courses while studying for the CySA+ and PenTest+ exams. He does an excellent job at breaking down the five domains into multiple nice, manageable videos of around 2–3 minutes each and mostly sticks to the exam topics. I did find a few sections that he covered numerous times redundantly (access control models, cloud storage types, network security devices) and some that I believe he missed (state machine models, service-oriented architecture). Overall, this course was a great resource and one that I would highly recommend to anyone else studying for the exam.
I also used the practice test books by Sybex for previous CompTIA cybersecurity exams and continued to do so for the CASP+. However, the book seemed to be less useful for this exam due to its reliance on fact reiteration and lack of scenario-based questions. While it worked for me to ensure I had the prerequisite knowledge to attempt scenario-based questions on the actual exam, the difference in question format took me by surprise.
The book contains over 1,000 practice questions divided across each domain, as well as two practice exams. Question solutions with explanations are in the back of the book. I only found one question error in this book relating to stream and block cipher categorization, which I reported to the publisher.
My CompTIA exam strategy is to skip the performance-based simulations presented at the beginning of the exam, answer as many multiple choice questions as possible, and then return to the performance-based simulations. I typically flag anywhere from 15–20 questions and review them at the end of the exam.
I received 81 questions, 5 of which were performance-based. While exam details and question specifics are under NDA, I can speak generically about my experience. Be very familiar with acronyms since the exam won’t spell them out for you. I found that concepts relating to risk management and business agreements were the hardest for me to remember since I was new to these domains. Many of the technical questions reminded me of the Security+ exam, despite being more challenging since they are scenario-based rather than simply knowledge-based. Study the exam objectives and you should be just fine.
- Identity protocols
- Install a patch
- Harden a system (x2)
- Interpret vulnerability scanner output and make recommendations
I encountered one major issue during the exam due to the OnVUE delivery method: the CTRL keys are disabled when in BrowserLock. My final simulation question asked me to select multiple options in a dropdown using the CTRL key. After an hour (of exam time!) chatting with OnVUE support, they said they would make a note of my inability to complete the question and that I should submit the exam anyway.
Fortunately, I still passed. If you encounter a problem like this with your OnVUE exam, I strongly suggest completing the rest of the questions first and then contacting support about issues with any remaining time. OnVUE support restarted my exam several times, which connected me to different proctors and required me to re-explain my issue at least three times. I also experienced some difficulty explaining that I wasn’t asking for help answering a question. Hopefully, your exam will go more smoothly than mine did.
Good luck with your studies!
The CompTIA Advanced Security Practitioner (CASP+) is CompTIA’s highest-level cybersecurity certificate. It validates candidates’ ability to implement technical solutions within cybersecurity policies and frameworks and meets four different DoD 8140 (8570) criteria for technician, management, and architect/engineer roles.
I started obtaining CompTIA cybersecurity certifications in January 2018, and I am delighted to have finished them. I don’t believe I will pursue any certifications in their infrastructure track and instead pursue further certifications from GIAC and Cisco. Depending on funding, my next certificate will either be GCIA (building on GCIH) or Cisco Certified CyberOps Professional (building on Associate).
Best of luck to all who will be attempting this exam after me! Do reach out if you have any questions.
I do not use affiliate links, nor do I earn compensation for any products I endorse in this post. These are the resources I used to pass this exam and my honest reviews of them.