If you have searched for CASP+ recently and found it has vanished, you are not imagining things. CompTIA retired the old CASP+ exam (CAS-004) on 17 June 2025 and replaced it with CompTIA SecurityX (CAS-005), the new flagship of the CompTIA Xpert Series. The credential is the same idea, an expert level certification for senior security practitioners, but the name, the exam code and a big chunk of the content have changed. So the obvious question is whether CompTIA SecurityX is worth it in 2026, and this guide answers it in full.
Below you will find exactly what SecurityX is, the four exam domains and their weightings, the real cost, the difficulty, how it stacks up against CISSP, and an honest verdict on who should sit it and who should skip it.
What Is CompTIA SecurityX (CAS-005)?
CompTIA SecurityX is an expert level, vendor neutral cybersecurity certification that validates your ability to design, engineer and operate secure enterprise environments at scale. It sits at the very top of the CompTIA security pathway, above Security+ and CySA+, and it is aimed at people who architect security solutions rather than follow runbooks written by someone else.
SecurityX is part of the rebranded CompTIA Xpert Series, which is why the familiar "+" naming was dropped. CASP+ became SecurityX, but the role it certifies, the advanced security practitioner, has not changed.
Exam Tip: SecurityX (CAS-005) is the direct successor to CASP+ (CAS-004). If a study resource still says "CASP+" and references the CAS-004 objectives, it is out of date. Always check the exam code is CAS-005 before you buy anything.
The CAS-005 refresh modernised the content heavily. The exam now treats cloud native and hybrid environments as the default rather than the exception, and it adds current architectural concepts including zero trust, Secure Access Service Edge (SASE), AI threat modelling, post quantum cryptography and compliance as code. This is a deliberate shift away from the on premises assumptions that ran through older CASP+ versions.
The Four SecurityX Exam Domains
The CAS-005 exam is built around four domains. Around 74 per cent of the objectives are scenario based, which tells you everything about how CompTIA expects you to be tested: applied judgement, not flashcard recall.
| Domain | What it covers | Weighting |
|---|---|---|
| 1. Governance, Risk and Compliance | Risk management, regulatory frameworks, compliance as code, third party risk | 20% |
| 2. Security Architecture | Zero trust, SASE, secure cloud and hybrid design, resilient architecture | 27% |
| 3. Security Engineering | Cryptography (including post quantum), secure implementation, automation | 31% |
| 4. Security Operations | Threat hunting, incident response, detection engineering, monitoring | 22% |
Security Engineering and Security Architecture together make up 58 per cent of the exam, which confirms where the weight sits. SecurityX is fundamentally an architect and engineer certification, with governance and operations supporting the technical core.
Why the scenario focus matters
The domains look broad on paper, but the exam tests them through layered scenarios. A single question might ask you to weigh a compliance requirement, a budget constraint and a technical limitation at the same time and pick the strongest option. Memorising definitions will not save you here. You need to have made these trade offs in real environments, or at least practised making them under exam conditions.
SecurityX Exam Details and Cost
Here are the hard facts you need to plan your attempt. These reflect the current CAS-005 exam in 2026.
| Detail | CompTIA SecurityX (CAS-005) |
|---|---|
| Number of questions | Maximum of 90 |
| Question types | Multiple choice and performance based (PBQs) |
| Exam length | 165 minutes |
| Scoring | Pass or fail, no scaled score |
| Exam cost | Around 509 to 529 US dollars |
| Recommended experience | 10+ years IT, 5+ years hands on security |
| Validity | 3 years |
| Renewal | 75 CEUs plus a 50 US dollar annual CE fee |
A few of these deserve a closer look.
There is no pass mark to aim for. Unlike Security+, which needs 750 out of 900, SecurityX is graded pass or fail with no published threshold and no scaled score. You walk out knowing only whether you passed, with no domain breakdown. That makes targeted practice more important, not less, because you cannot lean on a "good enough" score in your weakest area.
The performance based questions are the real test. PBQs are hands on simulations where you might configure a firewall, analyse logs or troubleshoot a security issue in a virtual environment. They are weighted heavily and they are the single biggest reason candidates fail, because you genuinely cannot memorise your way through them.
Exam Tip: SecurityX is DoD 8140 (formerly 8570) approved, which is a major reason it holds value for anyone working with or aspiring to work with US defence contractors and federal agencies.
Renewal is ongoing. SecurityX is valid for three years. To keep it active you need 75 Continuing Education Units (CEUs) across the cycle, earned through training, conferences, publications or relevant work experience, plus a 50 US dollar annual CE fee. Budget for the renewal, not just the exam.
How Hard Is SecurityX?
SecurityX is hard, and it is meant to be. It is an expert level exam pitched at people with roughly a decade of IT experience and five years specifically in security. CompTIA does not enforce those years, but the exam is written as though you have lived them.
The most common failure pattern is predictable: candidates jump straight to SecurityX from Security+ with only two or three years of experience, skip CySA+ entirely, and get caught out by the performance based questions. The scenarios assume you have actually configured the controls and made the architectural calls, not just read about them.
If you are working towards this, a sensible CompTIA security ladder looks like this:
- CompTIA Security+ for the foundations. See our guide on how to pass CompTIA Security+ on your first attempt.
- CompTIA CySA+ for hands on analyst and operations skills. Our CySA+ CS0-004 study plan covers the route.
- CompTIA SecurityX once you have the architecture and engineering experience to back it up.
Skipping rungs is exactly how strong candidates end up failing an exam they were technically capable of passing with more preparation.
SecurityX vs CISSP: Which Should You Choose?
This is the comparison most senior practitioners actually care about, because both certifications sit at a similar level and both carry real weight with employers. The honest answer is that they validate different things.
| Factor | CompTIA SecurityX (CAS-005) | ISC2 CISSP |
|---|---|---|
| Primary focus | Hands on technical architecture and engineering | Broad security management and governance |
| Best for | Security architects and senior engineers | Security managers and programme leaders |
| Experience requirement | Recommended, not verified | 5 years verified and enforced |
| Exam style | Heavy performance based, scenario driven | Multiple choice and advanced innovative items |
| Renewal | 75 CEUs over 3 years | 120 CPEs over 3 years |
SecurityX leans technical. It rewards people who design and implement security controls. CISSP leans managerial. It rewards people who run security programmes and speak the language of risk and governance to the business. The content overlaps, but the emphasis is genuinely different.
A practical rule of thumb: if your career is heading towards security architect or principal engineer, SecurityX maps better to the work. If you are heading towards CISO, security manager or GRC leadership, CISSP carries more recognition in those rooms. Plenty of senior professionals eventually hold both. For a deeper look at the management side, read our take on whether CISSP is worth it in 2026.
Is CompTIA SecurityX Worth It in 2026?
For the right person, yes. SecurityX is worth it in 2026 if you are a mid to senior security professional moving towards architecture or advanced engineering roles, and especially if you work in or around the US public sector where DoD 8140 approval matters.
The case in favour is strong:
- Salary ceiling. Senior security architect and engineer roles that list SecurityX or its CASP+ heritage commonly sit around the 185,000 US dollar mark in the United States, according to industry salary data.
- It is vendor neutral. Unlike a cloud specific architect certification, SecurityX validates principles you can carry across AWS, Azure, on premises and hybrid estates.
- It proves applied skill. The performance based format means a pass is hard to fake. Hiring managers know it is not a memorisation exam.
- It is current. The CAS-005 refresh added zero trust, SASE, AI threat modelling and post quantum cryptography, so the content matches what enterprises are actually buying and building right now.
The case against is mostly about timing and fit:
- It is not an entry point. If you have under three years of hands on security experience, your time and money are better spent on Security+ and CySA+ first.
- The ongoing cost is real. Between the exam fee and three years of CEUs and CE fees, this is not a one off purchase.
- CISSP may serve you better if your trajectory is management rather than technical depth.
If you are weighing this against newer specialist options, it is also worth reading about CompTIA SecAI+, the AI security certification, to decide whether broad expert validation or a focused specialism fits your next move better.
How to Prepare for SecurityX
Given the scenario heavy, performance based format, passive reading will not get you there. A focused plan works better:
- Map your weak domains first. With Security Engineering at 31 per cent and Security Architecture at 27 per cent, prioritise the technical core if your background is operations heavy.
- Practise PBQs relentlessly. The performance based questions decide most pass or fail outcomes. Reproduce the hands on tasks, do not just read about them.
- Drill scenario questions under time pressure. With a maximum of 90 questions in 165 minutes, you have under two minutes per item on average, and the scenarios are long. Pace practice matters.
- Test against current CAS-005 objectives. Avoid any bank still built on CAS-004 CASP+ content.
This is where realistic practice questions earn their keep. Working through exam style scenarios on CertCrush shows you fast where your reasoning breaks down, so you can fix it before exam day rather than during it.
Ready to Start Practising?
CompTIA SecurityX rewards applied judgement, and the only reliable way to build it is to practise against realistic, scenario based questions until the trade offs become second nature. Reading the objectives tells you what is on the exam. Practising tells you whether you can actually pass it.
Create your free CertCrush account and start working through exam style questions built for the way SecurityX really tests you. Train on the scenarios, sharpen your weak domains, and walk into CAS-005 ready to pass it the first time.