The certification on the wall didn’t change, but the exam behind it did. In December 2024, CompTIA retired the CASP+ brand and shipped its replacement: CompTIA SecurityX, exam code CAS-005. The old CAS-004 exam stayed available for a six-month transition window and was pulled on June 17, 2025. Anyone holding active CASP+ at that point received an automatic SecurityX badge — same status, new name. New candidates have one path forward, and it isn’t the one most study guides on the shelf were written for.
The rebrand is the smaller half of the story. SecurityX consolidated 28 CASP+ objectives down to 23, restructured the domain weightings, folded cryptography into a broader engineering domain, and added explicit coverage of AI threats, zero-trust architecture, IaC, and SASE. For working architects and senior engineers, the practical question is what to study, what carried over, and whether the credential still maps to the same job roles and DoD requirements. It does — but the syllabus underneath looks meaningfully different.
Why CompTIA Killed the CASP+ Name
CASP+ launched in 2011 and went through four exam revisions over thirteen years. By 2024, the brand had a recognition problem. The “+” suffix sits across CompTIA’s entire stack — A+, Network+, Security+, CySA+, PenTest+ — which collapses certifications meant for first-year helpdesk hires and ten-year security architects into the same visual tier. CASP+ also carried a name that telegraphed nothing about cybersecurity to recruiters scanning a resume.
CompTIA’s answer was the Xpert Series, a new advanced bracket sitting above the “+” line. SecurityX is the second of multiple new certifications in the Xpert Series, which was developed for IT professionals with multiple years of work experience. The first was DataX, an advanced data science credential, and CloudNetX followed as a combined cloud-and-networking architect cert. The Xpert framing lets CompTIA position SecurityX next to vendor-neutral peers like CISSP and SABSA without the suffix dragging it back into entry-level company.
Patrick Lane, CompTIA’s director of cybersecurity product management, framed SecurityX as “the only hands-on, performance-based certification for advanced practitioners — not managers — at the advanced skill level of cybersecurity.” That positioning is deliberate. CISSP candidates increasingly come from the GRC and management track; SecurityX is being marketed at the architects and senior engineers who still ship configurations.
The Domain Restructure: 28 Objectives Down to 23
The bones of the exam look familiar. Both CAS-004 and CAS-005 cover four domains, the question count is still capped at 90, the time limit is still 165 minutes, and the test is still pass/fail with no scaled score. What changed is the weighting and the boundaries between domains.
CASP+ CAS-004 led with Security Architecture (29%), then Security Operations (30%), Security Engineering and Cryptography (26%), and closed with Governance, Risk, and Compliance (15%). SecurityX CAS-005 reorders the priorities. Governance, Risk and Compliance has gone from 15% to 20% of the exam. Security Architecture used to comprise 29%, but it’s now 27%. Security Engineering and Cryptography has been updated to simply “Security Engineering,” and the percentage has increased to 31%, which makes engineering the largest single domain. Security Operations dropped to 22%.
The shifts tell a story. GRC moved from afterthought to anchor — leading the exam at 20% reflects the reality that architects spend more time translating regulations into controls than they did a decade ago. Engineering absorbed cryptography rather than treating it as a separate concern, which mirrors how PKI, key management, and encryption-at-rest now sit inside broader engineering workstreams. Operations shrank not because day-to-day ops matter less but because much of what used to live there — incident response, monitoring, automation — moved into engineering as code.
The objective consolidation is the more interesting change. SecurityX will now cover 23 instead of the 28 objectives in CASP+ V4. The updated certification and exam narrow the focus, helping you gain a more specialized understanding of current cybersecurity needs. Five objectives didn’t survive the cut. Topics that overlapped between domains were merged, dated material around legacy on-prem architectures was trimmed, and the surviving objectives were rewritten to assume a hybrid-cloud baseline rather than treating cloud as an exotic add-on.
What’s Genuinely New in CAS-005
Three areas got real expansion rather than reshuffled coverage.
Artificial intelligence threats and AI-enabled defense are now exam material. The GRC domain explicitly covers “the security challenges associated with AI adoption”, including model poisoning, prompt injection, and the governance problems of deploying generative AI inside enterprise workflows. Engineering objectives reference generative AI as part of automation tooling. This is the first CompTIA cert at this tier to put AI directly on the objectives rather than leaving it to bonus reading.
Zero trust architecture is now a first-class topic. Zero trust concepts, including defining subject-object relationships, appear in the architecture domain alongside SASE, SD-WAN, and microsegmentation. CASP+ touched zero trust; SecurityX assumes you can design a policy enforcement model around it.
Cloud-native engineering got a substantial bump. Cloud capabilities such as CASB (API-based, proxy-based), shadow IT detection, the shared responsibility model, CI/CD pipelines, Terraform, Ansible, container security, orchestration, and serverless workloads are all named explicitly. Infrastructure-as-code by tool name (Terraform, Ansible) is on the syllabus, as are PowerShell, Bash, and Python for automation. The exam now expects candidates to recognize SOAR workflows, container security boundaries, and the security model of serverless execution.
Threat modeling got more rigor too. The exam tests STRIDE — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege — and expects candidates to apply MITRE ATT&CK and CAPEC frameworks to scenario questions, not just identify them.
SecurityX Domain Reference
Working architects preparing for the exam need a quick map of what each domain actually covers. The official CAS-005 objectives document is the authoritative source, but here’s the practical breakdown.
The 31% engineering domain is where most candidates underprepare. CASP+ veterans coming back to recertify often expect cryptography to be its own bucket and miss that it’s now embedded inside broader engineering scenarios — key lifecycle management appears alongside container hardening and secrets vaulting in the same performance-based questions.
Performance-Based Questions Got Heavier
CompTIA didn’t publish a quota, but third-party prep providers tracking the exam report a sharper PBQ emphasis. 74% of the objectives in SecurityX are scenario-based and emphasize tool implementation over simple identification. Candidates report sitting in front of simulated consoles, log views, and configuration files for stretches of the test — not just clicking through multiple-choice trivia.
The format shift matches the audience CompTIA wants. “CompTIA SecurityX is the only hands-on, performance-based certification for advanced practitioners — not managers — at the advanced skill level of cybersecurity” is a positioning claim, but the exam mechanics back it up. Memorizing definitions of SAML versus OAuth won’t carry a candidate through a PBQ that asks them to trace a federated authentication failure across an identity provider’s logs.
Pricing, Prerequisites, and the DoD 8140 Question
The retail price is unchanged from late-period CASP+. The SecurityX CAS-005 exam costs $509 at standard retail, with vouchers, bundles, and academic discounts available through CompTIA’s partners. There are still no formal prerequisites. It’s recommended that candidates have a minimum of 10 years of experience in IT administration, including at least 5 years of hands-on technical security experience.
The certification is valid for three years and renews with 75 CEUs through CompTIA’s Continuing Education program, or by passing the next exam version when it ships.
For federal candidates, the more important fact is that CompTIA SecurityX is compliant with ISO/ANSI 17024 standards and maps to DCWF work roles used by U.S. DoD Directive 8140.03M. The DoD 8140 mapping is the same one CASP+ held; nothing was lost in the transition. SecurityX qualifies for the same NICE/DCWF roles its predecessor did, including senior security architect and senior security engineer positions across federal civilian and defense agencies.
Should Existing CASP+ Holders Care?
Practically, no. If you are an active CASP+ certification holder, you’ll receive a notification to download the updated SecurityX badge. The certification status doesn’t change, the renewal cycle doesn’t reset, and the DoD recognition carries over. Recruiters running CASP+ keyword searches in applicant tracking systems will still match resumes that list either name, but candidates updating their LinkedIn should list it as “CompTIA SecurityX (formerly CASP+)” to cover both ATS pattern matches.
The candidates who do need to pay attention are the ones who started studying from CAS-004 materials before the sunset and are now sitting on outdated guides. Books, video courses, and practice exams written for CAS-004 cover roughly 80% of CAS-005 correctly, but the 20% gap (AI threats, expanded zero trust, IaC tool names, the GRC domain’s expanded weighting) is where new candidates will lose points. Updated study material with the CAS-005 code on the cover is the only safe choice for anyone testing in 2026.
How SecurityX Compares to CISSP and CCSP
The CISSP question comes up in nearly every conversation about advanced cybersecurity certifications, and the answer hasn’t changed with the rebrand: the two credentials don’t substitute for each other. CISSP, administered by (ISC)², weighs heavier on managerial and policy material across its eight domains and is the de facto requirement for CISO and director-level roles. SecurityX is technical and performance-based.
CCSP is narrower than either — strictly cloud security — and sits closer to SecurityX’s Domain 2 in scope but with deeper coverage. Architects who already hold CCSP and want enterprise-wide validation often add SecurityX rather than CISSP. Architects on the management track typically do the opposite.
The pragmatic answer: SecurityX validates that you can design and build, CISSP validates that you can govern and manage. Senior practitioners on the technical ladder hold SecurityX. Senior practitioners moving to executive roles add CISSP on top.
Frequently Asked Questions
Is SecurityX easier or harder than CASP+? Roughly equivalent in raw difficulty, but the emphasis shifted. The exam is harder for candidates whose strength was rote definitions and easier for candidates with hands-on cloud and IaC experience.
Do I have to retake the exam if I held CASP+? No. Active CASP+ holders received an automatic SecurityX badge and keep their existing certification cycle. You only retest when your three-year window expires, and at that point you’d take whichever exam version is current.
Is SecurityX still on the DoD 8570/8140 approved list? Yes. The mapping carried over with the rebrand. SecurityX is approved for the same DCWF work roles CASP+ held under DoD Directive 8140.03M.
Should I take Security+ first, or jump straight to SecurityX? CompTIA recommends Security+ and CySA+ as stepping stones but they aren’t required. Candidates with five-plus years of hands-on security experience often skip directly to SecurityX. Candidates without that background should not.
The Bottom Line
SecurityX is CASP+ with a sharper edge and better marketing. The four-domain structure, 90-question format, and three-year renewal cycle all carried over. What changed is the topical center of gravity — toward zero trust, AI threats, cloud-native engineering, and IaC tooling — and the brand position, which now sits in CompTIA’s expert tier rather than getting lost in the “+” stack.
For new candidates, the practical move is to study against the CAS-005 objectives directly, treat any pre-2025 study material as a partial reference, and weight preparation toward Domain 3 engineering scenarios where the exam dedicates 31% of its questions. For existing CASP+ holders, the move is simpler: download the SecurityX badge, update the resume language to cover both ATS keywords, and keep accumulating CEUs on the existing renewal schedule. The certification on the wall didn’t change. The exam behind it caught up.






