CompTIA Advanced Security Practictioner

One week ago, I passed the CAS-003 exam after studying for approximately three weeks. Here is how I studied, and my thoughts on the exam.

How I Studied

Starting three weeks before the exam, I began listening to Christopher Rees’ course on Pluralsight that covered CASP topics for the CAS-002 exam on my way to and from work. Given my commute time and the playback speed that I use for all Pluralsight courses, I listened to the roughly nine and a half hours of material in two weeks. This was completely non-interactive. I did not watch any of the videos, and I took no notes.

From there, I moved onto the CASP Study Guide, Second Edition, written by Michael Gregg. Again, this book was made for the outdated CAS-002 exam. I began with the goal of reading two chapters every day, but my experience in the industry made that a too easily obtained objective, so it quickly became one chapter a day. While doing so, I made sure to pay special attention to the Real World Scenarios, as well as the end-of-chapter review questions. The former allowed me to check my understanding of concepts by applying them to a realistic problem, while the latter served as a way to find out what I didn’t get the first time, so that I could go back and review it.

I believe that the strategy of listening to the materials passively before actively engaging with the materials proved to be highly effective, as it allowed me to understand, at a very high level, how all of the material fit together, as well as providing initial exposure for the highly technical aspects. I will certainly be doing it for all future exams.

The exam

As I have previously taken and passed the CompTIA Network+ and Security+ exams, I knew mostly what to expect from the CAS-003 test. Just like every other PearsonVUE exam, you sign in, drop off everything you brought except the clothes on your body in a locker, and sit down in front of a computer. After agreeing (again) to the code of conduct, the exam begins.

Unsuprisingly, the CAS-003 exam did not have a lot of material that I had not encountered, either in my day job or in my studies for the CAS-002 exam. I do, however, think that the lab scenarios given to me were occasionally poorly constructed. I understand the difficulty associated with being vendor-agnostic and still testing technical ability, but I believe that the lab environments could have been done better by giving the tester more freedom. For example, there is no reason that, as a information security administrator, I will not be able to modify IP addresses inside firewall rules, or delete firewall rules altogether.


The CompTIA CAS-003 exam was the hardest certification exam I have taken to date. I suspect that may be at least in part due to that all of the study materials I had used were designed for the previous version of the exam. I do not, however, think that a person who studied for the CAS-002, unaware that it was going to be retired in October, needs to go out and buy CAS-003 materials to pass this exam.

For future certification exams, I will continue to use the study technique of listening to the material first, then engaging it afterwards. As previously noted, this significantly reduced the time I needed to set aside to read through a book, as most of the concepts only needed a tiny push for them to click into place.

Written on November 11, 2018