This certification was a reasonably lengthy study process, about two months in total. By test time, I still didn’t feel prepared for the exam. This blog will let you in on what I used to study, what I thought about the exam, and whether the certification is worth the effort.
I used quite a few study materials to prepare for this exam. Not because I needed to but instead because I thought I needed to.
I started with the Sybex CompTIA CASP+ Study Guide for Exam CAS-003 and the accompanying Practice Tests Book. They came together in the CASP+ Certification Kit: Exam CAS-003 on Amazon. The practice tests book came with over 1,000 questions, and the study guide came with a few hundred. I believe all of these are hosted on the Wiley Test bank that you get access to when you purchase the materials.
I actually recommend you use the online test bank rather than the one in the book. The online material is much more efficient to go through, and you can set the quiz builder to use only questions you haven’t answered or those you have answered incorrectly.
After I made it through this material, I felt that I needed more practice questions. CompTIA is known for asking questions oddly and forcing you to carefully consider how CompTIA would answer. I wanted to be exposed to more questions to start training my brain to think like the CASP+ exam.
I moved next to Cybrary. They have a vast repository of training, labs, and test questions. Turns out the practice questions were poorly written and gave answers conflicting with the previous study material. I can’t speak for their other study material, but I highly recommend avoiding it for this exam.
I also tried the labs on Cybrary, called “Practice Labs CompTIA CASP+ Virtual Labs.” I didn’t make up the name. I promise. In past CompTIA exams, the labs were kind of a shock because I had zero preparation. I figured practicing a little before exam time would help. These turned out to be a big time eater. I went through a few hours of the labs and they were zero help on the actual exam. Please don’t waste your time.
If you understand the material in the first book, you should be fine on the exam.
After about two days, I canceled my subscription to Cybrary. I moved on to another study guide book, CASP+ CompTIA Advanced Security Practitioner Certification All-in-One Exam Guide, Second Edition (Exam CAS-003). I hoped they covered things slightly differently, gave good exam tips, and provided more practice test questions. The book and practice questions were well written, and they even came with lab questions in the online resources. Compared to the first book, it had far fewer test questions.
In hindsight, there was no need for all of the resources I used. If I were to just focus on the first book, I would have been fine. So my recommendation is to get the Sybex Certification kit and spend your time there instead of wasting time on other material.
I know organizations are super prickly about exam details, so I will do my best not to reveal their deep dark secrets. Please reach out to me, CompTIA, if I need to modify any content.
So first off, if you studied well, you have plenty of time. Relax, you can do it. Like most exams, read the questions carefully, contemplate your answer and move on. I have never been one to go back and change answers continuously, but that is just how I roll. Just don’t second guess yourself out of a win on the exam.
How close were the questions to the material? Ooooh, tricky question. They were like 50% there. Even though I spent so much time studying, I had to rely on my five-plus years of experience to answer the other half correctly.
I spent so much time memorizing methodologies such as SDLC, RMF, and random frameworks. To a small degree, this helped. The problem is that there are just so many in the study guides. Learn a handful and move on.
Based on my experiences, I would focus a good chunk of study time on understanding the various security technologies and knowing when they should be used over another. For instance, when would you use AV versus a UTM? Or RADIUS versus Diameter?
The fact is the exam covers so much material. If you lack industry experience, you will have a tough time memorizing it all.
Who is the Certification for?
Initially, I thought this was the CompTIA version of the CISSP and held it in the same regard. It is kinda like the CISSP but is not nearly as well sought after as the CISSP. Itpro.tv has a pretty good blog comparing the CISSP to the CASP+. I recommend checking it out.
Further research on this certification revealed that it was created for the military. Sorry, I tried to find the resource, but I lost it. Where I got the information is unimportant. What is important to know is that the U.S. government is pretty much the only entity that cares about this certification. On the 8570 Approved Baseline Certifications chart, the certification would qualify you for IAT Level III, IAM Level II, and IASAE II roles.
Is the Certification Worth the Effort and Cost?
I hate providing an opinion without evidence so let’s look at the number of job postings for CASP+ versus CISSP. Because these are so similar, they will make a good comparison.
On glassdoor.com, there were 1,808 jobs in the United States, with “CASP” in the job description. This count was a little elevated. Unfortunately, Glassdoor sanitizes the plus sign, and psychology jobs also have the term CASP in them (related to autism, apparently).
If I use the term “CISSP” instead, I get 13,317 results. That should answer your question of which one is more sought after. Even with psychology results mixed in, the CASP+ results don’t even come close.
I will never get sponsored by CompTIA with this next part. In my opinion, the certification is not worth the effort. Regardless of your specialty, you would likely need a few years of experience in the industry to pass the exam. If you are going the management route, you are better off getting the CISSP associate. Once you get the requisite years of experience, it will be upgraded.
What if you are in a technical specialty? Then go with a technical certification. Depending on your specialty, there is something out there for you: cloud certs galore, several pen test certs, and even a few blue team related certifications.
I honestly see zero reasons to get this certification now that I have it. If I were to go back in time, I would get the CISSP instead of the CASP+.
I was actually planning on getting the CISSP next, but doing all this high-level stuff depresses me. I just need to do some hacking for a while to get my motivation back up to do boring certifications. Maybe next year.
Up next on my radar will be some HackTheBox and TryHackMe for a month or so. Following that, I will work on completing Red Team Ops or Offensive Security’s PEN-300. I am working on adding some new techniques to my toolbox, along with some advanced anti-virus evasion.
Hopefully, you found this review helpful. Feel free to check out my other blogs on TheCyberUnion, and as always, send me some feedback so I can better help you!
Silverbits is an infosec practitioner who has spent time in the crazy SOC life, at a help desk, as a penetration tester, doing digital forensics and malware analysis. Altogether, he has over 7 years of experience in Information Technology.