SecurityX Domain 2: Security Architecture (27%) - Complete Study Guide 2026

TL;DR
  • Security Architecture is 27% of the CAS-005 exam, the second-largest domain after Security Engineering.
  • Expect scenario-heavy multiple-choice and performance-based questions, not simple definition recall.
  • Topics span secure infrastructure design, cloud/hybrid architecture, data security, and resilience engineering.
  • CompTIA recommends at least 10 years of IT experience with 5 years in security before attempting this material.

Domain 2 Overview: Why Security Architecture Carries 27%

CompTIA structured the CAS-005 exam around four domains, and Security Architecture sits at 27% of total exam weight - second only to Security Engineering at 31%. That weighting is not arbitrary. Architecture questions ask candidates to design, evaluate, and defend infrastructure decisions rather than just recite terminology, which makes this domain time-consuming to master and heavily represented on test day.

If you're mapping out your overall approach, the SecurityX Exam Domains 2026 guide breaks down how all four domains fit together, while this article goes deep specifically on Domain 2. For a broader first-attempt strategy, pair this with the SecurityX Study Guide 2026.

Exam Format Reminder: The CAS-005 exam allows a maximum of 90 questions - a mix of multiple-choice and performance-based items - within a 165-minute window. Scoring is pass/fail with no scaled score reported, so there's no partial-credit strategy to lean on within a domain.

Core Topics You Must Master

Security Architecture on CAS-005 is less about memorizing a single framework and more about applying design judgment across hybrid, cloud, and legacy environments simultaneously. The following areas consistently anchor this domain's objectives.

Secure Infrastructure Design Principles

Candidates must evaluate network segmentation, zero trust architecture, and secure-by-design principles when integrating new systems into existing environments.

  • Zero trust concepts applied to identity, device, and workload trust boundaries
  • Micro-segmentation and software-defined networking tradeoffs
  • Secure design patterns for on-premises, cloud, and hybrid topologies

Cloud and Virtualization Architecture

You'll need to compare architectural options across IaaS, PaaS, SaaS, and containerized environments, then justify which model fits a given risk and business constraint.

  • Container and orchestration security (e.g., Kubernetes-style workload isolation)
  • Shared responsibility model boundaries across cloud service types
  • Serverless and microservices design implications for attack surface

Data Security and Cross-Domain Solutions

Expect scenarios requiring you to architect controls that protect data at rest, in transit, and in use - often across trust boundaries with differing classification levels.

  • Data flow mapping and classification-driven control selection
  • Cross-domain solutions for environments with strict segmentation requirements
  • Cryptographic architecture decisions (key management, PKI hierarchy design)

Resilience, Recovery, and Availability Architecture

This domain also tests whether you can design infrastructure that survives failure, not just infrastructure that resists attack.

  • High-availability and redundancy design across multiple sites or regions
  • Architecting for disaster recovery objectives (RTO/RPO-driven design choices)
  • Resilient architecture for OT, ICS, and embedded/IoT environments

Key Takeaway

Treat every Domain 2 topic as a design decision with tradeoffs, not a fact to memorize - CAS-005 rewards candidates who can justify why one architecture beats another for a given scenario.

How CAS-005 Tests Architecture Knowledge

Unlike entry-level certifications that ask "what is a firewall," Domain 2 questions on CAS-005 typically present a business scenario - a merger, a cloud migration, a compliance mandate - and ask you to select or critique an architectural response. Performance-based questions (PBQs) are especially common in this domain because architecture is inherently visual and structural: you may be asked to place controls on a network diagram, sequence a secure migration, or identify the weak point in a proposed design.

Because the exam mixes multiple-choice and performance-based items within a single 165-minute session and caps at 90 questions total, pacing matters. Architecture PBQs can consume disproportionate time if you haven't practiced diagram-based reasoning beforehand. If you're unsure how difficult this feels in practice, the How Hard Is the SecurityX Exam guide discusses difficulty patterns candidates report across domains, and the SecurityX Pass Rate breakdown looks at what the available data actually shows.

Format Note: There is no partial credit and no scaled score on CAS-005 - it's pass/fail. That means a strong Domain 2 performance can't be "banked" against a weak showing elsewhere; every domain has to hold up on its own.

Domain 2 vs. the Other Three Domains

Seeing Security Architecture next to the other three domains helps clarify where it starts and stops. Governance sets the policy and risk context, Engineering implements the technical controls, and Operations runs and monitors them day to day - Architecture is the connective layer that designs how it all fits together.

Domain | Weight | Primary Focus
Domain 1: Governance, Risk, and Compliance | 20% | Policy, risk management, regulatory alignment
Domain 2: Security Architecture | 27% | Infrastructure, cloud, data, and resilience design
Domain 3: Security Engineering | 31% | Technical implementation and control engineering
Domain 4: Security Operations | 22% | Monitoring, incident response, ongoing operations

Because Architecture and Engineering together represent 58% of the exam, candidates who under-prepare on design-oriented thinking often struggle regardless of how well they know governance frameworks. If you haven't reviewed the other three areas yet, the companion guides for Domain 1: Governance, Risk, and Compliance, Domain 3: Security Engineering, and Domain 4: Security Operations follow the same format as this one.

Who Hires for These Architecture Skills

Security Architecture competency maps directly to job titles that employers actively recruit for once a candidate holds this credential - security architect, principal security engineer, enterprise architect with a security focus, and cloud security architect roles all lean heavily on the exact competencies tested in Domain 2. Employers hiring for these positions are typically looking for the design-level judgment this domain tests, not just tool familiarity.

To see how this domain translates into career outcomes, review the SecurityX Jobs overview for role examples and the SecurityX Salary Guide 2026 for how architecture-heavy roles are compensated relative to other security career paths. If you're still weighing whether the certification is worth pursuing at all given the time investment this domain requires, the Is the SecurityX Certification Worth It ROI analysis covers that decision from multiple angles.

Experience Alignment: CompTIA recommends at least 10 years of hands-on IT experience with a minimum of 5 years in broad hands-on security experience before attempting CAS-005. Domain 2's design-based scenarios are a big part of why that experience bar exists - architecture judgment is hard to fake on exam day.

Scheduling Domain 2 Into Your Study Plan

Given that Architecture and Engineering combine for 58% of the exam, most candidates benefit from front-loading Domain 2 early in their preparation timeline, then revisiting it in a final review pass once the other domains are fresh. Below is one way to sequence a multi-week plan around the domain weightings.

Weeks 1-2: Foundations of Architecture Thinking

  • Map zero trust concepts and secure design principles to real environments you've worked in
  • Diagram hybrid and cloud topologies from memory, labeling trust boundaries

Weeks 3-4: Cloud, Data, and Resilience Deep Dive

  • Compare IaaS/PaaS/SaaS shared responsibility boundaries in scenario form
  • Practice PBQ-style tasks: sequencing secure migrations, placing controls on diagrams

Weeks 5-6: Cross-Domain Integration Review

  • Connect Domain 2 design decisions to Domain 1 risk/compliance drivers
  • Connect Domain 2 designs to Domain 3 engineering implementations

Final Week: Timed Practice Under Exam Conditions

  • Run full-length practice sessions within the 165-minute limit
  • Prioritize architecture PBQs since they tend to take longer per item

This is a scenario-driven variation on spaced repetition - rather than reviewing flashcards on a fixed schedule, you're revisiting the same architecture scenarios with increasing complexity as your study progresses. You can build a full practice routine around this domain using the timed exams at the SecurityX practice test platform.

Common Pitfalls Candidates Hit on This Domain

A few recurring mistakes show up when candidates prepare for Security Architecture content:

  • Studying architecture in isolation. Domain 2 concepts rarely appear alone on the exam - they're tested alongside governance drivers or engineering implementation details, so isolated flashcard review underprepares you for scenario questions.
  • Skipping diagram practice. Because performance-based questions in this domain are often visual or sequence-based, candidates who only study text-based material get caught off guard by the format.
  • Underestimating cloud-native architecture. Container orchestration, serverless design, and microservices security are frequently under-reviewed compared to traditional network architecture topics.
  • Ignoring resilience and recovery design. Candidates often focus on preventing attacks but spend too little time on architecting for availability and recovery, which is explicitly part of this domain.

For a general sense of how these pitfalls compare across the whole exam - not just this domain - the SecurityX Certification Cost breakdown is also worth reviewing before you schedule your attempt, since re-takes add both time and expense. You can also run full-length timed simulations on the practice test site to see exactly where architecture-specific gaps show up before exam day.

Frequently Asked Questions

How much of the CAS-005 exam is Security Architecture?

Security Architecture is Domain 2 and accounts for 27% of the exam, making it the second-largest of the four domains behind Security Engineering at 31%.

Does Domain 2 focus more on cloud or on-premises architecture?

Both. CAS-005 expects candidates to design and evaluate security across hybrid environments, meaning you need fluency in cloud service models as well as traditional on-premises and network architecture.

Are Domain 2 questions mostly multiple-choice or performance-based?

The exam mixes both formats across all domains, with a maximum of 90 questions in 165 minutes. Architecture content is a common area for performance-based questions because it lends itself to diagram- and scenario-based tasks.

Do I need specific architecture certifications before attempting Domain 2 content?

CompTIA doesn't require prerequisite certifications, but it does recommend at least 10 years of hands-on IT experience with 5 years in broad security experience, which typically includes prior exposure to architecture-level decision-making.

How does Domain 2 relate to job roles after certification?

Security Architecture competencies map closely to roles such as security architect and cloud security architect, making this domain particularly relevant for candidates targeting design-focused career paths.
