Read-only Code Scholars guide

AP Cybersecurity study guide for evidence-based defenders.

This guide is organized around the official AP Cybersecurity unit sequence, but the explanations, study prompts, and school-friendly scenarios are written for Code Scholars students.


Exam mode

Fully digital in Bluebook; every question is scenario-centered.

Section I

60 multiple-choice questions in 80 minutes, worth 70% of the exam score.

Section II

1 free-response investigation in 50 minutes, worth 30% of the exam score.

Core habit

Read the asset, weakness, evidence, and requested control before choosing an answer.

Detailed Notes

Full AP Cybersecurity notes on this page

The landing guide now includes the same detailed unit explanations, exam connections, and security reasoning students need before they open practice questions.

Unit 1 Detailed Notes

Introduction to Security

This unit builds the AP Cyber vocabulary students use everywhere else: assets, vulnerabilities, threats, controls, authentication, adversaries, risk, and responsible use of AI.

Open Unit Page

Security questions start with the protected asset

Every security decision begins by naming what must be protected. In AP Cybersecurity, the asset might be an account, a phone, a classroom laptop, a database, a building entry system, or the availability of a school service. If the answer does not protect the asset named in the prompt, it is probably solving the wrong problem.

After naming the asset, separate the condition from the possible event. A shared password, open Wi-Fi network, or outdated device is a vulnerability. Account takeover, data exposure, denial of service, or unauthorized change is the threat or impact that may result.

Mitigation is not a magic word for any security tool. A mitigation must change the likelihood or impact of the specific risk. MFA reduces the value of a stolen password; training helps reduce social engineering success; logging improves detection and investigation.

Exam Connection

When choices sound similar, prefer the answer that ties asset, weakness, and control together instead of the answer that only names a security product.

Social engineering targets workflow, trust, and pressure

Social engineering works because people follow routines and trust familiar names, logos, roles, and urgent requests. A convincing message may pressure a student to click quickly, ask a staff member to bypass a normal process, or trick a family member into sharing a one-time code.

The safest response is usually procedural: verify through a separate trusted channel, report the message, avoid using links in the suspicious message, and preserve evidence. “Tell users to be careful” is weaker than designing a workflow that makes verification normal.

Personal information can become a security weakness. Birthdays, school names, pet names, and activity details may help attackers guess passwords, answer recovery questions, or craft more believable messages.

Exam Connection

Look for the requested action in the scenario. If the attacker wants a code, password, reset link, or download, the best answer usually blocks that action and verifies separately.

Authentication proves identity; authorization limits actions

Authentication answers “Who are you?” Authorization answers “What are you allowed to do?” A secure system needs both. A user can log in correctly and still have too much access if permissions are poorly managed.

Multi-factor authentication is powerful because it requires more than one kind of proof. If a password is stolen, the attacker still needs another factor. MFA is especially important for email, administrator accounts, financial systems, and any account that can reset other accounts.

Account lifecycle matters. Old accounts, shared administrator accounts, and permissions that remain after a role changes all create risk. Security is not only about login; it is also about reviewing and removing access.

Exam Connection

Do not choose an answer that only makes passwords more complex if the scenario clearly involves stolen credentials, excessive permissions, or account recovery abuse.

AI changes both attack speed and defensive review

AI tools can help attackers draft more convincing messages, translate scams, imitate voices, summarize public information about a target, or generate variants of malicious code. That does not make every attack advanced, but it can make attacks faster and harder to spot.

Defenders can also use AI to review configuration ideas, summarize logs, suggest detection rules, and help triage large volumes of events. The important habit is verification: AI output should be checked by a knowledgeable person before it becomes a real security decision.

Sensitive information should not be pasted into unapproved AI tools. A prompt can reveal internal system details, personal data, or incident information that should remain protected.

Exam Connection

Strong AI-security answers balance usefulness with review, privacy, and verification. Avoid choices that treat AI as either always trustworthy or always useless.

Unit 2 Detailed Notes

Securing Physical Spaces

This unit shifts security from accounts to rooms, devices, entry points, storage areas, visitor flow, and evidence from physical access controls.

Open Unit Page

Physical access can become digital compromise

Cybersecurity is not limited to screens and networks. If someone can enter a room, view a password, take a laptop, plug into a network port, or use an unlocked device, they may gain digital access without attacking software at all.

Physical spaces contain assets and pathways. A classroom, lab, server closet, front desk, or storage cabinet has different people, devices, records, and visitor patterns. Good security fits the space instead of applying the same control everywhere.

The strongest recommendations often combine people, process, and technology: visitor badges, escort rules, locked storage, screen locks, sign-out records, and awareness about shoulder surfing or tailgating.

Exam Connection

When the prompt describes a room or device location, do not jump straight to encryption or firewall answers unless the physical access path is also addressed.

Controls can prevent, deter, detect, or document

A lock or badge reader can prevent unauthorized access. A camera may deter behavior and help investigate later. A sign-out sheet documents who had responsibility. A tamper-evident seal shows that something may have been opened.

Detection controls are only useful when someone reviews them and knows what action follows. A camera that no one checks or an inventory record that is never reconciled provides weak operational value.

A control should match the asset. A visitor sign-in process may be enough for a public lobby, while a server closet requires stricter access control and better audit evidence.

Exam Connection

Identify whether the question asks for prevention, detection, accountability, or recovery. The best control depends on that verb.

Usability matters in physical security

Physical controls fail when they make normal work too difficult. If a policy causes students or staff to prop open doors, share badges, or skip sign-out steps, the real system is less secure than the written rule.

Good designs make the secure action the easy action. Examples include a convenient visitor desk, clear badge expectations, automatic screen locks, labeled storage, and simple reporting for missing devices.

Security tradeoffs should be named. A stricter access rule may improve accountability but slow movement; more cameras may improve investigation but create privacy concerns.

Exam Connection

For free-response questions, a short tradeoff sentence can strengthen the answer when the recommendation affects school operations or privacy.

Physical evidence should be correlated

A missing device, unknown visitor, or open cabinet should not be investigated from one clue alone. Useful evidence may include badge logs, camera footage, sign-out sheets, Wi-Fi connection logs, device management records, and staff schedules.

Evidence has limits. Badge logs show a credential was used, not always the person holding it. Camera footage may have blind spots. A sign-out sheet can be wrong or incomplete.

A careful analyst builds a timeline: when the asset was last known safe, who had access, what changed, what logs support that story, and what action should happen next.

Exam Connection

Avoid claiming certainty from one physical clue. Phrase conclusions as supported by evidence and recommend the next record to check.

Unit 3 Detailed Notes

Securing Networks

This unit covers how devices communicate, how defenders reduce unnecessary access, and how logs, firewall rules, segmentation, wireless controls, and monitoring reveal network risk.

Open Unit Page

Networks are about permitted communication

A network security question usually asks who should be allowed to communicate with what. Think in terms of source, destination, service, direction, and business need. A student laptop, guest phone, web server, and grade database should not all have equal access.

Segmentation limits the blast radius of a compromise. If a guest device is infected, it should not be able to reach administrative systems. If a web server is public, it should still have limited access to internal databases.

Least privilege applies to traffic too. Allow only the connections required for the workflow and block unnecessary paths.

Exam Connection

For firewall or segmentation questions, translate the scenario into “A may talk to B using C, but not D.” That plain sentence usually reveals the answer.

Firewall rules require careful reading

A firewall rule is not just “allow” or “deny.” The meaning depends on source, destination, protocol, port, order, and whether the rule is an exception. A rule that allows one service should not be expanded to all services.

A common exam trap is choosing a broad rule because it makes the application work. A safer rule is narrow enough to support the need without opening unrelated access.

Rule order matters in real systems: most firewalls apply the first rule that matches and never consult the rules below it, so a broad allow placed above a narrow deny silently cancels the deny. If the course scenario shows a table and the prompt says the first matching rule applies, read from top to bottom and stop at the first match.
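The following is an added worked example, not Code Scholars material and not a real school's rule set; the addresses, hosts, and rule comments are assumptions chosen to illustrate the "A may talk to B using C, but not D" reading. It models first-match evaluation and compares a narrow rule set against one with two common mistakes: the guest allow rule moved above the guest deny, and a web-to-database rule widened to "any" to make an application work.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port; None means any port
    note: str = ""         # the business need the rule exists to serve

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


def evaluate(rules, src_ip, dst_ip, proto, port, default="deny"):
    """First-match evaluation: the first rule that matches decides and nothing
    below it is consulted. Returns (action, index of the matching rule),
    with index -1 when only the implicit default applied."""
    for i, rule in enumerate(rules):
        if rule.matches(src_ip, dst_ip, proto, port):
            return rule.action, i
    return default, -1


# Constructed example networks (assumptions, not a real school network).
GUEST_WIFI = "192.168.50.0/24"
INTERNAL   = "10.0.0.0/8"
WEB_SERVER = "10.10.1.10/32"
GRADE_DB   = "10.10.2.20/32"
ADMIN_NET  = "10.10.9.0/24"
ANY        = "0.0.0.0/0"

# Plain-English intent: guests may browse the internet over HTTP/HTTPS but never
# reach internal systems; the web server may query the grade database on its
# database port only; admins may SSH to the database host. Everything else is denied.
NARROW = [
    Rule("deny",  GUEST_WIFI, INTERNAL, "any", None, "guests never reach internal systems"),
    Rule("allow", GUEST_WIFI, ANY,      "tcp", 443,  "guest web browsing"),
    Rule("allow", GUEST_WIFI, ANY,      "tcp", 80,   "guest web browsing"),
    Rule("allow", WEB_SERVER, GRADE_DB, "tcp", 5432, "web app queries the grade database"),
    Rule("allow", ADMIN_NET,  GRADE_DB, "tcp", 22,   "admin maintenance"),
]

# Same intent, two mistakes: the guest allow now sits above the deny (port 443
# reaches internal hosts), and web-to-database was widened to "any" port.
BROAD = [
    Rule("allow", GUEST_WIFI, ANY,      "tcp", 443,  "guest web browsing"),
    Rule("deny",  GUEST_WIFI, INTERNAL, "any", None, "guests never reach internal systems"),
    Rule("allow", WEB_SERVER, GRADE_DB, "any", None, "make the app work"),
    Rule("allow", ADMIN_NET,  GRADE_DB, "tcp", 22,   "admin maintenance"),
]


def compare(src_ip, dst_ip, proto, port):
    """Decision of the narrow and broad rule sets for one flow, e.g. ('deny', 'allow')."""
    return (evaluate(NARROW, src_ip, dst_ip, proto, port)[0],
            evaluate(BROAD, src_ip, dst_ip, proto, port)[0])


if __name__ == "__main__":
    flows = [
        ("192.168.50.7", "10.10.9.5",    "tcp", 443),   # guest to an internal admin console
        ("192.168.50.7", "203.0.113.10", "tcp", 443),   # guest to an internet site
        ("10.10.1.10",   "10.10.2.20",   "tcp", 5432),  # web app to the database port
        ("10.10.1.10",   "10.10.2.20",   "tcp", 22),    # web server trying to SSH to the database
    ]
    for f in flows:
        narrow, broad = compare(*f)
        print(f"{f[0]} -> {f[1]}:{f[3]}/{f[2]}  narrow={narrow}  broad={broad}")
```

The two flows that differ are the ones the exam traps are built on: the guest reaching an internal host on 443 (rule order) and the web server reaching the database on a port it has no business using (an over-broad allow). Both rule sets make the application "work"; only the narrow one limits the blast radius.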

Exam Connection

Reject answers that use “allow all” logic unless the prompt clearly describes a low-risk public resource with no sensitive connection.

Wireless risk extends beyond the walls

Wireless networks broadcast through physical space, so attackers may interact from a hallway, parking lot, neighboring room, or public area. This makes authentication, encryption, approved access points, and separation especially important.

Guest Wi-Fi should be separated from internal services. A visitor may need internet access, but that does not mean they need access to printers, databases, school file shares, or administrative systems.

Rogue access points and look-alike networks exploit trust. Users may connect to a network name that appears familiar unless devices and policies guide them toward approved networks.

Exam Connection

A hidden SSID alone is weak: the network name is still carried in the frames clients send when they look for and join the network, so hiding it mainly inconveniences legitimate users. Look for answers involving strong authentication, encryption, approved access points, and network separation.

Network logs are evidence, not instant conclusions

Network logs can show blocked traffic, repeated connection attempts, unusual destinations, unexpected ports, DNS lookups, or activity outside normal hours. These signals help analysts decide what to investigate.

One unusual event may have a harmless explanation. Stronger evidence usually comes from patterns or correlation: firewall logs plus authentication logs, DNS logs plus endpoint alerts, or repeated attempts from the same source.

Detection and response are linked. A log entry should lead to a next step such as checking device ownership, reviewing authentication, isolating a host, or updating a rule.
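The following is an added example, not Code Scholars material; the log lines are constructed for the demonstration and the "timestamp log key=value" format, the thresholds, and the working-hours window are assumptions. It shows the correlation the section describes: a single failed login is noise, but several failures followed by a success from a source that the firewall also blocked earlier, outside normal hours, becomes a finding that points at a next step rather than a verdict.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs (not records from any real system).
FIREWALL_LOG = """\
2024-03-04T02:09:41 fw action=deny src=203.0.113.77 dst=10.10.2.20 dport=22 proto=tcp
2024-03-04T02:09:42 fw action=deny src=203.0.113.77 dst=10.10.2.20 dport=3389 proto=tcp
2024-03-04T02:09:43 fw action=deny src=203.0.113.77 dst=10.10.2.20 dport=445 proto=tcp
2024-03-04T02:09:44 fw action=allow src=203.0.113.77 dst=10.10.1.10 dport=443 proto=tcp
2024-03-04T08:55:10 fw action=allow src=10.10.9.5 dst=10.10.1.10 dport=443 proto=tcp
"""

AUTH_LOG = """\
2024-03-04T02:12:01 auth result=FAIL user=jlee src=203.0.113.77
2024-03-04T02:12:09 auth result=FAIL user=jlee src=203.0.113.77
2024-03-04T02:12:17 auth result=FAIL user=jlee src=203.0.113.77
2024-03-04T02:12:25 auth result=FAIL user=jlee src=203.0.113.77
2024-03-04T02:13:02 auth result=OK user=jlee src=203.0.113.77
2024-03-04T08:56:00 auth result=FAIL user=mkim src=10.10.9.5
2024-03-04T08:56:20 auth result=OK user=mkim src=10.10.9.5
"""

LINE = re.compile(r"^(?P<ts>\S+) (?P<log>\S+) (?P<fields>.*)$")


def parse(text):
    """Turn 'timestamp log key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # one malformed line must not abort the whole review
        ev = dict(kv.split("=", 1) for kv in m["fields"].split())
        ev["ts"] = datetime.fromisoformat(m["ts"])
        ev["log"] = m["log"]
        events.append(ev)
    return events


def correlate(fw_text, auth_text, fail_threshold=3, window=timedelta(minutes=10),
              work_hours=(7, 18)):
    """Findings keyed by source IP. A finding requires at least `fail_threshold`
    failed logins within `window` before a successful login from the same source.
    Firewall denies from that source and off-hours timing are attached as
    supporting evidence; they do not create a finding on their own."""
    denied_ports = defaultdict(set)
    for ev in parse(fw_text):
        if ev["action"] == "deny":
            denied_ports[ev["src"]].add(int(ev["dport"]))

    by_src = defaultdict(list)
    for ev in parse(auth_text):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        for i, ev in enumerate(events):
            if ev["result"] != "OK":
                continue
            fails = [f for f in events[:i]
                     if f["result"] == "FAIL" and ev["ts"] - f["ts"] <= window]
            if len(fails) >= fail_threshold:
                findings[src] = {
                    "user": ev["user"],
                    "failed_before_success": len(fails),
                    "success_at": ev["ts"].isoformat(),
                    "off_hours": not (work_hours[0] <= ev["ts"].hour < work_hours[1]),
                    "firewall_denied_ports": sorted(denied_ports[src]),
                    "next_step": "confirm with the account owner, check MFA and session records, "
                                 "and be ready to end the session and reset the credential",
                }
                break
    return findings


if __name__ == "__main__":
    for src, finding in correlate(FIREWALL_LOG, AUTH_LOG).items():
        print(src, finding)
```

The second user in the sample (one typo, then a success at 08:56 from an internal address) produces no finding, which is the point: the rule is built around a pattern, and the firewall and timing fields are reported as evidence to weigh, not as proof of compromise.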

Exam Connection

If the question asks what the evidence shows, avoid overclaiming. If it asks what to do next, choose the next investigation or containment step that fits the evidence.

Unit 4 Detailed Notes

Securing Devices

This unit focuses on endpoints: laptops, tablets, phones, lab machines, shared devices, IoT equipment, and the controls that keep them trustworthy.

Open Unit Page

Device security starts with a known-good baseline

A baseline is the expected secure configuration for a device: approved software, screen lock, current updates, limited services, logging, encryption where appropriate, and managed administrator access.

Hardening removes unnecessary risk. If a service, app, port, or permission is not needed, it should not remain enabled by default. This reduces the number of ways a device can be misused.

Shared devices need extra care because many users touch them. Sign-in rules, automatic logout, device management, and clear ownership make investigations easier.

Exam Connection

When a scenario says “shared,” “lab,” or “public device,” think about screen locks, standard accounts, sign-out, device management, and accountability.

Patching is prioritized risk reduction

A patch fixes a known weakness, but patching is also an operational process. Teams must know which devices exist, which versions they run, which vulnerabilities matter most, and when updates can be applied safely.

Internet-facing systems, devices with sensitive data, and systems with known exploited vulnerabilities should usually be prioritized. A low-risk device may still need updates, but urgency depends on exposure and impact.

Unofficial fixes and random downloads can create new risk. Patches should come from trusted sources and be tracked so defenders know what changed.

Exam Connection

If all devices cannot be patched at once, rank by exposure, sensitivity, and known exploitation rather than by convenience alone.

Endpoint alerts need containment and scope

Malware can steal data, encrypt files, persist for later access, spy on activity, or use a device as a stepping stone. An endpoint alert is the beginning of investigation, not the end.

Containment may include disconnecting from the network, disabling an account, quarantining a file, preserving logs, or rebuilding the device. The action should match the severity and evidence.

Scope asks whether the problem is isolated or broader. Analysts compare similar devices, recent logins, file changes, network connections, and alerts from the same time period.

Exam Connection

Do not stop at “run antivirus” if the prompt asks for incident response. Include evidence preservation, containment, and scope.

Least privilege improves device accountability

Routine users should not operate as administrators because malware or mistakes inherit the user’s privileges. Standard accounts reduce the damage that one compromised session can cause.

Shared administrator accounts weaken evidence because actions cannot be tied to a specific person. Named admin accounts, approval processes, and logs create better accountability.

Logs matter only if they are enabled, protected, and reviewed. A device event log can help identify logins, installs, setting changes, and failures.

Exam Connection

When a prompt mentions unknown changes, suspicious installs, or shared admin passwords, least privilege and named accounts are likely relevant.

Unit 5 Detailed Notes

Securing Applications and Data

This unit brings together permissions, application behavior, input handling, cryptography, data protection, backups, logs, and privacy-minded security decisions.

Open Unit Page

CIA is a practical decision tool

Confidentiality means only authorized people can read data. Integrity means data and actions are accurate and protected from unauthorized change. Availability means systems and data are usable when needed.

Many controls support more than one part of CIA, but AP answers should identify the most direct connection. Encryption primarily protects confidentiality; backups support availability and recovery; access control can protect both confidentiality and integrity.

The same incident can affect multiple goals. Public edit access threatens integrity, but if private data is visible it also threatens confidentiality.

Exam Connection

Before choosing a control, name the primary CIA concern in the scenario. This prevents choosing a recovery control for a confidentiality problem or a secrecy control for an availability problem.

Permissions should reflect roles and data ownership

Applications often fail because access grows over time. A user gets editor access for one project, changes roles, and keeps permissions long after the need is gone.

Role-based access keeps permissions tied to job functions. Owners or approvers should review who can view, edit, share, delete, export, or administer important data.

Public links, inherited folder permissions, stale accounts, and shared accounts are common hidden risks. The safest answer often involves review and least privilege, not simply trusting users.

Exam Connection

If the prompt mentions old users, public sharing, or too many editors, choose permission review, ownership approval, and least privilege.

Encryption, hashing, encoding, and compression are different

Encryption protects secrecy by making data unreadable without the key. It can protect data in transit, such as through TLS, and data at rest, such as stored files or databases.

Hashing creates a fixed-length output used for comparison or integrity checks. A secure password system should never store readable passwords; it should store salted, deliberately slow password hashes and, at login, recompute the hash from the submitted password and compare the two values.

Encoding changes representation, and compression reduces size. Neither should be described as protecting secrets by itself.
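The following is an added example, not Code Scholars material; the sample secret is constructed and the PBKDF2 iteration count is an assumption for illustration. It makes the four distinctions concrete: base64 and compression round-trip with no key at all, a SHA-256 digest verifies a value without revealing it, and password storage needs more than a plain hash, namely a per-user salt and a deliberately slow derivation compared in constant time.

```python
import base64
import hashlib
import hmac
import os
import zlib

# Constructed sample value; treat it as something that must not be readable at rest.
SECRET = b"grade-export-token-2024"


def roundtrip_base64(data: bytes) -> bytes:
    """Encoding changes representation only: anyone can reverse it with no key."""
    return base64.b64decode(base64.b64encode(data))


def roundtrip_compress(data: bytes) -> bytes:
    """Compression reduces size only: it is reversible by design and hides nothing."""
    return zlib.decompress(zlib.compress(data))


def sha256_hex(data: bytes) -> str:
    """Hashing: a fixed-length, one-way digest. Use it to verify a value, not to protect it."""
    return hashlib.sha256(data).hexdigest()


def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """Integrity check: recompute the digest and compare in constant time."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)


# Password storage. A fast hash such as plain SHA-256 is not enough for passwords:
# the stored value must be salted (so two users with the same password store
# different values) and slow (so each guess costs the attacker real work).
# The iteration count below is an assumption for this example; set it from current guidance.
def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), dk.hex()])


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


if __name__ == "__main__":
    print("base64 is readable by anyone:", base64.b64encode(SECRET).decode())
    print("round trips:", roundtrip_base64(SECRET) == SECRET, roundtrip_compress(SECRET) == SECRET)
    print("digest:", sha256_hex(SECRET))
    a = hash_password("correct horse battery")
    b = hash_password("correct horse battery")
    print("same password, different stored values:", a != b)
    print("verify:", verify_password("correct horse battery", a), verify_password("wrong", a))
```

Notice what is absent: nothing here encrypts the secret. Keeping it readable only to key holders needs a cipher and key management, which is the separate "encryption" answer on the exam; hashing it would verify it but would not let the application use it again.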

Exam Connection

If the goal is secrecy, think encryption. If the goal is verifying a value without revealing the original, think hashing. Do not confuse either with encoding.

Applications need secure input, logs, and recovery

Applications can be attacked through weak input handling, broken access control, exposed secrets, unsafe configuration, and missing logs. Secure design checks user input and verifies authorization before sensitive actions.
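The following is an added example, not Code Scholars material; the grade table and usernames are constructed sample data. It places the vulnerable form beside the hardened one for the two failures the paragraph names: unsafe input handling (a query built by pasting user text into SQL) and a missing authorization check before a sensitive action.

```python
import re
import sqlite3


def build_db():
    """Constructed in-memory grade book (sample data, not a real roster)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE grades(student TEXT, course TEXT, grade TEXT);
        INSERT INTO grades VALUES
            ('alice', 'Algebra', 'A'),
            ('bob',   'Algebra', 'B'),
            ('carol', 'Biology', 'C');
    """)
    return conn


STUDENT_ID = re.compile(r"^[a-z0-9_]{1,32}$")


def valid_student_id(value: str) -> bool:
    """Input validation: reject anything that does not look like a username.
    This narrows what reaches the query, but it is not the injection defense
    by itself; the parameterized query below is."""
    return bool(STUDENT_ID.match(value))


def grades_unsafe(conn, student):
    """VULNERABLE, kept only to show the failure: user input becomes part of the SQL text."""
    sql = f"SELECT student, course, grade FROM grades WHERE student = '{student}'"
    return conn.execute(sql).fetchall()


def grades_safe(conn, student):
    """Parameterized query: the value travels separately from the SQL and can never become SQL."""
    return conn.execute(
        "SELECT student, course, grade FROM grades WHERE student = ?", (student,)
    ).fetchall()


def my_grades(conn, session_user, requested_student, roles=frozenset()):
    """Authorization first, then validation, then the safe query.
    A student may read only their own rows; a teacher may read any student's."""
    if session_user != requested_student and "teacher" not in roles:
        raise PermissionError(f"{session_user} may not read grades for {requested_student}")
    if not valid_student_id(requested_student):
        raise ValueError("student id has an unexpected form")
    return grades_safe(conn, requested_student)


if __name__ == "__main__":
    conn = build_db()
    payload = "alice' OR '1'='1"                     # classic tautology injection string
    print("unsafe:", grades_unsafe(conn, payload))   # every row in the table leaks
    print("safe:  ", grades_safe(conn, payload))     # no student has that literal name
    print("own:   ", my_grades(conn, "alice", "alice"))
```

The order inside my_grades is deliberate: the role check runs before anything touches the database, so a logged-in student who edits the request to another student's name is refused even though they authenticated correctly, which is exactly the authentication-versus-authorization distinction from Unit 1.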

Logs help answer what happened, who acted, what changed, and when. However, logs can also contain sensitive data, so they need access control and retention rules.

Backups and version history support recovery after deletion, corruption, ransomware, or mistaken changes. A backup is only useful if it can actually be restored.

Exam Connection

For application scenarios, connect the control to the failure: validation for unsafe input, role checks for unauthorized access, logs for investigation, backups for recovery.

How to Use This Guide

The Code Scholars four-step security loop

Students should use the same loop for MCQ scenarios, free-response investigations, and unit review.

1. Protect the right asset

Name the thing being protected first: account, device, room, network segment, application, data set, or workflow.

2. Separate weakness from threat

A vulnerability is the condition that can be abused. A threat is what could happen because of that condition.

3. Choose a matching control

The best mitigation directly reduces the stated risk and fits the environment, not just a security term that sounds strong.

4. Justify with evidence

AP Cyber answers should point back to logs, permissions, policies, configurations, user roles, or observed behavior.

Study Plan

How to turn the notes into exam readiness

The AP Cyber exam rewards accurate security decisions from evidence. Use this sequence before moving into unit drills.

Build the map

Read each unit once for the big picture. Your goal is not memorization yet; it is knowing which unit owns which kind of risk.

Annotate scenarios

For every practice question, mark the protected asset, the weakness, the evidence, the likely impact, and the control being requested.

Practice decisions

Use MCQ and short written drills to choose proportional controls. A strong answer names the control and explains why it fits the stated environment.

Review vocabulary in context

Do not study terms as isolated flashcards only. Attach each term to a tiny scenario, a log clue, or a mitigation decision.

All Five Units

Complete AP Cybersecurity unit map

Each unit page includes topic notes, traps to avoid, a defensive checklist, evidence drill, review questions, and vocabulary.


Unit 1

Introduction to Security

This unit builds the AP Cyber vocabulary students use everywhere else: assets, vulnerabilities, threats, controls, authentication, adversaries, risk, and responsible use of AI.

asset, vulnerability, threat, mitigation, MFA, social engineering

Security Thinking and Risk Language

For any scenario, write a four-part sentence: The asset is __, the vulnerability is __, the threat is __, so the mitigation should __.

Social Engineering and Human Workflow

The best defense usually combines verification, reporting, training, and authentication controls rather than telling users to simply be careful.

Authentication and Account Protection

Use multi-factor authentication for important accounts, remove old access, avoid shared administrator accounts, and review unusual login signals.

Adversaries, Motives, and AI-Enabled Risk

Treat AI output as a draft, not an authority. Verify recommendations and do not paste sensitive configurations into untrusted tools.

Open Unit 1 Guide

Unit 2

Securing Physical Spaces

This unit shifts security from accounts to rooms, devices, entry points, storage areas, visitor flow, and evidence from physical access controls.

physical control, tailgating, deterrence, badge log, inventory, chain of custody

Assets, Spaces, and Exposure

Map where an asset lives, who touches it, what happens if it is lost or changed, and whether the space supports that risk level.

Preventive Physical Controls

Match control strength to the asset. A public classroom printer needs different protection than an administrator laptop cart.

Detection and Accountability

Detection controls are strongest when they are reviewed and correlated with user schedules or device records.

Tailgating, Shoulder Surfing, and Device Handling

Use awareness, badges, clean-desk habits, screen locks, port control, and escort rules as layered defenses.

Open Unit 2 Guide

Unit 3

Securing Networks

This unit covers how devices communicate, how defenders reduce unnecessary access, and how logs, firewall rules, segmentation, wireless controls, and monitoring reveal network risk.

segmentation, firewall, source, destination, protocol, port

Network Segmentation and Exposure

Ask what traffic is necessary. Then deny or isolate traffic that is not needed for the workflow.

Firewall and Rule Reasoning

Translate rules into plain English before answering: who can talk to whom, over what service, and what is blocked.

Wireless, Rogue Devices, and Network Access

Choose encrypted, authenticated Wi-Fi for internal resources and keep guest networks separated from sensitive systems.

Network Evidence and Indicators

Treat a log as evidence to investigate, not automatic proof. Correlate firewall, DNS, authentication, and application data.

Open Unit 3 Guide

Unit 4

Securing Devices

This unit focuses on endpoints: laptops, tablets, phones, lab machines, shared devices, IoT equipment, and the controls that keep them trustworthy.

hardening, baseline, patch, endpoint, malware, quarantine

Hardening and Baselines

Pick controls that reduce routine compromise while allowing the device to do its job.

Patch and Vulnerability Management

If a device is busy, schedule maintenance rather than ignoring the update forever.

Malware, Endpoint Detection, and Response

Preserve logs, report through the approved process, isolate affected systems when needed, and avoid running suspicious files.

Device Accounts, Logs, and Least Privilege

Use standard accounts for normal work, admin accounts for approved maintenance, and logs to investigate unexpected behavior.

Open Unit 4 Guide

Unit 5

Securing Applications and Data

This unit brings together permissions, application behavior, input handling, cryptography, data protection, backups, logs, and privacy-minded security decisions.

confidentiality, integrity, availability, role-based access, encryption, hashing

CIA Triad for Applications

Match each control to the part of CIA it protects. Access control often protects confidentiality and integrity; backups support availability and recovery.

Roles, Permissions, and Data Ownership

Use role-based access, periodic review, owner approval, and least privilege for shared data.

Cryptography, Hashing, and Data Movement

Use encryption for sensitive data in transit and at rest when appropriate; use hashing when you need to verify without revealing the original value.

Application Attacks, Logs, and Recovery

Prefer input validation, safe query methods, permission checks, logging, backups, and incident response steps that match the evidence.

Open Unit 5 Guide

Exam Strategy

How to answer AP Cyber questions

The exam rewards careful reading more than memorized buzzwords. Use evidence, controls, and proportional recommendations.

Multiple-choice habits

  • Underline the protected asset and the suspicious signal before looking at choices.
  • Reject answers that change the scenario, overreact without evidence, or solve a different risk.
  • For rule tables, translate each row into plain English before deciding whether traffic should pass.
  • For logs, decide what the record is evidence of: prevention (something was blocked), detection (something was noticed), investigation (what happened and who acted), or recovery.

Free-response habits

  • Write in the order: evidence, risk, recommendation, reason the recommendation works.
  • Do not claim certainty from one clue. Use language such as suggests, indicates, or should be investigated when evidence is partial.
  • Tie every mitigation to the asset it protects and the weakness it addresses.
  • Mention tradeoffs when appropriate: usability, cost, operational disruption, privacy, or false positives.

Core Glossary

Terms students should know in scenario context

These definitions are intentionally tied to security decisions, not just memorized vocabulary.

asset

Something valuable that needs protection, such as an account, device, network, room, application, or data set.

vulnerability

A weakness or condition that could be exploited, such as outdated software, excessive permissions, or an unlocked device.

threat

A possible harmful event or actor that could take advantage of a vulnerability.

mitigation

A control or action that reduces likelihood, impact, or both.

residual risk

Risk that remains after controls are applied.

least privilege

Giving users, devices, or traffic only the access needed for the job.

segmentation

Separating systems or networks to limit unnecessary access and reduce blast radius.

audit log

A record of events used for accountability, monitoring, and investigation.

encryption

A method for protecting confidentiality by making data unreadable without the appropriate key.

hashing

A one-way transformation used for comparison or integrity checks, not for recovering the original value.

MFA

Multi-factor authentication, which requires more than one type of proof before access is granted.

hardening

Reducing unnecessary device or system risk by applying secure settings and removing unneeded access.

Reference Scope

Sources used for topic scope

The prose and study prompts on this page are original Code Scholars material. These sources were used only to understand course scope and security framing.