What Is AP Cybersecurity? Complete 2026 Course & Exam Guide

A teacher-and-student guide to what AP Cybersecurity covers, how it differs from AP CSA, which units are live right now, and how to prepare for the exam.

Updated March 2026 · Units 1–3 Live · Teacher + Student Guide

AP Cybersecurity is live now at APCSExamPrep.com. Units 1–3 are fully available — including all lessons, exercises, labs, and quizzes. Units 4–5 launch April 2026.

What AP Cybersecurity Is (and Is Not)

AP Cybersecurity is an Advanced Placement course built around a single question: how do attackers exploit systems, and how do defenders stop them?

It is not a hacking course. It is not a pure programming course. The focus is applied security reasoning: identify an attack vector, classify the technique, evaluate the damage, and select controls that actually reduce risk.

  • Identify the attacker’s goal and entry point
  • Classify the technique (phishing vs. spear phishing vs. pretexting, etc.)
  • Evaluate impact (what gets exposed, what breaks, what cascades)
  • Select defenses that reduce likelihood and limit damage

The Core Skill

Students earn points by explaining why something is risky and why a specific defense works — not by memorizing buzzwords.

The Five Content Domains

AP Cybersecurity is organized into five units. If you master the reasoning framework for each, you are ready for the exam:

Unit 1 — Introduction to Security (Live ✓)

Human risk is the #1 attack surface. Students analyze social engineering (phishing, vishing, pretexting), AI-driven personalization attacks, password vulnerabilities, and public Wi-Fi dangers. Core skill: identify the psychological principle being exploited and the defense that specifically addresses it.

Unit 2 — Securing Spaces (Live ✓)

Physical access, environmental controls, surveillance, and the security of the space around a device — not just the device itself. Students learn that many attacks bypass digital controls entirely by targeting physical access.

Unit 3 — Securing Networks (Live ✓)

Network topology, data flow, segmentation, firewalls, intrusion detection, and where data is exposed in transit. Students learn why network architecture choices directly determine an attacker’s blast radius.

Unit 4 — Securing Devices (April 2026)

Endpoint security: malware taxonomy, authentication models, hardening, patch management, and the growing risk surface of IoT devices.

Unit 5 — Securing Applications & Data (April 2026)

Cryptography fundamentals (symmetric vs. asymmetric, hashing vs. encryption), PKI, application vulnerabilities, and why “crypto done wrong” is often worse than no crypto.

AP Cybersecurity vs. AP Computer Science A

These courses serve different goals — and they pair extremely well together:

                      | AP Cybersecurity                        | AP Computer Science A
Core Focus            | Defend systems; analyze threats         | Build software in Java
Primary Skill         | Applied security reasoning              | Programming & algorithm design
Exam Format           | MCQ + performance tasks (expected 2027) | 42 MCQ + 4 FRQ (May 2026)
Programming Intensity | Low — concept-driven                    | High — Java throughout
Best For              | Security, IT, networking pathways       | Software engineering, CS pathways

Best Fit Guidance

Students who want to build software should prioritize AP CSA. Students who want to defend systems or pursue security/IT pathways get the fastest early advantage from AP Cybersecurity. Many strong students take both.

Exam Format (Official — Released 2026)

The College Board has officially released the AP Cybersecurity exam structure. Here is what is confirmed:

Section I: 60 MCQ · 80 min · 70% of score
Section II: 1 FRQ · 50 min · 30% of score

Fully digital via Bluebook. The FRQ is a device security analysis task — students receive firewall rules, system logs, file permissions, and a device policy, then must identify attacks, configure settings, and suggest hardening measures.

The exam tests four skills that spiral through all 5 units: Analyze Risk, Mitigate Risk, Detect Attacks, and Collaborate.

How to Prepare

For Students

  • Learn every vocabulary term in scenario context, not just as a definition
  • Practice the “classify + justify” loop weekly: What is the attack? Why does it work? What stops it?
  • Study real incidents — the concepts become memorable when anchored to actual breaches
  • Build the habit of noticing security decisions in everyday life (Wi-Fi prompts, email links, account recovery flows)

For Teachers

  • Structure every lesson as: concept → worked example → scenario practice → quiz
  • Assess with short scenario prompts more often than traditional tests — the exam will test applied reasoning
  • Build in “tradeoff discussions”: present a security decision and have students argue both sides
  • Use the APCSExamPrep.com course for structured lessons, exercises, and quizzes that match the exam format

Practice: AP Cybersecurity MCQs

3 harder-difficulty questions — select an answer, then reveal the explanation.

Question 1 of 3 — Identify the Flaw

An IT administrator configures the following authentication policy for a mid-size organization:

  • Minimum 10 characters; must include uppercase, number, and special character
  • Passwords expire every 60 days
  • Last 5 passwords cannot be reused
  • No limit on failed login attempts before lockout

Which of the following represents the MOST SIGNIFICANT security weakness in this policy?

  A. The 60-day expiration window provides attackers too long to exploit stolen credentials before a forced reset
  B. Requiring multiple character types simultaneously reduces the overall entropy of chosen passwords
  C. The absence of account lockout allows unlimited automated credential-guessing against any account
  D. Allowing reuse after only 5 previous passwords enables users to cycle back to weak credentials too quickly

Answer: C — Explanation

Why C: With no account lockout, an attacker can run automated brute-force or credential-stuffing tools against any account indefinitely. Even a 10-character password with complexity requirements can be compromised at scale when there is no rate limiting or lockout mechanism. This is the most direct and exploitable gap in the policy.

Why not A: 60-day expiration is a real concern, but NIST now recommends against frequent forced rotation specifically because it leads to predictable cycling patterns — it is a secondary issue, not the most significant flaw here.

Why not B: Character type requirements actually increase complexity. This option is designed to sound plausible but is factually incorrect — requiring more character types expands the keyspace.

Why not D: The 5-password reuse restriction is a minor concern, but it does not expose the organization to the same immediate, scalable risk as unlimited login attempts.
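
To make the gap in Question 1 concrete, here is an added example (not part of the original guide or the AP course materials) of a per-account lockout control, measured against the same policy with no limit. The class name, the 5-failures-in-5-minutes threshold, and the 15-minute lock are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

class LockoutPolicy:
    """Lock an account after max_failures failed logins within window_s seconds.
    max_failures=None models the policy in Question 1 (no limit)."""

    def __init__(self, max_failures=5, window_s=300, lock_s=900):
        # Threshold, window and lock duration are assumed values, not from the page.
        self.max_failures = max_failures
        self.window_s = window_s
        self.lock_s = lock_s
        self.failures = defaultdict(deque)   # user -> timestamps of recent failures
        self.locked_until = {}               # user -> time the lock expires

    def attempt(self, user, now, password_ok):
        """Process one login at time `now` (seconds); return 'locked', 'ok' or 'fail'."""
        if self.locked_until.get(user, 0) > now:
            return "locked"                  # rejected before the password is checked
        if password_ok:
            self.failures[user].clear()
            return "ok"
        recent = self.failures[user]
        recent.append(now)
        while recent and recent[0] <= now - self.window_s:
            recent.popleft()                 # forget failures older than the window
        if self.max_failures is not None and len(recent) >= self.max_failures:
            self.locked_until[user] = now + self.lock_s
            recent.clear()
        return "fail"

def guesses_checked(policy, user, n_guesses, interval_s=1):
    """Feed n wrong passwords for one account, one every interval_s seconds, and
    count how many the server actually compared against the stored password."""
    return sum(
        policy.attempt(user, i * interval_s, password_ok=False) != "locked"
        for i in range(n_guesses)
    )

if __name__ == "__main__":
    hour = 3600  # one wrong guess per second for an hour (constructed workload)
    print("no lockout :", guesses_checked(LockoutPolicy(max_failures=None), "alice", hour))
    print("with lockout:", guesses_checked(LockoutPolicy(), "alice", hour))
```

The same lock also rejects the real user's correct password until it expires, which is the availability cost a defender weighs when choosing the threshold and lock duration.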

Question 2 of 3 — Statements I, II, and III

A SOC analyst reviews authentication logs showing that a valid employee account logged in from a Chicago, IL IP address at 8:47 AM, then authenticated again from an IP address geolocated to Eastern Europe at 9:12 AM the same morning.

Which of the following conclusions are NECESSARILY SUPPORTED by this evidence alone?

  I. The account credentials have been compromised by an unauthorized third party.
  II. The second login event represents an impossible-travel anomaly.
  III. The organization’s multi-factor authentication controls have been bypassed.

  A. I only
  B. II only
  C. I and III only
  D. I, II, and III

Answer: B — Explanation

Why B (II only): The only thing the logs necessarily establish is an impossible-travel event — Chicago to Eastern Europe in 25 minutes is physically impossible. Statement II is a factual description of the log data, not an inference.

Why not I: Compromise is a reasonable inference, not a guaranteed conclusion. The user could have been connected through a VPN endpoint in Eastern Europe, or the account might be shared. The logs alone do not rule out a legitimate explanation.

Why not III: The logs show a successful authentication, but they do not indicate whether MFA was enforced or how the attacker may have obtained the second factor. We cannot conclude MFA was bypassed without additional evidence.

Exam Trap: Questions asking what evidence “necessarily supports” are testing logical precision. Eliminate any statement that requires an assumption not proven by the given data.
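
The detection behind Statement II can be written down directly. The following is an added example (not part of the original guide) that computes the implied travel speed between consecutive logins per user and flags only the anomaly, leaving the question of compromise to the investigation. The log records are constructed, the coordinates (Kyiv standing in for "Eastern Europe") and the 900 km/h threshold are assumptions.

```python
import math
from datetime import datetime

# Constructed sample events modelled on the Question 2 scenario.
EVENTS = [
    {"user": "jdoe",   "time": "2026-03-02T08:47:00", "lat": 41.88, "lon": -87.63},  # Chicago
    {"user": "jdoe",   "time": "2026-03-02T09:12:00", "lat": 50.45, "lon": 30.52},   # Kyiv (assumed)
    {"user": "asmith", "time": "2026-03-02T08:00:00", "lat": 41.88, "lon": -87.63},  # Chicago
    {"user": "asmith", "time": "2026-03-02T12:30:00", "lat": 43.04, "lon": -87.91},  # Milwaukee
]
MAX_KMH = 900  # assumed threshold, roughly airliner cruising speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Return one finding per pair of consecutive logins that implies speed > max_kmh."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):   # ISO timestamps sort as text
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        delta = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
        hours = delta.total_seconds() / 3600
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        kmh = km / hours if hours > 0 else float("inf")
        if kmh > max_kmh:
            findings.append({
                "user": ev["user"],
                "km": round(km),
                "minutes": round(hours * 60),
                # The log proves the anomaly only; VPN egress or a shared
                # account can produce the same pattern.
                "verdict": "impossible-travel anomaly, needs investigation",
            })
    return findings

if __name__ == "__main__":
    for finding in impossible_travel(EVENTS):
        print(finding)
```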

Question 3 of 3 — Defense Selection

During a penetration test, an assessor compromises a public-facing web server. After gaining a shell on the web server, the assessor discovers it can open direct TCP connections to an internal database server on port 5432 with no additional authentication required between the two systems.

Which security control, if implemented before the engagement, would have MOST DIRECTLY prevented the assessor from reaching the database server after compromising the web server?

  A. Encrypting the database contents using AES-256 encryption at rest
  B. Requiring administrators to use multi-factor authentication when accessing the web server console
  C. Installing a host-based intrusion detection system on the public-facing web server
  D. Implementing internal firewall rules denying direct connections from the web server tier to the database tier

Answer: D — Explanation

Why D: The specific problem is that the web server can open direct TCP connections to the database — this is a network segmentation failure. Firewall rules blocking web-tier to database-tier traffic would have stopped lateral movement entirely, regardless of how the web server was compromised. This is a network access control problem requiring a network access control solution.

Why not A: Encryption at rest protects data if physical media is stolen. It does not prevent an authenticated database connection — the attacker connects as a legitimate client and reads plaintext data regardless of at-rest encryption.

Why not B: MFA on admin console access addresses the initial intrusion vector, not lateral movement. Once the web server is compromised, MFA on the console is irrelevant to the server-to-server TCP connection.

Why not C: HIDS can detect and alert on suspicious activity, but detection is not prevention. The assessor could still open the TCP connection — the HIDS would log it, not block it.

Frequently Asked Questions

When does AP Cybersecurity launch nationally?

The national rollout is the 2026–27 school year, with the first official AP exam expected in May 2027. APCSExamPrep.com’s course is live now — students can begin and get a full year ahead of the exam.

Does AP Cybersecurity require programming?

No. AP Cybersecurity is not a programming course. It may include light scripting concepts in later units, but the emphasis is applied security analysis, not Java or Python development. It is accessible to students without prior coding experience.

Should a student take AP CSA and AP Cybersecurity?

Yes, they pair extremely well. AP CSA builds the ability to construct software. AP Cybersecurity builds the ability to defend it. Students pursuing any CS or IT pathway benefit from both perspectives.

What is the exam format for AP Cybersecurity?

The College Board has not finalized the full exam specification. Based on the CED, expect scenario-based MCQs and performance tasks that require students to analyze and respond to security situations — not just define terms.
