AP Cybersecurity Unit 1 Lesson 5 Exercise 1

AP Cybersecurity — Unit 1, Topic 1.5

Exercise 1: AI Defense Application Lab

Classify AI defense applications, analyze an anomaly detection alert, and recommend AI-assisted security improvements for Maple Street Veterinary Clinic. The three skills most tested for Topic 1.5.

Skills 2.A, 2.C, 3.A ~30–40 min • 3 Parts • 24 pts
Part 1
AI Defense Application Classification (12 pts)
12 pts

Four AI security tools have been deployed across Vantex Financial Group. For each description, identify the AI defense application and the CED skill it primarily serves.

Tool 1

An ML model that has been monitoring Vantex’s user accounts for 30 days and now generates alerts when any user’s login time, location, or data access volume deviates significantly from their historical pattern. Yesterday it flagged a login from Singapore at 2 AM that matched an existing employee’s credentials.

AI defense application:

Tool 2

A tool that ingests malicious IP addresses, file hashes, and domain names from 47 external threat feeds and matches them against Vantex’s firewall logs and endpoint events in real time — generating a P1 alert when three low-confidence events from the past hour share IOCs with a known ransomware group.

AI defense application:

Tool 3

An AI system integrated into Vantex’s development pipeline that scans every pull request for SQL injection patterns, hardcoded credentials, and insecure API calls before the code reaches production. The development team reviews all flagged items before merging.

AI defense application:

Tool 4

A platform that, when a brute-force attack exceeds 15 failed login attempts per minute from a single IP, automatically adds that IP to the perimeter firewall block list and sends an alert to the SOC with full context — without requiring manual analyst action for the initial block.

AI defense application:

Part 2
Anomaly Detection Alert Analysis (6 pts)
6 pts

Vantex’s SIEM generates the following P2 alert for a user account:

SIEM Alert — P2 — 2026-03-12 23:41:07

User: mrivera (Maria Rivera, Senior Accountant)

Trigger: File access volume anomaly — 3.2 standard deviations above 30-day baseline

Current rate: 1,847 file accesses in last 62 minutes (1,787/hr)

Baseline: 180–320 accesses/day (23–40/hr) — exclusively to Finance share

Current access target: Multiple shares including HR (not in baseline)

Login time: 11:41 PM (outside normal 8 AM–6 PM window)

Geographic: Same IP as prior 30 days (internal network)

1. This alert was generated by anomaly-based detection. What is the behavioral baseline for Maria, and how does her current behavior deviate? (2 pts)

2. Would a signature-based IDS have detected this? Why or why not? (2 pts)

3. The SOC analyst must investigate before taking action. List the first two questions the analyst should answer before suspending Maria’s account. (2 pts)

Part 3
AI Defense Recommendations (6 pts)
6 pts

Maple Street Veterinary Clinic has no AI security tools. They have experienced three incidents this year: (1) a staff member clicked a phishing email, (2) their patient portal has three unpatched SQL injection vulnerabilities found during a manual review, and (3) they cannot review their 180,000 daily log entries. Recommend AI tools for each gap.

Gap 1 (Phishing): Which AI tool addresses this, and what limitation requires a human layer too? (2 pts)

Gap 2 (SQL Injection): What is the correct AI tool, and why must a human developer review its findings before implementation? (2 pts)

Gap 3 (Log Review): Which AI tool is specifically designed for this problem? What is the difference between what AI does and what the human analyst does? (2 pts)

✎ AP Exam Tip

AP questions about AI defense always test: (1) matching the right AI tool to the right problem (anomaly for behavior, code scanner for vulnerabilities, NLP for phishing), (2) whether human oversight is required (always yes for consequential actions), and (3) the distinction between what AI does (volume/scale/pattern recognition) vs. what humans do (contextual judgment, validation, response decisions).

AP Cybersecurity · Unit 1 · Lesson 1.5 · Exercise 1
LessonExercise 1LabQuiz

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]