AP Cybersecurity Unit 1 Scenario Practice

AP Cyber Hub Unit 1 1.1 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.2 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.3 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.4 ▼ Lesson Ex 1 Ex 2 Lab Quiz 1.5 ▼ Lesson Ex 1 Ex 2 Lab Quiz

Unit 1 • Scenario-Based Practice

Home›AP Cybersecurity›Unit 1 › Scenario Practice

Scenario-Based MCQ Challenge

15 questions across 3 real-world breach scenarios — all 5 Unit 1 topics integrated

Score: 0 / 0 Read each scenario carefully before answering

Exam Overview

Questions

15 MCQ

Format

3 Linked Scenarios

Topics

All 5 (1.1–1.5)

Difficulty

Cross-Topic Synthesis

Scenario 1 of 3

Greenfield Medical Associates

Greenfield Medical Associates is a 12-person medical practice with two locations. Last Tuesday, the office manager, Dana, received an email appearing to come from the practice’s electronic health records (EHR) vendor. The email stated that a critical security patch required her to log into a portal using a link provided in the message. Dana clicked the link and entered her credentials on a page that closely resembled the vendor’s login screen.

Later that week, the IT consultant discovered that an attacker had used Dana’s credentials to access the practice’s patient scheduling system. Logs showed the unauthorized access originated from an IP address associated with a public coffee shop network. The attacker had also created a secondary admin account with the password Greenfield2026!. Further investigation revealed that several other staff members were using passwords based on the practice name followed by the current year.

Q1 Topic 1.1 — Social Engineering

The attack on Dana is BEST classified as which type of social engineering technique?

(A) Vishing — the attacker used a voice call to impersonate a trusted vendor and request login credentials (B) Baiting — the attacker left a malware-infected USB device in the office for an employee to find and use (C) Tailgating — the attacker followed an authorized employee through a secure entrance to gain physical access (D) Spear phishing — the attacker crafted a targeted email impersonating a specific vendor the practice uses

The email was crafted specifically for Greenfield’s EHR vendor — not a generic mass phishing blast. The targeting of a specific organization with a contextually relevant lure (a “security patch” from their actual vendor) makes this spear phishing.

(A) Incorrect — no voice communication occurred in this scenario.

(C) Incorrect — tailgating is a physical access attack, not an email-based attack.

(D) Incorrect — baiting involves physical media like USB drives, not targeted emails.

Exam Tip: Spear phishing = targeted at a specific person or organization. Regular phishing = generic mass blast. The specificity of the lure is the distinguishing factor.

Q2 Topic 1.2 — Password Attacks

The IT consultant discovers that six staff members use passwords following the pattern Greenfield + four-digit year + special character. Which of the following statements about this vulnerability are correct?

I. A dictionary attack using common organizational password patterns could compromise these accounts efficiently.
II. Adding a special character at the end makes these passwords resistant to most automated cracking tools.
III. A credential stuffing attack using Dana’s stolen credentials could succeed if she reuses the same password on other systems.

(A) I only (B) III only (C) I, II, and III (D) I and III only

Statement I is correct — predictable patterns based on the organization name are prime dictionary attack targets. Statement II is incorrect — a single trailing special character on a predictable base provides minimal protection against tools that account for common appending patterns. Statement III is correct — credential stuffing exploits password reuse across services.

(A) Incomplete — Statement III is also correct.

(B) Incomplete — Statement I is also correct.

(D) Incorrect — Statement II overstates the protection of a single appended character.

Exam Tip: In I/II/III questions, evaluate each statement independently before looking at the answer choices. One false statement eliminates multiple options.

Q3 Topics 1.2 + 1.3 — Cross-Topic

The unauthorized access originated from a public coffee shop network. Which of the following BEST explains why the attacker likely chose to route the intrusion through this type of network?

(A) Public networks make it more difficult to trace the attacker’s true identity because many users share the same external IP address (B) Public networks encrypt all traffic by default, making it easier for the attacker to transmit stolen data without detection (C) Public networks automatically bypass corporate firewalls, allowing direct access to internal systems from any connected device (D) Public networks provide faster upload speeds than residential connections, enabling quicker exfiltration of patient records

Public Wi-Fi networks typically route all connected users through shared IP addresses via NAT, making it significantly harder for investigators to identify a specific individual.

(A) Incorrect — public networks do not encrypt traffic by default; they are notoriously insecure.

(C) Incorrect — connecting to a public network does not bypass a target organization’s firewall.

(D) Incorrect — public networks do not inherently provide faster speeds than other connection types.

Exam Tip: Shared IP addresses on public Wi-Fi = anonymity for attackers. This is a key concept linking wireless security to forensic investigation challenges.

Q4 Topics 1.1 + 1.2 — Cross-Topic

The practice wants to prevent a similar attack in the future. Which combination of countermeasures would MOST effectively address the specific vulnerabilities exploited in this incident?

(A) Install antivirus software on all workstations and require passwords to be changed every 30 days (B) Block all external email at the network level and restrict internet access to a single supervised workstation (C) Implement email filtering and require all staff to complete phishing awareness training, then enforce multi-factor authentication on all accounts (D) Require all passwords to contain at least 20 characters and deploy a network intrusion detection system at each office location

This incident exploited two specific vectors: a phishing email (social engineering) and single-factor credential use. Option B directly targets both — email filtering + training addresses the phishing vector, and MFA neutralizes stolen credentials.

(A) Incorrect — antivirus would not catch a credential phishing page, and forced rotation encourages weaker passwords.

(C) Incorrect — blocking all external email is operationally impractical for a medical practice.

(D) Incorrect — addresses password strength but not the phishing vector that initiated the compromise.

Exam Tip: “Most effective” countermeasure questions require matching the solution to the specific attack vectors in the scenario — not just picking the most technically impressive option.

Q5 Topic 1.5 — AI in Cyber Defense

After the breach, Greenfield’s IT consultant recommends deploying an AI-powered email security tool. The office manager asks how it would differ from the practice’s existing spam filter, which uses a static list of blocked senders and keywords. Which of the following BEST describes a capability unique to the AI-based solution?

(A) It analyzes patterns in email metadata and content to flag messages that deviate from normal communication behavior, even from previously unseen senders (B) It blocks all emails from external senders not on an approved contact list, eliminating the possibility of phishing entirely (C) It requires each sender to solve a CAPTCHA before their email is delivered, preventing automated phishing campaigns (D) It encrypts all incoming email attachments so that malicious payloads cannot execute when opened by staff members

AI-powered email security uses behavioral analysis and anomaly detection — identifying unusual patterns like a first-time sender impersonating a known vendor, atypical urgency language, or suspicious link structures. This is fundamentally different from static rule-based filtering.

(A) Incorrect — describes an allowlist approach, not AI behavioral analysis.

(C) Incorrect — describes a challenge-response mechanism, not AI analysis.

(D) Incorrect — encryption protects data in transit; it does not prevent phishing attacks.

Exam Tip: AI-based tools detect anomalies by learning “normal” patterns. Static tools match against known-bad signatures. The key difference = AI catches novel, previously unseen threats.

— End of Scenario 1 —

Scenario 2 of 3

Apex Event Staffing

Apex Event Staffing is a temporary staffing agency that provides workers for concerts, festivals, and corporate events. Employees use a mobile app to view schedules, accept shifts, and submit timesheets. The app authenticates users with an email address and password only.

During a large outdoor music festival, an Apex supervisor named Marcus connected to what appeared to be the venue’s free Wi-Fi network, labeled “FestivalGuest_Free.” He logged into the Apex app and approved payroll for 40 workers. The following Monday, several employees reported that their direct deposit bank account numbers had been changed without authorization.

An investigation revealed that the “FestivalGuest_Free” network was not operated by the venue. The attacker had intercepted data transmitted over the fraudulent network, including session tokens used by the Apex app. Separately, Apex’s IT team found that three corporate accounts had been accessed using credentials obtained from an unrelated data breach at a fitness tracking service where employees had registered with their work email addresses.

Q6 Topic 1.3 — Public Wi-Fi

The fraudulent “FestivalGuest_Free” network is an example of which type of wireless attack?

(A) A denial-of-service attack — the attacker overwhelmed the venue’s legitimate network, forcing users onto an alternative connection (B) A brute force attack — the attacker systematically guessed the venue’s Wi-Fi password to gain administrative control of the router (C) An evil twin attack — the attacker created a network with a name designed to appear legitimate so that users would connect to it voluntarily (D) A SQL injection attack — the attacker inserted malicious commands into the venue’s Wi-Fi login portal to redirect traffic

An evil twin is a rogue access point configured to mimic a legitimate network name, tricking users into connecting. Once connected, the attacker can intercept unencrypted traffic.

(A) Incorrect — a DoS attack disrupts availability rather than intercepting data.

(B) Incorrect — brute force targets password cracking, not creating fake networks.

(D) Incorrect — SQL injection is a web application attack unrelated to Wi-Fi spoofing.

Exam Tip: Evil twin = fake Wi-Fi that looks real. The name is the trap — users connect voluntarily because the SSID appears legitimate.

Q7 Topics 1.3 + 1.2 — Cross-Topic

The attacker intercepted session tokens rather than Marcus’s actual password. Which of the following BEST explains why session tokens present a security risk even when a user’s password is strong?

(A) Session tokens contain the user’s password in an encoded format that any attacker can easily reverse (B) Session tokens grant authenticated access to an account without requiring the password to be entered again, allowing an attacker to impersonate the user (C) Session tokens are permanently valid and can never be revoked by the application server once they are issued (D) Session tokens disable multi-factor authentication for the remainder of the browsing session, removing all secondary protections

Session tokens represent an already-authenticated state. An attacker who captures a valid token can access the account as if they had logged in, bypassing the password entirely.

(A) Incorrect — tokens are not encoded passwords; they are separate authentication artifacts.

(C) Incorrect — tokens typically have expiration times and can be invalidated server-side.

(D) Incorrect — MFA status and session tokens are managed independently.

Exam Tip: Session hijacking bypasses authentication entirely. Even strong passwords and MFA cannot protect against an already-captured valid session token.

Q8 Topic 1.2 — Password Attacks

Three Apex corporate accounts were compromised using credentials from an unrelated fitness tracking service breach. This attack technique is BEST described as:

(A) A rainbow table attack — the attacker used precomputed hash values to reverse-engineer the employees’ passwords from the fitness service database (B) Credential stuffing — the attacker used email and password pairs leaked from one service to attempt logins on a different, unrelated service (C) Keylogging — the attacker installed software on employee devices that recorded keystrokes and transmitted the captured passwords (D) Shoulder surfing — the attacker observed employees entering their credentials at the fitness tracking service and later replayed them on the Apex system

Credential stuffing specifically exploits password reuse across services — leaked credentials from one breach are systematically tested against other platforms.

(A) Incorrect — rainbow tables crack password hashes, not exploit cross-service reuse.

(C) Incorrect — keylogging requires malware on the victim’s device, which is not described.

(D) Incorrect — shoulder surfing requires physical proximity, which does not match this scenario.

Exam Tip: Credential stuffing vs. brute force: stuffing uses known valid credentials from other breaches; brute force guesses unknown passwords. The attack vector is password reuse.

Q9 Topic 1.4 — AI-Based Attacks

Following the breach, an Apex executive receives a voicemail that sounds exactly like the CEO instructing her to wire emergency funds to a vendor. The voice was generated using publicly available recordings from conference presentations. This attack is BEST classified as:

(A) A social engineering attack using AI-generated voice cloning to impersonate a trusted authority figure (B) A man-in-the-middle attack using intercepted phone calls to alter the CEO’s spoken instructions in real time (C) A denial-of-service attack that floods the executive’s voicemail system to prevent her from receiving legitimate messages (D) A brute force attack that cycles through pre-recorded voice samples until one bypasses the voicemail system’s caller ID verification

AI voice cloning (deepfake audio) uses machine learning models trained on samples of a target’s speech to generate convincing synthetic audio. This is a social engineering attack because it relies on the victim trusting the apparent source.

(A) Incorrect — the audio was generated from scratch, not intercepted and modified in real time.

(C) Incorrect — a DoS attack targets availability, not impersonation.

(D) Incorrect — this fabricates a technique that does not exist in practice.

Exam Tip: AI-generated deepfakes (voice, video, text) are a form of social engineering because they exploit human trust. The AI is the tool; the manipulation of trust is the attack.

Q10 Topics 1.5 + 1.1 — Cross-Topic

Apex decides to deploy an AI-powered threat detection platform across its systems. During the first month, the platform flags a legitimate bulk payroll email from the HR director as a potential phishing attempt. This type of error is known as a false positive. Which of the following BEST explains why false positives are a significant concern when deploying AI-based security tools?

(A) False positives prove that the AI system is fundamentally unreliable and should be replaced with manual security reviews for all communications (B) False positives only occur when AI security tools are used without encryption, so enabling TLS on all communications would eliminate them entirely (C) False positives are impossible to reduce once an AI system has been deployed because the model cannot be retrained on new data (D) False positives can cause employees to distrust or ignore security alerts over time, potentially leading them to overlook genuine threats

Alert fatigue from excessive false positives is a well-documented problem in security operations. When users repeatedly encounter incorrect warnings, they begin dismissing alerts reflexively — including real threats.

(A) Incorrect — false positives are expected and manageable; they do not prove fundamental unreliability.

(C) Incorrect — AI models are routinely retrained and fine-tuned to reduce false positives.

(D) Incorrect — encryption (data protection) and detection accuracy (classification) are unrelated concepts.

Exam Tip: Alert fatigue is the #1 practical risk of false positives. The danger is not that the AI is wrong once — it is that repeated false alarms train humans to stop paying attention.

— End of Scenario 2 —

Scenario 3 of 3

Ridgeway School District

Ridgeway School District serves 8,000 students across 12 schools. The district recently adopted a cloud-based learning management system (LMS) where teachers post assignments, grades, and student records. Teachers authenticate using their district email and a password they create during onboarding. The district does not require multi-factor authentication.

A parent reported that her child’s grades had been altered in the LMS. The district’s technology coordinator investigated and found that a teacher’s account had been compromised. Access logs showed the unauthorized changes were made from a device connected to the public Wi-Fi network at a local library. Further analysis revealed that the compromised teacher had clicked a link in a text message claiming her district email storage was full and required immediate action. The link led to a convincing replica of the district’s email login page.

Additionally, the technology coordinator discovered that an AI-powered chatbot on a third-party tutoring website had been collecting student names and grade levels from publicly shared LMS links that teachers had posted on social media. The chatbot used this data to generate personalized phishing messages sent to parents, requesting “tuition verification payments.”

Q11 Topic 1.1 — Social Engineering

The text message sent to the teacher is an example of which social engineering technique?

(A) Vishing — the attacker made a phone call impersonating district IT support to obtain the teacher’s credentials (B) Whaling — the attacker targeted a high-ranking district executive with a carefully crafted email requesting financial information (C) Smishing — the attacker sent a fraudulent text message containing a malicious link to harvest login credentials (D) Pretexting — the attacker created a false identity as a fellow teacher to build a long-term relationship before requesting sensitive information

Smishing (SMS + phishing) is a social engineering attack delivered via text message. The attack used a fabricated urgency trigger (“storage full”) and a malicious link — classic phishing tactics delivered through the SMS channel.

(A) Incorrect — vishing uses voice calls, not text messages.

(C) Incorrect — whaling targets senior executives, and the attack used a text, not an email.

(D) Incorrect — pretexting involves building a fabricated scenario over time; this was a one-shot text attack.

Exam Tip: Phishing = email. Smishing = SMS/text. Vishing = voice/phone. The delivery channel determines the classification, even though the manipulation tactics are similar.

Q12 Topics 1.3 + 1.2 — Cross-Topic

The unauthorized grade changes were made from a public library Wi-Fi network. Which of the following countermeasures would have been MOST effective at preventing the attacker from using the stolen credentials to access the LMS?

(A) Requiring all LMS users to connect through a VPN that encrypts traffic between the user’s device and the district’s network (B) Enforcing multi-factor authentication so that a stolen password alone is not sufficient to gain account access (C) Installing a firewall at the public library to filter malicious traffic before it reaches the district’s servers (D) Configuring the library’s Wi-Fi router to block access to all educational websites during non-school hours

The attacker already had valid credentials. The question asks what prevents use of stolen credentials specifically. MFA ensures that possessing the password alone is insufficient — a second factor (phone, token, biometric) would also be required, blocking the attacker.

(A) Incorrect — a VPN protects data in transit but would not prevent an attacker who already has valid credentials from logging in from any location.

(C) Incorrect — the district has no authority to install firewalls at a public library.

(D) Incorrect — blocking websites by time is impractical and does not address credential theft.

Exam Tip: VPN protects traffic in transit. MFA protects the account itself. When credentials are already stolen, MFA is the correct countermeasure — not VPN.

Q13 Topic 1.4 — AI-Based Attacks

The AI chatbot collected student data from publicly shared LMS links and used it to generate personalized phishing messages to parents. Which of the following statements about this attack are correct?

I. The chatbot performed automated reconnaissance by scraping publicly accessible data to build targeted victim profiles.
II. The personalized messages are more likely to succeed than generic phishing because they reference specific, verifiable details about the recipient’s child.
III. This attack would have been prevented entirely if the district had installed antivirus software on all teacher devices.

(A) I only (B) I and II only (C) II and III only (D) I, II, and III

Statement I is correct — the chatbot performed automated OSINT (open-source intelligence) gathering from publicly accessible links. Statement II is correct — personalization dramatically increases phishing success rates because recipients see specific details that appear legitimate. Statement III is incorrect — antivirus software on teacher devices would not prevent an external chatbot from scraping publicly shared links on social media.

(A) Incomplete — Statement II is also correct.

(C) Incorrect — includes the false Statement III.

(D) Incorrect — Statement III is false; antivirus does not prevent external data scraping.

Exam Tip: AI lowers the cost and effort of reconnaissance. What once required manual research can now be automated at scale — making targeted attacks accessible to less sophisticated attackers.

Q14 Topics 1.1 + 1.4 — Cross-Topic

The phishing messages sent to parents referenced their children by name and grade level. Compared to a generic phishing campaign that sends identical messages to thousands of recipients, this AI-assisted approach is MOST accurately described as:

(A) A brute force attack, because the chatbot generated thousands of message variations to find one that works (B) A man-in-the-middle attack, because the chatbot positioned itself between the parents and the district’s communication system (C) A denial-of-service attack, because the volume of personalized messages overwhelmed the parents’ email systems (D) Automated spear phishing at scale, because AI enabled individually tailored messages targeting specific recipients using harvested personal data

Traditionally, spear phishing required manual effort to research and customize each message, limiting its scale. AI enables the same level of personalization to be applied automatically to thousands of targets simultaneously — creating spear phishing at mass scale.

(A) Incorrect — brute force refers to systematically guessing passwords or keys, not message variation.

(C) Incorrect — DoS attacks target system availability, not individual deception.

(D) Incorrect — MITM intercepts communications between two parties; the chatbot sent new messages, it did not intercept existing ones.

Exam Tip: AI’s biggest impact on social engineering = it makes targeted attacks scalable. What was once expensive, one-at-a-time spear phishing can now be automated for thousands of targets.

Q15 Topic 1.5 — AI in Cyber Defense

The district’s technology coordinator proposes deploying an AI-based anomaly detection system that monitors LMS access patterns. Which of the following scenarios would this system be LEAST likely to detect as suspicious?

(A) A teacher’s account accessing the LMS from an unfamiliar IP address in a different state at 2:00 AM on a Saturday (B) A single account downloading the complete grade records for every student in the district within a 10-minute window (C) A teacher logging in during normal school hours from the same device and location she uses every day, then modifying grades for her own students (D) Five failed login attempts on a teacher’s account within 30 seconds, followed by a successful login from an IP address that has never previously accessed the system

AI anomaly detection works by identifying deviations from established behavioral baselines. Option B describes activity that perfectly matches the teacher’s normal pattern — same time, same device, same location, same type of action. If an attacker uses stolen credentials in a way that mimics the legitimate user’s exact behavior, anomaly detection has the least signal to flag it.

(A) Likely flagged — unusual time, unusual location, and unusual IP address are strong anomaly signals.

(C) Likely flagged — bulk data access far exceeds normal teacher behavior and triggers volume-based alerts.

(D) Likely flagged — rapid failed attempts followed by success from a new IP is a classic brute force pattern.

Exam Tip: “LEAST likely to detect” questions test whether you understand the limitations of a technology. AI anomaly detection is powerful but struggles when malicious activity perfectly mimics legitimate behavior.

— End of Scenario 3 —

Questions Correct

Scenario 1

Scenario 2

Scenario 3

Take Unit 1 Exam → Back to Course Hub

← Unit 1 Exam (20 MCQ) Course Hub →

AP Cybersecurity Unit 1 Scenario Practice | APCSExamPrep.com | Built by Tanner Crow, AP CS Teacher (11+ years)
AP® is a registered trademark of the College Board, which was not involved in the production of this content.

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

✓

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

Name *

Email *

I am a... (optional)

Which course? (optional)

Phone (optional)

How did you find us? (optional)

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Message (optional — leave blank if just subscribing)

Send me free AP CS exam tips — daily practice questions, study resources, and exam strategies. + 20% OFF TUTORING
Unsubscribe anytime.

✉

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

⏱

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]