AP Cybersecurity Unit 2 Exam

AP Cyber Hub Unit 2 2.1 ▼ Lesson Ex 1 Ex 2 Lab Quiz 2.2 ▼ Lesson Ex 1 Ex 2 Lab Quiz 2.3 ▼ Lesson Ex 1 Ex 2 Lab Quiz 2.4 ▼ Lesson Ex 1 Ex 2 Lab Quiz 2.5 ▼ Lesson Ex 1 Ex 2 Lab Quiz Unit 2 Exam

Unit 2 • End-of-Unit Exam

Unit 2 Exam: Securing Spaces

20 questions covering all Unit 2 topics — CIA Triad, Defense-in-Depth, Physical Security, Risk Assessment, and Access Controls

Score: 0 / 0 Answer each question individually to see feedback

Exam Strategy: Predict your answer before selecting. Use “slash the trash” — eliminate obviously wrong choices first. Key words are bolded and underlined. Several questions have code-style scenarios — classify before choosing.

Q1 CIA Triad

A security analyst states: “Encrypting data at rest protects Integrity because it ensures the data has not been modified.” What is WRONG with this statement?

(A) Encryption at rest primarily protects Confidentiality, not Integrity. Cryptographic hashing protects Integrity. (B) The statement is correct — encryption does protect Integrity by making data unreadable to unauthorized users. (C) Encryption at rest protects Availability, because encrypted data remains accessible to authorized users. (D) The statement is wrong because encryption only applies to data in transit, never data at rest.

Encryption at rest protects Confidentiality — it prevents unauthorized parties from reading the data. It does NOT protect Integrity. Integrity is protected by cryptographic hashing (MD5, SHA-256) which detects whether data has been altered. An encrypted file can still be corrupted or modified by an attacker who overwrites bytes — encryption won’t detect that. A hash will.

(B) Incorrect — this is the specific flaw in the original statement being tested.

(C) Incorrect — availability concerns uptime and access, not encryption.

(D) Incorrect — encryption absolutely applies to data at rest (BitLocker, AES-256 on SSDs).

Q2 CIA Triad

Vantex Financial Group suffers a ransomware attack. The malware encrypts all files on the file server and displays a ransom demand. Which of the following CIA properties are DIRECTLY VIOLATED?

I. Confidentiality
II. Integrity
III. Availability

(A) I only (B) II and III only (C) III only (D) I, II, and III

Availability is directly violated — files are inaccessible (encrypted, unreadable). Integrity is directly violated — the files have been modified (encrypted) without authorization. Confidentiality depends on whether data was exfiltrated — modern ransomware often does exfiltrate first (double extortion), but the scenario only describes encryption and a ransom demand, not confirmed exfiltration. The direct violation is II and III.

(A) Incorrect — Confidentiality alone is not what ransomware primarily attacks.

(C) Incorrect — Integrity is also violated because files are modified (encrypted) without authorization.

(D) Incorrect — Confidentiality is not confirmed violated without evidence of data exfiltration.

Q3 Defense-in-Depth

A network architect proposes: “We have deployed two identical enterprise firewalls in parallel. This gives us defense-in-depth at the perimeter layer.” Which statement BEST identifies the flaw in this reasoning?

(A) Two firewalls provide redundancy, not defense-in-depth. Defense-in-depth requires different control types at different layers. (B) The statement is correct — any duplication of a security control qualifies as defense-in-depth. (C) The flaw is using parallel firewalls — they should be deployed in series to create a layered defense. (D) Defense-in-depth only applies to the application and data layers, not the perimeter layer.

Defense-in-depth means different types of controls across multiple layers — physical, perimeter, network, host, application, data, and human. Two identical firewalls are redundancy within a single layer. An attacker who bypasses one firewall’s ruleset will bypass the identical second. Redundancy improves availability; it does not add independent security barriers. Defense-in-depth would be: firewall + network segmentation + host-based IDS + data encryption.

(A) Incorrect — this is the exact misconception the question tests.

(B) Incorrect — series vs. parallel placement is irrelevant if both use identical rule sets.

(C) Incorrect — defense-in-depth applies across all seven layers.

Q4 Defense-in-Depth

An attacker with stolen credentials logs into Vantex’s VPN, moves laterally to the file server, and begins exfiltrating data. Which of the following controls would have INDEPENDENTLY slowed or detected the attack at different layers?

I. Network segmentation restricting VPN users from directly reaching the file server
II. A second firewall identical to the perimeter firewall
III. Data loss prevention (DLP) scanning outbound traffic for financial record patterns

(A) I only (B) II and III only (C) I and III only (D) I, II, and III

I — True: Network segmentation (network layer) would prevent the lateral move from VPN to file server, stopping the attack before exfiltration. III — True: DLP (data layer) would detect the outbound financial data pattern even if the attacker reached the server. II — False: A second identical firewall provides redundancy, not an independent barrier. If the attacker used valid credentials that passed the first firewall, identical rules on the second will also pass them.

(A) Incorrect — DLP (III) would also independently help.

(B) Incorrect — a duplicate firewall adds no independent protection; DLP does.

(D) Incorrect — II does not provide independent protection as explained.

Q5 Physical Security

A security manager classifies the following as a preventive physical control: “A prominently displayed sign at the server room entrance reading ‘AUTHORIZED PERSONNEL ONLY — ALL ENTRY LOGGED AND MONITORED.’” What is WRONG with this classification?

(A) The sign is a deterrent control, not preventive. It raises perceived risk but does not physically block unauthorized entry. (B) The sign is a detective control because it mentions monitoring and logging. (C) The classification is correct — any sign that restricts access is preventive. (D) The sign is corrective, not preventive, because it informs employees of a policy violation.

A sign cannot physically stop anyone from entering. It is a deterrent control — it discourages access by raising the perceived probability of being caught. A preventive control actually blocks entry: a locked door, badge reader, or mantrap. The mention of logging makes the sign appear to have a detective element, but the logging itself (if real) would be detective — the sign just claims monitoring occurs.

(B) Partially tempting, but the sign’s primary function is to deter, not detect. The actual log system is the detective control.

(C) Incorrect — labeling something “restricted” does not make it physically restrictive.

(D) Incorrect — corrective controls restore systems after an incident.

Q6 Physical Security

A Vantex employee holds the door open for a person in a delivery uniform who claims to have a package. The delivery person enters the secure area and leaves a USB drive on a desk. Which of the following are ACCURATELY classified?

I. The employee holding the door open is an example of tailgating
II. The USB drive is a baiting attack
III. A mantrap would have prevented both the tailgating and the USB delivery

(A) I and II only (B) II only (C) I, II, and III (D) I and III only

I — True: Holding the door = tailgating (piggybacking). The delivery person followed without independent authentication. II — True: The USB drive left on a desk is a classic baiting attack — relies on curiosity to get a victim to plug it in. III — True: A mantrap (two-door airlock with single-occupancy enforcement) physically prevents tailgating — only one person can be in the airlock at a time, so the delivery person could not follow the employee through. It would also mean their package is inspected, preventing USB planting.

(A) Incorrect — III is also accurate.

(B) Incorrect — I and III are also accurate.

(D) Incorrect — II is also accurate.

Q7 Risk Assessment

A risk analyst at Vantex calculates: “The ALE for our web server SQL injection vulnerability is $180,000. We will purchase a Web Application Firewall (WAF) for $200,000/year. Since the WAF costs more than the ALE, it is not cost-effective and we should accept the risk.” What is WRONG with this analysis?

(A) ALE only measures direct financial loss. The analyst ignored regulatory fines, reputational damage, and customer breach notification costs that would likely exceed $200,000. (B) The analysis is correct — if a control costs more than the ALE, accepting the risk is always the right decision. (C) The analyst should have used qualitative, not quantitative, risk assessment for a web server vulnerability. (D) The flaw is that ALE cannot be used for vulnerabilities — it only applies to physical asset loss.

The core flaw is that the ALE calculation only captured direct financial loss from the breach itself. For a financial institution like Vantex, a SQL injection compromise of customer data would likely trigger: GDPR/CCPA fines, PCI-DSS penalties, customer notification costs, lawsuit settlements, and reputational damage causing customer attrition. These commonly dwarf the direct loss. A rigorous quantitative analysis includes total impact, not just immediate asset loss.

(B) Incorrect — cost-benefit analysis requires complete total cost of impact, not just the ALE figure.

(C) Incorrect — quantitative is appropriate here; the method isn’t the problem, the incomplete inputs are.

(D) Incorrect — ALE applies to any risk with estimable frequency and impact, not just physical assets.

Q8 Risk Assessment

Vantex’s server farm is valued at $2,000,000. Security analysts estimate that a fire would destroy 40% of the facility. Historical data shows a fire occurs on average once every 5 years.

What is the Annual Loss Expectancy (ALE) for this fire risk?

(A) $160,000 (B) $400,000 (C) $800,000 (D) $2,000,000

Step 1 — SLE (Single Loss Expectancy) = Asset Value × Exposure Factor = $2,000,000 × 0.40 = $800,000. Step 2 — ARO (Annual Rate of Occurrence) = 1 event per 5 years = 0.2. Step 3 — ALE = SLE × ARO = $800,000 × 0.2 = $160,000. The key mistake is confusing SLE ($800K) with ALE. ALE accounts for how often the event occurs per year.

(A) $800,000 — this is the SLE (the loss from a single event), not the ALE.

(B) $400,000 — this has no formula basis; a common random distractor.

(C) $2,000,000 — this is the total asset value, the starting point, not the answer.

Q9 Risk Assessment — Response Strategies

Vantex purchases cyber liability insurance to cover financial losses from data breaches. Which risk response strategy does this BEST represent, and why?

(A) Mitigate — insurance reduces the likelihood of a breach occurring (B) Transfer — the financial impact of the risk is shifted to the insurance company (C) Accept — Vantex acknowledges the risk exists and takes no action to change it (D) Avoid — insurance eliminates the risk entirely by compensating for losses

Transfer: Insurance shifts the financial consequence of the risk to the insurer. Critically: the risk itself is not eliminated — the breach can still happen. Insurance does nothing to reduce likelihood (that’s mitigation). The distinction: transfer moves the financial burden; mitigation reduces probability or impact directly.

(A) Incorrect — insurance does not reduce breach likelihood; controls like MFA and patching do.

(C) Incorrect — accept means acknowledging risk AND taking no compensating action at all.

(D) Incorrect — avoid means eliminating the activity that creates the risk (e.g., not storing that data). Insurance cannot avoid a risk.

Q10 Access Controls

A Vantex security policy states: “All employees must use Multi-Factor Authentication (MFA) when logging in. Employees must enter their password and then answer a security question to complete the MFA process.” What is WRONG with this policy?

(A) MFA requires factors from different categories. A password and a security question are both “something you know,” making this single-factor authentication with two steps. (B) The policy is correct — any login requiring two inputs qualifies as MFA. (C) Security questions are too strong a factor — MFA should use weaker second factors to avoid user friction. (D) MFA is unnecessary if the password is sufficiently complex. The policy should focus on password strength instead.

True MFA requires factors from at least two different categories: something you know, something you have, or something you are. Password (know) + security question (know) = still just one factor category. Both can be phished or guessed. This is 2-step verification, not MFA. Real MFA: password (know) + authenticator app code (have) = two different categories.

(B) Incorrect — counting inputs is the exact misconception being tested. Category diversity is what defines MFA.

(C) Incorrect — security questions are actually among the weakest second factors, not the strongest.

(D) Incorrect — MFA provides independent protection that password complexity alone cannot.

Q11 Access Controls

A Vantex database contains three tables: CustomerAccounts, LoanApplications, and ExecutiveCompensation. A loan officer role needs access to CustomerAccounts and LoanApplications only. Currently, all employees are assigned to a single “Staff” role with access to all three tables.

Which access control change BEST applies the principle of least privilege, and which model does it implement?

(A) Grant the loan officer individual access to all three tables, then manually revoke ExecutiveCompensation — implements DAC (B) Create a LoanOfficer role with access to only CustomerAccounts and LoanApplications; assign loan officers to that role — implements RBAC (C) Require loan officers to request access to ExecutiveCompensation through a manager each time they need it — implements MAC (D) Encrypt ExecutiveCompensation so loan officers cannot read it even if they access it — implements a CIA Integrity control

Role-Based Access Control (RBAC) assigns permissions to roles, not individuals. Creating a LoanOfficer role with exactly the permissions needed applies least privilege — users only get access to what their job requires. This scales: adding a new loan officer means assigning them the role, not manually configuring 30+ permissions. RBAC is the dominant enterprise access model for exactly this reason.

(A) Incorrect — granting full access and revoking specific items is the inverse of least privilege; it starts too permissive.

(C) Incorrect — this describes a workflow, not an access control model; MAC uses sensitivity labels set by administrators, not manager approval requests.

(D) Incorrect — encryption is a confidentiality control, not an access control model, and doesn’t solve the authorization problem.

Q12 CIA Triad — Applied

Vantex discovers that a disgruntled employee with database access has been changing loan interest rates in the CustomerAccounts table — lowering rates for friends and raising them for others. The changes were not detectable until a customer complained.

Which CIA property was PRIMARILY violated, and which control would have MOST DIRECTLY detected this attack?

(A) Confidentiality violated; encryption of the database would have prevented the changes (B) Availability violated; database backups would have restored the correct rates (C) Integrity violated; cryptographic hashing or database audit logs would have detected unauthorized modifications (D) Integrity violated; encrypting the database at rest would have prevented unauthorized changes

Integrity is violated — data was modified without authorization. The employee had legitimate access credentials, so confidentiality was not violated (no unauthorized disclosure). Availability was not violated (data remained accessible). The detection control is audit logging (records every modification with user and timestamp) or cryptographic hashing of records (any change invalidates the hash). Encryption does not prevent or detect changes by an authorized user.

(A) Incorrect — the employee had authorized access; encryption prevents unauthorized reading, not authorized writing.

(B) Incorrect — availability means uptime/access, not accuracy. The data was accessible; it was wrong.

(D) Tempting but wrong — correctly identifies Integrity but names encryption as the control. Encryption at rest does nothing to prevent or detect modification by an authorized user with valid credentials.

Q13 Defense-in-Depth — Seven Layers

An attacker sends a phishing email that tricks an employee into downloading a malware payload. The malware then attempts to move laterally to other systems. Which of the following controls operate at DIFFERENT defense-in-depth layers and could INDEPENDENTLY stop or detect this attack chain?

I. Security awareness training (Human layer)
II. Email filtering with attachment sandboxing (Perimeter/Application layer)
III. A second identical perimeter firewall (Perimeter layer)

(A) I only (B) I and II only (C) II and III only (D) I, II, and III

I — True: Training (Human layer) could prevent the employee from clicking the phishing link entirely. II — True: Email sandboxing (Application/Perimeter layer) detonates the attachment in a safe environment before delivery, stopping the malware from reaching the user. III — False: A second identical firewall is redundancy, not a different layer. It uses the same rules and would pass the same phishing email.

(A) Incorrect — email sandboxing (II) would also independently stop the attack.

(C) Incorrect — a duplicate firewall (III) provides no independent protection.

(D) Incorrect — III is redundancy, not defense-in-depth.

Q14 Physical Security

Vantex is assessing physical security controls at its main branch. Classify each control correctly: (1) A guard station visible from the parking lot. (2) A badge reader on the server room door. (3) CCTV cameras inside the server room recording to a 90-day archive. (4) A warning sign: “This area is under 24/7 surveillance.”

Which answer CORRECTLY classifies all four controls?

(A) 1-Preventive, 2-Detective, 3-Detective, 4-Deterrent (B) 1-Deterrent, 2-Preventive, 3-Detective, 4-Deterrent (C) 1-Deterrent, 2-Preventive, 3-Preventive, 4-Detective (D) 1-Detective, 2-Preventive, 3-Detective, 4-Preventive

1 — Deterrent: Visible guard presence raises perceived risk but does not physically block access. 2 — Preventive: Badge reader physically blocks entry without authorization. 3 — Detective: CCTV recording identifies that an intrusion occurred after the fact. 4 — Deterrent: A sign about surveillance deters by raising perceived monitoring probability — the sign itself neither blocks nor records.

(A) Incorrect — classifies the guard (1) as preventive, but a guard that is visible from a distance deters rather than blocks.

(C) Incorrect — CCTV recording (3) is detective, not preventive; cameras do not block intrusions.

(D) Incorrect — a surveillance sign (4) deters, not prevents; signs cannot block physical entry.

Q15 Risk Assessment — Threat vs. Vulnerability

A Vantex IT manager says: “Our primary threat is the unpatched Apache server running on port 8080. We need to mitigate this threat immediately.” A security analyst replies: “That is not a threat — that is something else.” The analyst is CORRECT because:

(A) An unpatched server is a vulnerability — a weakness that could be exploited. The threat would be the ransomware operators who might exploit it. (B) An unpatched server is a risk — the combination of the server weakness and the likelihood of exploitation. (C) An unpatched server is an asset — it has value to the organization and must be protected. (D) The analyst is wrong — any known security weakness that can be exploited is correctly classified as a threat.

Vulnerability is a weakness in your own systems or processes. An unpatched server is a vulnerability you own and can fix by patching. A threat is an external actor or event: the hackers scanning for that CVE, the ransomware group targeting financial institutions, the disgruntled employee. You cannot eliminate threats — you can only reduce your vulnerability to them and your impact when they succeed. This distinction is foundational to the risk formula: Risk = Threat × Vulnerability × Impact.

(B) Tempting — an unpatched server does contribute to risk, but it is the vulnerability component, not risk itself. Risk requires combining threat × vulnerability × impact.

(C) Incorrect — the server is an asset, but the unpatched state of the server is the vulnerability.

(D) Incorrect — the analyst is correct. Misusing the term “threat” for “vulnerability” leads to misprioritized responses.

Q16 Access Controls — AAA Framework

After Vantex discovers the loan rate tampering incident, security leadership requires that every database query be logged with the employee’s identity, the resource accessed, the action performed, and the timestamp.

This logging requirement primarily implements which component of the AAA security framework, and what is its PRIMARY security purpose?

(A) Authentication — to verify the employee’s identity before each query (B) Authorization — to enforce which resources each employee can access (C) Accounting — to create an audit trail of actions taken by authenticated users (D) Authentication — to ensure the database queries cannot be repudiated

Accounting (also called Auditing) is the third A in AAA. After authentication (who are you?) and authorization (what can you do?), accounting answers what did you actually do? — recording a timestamped log of actions. This supports forensic investigation, compliance auditing, and non-repudiation (the employee cannot deny the action if the log shows it). The requirement describes accounting precisely: every action logged with identity and timestamp.

(A) Incorrect — authentication verifies identity at login, not per-query action logging.

(B) Incorrect — authorization controls what resources are accessible, not what actions were taken on them.

(D) Partially correct logic (non-repudiation is a benefit) but misidentifies the component as authentication.

Q17 Defense-in-Depth & Physical Security

A Vantex branch is designing its security architecture. The security team proposes: (1) A fence around the building perimeter. (2) Badge readers at all exterior doors. (3) A mantrap at the server room entrance. (4) Motion-activated interior cameras with offsite recording. (5) Host-based antivirus on all servers inside the room.

How many DISTINCT defense-in-depth layers do these five controls collectively address?

(A) 2 distinct layers — all five are physical security controls (B) 3 distinct layers — Physical, Detective, and Preventive layers (C) 2 distinct layers — Physical layer (1-4) and Host layer (5) (D) 5 distinct layers — each control operates independently and represents a unique layer

Controls 1–4 (fence, badge readers, mantrap, cameras) all operate at the Physical layer of defense-in-depth — they control physical access to the facility. Control 5 (host antivirus) operates at the Host layer — securing the individual endpoint. So the five controls span 2 distinct layers: Physical (1-4) and Host (5). Detective vs. Preventive is a control classification, not a defense-in-depth layer name.

(A) Incorrect — host antivirus is not a physical security control; it is a host-layer control.

(B) Incorrect — Detective and Preventive describe how a control works, not which defense-in-depth layer it belongs to.

(D) Incorrect — the seven layers of defense-in-depth are fixed categories; multiple controls can belong to the same layer.

Q18 Risk Assessment — Qualitative vs. Quantitative

A Vantex CISO presents two risk assessments to the board. Assessment A states: “The risk of a DDoS attack against our loan portal is HIGH.” Assessment B states: “A DDoS event has an SLE of $350,000 and an ARO of 0.25, yielding an ALE of $87,500 annually.” Which statement BEST describes the difference?

(A) Assessment A is quantitative; Assessment B is qualitative (B) Assessment A is qualitative; Assessment B is quantitative. B is more useful for justifying a specific security budget allocation. (C) Both assessments are quantitative because both describe the same risk (D) Assessment A is qualitative; Assessment B is quantitative. A is more useful because it is easier for executives to understand.

A — qualitative (uses a subjective label: HIGH). B — quantitative (uses dollar figures and formulas: SLE, ARO, ALE). B is more useful for budget justification: you can argue “spend up to $87,500/year on DDoS mitigation because that’s the ALE.” The trap in (D): while A is easier to understand, B is more useful for financial decisions — which is specifically what the question asks about. Qualitative has its own value (faster, broader risk overview) but not for specific budget allocation.

(A) Incorrect — reverses the classifications entirely.

(C) Incorrect — describing the same risk does not make them both quantitative; the method of measurement differs.

(D) Correctly identifies the types but wrong conclusion — quantitative is more useful for budget allocation decisions.

Q19 CIA Triad & Access Controls — Cross-Topic

A Vantex network engineer makes a configuration error that causes the loan origination system to be publicly accessible on the internet without authentication for 4 hours. During this window, an external party downloads the entire LoanApplications database. Audit logs show no data was modified.

Which CIA properties were violated, and which access control failure was the ROOT CAUSE?

(A) Confidentiality violated; root cause was failure of authentication — the system allowed access without verifying identity (B) Confidentiality and Integrity violated; root cause was failure of authorization — the external party had a role with too many permissions (C) Availability violated; root cause was a configuration error, not an access control failure (D) Confidentiality and Availability violated; root cause was failure of authentication combined with no network-layer firewall

Confidentiality was violated — sensitive data was disclosed to an unauthorized external party. Integrity was NOT violated — logs confirm no modification. Availability was NOT violated — the system was accessible (too accessible). The root cause was authentication failure: the system exposed a resource without requiring identity verification first. Authorization (what you can do) is irrelevant when authentication (who you are) was skipped entirely — authentication is always the prerequisite.

(B) Incorrect — Integrity was not violated (no modifications confirmed). Authorization failure implies an authenticated user had wrong permissions; here, there was no authentication at all.

(C) Incorrect — a misconfiguration that removes authentication is an access control failure.

(D) Incorrect — Availability was not violated (data was accessible, not unavailable). The firewall absence is secondary; the primary failure is missing authentication.

Q20 Unit 2 Integration — All Topics

Vantex’s CISO receives a board report with the following four security decisions: (I) Deployed two identical enterprise firewalls at the perimeter for redundancy. (II) Purchased cyber liability insurance to cover breach costs. (III) Set all employees to a single “AllAccess” RBAC role for convenience. (IV) Classified the risk of a SQL injection attack as HIGH severity with no further analysis.

Which of the four decisions represents a security BEST PRACTICE?

(A) Decision I — redundant firewalls provide defense-in-depth at the perimeter (B) Decision II — cyber insurance is a valid risk transfer strategy (C) Decision III — a single role simplifies RBAC administration and applies least privilege organization-wide (D) Decision IV — qualitative risk assessment is sufficient for all risk management decisions

Decision II is a best practice — cyber liability insurance is a legitimate and recognized risk transfer strategy (shifting financial impact to the insurer). Decision I is redundancy, not defense-in-depth. Decision III violates least privilege — “AllAccess” is the exact opposite. Decision IV uses qualitative assessment correctly, but stopping at HIGH with no follow-up ALE calculation means no budget justification and no mitigation plan — it’s incomplete risk management, not best practice.

(A) Incorrect — redundant identical firewalls are NOT defense-in-depth; they are redundancy within a single layer.

(C) Incorrect — a single “AllAccess” role is the direct opposite of least privilege; it grants maximum permissions to everyone.

(D) Incorrect — qualitative HIGH is a starting point, not a complete risk management decision; no mitigation strategy or budget justification follows.

Unit 2 Exam Complete

out of 20

Back to Course Hub Unit 2 Study Guide →

← Lesson 5 Quiz Course Hub Unit 2 Study Guide →

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

✓

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

Name *

Email *

I am a... (optional)

Which course? (optional)

Phone (optional)

How did you find us? (optional)

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Message (optional — leave blank if just subscribing)

Send me free AP CS exam tips — daily practice questions, study resources, and exam strategies. + 20% OFF TUTORING
Unsubscribe anytime.

✉

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

⏱

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]