Harder scenarios · 4 questions · Spot the flaw, compare detections · 25–30 min
🎯 Before You Start
Exercise 1 trained single-category identification. Exercise 2 pushes further: blended scenarios with overlapping behaviors, analyst-report critiques, and detection-strategy tradeoffs. Expect tougher distractors — multiple options will feel plausible on first read. That is intentional.
Strategy: identify the ONE detail in the stem that eliminates each distractor. Slash the trash before you commit.
✎ Applied Challenge — 4 Questions
Question 1 of 4 — Multi-Select Evidence EvaluationA security analyst must decide whether an active incident is a ransomware outbreak or a worm. Which of the following observations would support classifying it as a worm rather than ransomware? Select ALL that apply. No credit for selecting incorrect options.
Question 2 of 4 — Spot the Error in the PlaybookA new incident responder wrote this playbook for detecting fileless malware. Which step is WRONG and why?
FILELESS MALWARE DETECTION - DRAFT
Step 1: Run full antivirus scan of the hard drive for known signatures.
Step 2: Check memory for suspicious PowerShell / WMI processes.
Step 3: Review EDR behavioral alerts for unusual child-process chains.
Step 4: Capture a memory dump before rebooting the machine.
Question 3 of 4 — Detection Strategy TradeoffAn organization is evaluating three detection approaches. Which statement BEST captures the tradeoff a CISO must weigh when choosing between signature-based detection and behavioral detection?
Question 4 of 4 — Attribute the Delivery VectorA school district’s MDM suddenly pushes a “routine security update” signed by the correct certificate. The update contains malware. Within hours, 2,000 student devices are compromised. Which delivery vector BEST describes how the malware arrived?
0 / 4Questions correct — review any incorrect answers above, then move to the Lab.
🚀 Extension Challenge
Pick one of the four malware families from Lesson 4.2 (virus, worm, trojan, ransomware, spyware, rootkit, botnet agent, fileless). Find one recent (2022 or later) real-world incident in that family. In 3–5 sentences, describe: (1) the delivery vector, (2) the payload’s goal, (3) how it was detected, and (4) what defenders could have done earlier to prevent it.
This is the exact structure AP Cyber FRQ-style scenario questions expect. Practicing it now pays off on exam day.
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed.
Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Typically responds within 24 hours
✓
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.