AP Cybersecurity CED Explained
What’s on the AP Cybersecurity Exam: Every Topic, Explained
Last reviewed: March 2026 — reflects the official College Board AP Cybersecurity Course and Exam Description (CED). 2025–2026 is the national 2026–27 launch year.AP Cybersecurity is College Board’s newest course — and the first AP course directly tied to an industry credential. This page translates the CED into plain English for every topic across all five units: what it means, what the exam tests, and what trap most students fall into.
This is your first-mover advantage. The course launches nationally in Fall 2026. Students preparing now are building a foundation before the field gets crowded.
Students who earn a qualifying score on the AP Cybersecurity exam receive two things: potential college credit at participating institutions, and a free voucher for the CompTIA Security+ exam — the most widely recognized entry-level cybersecurity certification globally, valued at $350+. No other AP course offers this. CompTIA Security+ is required or preferred for thousands of government and private-sector cybersecurity positions.
AP Cybersecurity is in its first national pilot for 2025–2026. Only schools selected for the pilot take the exam in Spring 2026. The course launches broadly to all schools in Fall 2026, with the first national exam in May 2027. If your school is a pilot school, you are among the first students in the country to take this exam. If your school is not yet a pilot school, studying now means you are completely prepared when your school offers it in 2026–2027.
The 3 Core Skills That Thread Through Every Unit
Every topic in every unit is tied to one or more of three skills. The exam questions are framed around these skills — not just what you know, but what you can do with what you know.
Why these skills matter for the exam: When you see a question you’re unsure about, ask yourself: is this asking me to identify a threat (Analyze), prevent it (Mitigate), or find evidence it happened (Detect)? That framing will point you to the right answer.
Unit 1: Introduction to Security
Weeks 1–4 — social engineering, password attacks, wireless threats, AI-driven attacks, AI defenseUnit 1 establishes the foundational security concepts that everything else builds on. It focuses on threats that target humans and emerging technologies. No networking or device knowledge is needed yet — this is about understanding how attackers exploit people and wireless connections.
Social Engineering
In plain English: Social engineering attacks manipulate people psychologically rather than exploiting technical vulnerabilities. Phishing (email), vishing (voice), smishing (SMS), and pretexting are the main types. The attacker exploits trust, urgency, or authority to extract information or access.
Exam tests: Identifying types of social engineering attacks from scenario descriptions, distinguishing phishing from vishing from smishing, recognizing red flags in communications.
⚠ Trap:The exam describes a scenario and asks what type of attack it is. Phishing uses deceptive email. Vishing uses phone calls. Smishing uses text messages. Pretexting creates a fabricated scenario. The trap is confusing phishing (always email) with the others.
Password Attacks
In plain English: Common password attacks: brute force (try every combination), dictionary attacks (try common words/passwords), credential stuffing (try leaked username/password pairs from other breaches), and password spraying (try one common password against many accounts). Mitigations: strong passwords, MFA, account lockout policies.
Exam tests: Identifying which attack type matches a description, understanding why each mitigation works against specific attack types.
⚠ Trap:Account lockout stops brute force but not password spraying (which uses few attempts per account intentionally to avoid lockout). The exam tests this distinction specifically.
Wireless Security Risks
In plain English: Public Wi-Fi risks: evil twin attacks (fake access point mimicking a legitimate one), man-in-the-middle interception, and eavesdropping. War driving: scanning for wireless networks from a vehicle. Jamming: disrupting wireless signals. Mitigation: VPNs, HTTPS, avoiding sensitive transactions on public Wi-Fi.
Exam tests: Identifying wireless attack types from scenarios, knowing which mitigation addresses which threat.
⚠ Trap:An evil twin attack uses a legitimate-looking network name (SSID) to trick users into connecting. The attacker can then intercept all traffic. The trap: students confuse evil twin (active impersonation) with passive eavesdropping.
AI-Based Attacks
In plain English: Generative AI amplifies existing attacks: AI-generated phishing emails are more convincing and personalized at scale. Voice cloning (deepfake audio) enables vishing attacks that sound like trusted individuals. AI-generated images and video (deepfakes) can impersonate executives or create fake evidence.
Exam tests: Understanding how AI augments traditional attack methods, identifying AI-enabled attack scenarios.
⚠ Trap:AI-based attacks are harder to detect because they bypass signature-based defenses — the content looks and sounds legitimate. The exam asks what makes an AI-assisted attack more dangerous than the traditional version.
Leveraging AI in Cyber Defense
In plain English: AI can analyze massive logs for anomalies faster than humans. Machine learning models detect unusual patterns that indicate attacks. AI tools help prioritize alerts and reduce analyst fatigue. However, AI defenses can be fooled by adversarial inputs.
Exam tests: Understanding how AI is used in defensive security tools, knowing the limitations of AI-based defenses.
⚠ Trap:AI defense tools are not foolproof. Attackers can craft adversarial inputs that fool ML models. The exam tests whether you understand both the benefits AND the limitations of AI in defense.
Full reference: Unit 1 Study Guide
Unit 2: Securing Spaces
Weeks 5–10 — CIA triad, risk management, physical security, security controls, defense in depthUnit 2 introduces the conceptual framework for all of cybersecurity: risk. Before you can secure anything, you have to understand what you’re protecting, what threatens it, and how to evaluate trade-offs between security and cost.
Risk Fundamentals: Assets, Threats, Vulnerabilities
In plain English: An asset is anything worth protecting (data, hardware, people). A threat is a potential cause of harm. A vulnerability is a weakness that could be exploited. Risk = the likelihood a threat exploits a vulnerability and causes harm to an asset. All three must be present for risk to exist.
Exam tests: Distinguishing assets from threats from vulnerabilities in scenario descriptions, calculating or comparing risk levels.
⚠ Trap:A vulnerability alone is not a risk. A threat alone is not a risk. Risk requires all three components: an asset, a threat that targets it, and a vulnerability that allows the threat to succeed. The exam tests this distinction.
Risk Management Strategies
In plain English: Four strategies: Avoid (eliminate the activity causing the risk), Transfer (shift risk to another party, e.g., insurance), Mitigate (reduce likelihood or impact), Accept (acknowledge and do nothing). No strategy eliminates all risk — residual risk always remains.
Exam tests: Identifying which risk management strategy applies to a given scenario, understanding when each strategy is appropriate.
⚠ Trap:The exam gives a scenario and asks which strategy an organization is using. Transfer = cyber insurance or outsourcing. Mitigate = adding security controls. Accept = deciding the cost of mitigation exceeds the risk. Residual risk always remains after mitigation.
Security Controls
In plain English: Controls are categorized two ways. By type: Physical (locks, cameras), Technical (firewalls, encryption), or Managerial (policies, training). By function: Preventive (stop attacks), Detective (identify attacks), or Corrective (recover after attacks). Defense in depth uses multiple layers of controls.
Exam tests: Classifying a security control by both type and function, identifying gaps in a security posture.
⚠ Trap:The exam asks you to classify controls by BOTH dimensions. A security awareness training program is Managerial AND Preventive. A log monitoring system is Technical AND Detective. Don’t just identify one dimension.
Physical Security
In plain English: Physical attacks: tailgating (following authorized person through secure door), piggybacking (with the person’s knowledge), dumpster diving (retrieving discarded sensitive documents). Physical mitigations: mantraps, badge access, visitor logs, clean desk policy, shredding documents.
Exam tests: Identifying physical attack types, matching physical mitigations to specific threats.
⚠ Trap:Tailgating and piggybacking are distinct. Tailgating = unauthorized person sneaks in without authorized person’s knowledge. Piggybacking = authorized person holds the door open knowingly. The exam distinguishes them.
Defense in Depth
In plain English: Defense in depth is the strategy of using multiple layers of security controls so that if one layer fails, others still protect the asset. No single control is sufficient. Layers can include physical, network, host, application, and data controls.
Exam tests: Identifying which layer of defense a control belongs to, evaluating whether a security strategy has adequate depth.
⚠ Trap:Defense in depth is not about redundancy (having two of the same thing). It’s about diversity of control types across layers. Two firewalls is not defense in depth. A firewall + IDS + encryption + physical lock is defense in depth.
Full reference: Unit 2 Study Guide
Unit 3: Securing Networks
Weeks 11–18 — network attacks, firewalls, ACLs, VLANs, IDS/IPS/SIEMUnit 3 is the most technically detailed unit. It covers how network attacks work and the specific tools used to prevent and detect them. Understanding OSI/TCP-IP model basics helps, but the exam focuses on how security tools function, not deep networking theory.
Network Attack Types
In plain English: Key network attacks: DoS/DDoS (flood a server with traffic to make it unavailable), man-in-the-middle (attacker intercepts communication between two parties), ARP poisoning (redirect traffic by corrupting ARP tables), DNS spoofing (redirect users to malicious sites by corrupting DNS), port scanning (identify open ports to find attack surfaces).
Exam tests: Identifying attack types from scenario descriptions, understanding what each attack achieves.
⚠ Trap:DoS vs DDoS: DoS is from one source, DDoS uses many compromised systems (botnet) simultaneously. DDoS is much harder to block because you can’t simply block one IP address.
Firewalls and ACLs
In plain English: A firewall filters network traffic based on rules. ACLs (Access Control Lists) define which traffic is permitted or denied based on IP address, port, and protocol. Stateful firewalls track connection state. Next-generation firewalls (NGFW) inspect packet contents. Default deny: block all traffic unless explicitly permitted.
Exam tests: Reading and interpreting firewall rules, understanding what traffic a given ACL would permit or deny.
⚠ Trap:Default deny (block everything except what is explicitly allowed) is more secure than default permit (allow everything except what is explicitly blocked). The exam asks which approach is more secure — always default deny.
Network Segmentation and VLANs
In plain English: Network segmentation divides a network into zones to limit the spread of attacks. VLANs (Virtual Local Area Networks) create logical network segments on the same physical infrastructure. A DMZ (demilitarized zone) is a network segment for public-facing servers, isolated from the internal network.
Exam tests: Understanding why segmentation limits damage from a breach, identifying what belongs in a DMZ vs. internal network.
⚠ Trap:If an attacker compromises a system in a flat network, they can move laterally to all other systems. Segmentation contains the breach. The exam asks why a company would put a web server in a DMZ — to isolate it from the internal network.
Intrusion Detection and Prevention
In plain English: IDS (Intrusion Detection System) monitors traffic and alerts on suspicious activity but does not block it. IPS (Intrusion Prevention System) monitors and actively blocks suspicious traffic. Signature-based detection compares against known attack patterns. Anomaly-based detection identifies deviations from a baseline.
Exam tests: Distinguishing IDS from IPS, understanding signature vs. anomaly detection, knowing limitations of each.
⚠ Trap:IDS detects and alerts. IPS detects and blocks. The key distinction: IDS is passive, IPS is active. Signature-based systems cannot detect zero-day attacks (no known signature exists yet). Anomaly-based can, but generates more false positives.
SIEM and Log Analysis
In plain English: SIEM (Security Information and Event Management) aggregates logs from multiple systems and correlates events to identify threats. Logs are the primary evidence for detecting attacks that have already occurred. Key logs: authentication logs, firewall logs, system event logs.
Exam tests: Understanding what SIEM does, reading log entries to identify indicators of compromise.
⚠ Trap:SIEM does not prevent attacks — it detects them after the fact by correlating log data. A SIEM alert means an attack may be happening or may have happened. The exam asks what a SIEM is used for — detection and correlation, not prevention.
Full reference: Unit 3 Study Guide
Unit 4: Securing Devices
Weeks 19–26 — malware, authentication, device hardening, IoT security, forensic logsUnit 4 shifts from network-level security to individual device security. It covers the threats that target endpoints — computers, phones, and IoT devices — and the controls used to harden them.
Malware Types
In plain English: Major malware types: Virus (attaches to legitimate files, spreads when files are shared), Worm (self-replicates across networks without user action), Ransomware (encrypts files, demands payment), Trojan (disguises itself as legitimate software), Spyware (secretly monitors and transmits user activity), Rootkit (hides itself deep in the OS to evade detection).
Exam tests: Identifying malware type from behavioral description, understanding how each spreads.
⚠ Trap:Worms spread WITHOUT user action — they self-replicate. Viruses require a user to execute an infected file. The exam gives a scenario where malware is spreading and asks the type — if no user did anything, it’s a worm.
Authentication Factors and MFA
In plain English: Four authentication factor types: Knowledge (something you know — password, PIN), Possession (something you have — token, phone), Biometric (something you are — fingerprint, face), Location (somewhere you are — GPS, IP range). MFA requires two or more different factor types. Two passwords = not MFA.
Exam tests: Classifying authentication factors by type, understanding why MFA is stronger than single-factor authentication.
⚠ Trap:MFA requires factors from DIFFERENT categories. A password + security question is both Knowledge — that is single-factor authentication, not MFA. A password (Knowledge) + phone authenticator (Possession) IS MFA.
Device Hardening
In plain English: Device hardening reduces attack surface by removing unnecessary software, disabling unused services and ports, applying patches and updates, configuring host-based firewalls, and enforcing password complexity policies. Patch management ensures vulnerabilities are closed promptly.
Exam tests: Identifying hardening measures, understanding why each reduces risk, knowing that patching addresses known vulnerabilities.
⚠ Trap:Hardening is about removing or disabling things, not adding them. An unhardened device has many attack surfaces. Removing unused software and disabling unused ports reduces those surfaces. The exam asks which action hardens a device — the answer is usually removal or disabling.
IoT Security
In plain English: IoT devices (smart home devices, industrial sensors, medical devices) often have weak default credentials, lack patch support, and cannot run traditional security software. They expand the attack surface significantly. Best practices: change default passwords, isolate IoT devices on a separate network segment, apply firmware updates.
Exam tests: Understanding unique security challenges of IoT, identifying appropriate mitigations.
⚠ Trap:IoT devices are uniquely vulnerable because manufacturers often abandon security updates, default passwords are rarely changed, and the devices cannot run antivirus software. The exam asks what makes IoT security different from traditional endpoint security.
Forensic Log Analysis
In plain English: After an incident, security analysts review authentication logs, system event logs, and access logs to reconstruct what happened. Indicators of compromise (IoCs) in logs include: failed login attempts, logins at unusual times, access to unusual resources, large data transfers.
Exam tests: Reading log entries to identify suspicious activity, understanding what constitutes an IoC.
⚠ Trap:Forensic analysis is retrospective — it tells you what happened, not what is happening now. The exam gives you a log excerpt and asks you to identify the attack type or the attacker’s behavior from the evidence.
Full reference: Unit 4 Study Guide
Unit 5: Securing Applications and Data
Weeks 27–32 — application vulnerabilities, cryptography, encryption, hashing, PKIUnit 5 is the most abstract unit. It covers how data is protected at rest and in transit through cryptography, and how application-layer vulnerabilities are created and exploited. Cryptography concepts are tested conceptually — you do not need to perform calculations.
Application Vulnerabilities
In plain English: Applications become vulnerable through poor input handling. SQL injection: attacker inserts SQL commands into an input field to manipulate a database. Cross-site scripting (XSS): attacker injects malicious scripts into a web page viewed by other users. Input validation and parameterized queries are the primary mitigations.
Exam tests: Identifying SQL injection and XSS from scenario descriptions, understanding how each is exploited and mitigated.
⚠ Trap:SQL injection attacks the database by inserting commands in form fields. XSS attacks other USERS of the site by injecting scripts that run in their browsers. They target different victims.
Cryptography Fundamentals
In plain English: Encryption converts plaintext to ciphertext to protect confidentiality. Decryption reverses it. Encryption protects data at rest (stored files) and data in transit (network transmission). Encryption does not protect data integrity or authenticate identity on its own.
Exam tests: Understanding what encryption does and does not provide, knowing the difference between protecting data at rest vs. in transit.
⚠ Trap:Encryption ensures confidentiality but not integrity or authentication by itself. If an attacker modifies encrypted data, encryption will not detect the modification. That requires hashing or digital signatures.
Symmetric and Asymmetric Encryption
In plain English: Symmetric encryption: same key encrypts and decrypts (fast, but key distribution is a problem). AES is the standard symmetric algorithm. Asymmetric encryption: public key encrypts, private key decrypts (solves key distribution, but slower). RSA is the standard asymmetric algorithm. HTTPS uses asymmetric to exchange a symmetric session key.
Exam tests: Distinguishing symmetric from asymmetric encryption, understanding the key distribution problem, knowing AES and RSA.
⚠ Trap:Symmetric is fast but requires securely sharing the key first. Asymmetric solves this but is slower. HTTPS actually uses both: asymmetric encryption to securely exchange a symmetric key, then symmetric encryption for the session. The exam tests whether you understand why both are used.
PKI and Digital Certificates
In plain English: Public Key Infrastructure (PKI) is the system that manages digital certificates. A Certificate Authority (CA) issues certificates that bind a public key to an identity. Digital certificates enable HTTPS and verify that a website is what it claims to be. Certificate revocation handles compromised certificates.
Exam tests: Understanding how certificates verify identity, knowing what a CA does, recognizing certificate-related attacks.
⚠ Trap:A digital certificate is trusted because it was signed by a CA. If a CA is compromised, all certificates it issued become untrustworthy. The exam asks what a CA does and why trust in certificates depends on trust in the CA.
Hashing and Data Integrity
In plain English: A hash function converts data into a fixed-length value (hash/digest). The same input always produces the same hash. Any change to the input produces a completely different hash. Hashes cannot be reversed. Uses: verifying file integrity, storing passwords securely (hashed, not plaintext), digital signatures.
Exam tests: Understanding what hashing provides (integrity verification), knowing it is one-way, knowing password hashing.
⚠ Trap:Hashing is NOT encryption. You cannot decrypt a hash to get the original value. Passwords should be stored as hashes so that even if the database is stolen, attackers cannot recover plaintext passwords. The exam tests this distinction frequently.
Full reference: Unit 5 Study Guide
Frequently Asked Questions
Official source: This page is based on the College Board AP Cybersecurity Course and Exam Description (PDF). Always verify against the official document for the most current information.
Where to Go From Here
- AP Cybersecurity Complete Course Guide — Full course hub with all units, lessons, and exercises
- Unit 1 Study Guide — Social engineering, password attacks, wireless threats, AI
- Unit 2 Study Guide — Risk management, physical security, security controls
- Unit 3 Study Guide — Network attacks, firewalls, IDS/IPS, SIEM
- Unit 4 Study Guide — Malware, authentication, device hardening, IoT
- Unit 5 Study Guide — Cryptography, encryption, hashing, application security
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]