AP Cybersecurity Practice Exam: Full-Length 40 MCQ + 3 FRQ with Answers and Explanations

Full-Length Exam · 40 MCQ + 3 FRQ

AP Cybersecurity Practice Exam

A complete practice exam covering all 5 units with 40 scenario-based multiple choice questions and 3 free response questions. Interactive scoring with detailed explanations for every question.

By Tanner Crow, AP CS Teacher (11+ Years) · Aligned to the College Board Framework


Exam Overview

This practice exam simulates the AP Cybersecurity Exam experience with 40 multiple choice questions (Section 1) and 3 free response questions (Section 2). Questions are distributed across all five course units and test the three core skill categories: Analyze Risk, Mitigate Risk, and Detect Attacks.

How to take this exam: For each MCQ, read the scenario carefully, formulate your answer before looking at options, then select your choice and click “Check Answer.” For FRQs, attempt to write your response before clicking “Show Answer” to compare. For the best practice experience, try to complete all 40 MCQs in one sitting.

For a quick 15-question sampler, try our AP Cybersecurity Practice Questions page instead.


Section 1: Multiple Choice (40 Questions)


Unit 1: Introduction to Security

Questions 1–7

Question 1 · Unit 1 · Topic 1.1

A user receives a text message claiming to be from their bank: “ALERT: Unusual login detected on your account. Click here to verify your identity within 30 minutes or your account will be locked.” Which social engineering tactics are primarily being used in this message?

A. Familiarity and consensus, because the message pretends to be from a known institution and implies others would act quickly
B. Intimidation and urgency, because the message threatens a negative consequence and imposes a time deadline
C. Scarcity and authority, because the message implies limited time and comes from a position of power
D. Pretexting and familiarity, because the adversary created a believable scenario involving a trusted entity

✅ Correct Answer: B

The message uses intimidation (threatening account lockout — a negative consequence) and urgency (the 30-minute deadline pressures the target to act quickly without verifying). While authority is partially present (the bank is a trusted entity), the primary lever is the threat + deadline combination. Scarcity (C) refers to limited availability of something, not time pressure.

Question 2 · Unit 1 · Topic 1.2

A system administrator reviews an authentication log and notices the following pattern: 47 failed login attempts for the user account “admin” between 2:00 AM and 2:15 AM, all from IP address 203.0.113.45, followed by a successful login at 2:16 AM. Which type of attack does this evidence MOST likely indicate?

A. Social engineering, because the adversary manipulated the administrator into providing credentials
B. Credential stuffing, because the adversary used default administrative credentials
C. An online password attack, because many failed attempts from one source preceded a successful login
D. A rainbow table attack, because the adversary systematically tested pre-computed password hashes

✅ Correct Answer: C

The pattern of many rapid failed attempts from a single IP followed by success is characteristic of an online password attack (brute force or dictionary attack against a live authentication portal). Credential stuffing (B) uses stolen credentials and would typically show fewer attempts. A rainbow table attack (D) is an offline attack against a captured hash database, not a live login portal. Social engineering (A) does not produce this log pattern.
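The log pattern in Question 2 is also a straightforward detection rule. The following is an added example (not part of the original exam) that scans constructed authentication log lines for the "many failures from one source, then a success" sequence. The log format, the failure threshold of 5 and the 15-minute window are all assumptions chosen for the example; in a real SIEM you would tune them against your own baseline.

```python
# Added example (not part of the original exam): a small detector for the
# Question 2 pattern, a burst of failed logins from one source IP against one
# account, followed by a success.  Log lines are constructed for the example;
# the "<date> <time> <result> user=<name> src=<ip>" format is an assumption,
# not a real product's log format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: five failures for "admin" from 203.0.113.45 inside
# the 2:00-2:15 AM window, then a success at 2:16; one unrelated failure too.
SAMPLE_LOG = """\
2024-03-01 02:01:05 FAIL user=admin src=203.0.113.45
2024-03-01 02:01:09 FAIL user=admin src=203.0.113.45
2024-03-01 02:01:14 FAIL user=admin src=203.0.113.45
2024-03-01 02:03:41 FAIL user=admin src=203.0.113.45
2024-03-01 02:07:02 FAIL user=admin src=203.0.113.45
2024-03-01 02:10:30 FAIL user=jsmith src=198.51.100.7
2024-03-01 02:16:00 SUCCESS user=admin src=203.0.113.45
2024-03-01 02:20:00 SUCCESS user=jsmith src=198.51.100.7
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    date, time, result, user_kv, src_kv = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def find_password_attacks(log_text, threshold=5, window=timedelta(minutes=15)):
    """Return (src_ip, user, failure_count) for every SUCCESS that was
    preceded, within `window`, by at least `threshold` FAIL events for the
    same user from the same source IP.  Lines are processed in order, so a
    success closes the burst of failures that led up to it."""
    failures = defaultdict(list)   # (src, user) -> timestamps of recent FAILs
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, result, user, src = parse_line(raw)
        key = (src, user)
        # Keep only failures that are still inside the sliding window.
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if result == "FAIL":
            failures[key].append(ts)
        elif result == "SUCCESS":
            if len(failures[key]) >= threshold:
                findings.append((src, user, len(failures[key])))
            failures[key].clear()
    return findings


if __name__ == "__main__":
    for src, user, n in find_password_attacks(SAMPLE_LOG):
        print(f"possible online password attack: {n} failures then success "
              f"for user={user} from src={src}")
```

The detector keys on the (source IP, account) pair rather than the account alone, which is what separates this pattern from credential stuffing (many accounts, few attempts each) in the explanation above. A single failure from 198.51.100.7 followed by a success is ordinary user behaviour and is not reported.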

Question 3 · Unit 1 · Topic 1.3

An adversary drives through a business district with specialized equipment that detects wireless network signals extending outside buildings. The adversary records the SSID, encryption type, and signal strength of each network detected. This activity describes which type of attack?

A. War driving — the adversary is performing reconnaissance to identify wireless networks and their properties
B. An evil twin attack — the adversary is setting up a fake access point to intercept traffic
C. A jamming attack — the adversary is flooding the wireless frequency range to disrupt communications
D. ARP poisoning — the adversary is sending falsified ARP packets to redirect network traffic

✅ Correct Answer: A

War driving is when adversaries drive or walk around a target area to detect wireless network beacons, gathering information about SSIDs, encryption types, and areas where the signal extends beyond the physical building. This is a reconnaissance activity, not an active attack. An evil twin (B) involves setting up a fake access point. Jamming (C) involves disrupting signals. ARP poisoning (D) targets internal network tables, not wireless signals.

Question 4 · Unit 1 · Topic 1.4

An adversary uses a generative AI tool to craft a phishing email in perfect Japanese, targeting employees at a Tokyo-based company. The email contains no grammatical errors or unnatural phrasing. Which AI capability is the adversary primarily exploiting?

A. AI-powered voice cloning to impersonate a Japanese-speaking executive
B. AI-enhanced coding tools to write malware that bypasses Japanese antivirus software
C. AI reconnaissance tools that scan social media for personal information about targets
D. AI language generation that creates convincing phishing messages in any target language

✅ Correct Answer: D

The adversary is using a generative AI tool (LLM) to create phishing messages in a language they may not speak natively. The course framework specifically notes that AI allows adversaries to craft phishing messages in any language that read as though written by a native speaker, eliminating the traditional indicator of unnatural language in phishing emails. The scenario does not involve voice cloning (A), malware development (B), or social media reconnaissance (C).

Question 5 · Unit 1 · Topic 1.5

A security team uses an AI-powered tool to analyze application code and identify vulnerabilities. The AI tool recommends several code changes. According to AP Cybersecurity best practices, what should happen NEXT?

A. The AI tool should automatically implement the recommended changes and deploy to production
B. A knowledgeable programmer should review the recommendations before any changes are implemented
C. The security team should run the AI tool a second time to verify the initial recommendations
D. The AI tool’s recommendations should be ignored because AI cannot reliably analyze code

✅ Correct Answer: B

The course framework repeatedly emphasizes that AI recommendations should always be reviewed by a knowledgeable human before being implemented. This applies to code vulnerability fixes, firewall rule suggestions, and detection rules. AI should never automatically deploy changes (A). Running the tool again (C) does not substitute for human review. Ignoring AI entirely (D) wastes a valuable defensive tool.

Question 6 · Unit 1 · Topic 1.3

Consider the following statements about adversary classifications:

I. Low-skilled adversaries can only exploit known vulnerabilities using tools created by others.
II. High-skilled adversaries have the capacity to discover undocumented vulnerabilities known as zero days.
III. Adversary motivation is limited to financial gain.

Which of the statements above are correct?

A. I only
B. III only
C. I, II, and III
D. I and II only

✅ Correct Answer: D

Statement I is correct: low-skilled adversaries rely on tools created by others that exploit known vulnerabilities. Statement II is correct: high-skilled adversaries can create new tools, modify existing ones, and discover zero-day vulnerabilities. Statement III is incorrect: adversaries have a variety of motivations including greed, desire for recognition, dedication to a cause, revenge, politics, and beliefs.

Question 7 · Unit 1 · Topic 1.4

A company employee receives a video call from someone who appears to be the CEO, requesting an urgent transfer of proprietary files. The employee notices the CEO’s lip movements seem slightly out of sync with the audio. Which defense is MOST appropriate in this situation?

A. Use a pre-established shared secret to verify the caller’s identity before taking any action
B. Enable MFA on the video conferencing platform to prevent unauthorized logins
C. Install anti-malware software on the employee’s device to detect deepfake software
D. Avoid entering personal data into AI-powered tools to prevent data extraction

✅ Correct Answer: A

The scenario describes a likely deepfake video call using AI-generated voice and image. A shared secret (A) is the most direct defense — a phrase known only to the real CEO and trusted employees that verifies identity in high-stakes situations. MFA (B) protects account login but does not verify the identity of someone already on a call. Anti-malware (C) does not detect deepfakes on the caller’s end. Option D is a general AI safety practice unrelated to this specific attack.


Unit 2: Securing Spaces

Questions 8–16

Question 8 · Unit 2 · Topic 2.1

An adversary calls a company’s reception desk and says: “Hi, this is Dave from the IT department. I’m troubleshooting a server issue and need to verify some account credentials.” The adversary is not actually from the IT department. This social engineering tactic is BEST classified as:

A. Urgency — the adversary is creating a time-sensitive situation
B. Consensus — the adversary is implying that others have already complied
C. Pretexting combined with authority — the adversary created a believable reason and impersonated someone with power
D. Familiarity — the adversary is pretending to be someone the receptionist knows personally

✅ Correct Answer: C

The adversary uses pretexting (creating a believable story about troubleshooting a server issue) combined with authority (impersonating someone from the IT department, a position of power over technical matters). No time deadline is given (not urgency). The adversary does not claim others have complied (not consensus). Familiarity would require pretending to be a personal acquaintance, not just someone from a department.

Question 9 · Unit 2 · Topic 2.1

During a cyberattack, an adversary uses open source intelligence (OSINT) to gather publicly available information about a target organization from websites and social media. This activity occurs in which phase of a cyberattack?

A. Reconnaissance — gathering information about the target before launching an attack
B. Initial access — establishing a foothold on the target’s computer
C. Lateral movement — escalating privileges to access other systems
D. Evading detection — removing log files and evidence of the attack

✅ Correct Answer: A

The reconnaissance phase is when adversaries gather as much information as possible about their target, often using OSINT (freely available information from websites, social media, and public records). This happens before any active attack. Initial access (B) is establishing a foothold. Lateral movement (C) happens after access is gained. Evading detection (D) is the final phase.

Question 10 · Unit 2 · Topic 2.1

A company discovers that a former employee who was recently terminated has been accessing internal systems using credentials that were never deactivated. The former employee downloaded proprietary research data and sold it to a competitor. This adversary is BEST classified as:

A. A script kiddie motivated by recognition and using tools created by others
B. An insider adversary motivated by revenge who exploited legitimate credentials
C. A hacktivist motivated by a social or political cause
D. A cyberterrorist motivated by politics seeking to disrupt critical infrastructure

✅ Correct Answer: B

Insider adversaries are unique threats because they already have legitimate credentials and access. This former employee used credentials that were never revoked — legitimate access that should have been removed. The motivation (revenge after termination, plus financial gain from selling data) aligns with typical insider threat motivations. Script kiddies (A) lack the insider access described. Nothing indicates a social cause (C) or critical infrastructure disruption (D).

Question 11 · Unit 2 · Topic 2.1

A risk assessment determines that a specific vulnerability has a high likelihood of being exploited but would result in low severity of damage. The cost of mitigation significantly exceeds the potential financial loss. Which risk management strategy is MOST appropriate?

A. Risk avoidance — stop the activity generating the risk entirely
B. Risk mitigation — implement security controls to reduce the likelihood
C. Risk transference — purchase insurance to cover the potential loss
D. Risk acceptance — acknowledge the risk because the cost of mitigation exceeds the expected loss

✅ Correct Answer: D

When the cost of mitigation significantly exceeds the expected loss from an attack, risk acceptance is appropriate. The framework states that organizations favor solutions that are cost-effective — costing less to install and maintain than the expected loss. Since this vulnerability has low severity and mitigation is too expensive, accepting the residual risk is the most rational strategy.

Question 12 · Unit 2 · Topic 2.1

Which of the following BEST describes the relationship between confidentiality, integrity, and availability in the CIA triad?

A. They are three complementary principles that together define a comprehensive security posture, and a strong security strategy addresses all three
B. They are ranked in order of importance, with confidentiality always taking priority over integrity and availability
C. They are mutually exclusive — improving one necessarily degrades the others
D. They apply only to digital data and have no relevance to physical security controls

✅ Correct Answer: A

The CIA triad consists of three complementary principles that together form the foundation of information security. Confidentiality ensures only authorized access, integrity ensures data accuracy, and availability ensures access when needed. A defense-in-depth strategy addresses all three. They are not ranked (B) — the priority depends on context. They are not mutually exclusive (C). They apply to both digital and physical security (D).

Question 13 · Unit 2 · Topic 2.2

An adversary enters a restricted data center by walking closely behind an authorized employee who badges through a secure door. The employee does not notice the adversary following them. Which physical attack is this, and which control would MOST effectively prevent it?

A. Piggybacking; security awareness training to teach employees to check behind them
B. Shoulder surfing; a privacy screen filter on nearby workstations
C. Tailgating; an access control vestibule that only allows one person through at a time
D. Card cloning; requiring biometric authentication instead of badge access

✅ Correct Answer: C

This is tailgating because the adversary follows closely behind without the employee’s knowledge. (If the employee knowingly held the door, it would be piggybacking.) An access control vestibule (also called a mantrap) physically prevents more than one person from passing through at a time, directly stopping tailgating. Training (A) helps but is less reliable than a physical control. Shoulder surfing (B) involves watching someone enter credentials. Card cloning (D) addresses a different attack vector.

Question 14 · Unit 2 · Topic 2.3

A company’s workstation security policy requires employees to lock their computers before leaving their desks, use privacy screen filters, connect to surge protectors, and clear sensitive documents from their workstations. This policy is an example of which type of security control?

A. A physical control, because it involves tangible items like surge protectors and screen filters
B. A managerial control, because it is a set of rules and procedures that specify security requirements
C. A technical control, because it involves computer settings like screen locks
D. A corrective control, because it fixes problems after a security incident occurs

✅ Correct Answer: B

A security policy is a managerial control — it is a set of rules, guidelines, and procedures that specify what security measures should be in place. While the policy mentions physical items (surge protectors) and technical actions (locking computers), the policy itself is managerial. The individual items it mandates may be physical or technical controls, but the document that requires them is managerial.

Question 15 · Unit 2 · Topic 2.4

A security team is deciding where to place motion sensors in a corporate building. Which placement strategy would produce the FEWEST false alarms while still being effective?

A. In the main lobby where all employees enter and exit the building
B. In the employee cafeteria during lunch hours when traffic is heaviest
C. In open-plan office areas where employees work throughout the day
D. In the server room where traffic is unexpected and access is restricted to few people

✅ Correct Answer: D

Motion sensors should be placed in areas where traffic is unexpected, like server rooms or areas with restricted access. In high-traffic areas (lobbies, cafeterias, offices), motion sensors create many false alarms, which leads to alert fatigue — responders become accustomed to false alerts and take them less seriously. Server rooms (D) have minimal legitimate traffic, so any motion detected is genuinely suspicious.

Question 16 · Unit 2 · Topic 2.1

A risk assessment document includes the following entry: “Vulnerability: Unencrypted customer database. Asset value: $2.4 million. Likelihood: High (known exploit, low skill required). Severity: $800,000 estimated loss. Risk rating: 9/10.” This assessment uses which type of risk analysis?

A. Qualitative only, because it uses a numeric rating scale
B. Qualitative only, because it uses descriptive terms like “High”
C. A combination of quantitative and qualitative, because it uses both numeric values and descriptive terms
D. Quantitative only, because it assigns dollar amounts to the asset value and expected loss

✅ Correct Answer: C

This assessment uses both quantitative and qualitative methods. The quantitative elements include the dollar amounts ($2.4M asset value, $800K estimated loss) and the numeric rating (9/10). The qualitative element is the descriptive term “High” for likelihood. In practice, organizations often combine both approaches for a more complete risk picture.


Unit 3: Securing Networks

Questions 17–26

Question 17 · Unit 3 · Topic 3.1

An adversary sends falsified ARP packets to a network’s default gateway, causing the gateway’s ARP table to associate the target device’s IP address with the adversary’s MAC address. All traffic intended for the target now routes through the adversary’s device. This describes which type of attack?

A. MAC flooding — overwhelming a switch’s address table to force broadcast mode
B. ARP poisoning — modifying the ARP table to redirect traffic through the adversary’s device (an on-path attack)
C. DNS poisoning — planting fake DNS records to redirect browser traffic to malicious sites
D. A smurf attack — flooding the network with ICMP requests to create a denial of service

✅ Correct Answer: B

ARP poisoning sends falsified ARP packets to the default gateway, modifying its ARP table to link the target’s IP address with the adversary’s MAC address. This redirects traffic through the adversary, creating an on-path (man-in-the-middle) attack. MAC flooding (A) targets switch MAC tables with many different addresses. DNS poisoning (C) targets DNS records. A smurf attack (D) uses ICMP broadcasts.

Question 18 · Unit 3 · Topic 3.4

A network administrator needs a firewall that can inspect packet headers, track the state of active connections, perform deep packet inspection, and filter traffic by application type. Which type of firewall meets ALL of these requirements?

A. A stateless firewall, because it can filter by IP addresses, ports, and protocols
B. A stateful firewall, because it tracks connection states in addition to packet headers
C. A stateless firewall combined with a separate IDS for deep packet inspection
D. A next-generation firewall (NGFW), because it combines stateless and stateful capabilities with intrusion prevention and application-level filtering

✅ Correct Answer: D

A next-generation firewall (NGFW) has all capabilities of stateless and stateful firewalls plus advanced features including intrusion prevention, deep packet inspection, and filtering by application type. A stateless firewall (A) only filters by packet headers. A stateful firewall (B) adds connection tracking but not deep packet inspection or application filtering. The combination in (C) does not provide application-level filtering.

Question 19 · Unit 3 · Topic 3.4

A firewall has these ACL rules in order:

Rule 1: ALLOW inbound TCP port 443 from ALL
Rule 2: ALLOW inbound TCP port 22 from 10.0.0.0/8
Rule 3: DENY inbound TCP ALL from ALL

Which statement about this configuration is correct?

A. HTTPS traffic (port 443) is allowed from any source, SSH traffic (port 22) is allowed only from the 10.0.0.0/8 subnet, and all other inbound TCP traffic is denied
B. All inbound TCP traffic is denied because Rule 3 overrides Rules 1 and 2
C. SSH traffic from any source is allowed because Rule 2 permits traffic from the 10.0.0.0/8 range which includes all addresses
D. The rules create a conflict that would cause the firewall to fail to process any traffic

✅ Correct Answer: A

ACL rules are checked in order, and the first matching rule executes. Rule 1 allows HTTPS (443) from anywhere. Rule 2 allows SSH (22) only from 10.0.0.0/8. Rule 3 denies everything else. Rules do not override each other (B) — they execute sequentially. The 10.0.0.0/8 subnet (C) covers 10.0.0.0–10.255.255.255, not all addresses. ACL rule sets do not create conflicts (D) — the order resolves all ambiguity.
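First-match evaluation is easy to get wrong by hand, so here is an added example (not part of the original exam) that parses the three rules from Question 19 into a tiny constructed rule format and evaluates packets against them in order, using Python's ipaddress module for the 10.0.0.0/8 check. The rule syntax and the deny-by-default behaviour for packets no rule matches (for example UDP, which this rule set never mentions) are assumptions of the example, not a specific vendor's semantics.

```python
# Added example (not part of the original exam): first-match evaluation of
# the Question 19 access control list.  The one-line rule syntax below is a
# constructed mini-format for the example, not any vendor's ACL language.
import ipaddress

# The three rules from the question, in the order the firewall checks them.
RULES_TEXT = """\
ALLOW inbound TCP 443 from ALL
ALLOW inbound TCP 22 from 10.0.0.0/8
DENY inbound TCP ALL from ALL
"""


def parse_rules(text):
    """Parse rule lines into ordered (action, proto, port, network) tuples.
    A port or source of ALL becomes None, meaning "matches anything"."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, _direction, proto, port, _from, src = line.split()
        port = None if port == "ALL" else int(port)
        network = None if src == "ALL" else ipaddress.ip_network(src)
        rules.append((action, proto, port, network))
    return rules


def evaluate(rules, proto, dst_port, src_ip):
    """Return (action, rule_number) for the FIRST rule matching the packet.
    Later rules are never consulted once one matches, which is why Rule 3
    cannot "override" Rules 1 and 2."""
    addr = ipaddress.ip_address(src_ip)
    for number, (action, r_proto, r_port, r_net) in enumerate(rules, start=1):
        if r_proto != proto:
            continue
        if r_port is not None and r_port != dst_port:
            continue
        if r_net is not None and addr not in r_net:
            continue
        return action, number
    # Assumption for the example: packets matching no rule are dropped.
    # Many firewalls behave this way, but the question's rule set only
    # states the TCP rules, so treat this as a placeholder default.
    return "DENY", None


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    # Constructed packets: (protocol, destination port, source IP)
    for pkt in [("TCP", 443, "198.51.100.7"), ("TCP", 22, "10.20.30.40"),
                ("TCP", 22, "198.51.100.7"), ("TCP", 80, "10.1.1.1"),
                ("UDP", 53, "10.1.1.1")]:
        print(pkt, "->", evaluate(RULES, *pkt))
```

Note the last constructed packet: because every rule in the set names TCP, a UDP packet falls through to the implicit default rather than to Rule 3. Auditing a rule set for this kind of gap is the practical reason to test ACLs with sample packets rather than reading them alone.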

Question 20 · Unit 3 · Topic 3.3

A network architect places a web server that handles public customer requests in a network segment between two firewalls — one facing the public internet and one facing the internal corporate network. This segment is separate from the internal network where employee data is stored. This architecture describes a:

A. VLAN — a logical separation of devices on a central switch
B. VPN — an encrypted tunnel for remote access to the internal network
C. Screened subnet (DMZ) — a segment between the public internet and internal network for publicly-facing resources
D. Subnet created by port security on the switch to limit MAC addresses

✅ Correct Answer: C

A screened subnet (DMZ) sits between the public internet and the internal network, typically protected by firewalls on both sides. It holds publicly-facing resources (like web servers) to keep them separated from sensitive internal systems. VLANs (A) logically separate devices on switches but don’t describe this specific two-firewall architecture. A VPN (B) provides encrypted remote access. Port security (D) limits MAC addresses per port.

Question 21 · Unit 3 · Topic 3.5

A company’s SIEM system generates 500 alerts per day, but investigation reveals that 95% of them are false positives. Security analysts have started dismissing alerts without investigation because they assume most are false. This condition is known as:

A. A false negative, because real attacks are being missed by the detection system
B. A signature mismatch, because the detection rules are outdated
C. Anomaly-based detection failure, because the baseline was recorded on a compromised system
D. Alert fatigue, because the high false positive rate causes responders to take alerts less seriously

✅ Correct Answer: D

Alert fatigue occurs when responders become accustomed to false positives and begin taking alerts less seriously, assuming they are false before investigating. This is a critical risk because real attacks hidden among the false alerts may go uninvestigated. A false negative (A) is when detection misses an attack — here the system is detecting too much, not too little.

Question 22 · Unit 3 · Topic 3.5

A security team is choosing between signature-based and anomaly-based detection for a network that processes high volumes of traffic with inconsistent patterns due to seasonal business fluctuations. Which detection method is MOST appropriate and why?

A. Signature-based, because it is more efficient for high-volume traffic and does not require consistent baseline patterns
B. Anomaly-based, because it can detect novel attacks that signatures cannot
C. Anomaly-based, because the inconsistent patterns provide a more interesting baseline for analysis
D. Neither method is appropriate — the team should rely on manual log review instead

✅ Correct Answer: A

Signature-based detection is preferred here for two reasons: (1) it is more efficient for high-volume traffic because it runs faster than anomaly-based methods, and (2) anomaly-based detection requires consistent traffic patterns to establish a reliable baseline. With inconsistent seasonal patterns, anomaly detection would produce excessive false positives, as normal business fluctuations would appear anomalous.

Question 23 · Unit 3 · Topic 3.1

An adversary sends many Ethernet frames to a network switch, each with a different source MAC address. Once the switch’s MAC address table is full, the switch begins forwarding all frames to every port. The adversary’s goal in this attack is to:

A. Redirect specific traffic through the adversary’s device by modifying the ARP table
B. Capture all network traffic by forcing the switch into broadcast mode (eavesdropping)
C. Prevent legitimate users from accessing the network by flooding it with ICMP requests
D. Redirect browser traffic to a credential-harvesting website by poisoning DNS records

✅ Correct Answer: B

MAC flooding overwhelms a switch’s MAC address table, forcing the switch into broadcast mode. In broadcast mode, all frames are sent to every port, allowing the adversary to eavesdrop (sniff) all network traffic. This is distinct from ARP poisoning (A, which modifies gateway ARP tables), a smurf/DDoS attack (C, which uses ICMP), and DNS poisoning (D, which targets DNS records).

Question 24 · Unit 3 · Topic 3.2

A wireless security policy requires the following: users must authenticate through an EAP connected to an approved authentication server, all wireless traffic must be encrypted using AES with a minimum key length, and beacon frame broadcasting must be disabled. Disabling beacon frames primarily makes it harder for adversaries to:

A. Decrypt captured wireless traffic without the encryption key
B. Perform a denial of service attack against the wireless access point
C. Discover the existence and basic properties of the wireless network
D. Conduct a brute force attack against the authentication server

✅ Correct Answer: C

Beacon frames broadcast a network’s SSID and basic properties (like encryption protocols). Disabling beacon frame broadcasting makes it harder for adversaries to discover that the network exists and learn its basic properties — they would need to use more advanced techniques to detect the network. It does not affect encryption strength (A), DoS attacks (B), or authentication attacks (D).

Question 25 · Unit 3 · Topic 3.3

An adversary finds an open, unused network port in a conference room. They plug in their own wireless access point, creating a connection to the internal LAN. Authorized employees can now unknowingly connect to this adversary-controlled access point. This is known as:

A. An evil twin attack, because the adversary created a wireless network with a deceptive SSID
B. MAC spoofing, because the adversary is impersonating a legitimate device on the network
C. A smurf attack, because the adversary is sending traffic to the broadcast address
D. A rogue access point, because the adversary plugged an unauthorized WAP into the internal network

✅ Correct Answer: D

A rogue access point is created when an adversary plugs an unauthorized wireless access point into an open network port, gaining direct access to the internal LAN and potentially allowing wireless access from outside the physical space. While similar to an evil twin (A), the distinction is that a rogue AP is physically connected to the internal network, bypassing firewalls entirely. An evil twin mimics a legitimate network’s SSID but is not connected to the target’s infrastructure.

Question 26 · Unit 3 · Topic 3.5

A network administrator notices that no wireless devices in the building’s east wing can connect to the Wi-Fi network, while devices in all other areas connect normally. A scan reveals strong electromagnetic noise in the wireless frequency range localized to the east wing. This evidence indicates:

A. An evil twin attack targeting the east wing’s access point
B. A jamming attack flooding the east wing with electromagnetic interference in the wireless range
C. DNS poisoning affecting devices that connect through the east wing’s switch
D. ARP poisoning redirecting east wing traffic through an adversary’s device

✅ Correct Answer: B

A jamming attack floods a specific area with strong electromagnetic signals in the same frequency range as the wireless network, preventing legitimate traffic between the access point and users. The localized nature (only the east wing) and the detection of EM noise in the wireless range are the definitive indicators. An evil twin (A) would allow connections to a fake network, not prevent all connections. DNS poisoning (C) and ARP poisoning (D) do not affect wireless signal strength.


Unit 4: Securing Devices

Questions 27–34

Question 27 · Unit 4 · Topic 4.1

A manufacturing plant uses internet-connected sensors to monitor water pressure in pipes. These sensors have minimal processing power, limited storage, and run specialized instruction sets. They are connected to the internet for remote monitoring. These devices are BEST classified as:

A. Personal computers configured for industrial use
B. Server computers providing monitoring services
C. Handheld computers running on battery power
D. IoT devices with embedded computers designed for a specific function

✅ Correct Answer: D

IoT (Internet of Things) devices are everyday devices with embedded computers. The sensors have minimal processing power and storage, specialized instruction sets, and are connected to the internet — all characteristics of embedded/IoT devices. They are not personal computers (A), servers (B), or handheld devices (C). IoT devices are often uniquely vulnerable because they tend to be slower, cheaper, and harder to update.

Question 28 · Unit 4 · Topic 4.1

An employee downloads a free PDF converter tool from the internet. After installation, the employee’s computer begins running slowly, and an investigation reveals that the tool installed a hidden program giving an adversary remote access to the machine. The hidden program is BEST classified as:

A. A worm, because it spread from the internet to the employee’s computer without human interaction
B. A trojan containing a RAT, because malware was hidden in legitimate-looking software and provided remote access
C. Ransomware, because it is degrading the computer’s performance
D. A logic bomb, because it activated after installation when specific conditions were met

✅ Correct Answer: B

The malware was hidden inside software that appeared legitimate (a PDF converter) — the defining characteristic of a trojan. The hidden program providing remote access is a Remote Access Trojan (RAT). It is not a worm (A) because the employee actively downloaded and installed it (worms spread without human interaction). Slow performance alone does not indicate ransomware (C). A logic bomb (D) triggers on specific conditions, not immediately after installation.

Question 29 · Unit 4 · Topic 4.1

Consider the following malware descriptions:

I. Spreads from one computer to another without human interaction
II. Requires a user to execute or open a file to activate
III. Embeds in the operating system and can make itself invisible to detection tools

Which malware types do these descriptions correspond to, respectively?

A. I: Virus, II: Worm, III: Trojan
B. I: Trojan, II: Ransomware, III: Spyware
C. I: Worm, II: Virus, III: Rootkit
D. I: Worm, II: Logic bomb, III: Keylogger

✅ Correct Answer: C

Description I (spreads without human interaction) = Worm. Description II (requires user activation) = Virus. Description III (embeds in OS and hides from detection) = Rootkit. The key distinctions: viruses need user action while worms don’t, and rootkits are uniquely capable of controlling the OS and hiding themselves from detection tools.

Question 30 · Unit 4 · Topic 4.2

A cryptographic hash function produces a 256-bit output. Which of the following statements about this hash function is NOT true?

A. Given a hash output, the original input can be efficiently computed using the correct decryption key
B. The same input will always produce the same 256-bit hash output
C. Two different inputs could theoretically produce the same hash output, which is called a collision
D. The output length is always 256 bits regardless of the size of the input

✅ Correct Answer: A

Statement A is NOT true — cryptographic hash functions have pre-image resistance, meaning it is infeasible to determine the original input from the hash output. There is no “decryption key” for a hash because hashing is one-way, not encryption. Statements B (repeatability), C (collision possibility), and D (fixed output length) are all true properties of cryptographic hash functions.

Question 31 · Unit 4 · Topic 4.2

An adversary captures a company’s password database and discovers the passwords are hashed but not salted. The adversary has a pre-computed rainbow table. Against which of the following password configurations would the rainbow table attack be MOST effective?

A. A 24-character randomly generated password with mixed case, numbers, and symbols
B. A password that was hashed with SHA-512 instead of MD5
C. A password stored with a unique per-user salt before hashing
D. A common 8-character password like “Password1” that appears in widely-used password dictionaries

✅ Correct Answer: D

Rainbow tables are pre-computed mappings of common passwords to their hashes. They are most effective against short, common passwords (D) because these passwords are most likely to appear in the pre-computed table. A 24-character random password (A) is extremely unlikely to be in any rainbow table. SHA-512 vs. MD5 (B) does not affect the attack — rainbow tables can be built for any algorithm. Salting (C) would defeat the attack entirely, but the scenario states passwords are NOT salted.

Question 32 · Unit 4 · Topic 4.1

A hospital’s network monitoring system detects that an employee’s computer is sending data to an unknown external IP address at regular intervals. Investigation reveals no unauthorized software on the disk. The malicious code appears to be running in RAM and using legitimate system programs to exfiltrate data. This malware is BEST classified as:

A. A virus that activated when the employee opened a file
B. Ransomware that is encrypting and transmitting hospital data
C. Fileless malware that lives in RAM and uses legitimate programs to compromise the device
D. A keylogger that is recording and transmitting the employee’s keystrokes

✅ Correct Answer: C

Fileless malware is malicious code that lives in RAM (not on disk) and uses legitimate programs already installed on the device to compromise it. The key indicators are: no unauthorized software found on disk + code running in memory + using legitimate system programs. A virus (A) would leave files on disk. Ransomware (B) would encrypt files and display a ransom demand. A keylogger (D) records keystrokes specifically, not general data exfiltration.

Question 33 · Unit 4 · Topic 4.2

An organization’s security policy requires passwords to be at least 16 characters, use a mix of uppercase, lowercase, numbers, and special characters spread throughout the password, and enable MFA for all accounts. This policy MOST directly addresses which vulnerability?

A. Weak authentication that could be exploited by automated password attacks
B. Unpatched software that could be exploited by known vulnerability exploits
C. Open network ports that could allow adversaries to connect to devices
D. Missing anti-malware software that could leave devices vulnerable to trojans

✅ Correct Answer: A

The policy specifically targets authentication strength — longer passwords with distributed special characters resist brute force and dictionary attacks, while MFA adds an additional layer. This directly addresses the vulnerability of weak authentication being exploited by automated password attacks. The policy does not address software patching (B), open ports (C), or anti-malware (D).

Question 34 · Unit 4 · Topic 4.2

An adversary attempts the password “admin123” against 10,000 different user accounts on a corporate network, hoping that at least one user has this common password. This attack is BEST described as:

A. A brute force attack that tests all possible password combinations
B. Password spraying, because one common password is tested against many accounts
C. A dictionary attack that tests a list of common passwords against one account
D. Credential stuffing, because the adversary is using previously stolen credentials

✅ Correct Answer: B

Password spraying is when an adversary attempts a common password against many different user accounts. This differs from brute force (A, which tests all possible combinations against one account), a dictionary attack (C, which tests many common passwords against one account), and credential stuffing (D, which uses previously stolen username/password pairs).

Unit 5: Securing Applications and Data

Questions 35–40

Question 35 · Unit 5 · Topic 5.4

Two parties need to establish a secure communication channel over the internet. They have never communicated before and have no shared secret key. They decide to use asymmetric encryption to exchange a symmetric key, then switch to symmetric encryption for the actual data. Why is this combined approach used instead of using asymmetric encryption for all data?

A. Asymmetric encryption is significantly slower than symmetric encryption, so the combined approach uses asymmetric only for the small key exchange and symmetric for the faster bulk data encryption
B. Asymmetric encryption cannot encrypt large files, so symmetric encryption is required for any data larger than the key size
C. Symmetric encryption is more secure than asymmetric encryption, so it should be used whenever possible
D. Asymmetric encryption requires both parties to share a secret key in advance, which symmetric encryption does not

✅ Correct Answer: A

The combined approach exists because asymmetric encryption is significantly slower than symmetric encryption. It is computationally expensive for large amounts of data. By using asymmetric encryption only for the small key exchange (solving the key distribution problem) and then switching to the faster symmetric algorithm for bulk data, systems get the best of both approaches. Option D reverses the key-sharing properties — symmetric requires a shared key, asymmetric does not.

Question 36 · Unit 5 · Topic 5.4

A company needs to verify that a downloaded software update has not been tampered with during transit. The software vendor publishes a SHA-256 hash of the original file on their website. After downloading the update, the company should:

A. Decrypt the file using the vendor’s public key and compare the plaintext to the expected content
B. Encrypt the file using AES and verify the ciphertext matches the published hash
C. Compute the SHA-256 hash of the downloaded file and compare it to the vendor’s published hash
D. Submit the file to an AI-powered tool that can determine if the file has been modified

✅ Correct Answer: C

Because hash functions are repeatable (same input = same output), computing the SHA-256 hash of the downloaded file and comparing it to the vendor’s published hash verifies data integrity. If the hashes match, the file has not been modified. Hashing is not encryption (A), so there is no decryption step. AES encryption (B) is unrelated to integrity verification. While AI (D) could help, the standard and most direct method is hash comparison.
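The integrity check from Question 36, and the fixed-length and one-way properties from Question 30, as an added example that is not part of the original exam. The "downloaded update" bytes and the "published" hash are constructed here; the update is hashed in chunks the way a real file would be, and a single flipped bit is enough to make the comparison fail.

```python
import hashlib
import hmac
import io

# Constructed stand-in for the downloaded update and for the hash the vendor
# would publish for the original file (computed here; not a real vendor value).
ORIGINAL_UPDATE = b"example-update-v1.0\n" + bytes(range(256)) * 4
PUBLISHED_SHA256 = hashlib.sha256(ORIGINAL_UPDATE).hexdigest()


def sha256_of_stream(stream, chunk_size: int = 64 * 1024) -> str:
    """Hash a file-like object in chunks, so a large update never has to be
    loaded into memory at once. The digest is 256 bits (64 hex characters)
    whatever the size of the input."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_bytes(data: bytes) -> str:
    return sha256_of_stream(io.BytesIO(data))


def verify_download(data: bytes, published_hex: str) -> bool:
    """Recompute SHA-256 over the downloaded bytes and compare it with the
    vendor's published value. hmac.compare_digest keeps the comparison
    constant-time; strip()/lower() normalise hex copied from a web page."""
    computed = sha256_of_bytes(data)
    return hmac.compare_digest(computed, published_hex.strip().lower())


def flip_one_bit(data: bytes, offset: int) -> bytes:
    """Simulate in-transit tampering: change a single bit of the payload."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    print("untouched download verifies:", verify_download(ORIGINAL_UPDATE, PUBLISHED_SHA256))
    tampered = flip_one_bit(ORIGINAL_UPDATE, 100)
    print("one-bit change still verifies:", verify_download(tampered, PUBLISHED_SHA256))
    print("digest length in hex characters:", len(PUBLISHED_SHA256))
```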

Question 37 · Unit 5 · Topic 5.5

A web application allows users to enter their name in a form field. An adversary enters a string that causes the application to execute unintended commands on the database server, returning records from a table the application was never designed to access. Which TWO practices would MOST effectively prevent this vulnerability?

I. Input validation — checking that user input conforms to expected formats
II. Encrypting the database with AES-256
III. Input sanitization — removing or escaping potentially dangerous characters from user input
IV. Enabling MFA for database administrators

A. II and IV only
B. I and III only
C. I and II only
D. III and IV only

✅ Correct Answer: B

Input validation (I) checks that user input conforms to expected formats (rejecting unexpected characters), and input sanitization (III) removes or escapes potentially dangerous characters before they reach the database. Together, they directly prevent injection attacks by ensuring user input cannot be interpreted as commands. Database encryption (II) protects data at rest but does not prevent the application from executing malicious queries. MFA for admins (IV) controls access but does not address the application’s input handling vulnerability.
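The vulnerability in Question 37 beside its hardened form, as an added example that is not part of the original exam. The in-memory SQLite table and its rows are constructed; validation (practice I) is a name-shaped regular expression, and the escaping of practice III is done by binding the value as a query parameter, a mechanism the question does not name but which is the standard way to make user input reach the database as data rather than SQL.

```python
import re
import sqlite3

# Validation rule (practice I): a display name is letters, spaces, hyphens or
# apostrophes, 1-64 characters. Apostrophes are legitimate ("O'Brien"), which
# is exactly why validation on its own cannot be the only defence.
NAME_PATTERN = re.compile(r"[A-Za-z][A-Za-z '\-]{0,63}")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's records."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("Alice Chen", "alice@example.org"),
         ("Dana O'Brien", "dana@example.org"),
         ("Ravi Patel", "ravi@example.org")],
    )
    conn.commit()
    return conn


def validate_name(name: str) -> bool:
    return NAME_PATTERN.fullmatch(name) is not None


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Concatenating the form field straight into the query lets the database
    read user input as SQL. This is the flaw the question describes; note that
    it also breaks on a perfectly legitimate name containing an apostrophe."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_bound(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding (practice III, performed by the driver): the value is
    sent separately from the statement, so quotes inside it are data, not syntax."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Both practices together: reject input that does not look like a name,
    then bind whatever survives."""
    if not validate_name(name):
        raise ValueError("name failed input validation")
    return lookup_bound(conn, name)


if __name__ == "__main__":
    db = build_db()
    print(lookup_hardened(db, "Dana O'Brien"))   # the apostrophe is handled correctly
    try:
        lookup_vulnerable(db, "Dana O'Brien")
    except sqlite3.OperationalError as exc:
        print("vulnerable query failed on a legitimate name:", exc)
```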

Question 38 · Unit 5 · Topic 5.4

A user sends an encrypted email to a colleague using the colleague’s public key. Which statement about this communication is correct?

A. Anyone with the sender’s public key can decrypt and read the email
B. The email can be decrypted using the colleague’s public key
C. The email can only be decrypted by the sender using their private key
D. The email can only be decrypted by the colleague using their private key

✅ Correct Answer: D

In asymmetric encryption, data encrypted with a public key can only be decrypted with the corresponding private key. Since the email was encrypted with the colleague’s public key, only the colleague’s private key can decrypt it. The public key cannot decrypt what it encrypted (B). The sender’s keys are not involved in decryption (A, C).

Question 39 · Unit 5 · Topic 5.4

A Certificate Authority (CA) issues a digital certificate to a company’s web server. The primary purpose of this digital certificate is to:

A. Bind the server’s public key to the company’s verified identity, enabling users to trust they are communicating with the legitimate server
B. Encrypt all data stored on the server using the CA’s private key
C. Replace the need for symmetric encryption by providing a permanent asymmetric key for all communications
D. Prevent adversaries from performing denial of service attacks against the server

✅ Correct Answer: A

A digital certificate issued by a CA binds a public key to a verified identity, creating a chain of trust. When users connect to the server, they can verify (through the CA’s signature on the certificate) that the public key truly belongs to the legitimate company, not an impersonator. Certificates do not encrypt stored data (B), do not eliminate the need for symmetric encryption (C), and do not prevent DoS attacks (D).

Question 40 · Unit 5 · Topic 5.5

Consider the following statements about encryption and hashing:

I. Encryption is a two-way process — data can be encrypted and then decrypted with the appropriate key.
II. Hashing is a one-way process — the original input cannot be recovered from the hash output.
III. AES is a hashing algorithm commonly used to verify data integrity.

Which of the statements above are correct?

A. I only
B. III only
C. I and II only
D. I, II, and III

✅ Correct Answer: C

Statement I is correct: encryption is two-way (encrypt with a key, decrypt with a key). Statement II is correct: hashing is one-way with pre-image resistance. Statement III is incorrect: AES (Advanced Encryption Standard) is a symmetric encryption algorithm, not a hashing algorithm. Hashing algorithms include SHA-256, SHA-512, and MD5. This distinction between encryption and hashing is fundamental to the course.


Section 2: Free Response (3 Questions)

For each FRQ, read the scenario and all parts carefully. Write your response on paper or in a text editor before clicking “Show Answer” to compare with the sample response. Points are noted for each part.

Free Response Question 1 · Units 1–2

Physical Security Risk Assessment

Scenario

You are a security consultant hired to assess the physical security of Greenfield Community Library. The library is open to the public from 8 AM to 9 PM daily. During your assessment, you observe the following:

• The server room containing the library’s patron database (names, addresses, library card numbers) is located in the basement. The door has a standard key lock, and the key is kept at the front circulation desk in an unlabeled drawer.
• The basement hallway leading to the server room has no cameras or motion sensors.
• Library staff use a shared computer at the circulation desk. The computer remains logged in throughout the day and is never locked when staff step away. The computer connects to the same network as the server.
• The library’s Wi-Fi network is open (no password required) and uses the SSID “Greenfield-Library.”
• A recently posted sign near the entrance reads: “Free Wi-Fi! Network: Greenfield-Library”

(a) Identify THREE distinct physical or security vulnerabilities from the scenario above. For each vulnerability, explain what asset is at risk and how an adversary could exploit it. (3 points)

Sample Response

Vulnerability 1: The server room key is kept in an unlabeled drawer at a public-facing desk. An adversary could observe staff accessing the drawer (shoulder surfing) or access the drawer when staff step away, gaining physical access to the server room and the patron database (compromising confidentiality of patron data).

Vulnerability 2: The circulation desk computer remains logged in and unlocked when staff step away. An adversary posing as a patron could access the computer and potentially reach the patron database or other internal systems through the shared network connection (compromising confidentiality and integrity of data).

Vulnerability 3: The open Wi-Fi network with a publicly advertised SSID creates an opportunity for an adversary to set up an evil twin access point with the same or similar SSID. Patrons could unknowingly connect to the adversary’s network, allowing the adversary to capture their traffic including login credentials (compromising patron confidentiality).

(b) For each vulnerability identified in part (a), recommend a specific security control and classify it as physical, technical, or managerial. Explain how each control mitigates the associated risk. (3 points)

Sample Response

For Vulnerability 1: Replace the standard key lock with an electronic badge reader that logs entries (physical control). This prevents unauthorized access because only authorized badges grant entry, and all access is recorded for investigation.

For Vulnerability 2: Implement a workstation security policy requiring staff to lock computers before leaving them unattended, with automatic screen lock after 2 minutes of inactivity (managerial control for the policy; technical control for the auto-lock setting). This prevents unauthorized access to the logged-in session.

For Vulnerability 3: Enable WPA3 encryption on the library’s wireless network and require a password to join (technical control). This makes it harder for adversaries to create convincing evil twin networks because the legitimate network requires authentication. Additionally, disable SSID beacon broadcasting to make the network less discoverable.

(c) Explain why a defense-in-depth strategy is important for the library’s server room specifically, and describe how at least TWO layers of defense would work together. (2 points)

Sample Response

Defense-in-depth uses multiple layers of security controls so that if one layer is bypassed, another still protects the asset. For the server room:

Layer 1 — Physical: An electronic badge reader on the server room door controls who can enter, and only authorized IT staff badges are programmed for access.

Layer 2 — Detective: A camera in the hallway leading to the server room records all activity, providing both a deterrent and evidence for investigation if a breach occurs.

These layers work together: even if an adversary clones a badge (bypassing Layer 1), the camera (Layer 2) captures their entry, enabling detection and response. No single control is sufficient because each can be defeated individually — defense-in-depth provides resilience through redundancy.

Free Response Question 2 · Unit 3

Network Security Configuration

Scenario

You are a network security engineer at Coastal Medical Group, a healthcare organization with two networks:

Internal Network: Contains the Electronic Health Records (EHR) server, employee workstations, and a file server with patient billing data.
Public Network Segment: Contains a web server that allows patients to schedule appointments and view test results online.

Currently, both networks share a single firewall with the following ACL rules (in order):

Rule 1: ALLOW inbound TCP port 443 from ALL
Rule 2: ALLOW inbound TCP port 80 from ALL
Rule 3: ALLOW inbound TCP port 22 from ALL
Rule 4: DENY inbound TCP ALL from ALL

The organization has experienced unauthorized SSH login attempts from external IP addresses targeting the EHR server.

(a) Identify TWO network security vulnerabilities in the current configuration that could put patient data at risk. For each vulnerability, explain the potential impact. (2 points)

Sample Response

Vulnerability 1: Rule 3 allows SSH (port 22) from ALL sources, including external IP addresses. This means anyone on the internet can attempt to log in to internal servers via SSH, which is how the unauthorized login attempts against the EHR server are occurring. The potential impact is unauthorized access to patient health records (compromising confidentiality and integrity).

Vulnerability 2: The public web server and the internal EHR/billing servers share the same network without segmentation. If an adversary compromises the web server (which is exposed to the public), they can move laterally to the internal network and access sensitive patient data. This violates the principle of network segmentation and defense-in-depth.

(b) Rewrite the firewall ACL rules to address the vulnerabilities you identified. Your new rules should allow patients to access the web server, restrict SSH to the internal network only, and deny all other inbound traffic. Write the rules in order. (3 points)

Sample Response

Revised ACL Rules (in order):

Rule 1: ALLOW inbound TCP port 443 from ALL
Rule 2: ALLOW inbound TCP port 80 from ALL
Rule 3: ALLOW inbound TCP port 22 from 10.0.0.0/8
Rule 4: DENY inbound TCP ALL from ALL

The key change is Rule 3: SSH is now restricted to the internal subnet (10.0.0.0/8 as an example) instead of ALL sources. This blocks external SSH attempts while allowing internal administrators to manage servers. Rules 1 and 2 remain unchanged because patients need public access to the web server via HTTPS and HTTP. Rule 4 denies all other traffic.
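The first-match evaluation that the ordered rule lists above rely on, as an added example that is not part of the original exam. It parses the scenario's own rule syntax, evaluates the original and revised rule sets for a few constructed connections (203.0.113.5 is an address from the documentation range, standing in for an external host), and shows why order matters: the same rules with the catch-all deny moved to the top block everything.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# The original and revised rule sets from the scenario, verbatim.
ORIGINAL_RULES = [
    "Rule 1: ALLOW inbound TCP port 443 from ALL",
    "Rule 2: ALLOW inbound TCP port 80 from ALL",
    "Rule 3: ALLOW inbound TCP port 22 from ALL",
    "Rule 4: DENY inbound TCP ALL from ALL",
]
REVISED_RULES = [
    "Rule 1: ALLOW inbound TCP port 443 from ALL",
    "Rule 2: ALLOW inbound TCP port 80 from ALL",
    "Rule 3: ALLOW inbound TCP port 22 from 10.0.0.0/8",
    "Rule 4: DENY inbound TCP ALL from ALL",
]


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                               # "ALLOW" or "DENY"
    port: Optional[int]                       # None means ALL ports
    source: Optional[ipaddress.IPv4Network]   # None means ALL sources

    def matches(self, port: int, src: ipaddress.IPv4Address) -> bool:
        port_ok = self.port is None or self.port == port
        src_ok = self.source is None or src in self.source
        return port_ok and src_ok


def parse_rule(line: str) -> Rule:
    """Parse the exam's syntax, e.g. 'Rule 3: ALLOW inbound TCP port 22 from 10.0.0.0/8'."""
    name, _, body = line.partition(":")
    tokens = body.split()      # ['ALLOW', 'inbound', 'TCP', 'port', '22', 'from', '10.0.0.0/8']
    action = tokens[0].upper()
    if action not in ("ALLOW", "DENY"):
        raise ValueError(f"unknown action in {line!r}")
    port = int(tokens[tokens.index("port") + 1]) if "port" in tokens else None
    src_token = tokens[tokens.index("from") + 1]
    source = None if src_token.upper() == "ALL" else ipaddress.ip_network(src_token)
    return Rule(name.strip(), action, port, source)


def evaluate(rules: List[Rule], port: int, src_ip: str) -> str:
    """First-match semantics: rules are checked in order and the first one that
    matches decides. A packet no rule matches is denied (implicit default deny)."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(port, src):
            return f"{rule.action} ({rule.name})"
    return "DENY (implicit)"


def decision(rule_lines: List[str], port: int, src_ip: str) -> str:
    """Convenience wrapper returning just ALLOW or DENY for a rule list in text form."""
    return evaluate([parse_rule(line) for line in rule_lines], port, src_ip).split()[0]


if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL_RULES), ("revised", REVISED_RULES)):
        print(label, "SSH from internet :", decision(rules, 22, "203.0.113.5"))
        print(label, "SSH from internal :", decision(rules, 22, "10.20.30.40"))
        print(label, "HTTPS from internet:", decision(rules, 443, "203.0.113.5"))
```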

(c) Recommend a network architecture change that would further protect the EHR server, and explain which detection tool you would deploy to monitor for attacks on the internal network. Justify your choices. (3 points)

Sample Response

Architecture change: Create a screened subnet (DMZ) for the public web server, placing it between two firewalls — one facing the internet and one facing the internal network. The EHR server and billing data remain on the internal network behind the second firewall. This ensures that even if the web server is compromised, the adversary still faces an additional firewall before reaching patient data.

Detection tool: Deploy a SIEM (Security Information and Event Management) system on the internal network. A SIEM collects and analyzes data from multiple sources (firewalls, server logs, IDS alerts, application logs) to detect patterns that may indicate a cyberattack. For a healthcare environment with sensitive patient data, SIEM provides the comprehensive monitoring needed to detect lateral movement, unauthorized access attempts, and data exfiltration. The consistent traffic patterns of a medical office make anomaly-based detection within the SIEM effective for identifying unusual activity.

Free Response Question 3 · Units 4–5

Device Compromise Investigation

Scenario

You are a forensic analyst at a financial services company. The security team has detected suspicious activity on the network and has asked you to investigate. They provide you with the following evidence from an employee workstation (Workstation-47):

Authentication Log (excerpt):
03-07 08:15:22   jsmith   Login     SUCCESS   Workstation-47
03-07 08:17:05   jsmith   Login     SUCCESS   FileServer-02
03-07 12:30:00   jsmith   Logout    SUCCESS   Workstation-47
03-07 23:41:12   admin    Login     FAIL     Workstation-47
03-07 23:41:18   admin    Login     FAIL     Workstation-47
03-07 23:41:25   admin    Login     FAIL     Workstation-47
03-07 23:41:33   admin    Login     FAIL     Workstation-47
03-07 23:42:01   admin    Login     SUCCESS   Workstation-47
03-07 23:43:17   admin    Login     SUCCESS   FileServer-02
03-07 23:44:55   admin    Login     SUCCESS   EHR-Server-01
03-08 00:12:33   admin    Logout    SUCCESS   EHR-Server-01

Additional findings: No malware files were found on Workstation-47’s hard drive, but memory analysis reveals unknown code running in RAM that is communicating with an external IP address. The company’s passwords are hashed with SHA-256 but are not salted.

(a) Analyze the authentication log and identify at least THREE indicators of compromise (IoCs). For each IoC, explain why it is suspicious. (3 points)

Sample Response

IoC 1: Four rapid failed login attempts for the “admin” account at 23:41 (within 21 seconds) followed by a successful login at 23:42. This pattern indicates an automated online password attack (likely brute force or dictionary attack) that eventually succeeded.

IoC 2: The admin login occurred at 23:41 (11:41 PM), which is well outside normal business hours. Login attempts at unusual times are a recognized indicator of an attack per the course framework.

IoC 3: After gaining access to Workstation-47 with the admin account, the adversary logged into FileServer-02 and EHR-Server-01 within minutes. This is evidence of lateral movement — the adversary escalated privileges by compromising an admin account and used it to access more sensitive systems.
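The three IoCs from part (a) as detection logic run over the scenario's log, added here as an example that is not part of the original exam. The year, the business-hours window (07:00 to 19:00), the failure threshold and the correlation windows are assumptions chosen for this excerpt; lateral movement is only reported for accounts already flagged by the failed-then-successful pattern, which is what keeps jsmith's ordinary morning file-server login out of the findings.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The authentication log excerpt from the scenario, embedded so this runs offline.
AUTH_LOG = """\
03-07 08:15:22   jsmith   Login     SUCCESS   Workstation-47
03-07 08:17:05   jsmith   Login     SUCCESS   FileServer-02
03-07 12:30:00   jsmith   Logout    SUCCESS   Workstation-47
03-07 23:41:12   admin    Login     FAIL     Workstation-47
03-07 23:41:18   admin    Login     FAIL     Workstation-47
03-07 23:41:25   admin    Login     FAIL     Workstation-47
03-07 23:41:33   admin    Login     FAIL     Workstation-47
03-07 23:42:01   admin    Login     SUCCESS   Workstation-47
03-07 23:43:17   admin    Login     SUCCESS   FileServer-02
03-07 23:44:55   admin    Login     SUCCESS   EHR-Server-01
03-08 00:12:33   admin    Logout    SUCCESS   EHR-Server-01
"""

YEAR = 2024                          # assumed: the excerpt carries no year
BUSINESS_HOURS = (7, 19)             # assumed: 07:00-19:00 counts as normal hours
FAIL_THRESHOLD = 3                   # failures inside FAIL_WINDOW that make a burst
FAIL_WINDOW = timedelta(seconds=60)
LATERAL_WINDOW = timedelta(minutes=10)


def parse_log(text: str) -> list:
    """One dict per line; the excerpt's fields are whitespace-separated."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, user, event, result, host = line.split()
        ts = datetime.strptime(f"{YEAR}-{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "user": user, "event": event, "result": result, "host": host})
    return sorted(events, key=lambda e: e["ts"])


def detect_guessing(events: list) -> list:
    """IoC 1: a burst of failures on one account/host followed, inside the window,
    by a success: the signature of an online password attack that worked."""
    findings, fails = [], defaultdict(list)
    for e in (e for e in events if e["event"] == "Login"):
        key = (e["user"], e["host"])
        if e["result"] == "FAIL":
            fails[key] = [t for t in fails[key] if e["ts"] - t <= FAIL_WINDOW] + [e["ts"]]
        elif len(fails[key]) >= FAIL_THRESHOLD and e["ts"] - fails[key][-1] <= FAIL_WINDOW:
            findings.append({"user": e["user"], "host": e["host"],
                             "failures": len(fails[key]), "ts": e["ts"]})
            fails[key] = []
        else:
            fails[key] = []
    return findings


def detect_off_hours(events: list) -> list:
    """IoC 2: successful logins outside the assumed business-hours window."""
    start, end = BUSINESS_HOURS
    return [e for e in events if e["event"] == "Login" and e["result"] == "SUCCESS"
            and not (start <= e["ts"].hour < end)]


def detect_lateral_movement(events: list, suspect_logins: list) -> list:
    """IoC 3: after a suspect success, the same account reaches other hosts
    within LATERAL_WINDOW. Correlating with IoC 1 avoids flagging normal work."""
    findings = []
    for s in suspect_logins:
        hosts = []
        for e in events:
            if (e["user"] == s["user"] and e["event"] == "Login" and e["result"] == "SUCCESS"
                    and e["host"] != s["host"] and s["ts"] < e["ts"] <= s["ts"] + LATERAL_WINDOW
                    and e["host"] not in hosts):
                hosts.append(e["host"])
        if hosts:
            findings.append({"user": s["user"], "from": s["host"], "to": hosts})
    return findings


def analyze(text: str) -> dict:
    events = parse_log(text)
    guessing = detect_guessing(events)
    return {"password_guessing": guessing,
            "off_hours": detect_off_hours(events),
            "lateral_movement": detect_lateral_movement(events, guessing)}


if __name__ == "__main__":
    for ioc, hits in analyze(AUTH_LOG).items():
        print(ioc, "->", hits)
```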

(b) Based on the additional findings, identify the type of malware present on Workstation-47 and explain why the company’s password storage practice made the attack easier. Recommend a specific improvement. (3 points)

Sample Response

Malware type: The evidence describes fileless malware — no malicious files were found on disk, but unknown code was detected running in RAM and communicating with an external IP. Fileless malware uses legitimate system programs to operate and is harder to detect because it leaves no files for traditional anti-malware to scan.

Password storage weakness: The passwords are hashed with SHA-256 but are not salted. Without salt, if two users have the same password, their hashes are identical. An adversary who captures the hash database can use a rainbow table attack to efficiently match common passwords to their pre-computed hashes. The admin password was likely a common password that appeared in the adversary’s rainbow table.

Recommendation: Implement salting — add a unique random salt to each user’s password before hashing. This ensures every hash is unique (even for identical passwords), making rainbow table attacks ineffective because the adversary would need a separate table for every possible salt value.
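The weakness and the fix from part (b), which is also the point of Question 31, as an added example that is not part of the original exam. The five-entry password list is a constructed stand-in for a precomputed table; it shows why two users with the same unsalted SHA-256 password share one hash that a single lookup recovers, and why a per-user random salt makes the same table miss on every record while normal login verification still works.

```python
import hashlib
import hmac
import secrets

# Constructed short list of common passwords standing in for a precomputed
# (rainbow) table. Real tables hold millions of entries; the mechanism is the same.
COMMON_PASSWORDS = ["Password1", "admin123", "Welcome1", "letmein", "qwerty123"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def store_unsalted(password: str) -> str:
    """The company's current practice: SHA-256 of the bare password."""
    return sha256_hex(password.encode())


def build_precomputed_table(candidates) -> dict:
    """Hash each candidate once; the table is then reused against every account."""
    return {sha256_hex(p.encode()): p for p in candidates}


def match_unsalted(stored: dict, table: dict) -> dict:
    """One dictionary lookup per account recovers any password present in the table."""
    return {user: table.get(digest) for user, digest in stored.items()}


def store_salted(password: str, salt: bytes = None) -> tuple:
    """The recommended fix: a unique random salt per user, stored beside the hash.
    (A slow password hash such as bcrypt or Argon2 would add a work factor on
    top of this; the question only asks for salting.)"""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt.hex(), sha256_hex(salt + password.encode())


def verify_salted(password: str, salt_hex: str, digest: str) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    recomputed = sha256_hex(bytes.fromhex(salt_hex) + password.encode())
    return hmac.compare_digest(recomputed, digest)


def match_salted(stored: dict, table: dict) -> dict:
    """The same table against salted records: every lookup misses, because the
    table would have to be rebuilt for each user's individual salt."""
    return {user: table.get(digest) for user, (_salt, digest) in stored.items()}


if __name__ == "__main__":
    table = build_precomputed_table(COMMON_PASSWORDS)
    unsalted = {"admin": store_unsalted("admin123"), "jsmith": store_unsalted("admin123")}
    print("identical unsalted hashes:", unsalted["admin"] == unsalted["jsmith"])
    print("recovered from table     :", match_unsalted(unsalted, table))
    salted = {user: store_salted("admin123") for user in unsalted}
    print("identical salted hashes  :", salted["admin"][1] == salted["jsmith"][1])
    print("recovered from table     :", match_salted(salted, table))
```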

(c) Map the adversary’s actions to the phases of a cyberattack described in the course framework. Identify at least THREE phases evident in this scenario. (2 points)

Sample Response

Phase 1 — Initial Access: The adversary gained a foothold on Workstation-47 by successfully compromising the admin account through an online password attack (the failed-then-successful login pattern).

Phase 2 — Persistence: The fileless malware running in RAM and communicating with an external IP suggests a command and control (C2) channel. The adversary established persistent access to send commands and receive output from the compromised workstation.

Phase 3 — Lateral Movement: After compromising Workstation-47, the adversary used the admin credentials to log into FileServer-02 and EHR-Server-01, escalating access to increasingly sensitive systems (financial files and health records).

Phase 4 — Taking Action: The 29-minute session on EHR-Server-01 (23:44 to 00:12) suggests the adversary was collecting or exfiltrating targeted data from the health records server.


How Did You Do?

Your MCQ score is tracked above. For the FRQs, compare your written responses to the sample answers and assess your own performance honestly.

35–40 MCQ correct: Excellent. You have strong command of all five units. Focus remaining study on any topics where you missed questions.

28–34 MCQ correct: Good foundation. Review the unit study guides for the units where you scored lowest and practice more scenario-based questions.

20–27 MCQ correct: Solid start but significant gaps remain. Work through our complete study guide unit by unit and retake this exam after review.

Below 20: Focus on building foundational understanding. Start with Unit 1 in our structured course and work through each unit’s study guide, exercises, and quizzes before retaking this exam.
