AP Cybersecurity Practice Questions: 15 Free MCQs with Answers & Explanations (All 5 Units)

Scenario-based multiple choice questions aligned to the official College Board framework. Test your knowledge, check your answers, and read detailed explanations.

By Tanner Crow, AP CS Teacher (11+ Years) · 250+ Questions Available

How to Use These Practice Questions

These 15 questions sample all five AP Cybersecurity units. For each question, read the scenario carefully, formulate your answer before looking at the options, then select your choice and click “Check Answer” to see if you’re right. Use the detailed explanations to understand why each answer is correct — and why the alternatives are not.

Want more? Our full AP Cybersecurity course includes 250+ questions, unit quizzes, and complete unit exams.

Unit 1: Introduction to Security

Questions 1–3

Question 1 · Unit 1 · Topic 1.1

An employee receives an email claiming to be from the company’s IT department. The email states: “Your account will be deactivated within 2 hours unless you verify your credentials immediately.” The email contains a link to a login page. Which combination of social engineering tactics does this email primarily use?

A. Familiarity and scarcity
B. Authority and urgency
C. Consensus and intimidation
D. Pretexting and familiarity

✅ Correct Answer: B

Authority is used because the adversary impersonates the IT department — a position of power over the employee. Urgency is created by the 2-hour deadline, pressuring the target to act quickly without verifying. Option A is wrong because scarcity refers to limited availability (not time pressure), and familiarity means pretending to be someone the target knows personally. Option C is wrong because consensus involves social pressure from peers, not a deadline. Option D is wrong because while pretexting (creating a believable story) is present, the primary combination is authority + urgency.

Question 2 · Unit 1 · Topic 1.3

A student notices their internet speed drops significantly while studying at a coffee shop. They check the Wi-Fi settings and find two networks: “CoffeeShop_Guest” (which requires a password) and “CoffeeShop_Free” (which is open). They are connected to “CoffeeShop_Free.” The coffee shop confirms their official network is “CoffeeShop_Guest.” Which type of attack is the student most likely a victim of?

A. A jamming attack targeting the legitimate network’s frequency range
B. A war driving attack that detected the coffee shop’s wireless signal
C. An evil twin attack using a similarly named, unprotected access point
D. A denial of service attack flooding the network with ICMP requests

✅ Correct Answer: C

In an evil twin attack, an adversary sets up a wireless access point whose SSID resembles that of a legitimate network. The student joined an open network with a name similar to the real one — a classic evil twin. A jamming attack (A) would prevent all wireless connections, not just slow them down. War driving (B) is reconnaissance to detect networks, not an attack that affects the victim. A DoS attack (D) would make the network completely unavailable, not redirect traffic through a fake network.

Question 3 · Unit 1 · Topic 1.4

An adversary uses an AI tool to create a realistic voice clone of a company executive and calls the finance department requesting an urgent wire transfer. Which defense would be LEAST effective against this specific attack?

A. Establishing a shared secret phrase that must be provided for high-stakes requests
B. Requiring a secondary verification through a different communication channel
C. Implementing a policy requiring written authorization for wire transfers above a threshold
D. Enabling multifactor authentication on the company’s email system

✅ Correct Answer: D

The attack uses a voice clone over a phone call — it does not involve the email system at all. Enabling MFA on email (D) would protect against email-based attacks but does nothing to verify the identity of a phone caller. Options A, B, and C all directly address the voice impersonation: a shared secret (A) verifies identity through knowledge only the real person would have, secondary verification (B) contacts the executive through a different channel, and requiring written authorization (C) adds a control that cannot be bypassed by a voice call alone.

Unit 2: Securing Spaces

Questions 4–6

Question 4 · Unit 2 · Topic 2.1

A company’s risk assessment identifies that its customer database server is in a room with a standard key lock, no surveillance cameras, and an unmonitored hallway. The server stores credit card data for 50,000 customers. An analyst classifies this as a high risk. Which factor BEST justifies the “high” classification?

A. The combination of a high-value asset with multiple exploitable physical vulnerabilities
B. The absence of technical controls like firewalls on the server
C. The possibility that a cyberterrorist group could target the company
D. The company’s failure to conduct employee security awareness training

✅ Correct Answer: A

Risk assessment considers both likelihood and severity. The high classification is justified because the asset is extremely valuable (50,000 credit card records = high severity) and the physical vulnerabilities are easily exploitable (basic lock, no cameras, unmonitored hallway = high likelihood). Option B mentions technical controls that are not part of the scenario — the question describes physical vulnerabilities. Option C speculates about a specific adversary type without evidence. Option D identifies a missing control but doesn’t capture the core risk calculation (asset value × vulnerability exploitability).

Question 5 · Unit 2 · Topic 2.2

An adversary enters a restricted area by carrying a large box of equipment and asking an authorized employee to hold the door open. The employee willingly holds the door, believing the adversary is a legitimate delivery person. This scenario describes which physical attack?

A. Tailgating — the adversary followed closely behind without the employee’s knowledge
B. Piggybacking — the adversary used social engineering to get the employee to grant access
C. Shoulder surfing — the adversary observed the employee’s access credentials
D. Card cloning — the adversary duplicated the employee’s access card

✅ Correct Answer: B

This is piggybacking because the adversary used social engineering (pretending to be a delivery person with a large box) to manipulate the authorized person into knowingly granting access. The key distinction: in tailgating, the authorized person is unaware the adversary is following behind. In piggybacking, the authorized person knowingly (but mistakenly) allows the adversary access. The employee actively held the door open — that is piggybacking, not tailgating.

Question 6 · Unit 2 · Topic 2.1

Consider the following statements about risk management strategies:

I. Risk avoidance stops the activity generating the risk entirely.
II. Risk transference eliminates the vulnerability from the system.
III. Residual risk is the risk that remains after avoidance, transference, and mitigation.

Which of the statements above are correct?

A. I and II only
B. II and III only
C. I and III only
D. I, II, and III

✅ Correct Answer: C

Statement I is correct: risk avoidance stops the risk-generating activity. Statement II is incorrect: risk transference places the burden of risk on another entity (like insurance), but it does not eliminate the vulnerability itself — the vulnerability still exists, the financial impact is simply shifted. Statement III is correct: residual risk is explicitly defined as the risk remaining after all management strategies have been applied, and it represents the level of risk an organization accepts.

Unit 3: Securing Networks

Questions 7–9

Question 7 · Unit 3 · Topic 3.4

A network administrator configures a firewall with the following ACL rules in order:

Rule 1: DENY inbound TCP port 80 from 192.168.1.0/24
Rule 2: ALLOW inbound TCP port 80 from ALL
Rule 3: DENY inbound TCP ALL from ALL

A device with IP address 192.168.1.15 sends an HTTP request (TCP port 80) to the network. What happens to this traffic?

A. The traffic is denied because Rule 1 matches first and blocks port 80 from that subnet
B. The traffic is allowed because Rule 2 permits all inbound port 80 traffic
C. The traffic is denied because Rule 3 blocks all inbound TCP traffic
D. The traffic is allowed because specific subnet rules take lower priority than broader rules

✅ Correct Answer: A

ACL rules are checked in order, and the first matching rule is executed. The device at 192.168.1.15 is in the 192.168.1.0/24 subnet, so Rule 1 matches first and denies the traffic. Rule 2 is never reached for this specific source. Option D is incorrect because ACL rules are strictly sequential — more specific rules do not automatically override broader ones; only their position in the rule order matters.
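
The first-match evaluation described above, as an added example that is not part of the original page. It encodes the three rules from the question in a small evaluator (the `Rule` representation is my own) and shows that swapping the order of Rules 1 and 2 flips the outcome for the same packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example (not from the original page): a first-match ACL evaluator
# for the three firewall rules in Question 7.

@dataclass(frozen=True)
class Rule:
    action: str          # "ALLOW" or "DENY"
    proto: str           # "TCP" is the only protocol the question uses
    port: Optional[int]  # None means ALL ports
    source: str          # CIDR block, or "ALL"

    def matches(self, proto: str, port: int, src_ip: str) -> bool:
        if self.proto != proto:
            return False
        if self.port is not None and self.port != port:
            return False
        if self.source == "ALL":
            return True
        return ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source)

# The administrator's rules, in the order they were configured.
ACL = [
    Rule("DENY",  "TCP", 80,   "192.168.1.0/24"),   # Rule 1
    Rule("ALLOW", "TCP", 80,   "ALL"),              # Rule 2
    Rule("DENY",  "TCP", None, "ALL"),              # Rule 3
]

def evaluate(acl: List[Rule], proto: str, port: int, src_ip: str) -> Tuple[str, Optional[int]]:
    """Return (action, 1-based rule number) of the first matching rule.

    Rules are checked top to bottom and evaluation stops at the first match,
    so a rule's position, not its specificity, decides which one applies.
    If nothing matches, an implicit DENY with rule number None is returned.
    """
    for number, rule in enumerate(acl, start=1):
        if rule.matches(proto, port, src_ip):
            return rule.action, number
    return "DENY", None

if __name__ == "__main__":
    # The device in the question is inside 192.168.1.0/24, so Rule 1 wins.
    print(evaluate(ACL, "TCP", 80, "192.168.1.15"))   # ('DENY', 1)
    # A host outside that subnet skips Rule 1 and is allowed by Rule 2.
    print(evaluate(ACL, "TCP", 80, "10.0.0.5"))       # ('ALLOW', 2)
    # Any other TCP port falls through to Rule 3.
    print(evaluate(ACL, "TCP", 443, "10.0.0.5"))      # ('DENY', 3)
    # Swapping Rules 1 and 2 shows that only position matters.
    reordered = [ACL[1], ACL[0], ACL[2]]
    print(evaluate(reordered, "TCP", 80, "192.168.1.15"))  # ('ALLOW', 1)
```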

Question 8 · Unit 3 · Topic 3.5

A hospital’s network stores patient medical records and processes real-time monitoring data from ICU equipment. The security team is choosing a detection method. The network has consistent traffic patterns, the data is highly sensitive, and the team is concerned about novel attack methods that have no known signatures. Which detection method is MOST appropriate?

A. Signature-based detection, because it is fast and has almost no false positives
B. Anomaly-based detection only, because it can detect novel attacks
C. Signature-based detection, because the consistent traffic patterns make anomaly detection unnecessary
D. Hybrid detection, because the data sensitivity justifies the higher cost and the network needs both known and unknown threat coverage

✅ Correct Answer: D

Three factors point to hybrid detection: (1) the data is highly sensitive (patient records + ICU data), justifying the higher cost, (2) the concern about novel attacks means signature-based alone is insufficient (it cannot detect new attacks without known signatures), and (3) the consistent traffic patterns make anomaly-based detection effective (it works best when there is a reliable baseline). Hybrid combines both methods for the most comprehensive coverage.

Question 9 · Unit 3 · Topic 3.1

A network administrator notices that a switch has entered broadcast mode, sending all frames to every port instead of forwarding them to specific destinations. Analysis reveals an unusual surge of Ethernet frames, each with a different source MAC address. Which attack does this evidence indicate?

A. ARP poisoning, because the adversary is sending falsified ARP packets
B. MAC flooding, because the switch’s MAC address table has been overwhelmed
C. DNS poisoning, because the adversary is redirecting traffic to a malicious server
D. A smurf attack, because the network is being flooded with broadcast traffic

✅ Correct Answer: B

A MAC flooding attack sends the target switch many Ethernet frames, each with a different MAC address, which overwhelms the switch’s MAC address table and forces it into broadcast mode. This allows the adversary to eavesdrop on all network traffic. ARP poisoning (A) modifies the ARP table on a default gateway, not a switch’s MAC table. DNS poisoning (C) targets DNS records, not switches. A smurf attack (D) uses ICMP requests, not Ethernet frames with different MAC addresses.

Unit 4: Securing Devices

Questions 10–12

Question 10 · Unit 4 · Topic 4.1

A company discovers that files on several employee computers have been encrypted and a message demands cryptocurrency payment for the decryption key. Investigation reveals the malware was embedded in what appeared to be a legitimate software update that employees downloaded and installed. The malware involved in this attack is BEST classified as which combination of types?

A. A worm and spyware, because it spread automatically and monitored user activity
B. A virus and a rootkit, because it required user activation and hid in the operating system
C. A trojan and ransomware, because it was hidden in legitimate-looking software and encrypted files for ransom
D. A logic bomb and keylogger, because it triggered under specific conditions and captured credentials

✅ Correct Answer: C

The malware was embedded in what appeared to be a legitimate software update — this is the defining characteristic of a trojan (malware hidden in harmless-looking software). The malware then encrypted files and demanded payment — this is ransomware. It is not a worm (A) because it required users to download and install it (worms spread without human interaction). It is not a rootkit (B) because the scenario describes file encryption, not OS-level hiding. It is not a logic bomb (D) because it executed immediately upon installation, not when specific conditions were met.

Question 11 · Unit 4 · Topic 4.2

Two users at the same company both set their password to “Summer2026!” but their stored password hashes are completely different. Which security mechanism makes this possible?

A. Each user’s password is combined with a unique salt before hashing
B. The system uses a different hash algorithm for each user
C. The passwords are encrypted with different symmetric keys
D. The hash function generates random output each time it is called

✅ Correct Answer: A

A salt is a random value unique to each user that is combined with the password before hashing. Even though both users have the same password, their different salts produce different hash outputs. Option B is wrong because organizations use the same hash algorithm for all users. Option C confuses encryption with hashing — passwords should be hashed, not encrypted. Option D is wrong because a key property of cryptographic hash functions is that they are repeatable — the same input always produces the same output. Salt changes the input, not the function’s behavior.

Question 12 · Unit 4 · Topic 4.2

An adversary has obtained a copy of a company’s password hash database. The adversary uses a pre-computed table that maps common passwords to their hash outputs and searches for matches. Which type of attack is this, and which defense would render it ineffective?

A. A brute force attack; enabling multifactor authentication would prevent it
B. A dictionary attack; requiring longer passwords would prevent it
C. A credential stuffing attack; account lockout policies would prevent it
D. A rainbow table attack; salting passwords before hashing would render it ineffective

✅ Correct Answer: D

A rainbow table is a pre-computed table mapping passwords to their hashes. The adversary searches this table for matches against the captured hashes. Salting defeats rainbow tables because each user’s salt changes the hash input, making pre-computed tables useless — the adversary would need a separate rainbow table for every possible salt value. This is an offline attack (using a captured database), so account lockout (C) does not apply. It is not brute force (A) because the adversary is not testing every combination, and it is not a dictionary attack (B) because the adversary is using pre-computed hashes, not submitting passwords to a live system.
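
The salting behaviour behind Questions 11 and 12, as an added example that is not part of the original page. Two users store the same password “Summer2026!”; a small constructed digest-to-password table stands in for a rainbow table and is looked up against both the unsalted and the salted records. Plain SHA-256 is used only to keep the demonstration short; production systems use a deliberately slow password hash (bcrypt, scrypt, Argon2 or PBKDF2), and the salting logic is the same.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional, Tuple

# Added example (not from the original page) for Questions 11 and 12.
# SHA-256 keeps the demo short; real systems use a slow password hash
# (bcrypt, scrypt, Argon2, PBKDF2). The salting logic below is unchanged by that.

def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def hash_salted(password: str, salt: bytes) -> str:
    # The salt is mixed into the hash input, so equal passwords give different digests.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def store_user(password: str, salt_bytes: int = 16) -> Tuple[bytes, str]:
    """Create a user record: a random per-user salt plus the salted digest.
    The salt is stored in the clear; its job is uniqueness, not secrecy."""
    salt = os.urandom(salt_bytes)
    return salt, hash_salted(password, salt)

def verify(password: str, record: Tuple[bytes, str]) -> bool:
    # Re-hash the candidate with the stored salt and compare to the stored digest.
    salt, digest = record
    return hash_salted(password, salt) == digest

def build_table(common_passwords: Iterable[str]) -> Dict[str, str]:
    """Constructed stand-in for a rainbow table: digest -> password,
    pre-computed once for unsalted hashes of a short word list."""
    return {hash_unsalted(p): p for p in common_passwords}

def lookup(table: Dict[str, str], digest: str) -> Optional[str]:
    # Only hits if the digest was computed exactly the way the table was.
    return table.get(digest)

# Constructed sample data.
COMMON = ["password", "Summer2026!", "letmein", "qwerty"]
TABLE = build_table(COMMON)

def demo() -> dict:
    alice = store_user("Summer2026!")
    bob = store_user("Summer2026!")
    return {
        "unsalted_equal": hash_unsalted("Summer2026!") == hash_unsalted("Summer2026!"),  # True
        "salted_equal": alice[1] == bob[1],                                             # False
        "alice_verifies": verify("Summer2026!", alice),                                  # True
        "wrong_pw_rejected": verify("Winter2026!", alice),                               # False
        "table_hits_unsalted": lookup(TABLE, hash_unsalted("Summer2026!")),  # 'Summer2026!'
        "table_hits_salted": lookup(TABLE, alice[1]),                        # None
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```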

Unit 5: Securing Applications and Data

Questions 13–15

Question 13 · Unit 5 · Topic 5.4

A company needs to allow remote employees to securely send confidential documents to the main office. The company wants to ensure that only the intended recipient can read each document, but the sender and recipient have never exchanged a secret key. Which approach addresses this requirement?

A. Encrypt the document using AES with a shared symmetric key
B. Encrypt the document using the recipient’s public key so only their private key can decrypt it
C. Hash the document using SHA-256 and send the hash along with the document
D. Encrypt the document using the sender’s private key so the recipient can verify the sender’s identity

✅ Correct Answer: B

Asymmetric encryption solves the key distribution problem. The sender encrypts with the recipient’s public key (freely available), and only the recipient’s private key (kept secret) can decrypt it. Option A fails because AES requires a shared symmetric key that the parties have never exchanged. Option C is wrong because hashing provides integrity (verifying the document wasn’t modified), not confidentiality (hashing does not hide the document’s content). Option D provides authentication (proving the sender’s identity) but not confidentiality — anyone with the sender’s public key could decrypt it.

Question 14 · Unit 5

Consider the following statements about cryptographic concepts:

I. Hashing is a two-way function that can be reversed with the correct key.
II. Symmetric encryption uses one key for both encryption and decryption.
III. Asymmetric encryption is typically slower than symmetric encryption.

Which of the statements above are correct?

A. I and II only
B. I and III only
C. II and III only
D. I, II, and III

✅ Correct Answer: C

Statement I is incorrect: hashing is a one-way function with pre-image resistance — it cannot be reversed. There is no key involved in hashing. Statement II is correct: symmetric encryption uses a single shared key. Statement III is correct: asymmetric encryption is computationally slower than symmetric encryption, which is why real-world systems often use asymmetric encryption to exchange a symmetric key, then use the faster symmetric algorithm for the actual data.

Question 15 · Unit 5 · Topic 5.5

A web application allows users to search for products by entering a product name into a search field. An adversary enters a specially crafted string into the search field that causes the application to return data from a table it was not intended to access. Which security practice would MOST directly prevent this type of vulnerability?

A. Validating and sanitizing all user input before passing it to database queries
B. Enabling a network intrusion detection system to monitor for suspicious traffic
C. Encrypting the database with AES-256 to protect stored data
D. Implementing multifactor authentication for all user accounts

✅ Correct Answer: A

The scenario describes an injection attack where user input is being copied directly into database queries without validation. Input validation and sanitization (A) directly prevents this by checking and cleaning user input before it reaches the database. Encryption (C) protects data at rest but does not prevent the application from executing malicious queries. An IDS (B) might detect the attack but does not prevent the underlying vulnerability. MFA (D) controls who accesses the system but does not address how the application handles user input.
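
The vulnerable search beside its hardened form, as an added example that is not part of the original page. It runs against a constructed in-memory SQLite database with a `products` table and a second `internal_notes` table the search was never meant to reach; the table names and the crafted search string are constructed sample data. The hardened version pairs allow-list validation with a parameterized query, the standard way to keep user input out of the query’s structure.

```python
import re
import sqlite3
from typing import List

# Added example (not from the original page) for Question 15: the same product
# search written two ways against a constructed in-memory database.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT);
        INSERT INTO products VALUES ('Laptop'), ('Lamp'), ('Desk');
        CREATE TABLE internal_notes (note TEXT);   -- never meant to be searchable
        INSERT INTO internal_notes VALUES ('supplier margin: 40%');
    """)
    return conn

def search_vulnerable(conn: sqlite3.Connection, term: str) -> List[str]:
    # The term is copied straight into the SQL text, so a quote in the input
    # ends the string literal and the rest is parsed as SQL, not as data.
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]

# Allow-list for a product search: letters, digits and spaces, 1-50 characters.
SEARCH_TERM = re.compile(r"^[A-Za-z0-9 ]{1,50}$")

def is_valid_term(term: str) -> bool:
    """Validation step: reject unexpected input rather than trying to 'clean' it."""
    return SEARCH_TERM.match(term) is not None

def search_hardened(conn: sqlite3.Connection, term: str) -> List[str]:
    # The query's structure is fixed in the code; the driver binds the term as a
    # value, so whatever characters it contains are only ever compared as data.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]

# Constructed crafted input of the kind the question describes.
CRAFTED = "zzz' UNION SELECT note FROM internal_notes --"

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, "La"))        # ['Laptop', 'Lamp']
    print(search_vulnerable(conn, CRAFTED))     # ['supplier margin: 40%']  (wrong table)
    print(is_valid_term(CRAFTED))               # False: rejected before any query runs
    print(search_hardened(conn, CRAFTED))       # []  (matched as a literal, nothing found)
    print(search_hardened(conn, "La"))          # ['Laptop', 'Lamp']
```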


How Did You Do?

If you scored 12–15 correct: You have a strong foundation across all five units. Focus your remaining study time on the topics where you missed questions and practice with timed conditions.

If you scored 8–11 correct: You have a solid start but need deeper review in certain units. Identify the units where you missed the most questions and work through our detailed unit study guides.

If you scored 7 or below: No worries — this is a diagnostic tool, not a final grade. Start with our complete AP Cybersecurity Study Guide for a structured overview, then dive into each unit guide for comprehensive content.

Want 250+ More Questions Like These?

250+ Practice Questions · 5 Unit Study Guides · 1,845+ Verified Tutor Hours · 451+ 5-Star Reviews
