AP Cybersecurity 2.4: Detecting Physical Attacks
Topic 2.4: Detecting Physical Attacks
Cameras, security guards, motion sensors, locks, and access control vestibules — and how to place and combine them to detect physical attacks. Master the CED core detection framework, then explore real-world extensions including door-duration monitoring and integrated systems.
Topic 2.4 — What Is Testable
| CED Ref | Essential Knowledge | Covered In |
|---|---|---|
| 2.4.A.1 | Cameras: capture visual record; feed recorded AND monitored for max effect; recordings help after-incident investigation | Section 2 |
| 2.4.A.2 | Security guards: monitor area and respond to suspicious activity | Section 2 |
| 2.4.A.3 | Motion sensors: alert security to movement in an area | Section 2 |
| 2.4.A.4 | Employees: often first to notice unauthorized person; can alert security | Section 2 |
| 2.4.B.1 | Camera placement: visual coverage, angle, tamper risk; points of ingress and egress often monitored | Section 3 |
| 2.4.B.2 | Motion sensors: place where traffic unexpected (server rooms); high-traffic areas create false alarms reducing alert credibility | Section 3 |
| 2.4.B.3 | Locks on all entries to sensitive areas; access control vestibule for particularly sensitive areas | Section 3 |
| 2.4.B.4 | Stationary guards: funnel points (entry gates, lobbies); Patrolling guards: perimeters and exterior areas | Section 3 |
| 2.4.C.1 | Cameras + facial recognition: alerts when unauthorized individuals enter; live/recorded footage tracks path | Section 4 |
| 2.4.C.2 | Motion detectors + cameras: motion alert → camera check → verify breach before dispatching response | Section 4 |
| 2.4.C.3 | Door-duration entry log: sensor records door-open time; longer-than-normal = potential piggybacking/tailgating | Section 4 |
Source: AP Cybersecurity CED, Effective Fall 2026. AP Skills: 3.A Monitoring methods • 3.B Detection strategies
- 2.4.1 — Learning Objectives (3 min)
- 2.4.2 — Detection Controls Overview (2.4.A) (8 min)
- 2.4.3 — Placing Detection Controls (2.4.B) (10 min)
- 2.4.4 — Applying Detection (2.4.C) (10 min)
- 2.4.5 — Beyond the AP Core: Integrated Systems (8 min)
- 2.4.6 — Worked Scenarios (CFU 6–10) (10 min)
- 2.4.7 — Quick Reference & FAQ (6 min)
Students answer independently before the lesson. No notes.
- A camera records but no one watches the live feed. What does the CED say both recording AND monitoring provide that recording alone cannot?
- Motion sensors: (a) main lobby (300 daily visitors) or (b) server room (4 IT staff). Which reduces detection effectiveness over time, and why?
- A badge log shows the same Badge ID at Building A at 9:00 AM and Building B — 25 minutes away — at 9:04 AM. The owner confirms they were at Building A all morning. What does this indicate?
Answers: (1) Recording = after-incident investigation; monitoring = real-time detection. (2) Lobby — false alarms from 300 daily users cause alert fatigue. (3) Card cloning — impossible travel.
12.4.1 — Learning Objectives
- Identify cameras, security guards, motion sensors, locks, and access control vestibules as physical security detection controls (2.4.A)
- Determine effective placement of cameras, motion sensors, guards, and locks for detecting physical attacks (2.4.B)
- Apply detection techniques — cameras with facial recognition, motion detectors paired with cameras, and door-duration entry log analysis — to identify physical attacks (2.4.C)
- Recognize that employees working in a physical space are often the first to detect unauthorized persons (2.4.A.4)
- Explain why false alarms undermine detection effectiveness and how placement decisions prevent them (2.4.B.2)
22.4.2 — Detection Controls (LO 2.4.A)
The AP CED identifies four primary detection controls: (1) Cameras — capture a visual record of adversary activity; (2) Security guards — monitor and respond to suspicious activity; (3) Motion sensors — alert security to movement; (4) Employees — often the first to notice an unauthorized person and alert security.
According to the AP CED, which of the following is explicitly identified as a physical security detection control alongside cameras, security guards, and motion sensors?
32.4.3 — Placing Detection Controls (LO 2.4.B)
Knowing which controls to use is only half the answer. The CED devotes a full learning objective to where to place each control — placement determines detection effectiveness.
Camera Placement (CED 2.4.B.1)
| Camera Location | What It Detects | CED Reasoning |
|---|---|---|
| Points of ingress and egress (CED term) | All persons entering and leaving; timing of entry events; after-hours access | Explicitly named by CED 2.4.B.1 as primary camera placement priority |
| Server rooms and restricted corridors | Proximity to high-value areas; loitering; adversary path after entry | CED: "what a camera in a specific area could capture an adversary doing" |
| Lobby and reception | Visitor movement; piggybacking from lobby into secured areas | High-traffic entry point where identity verification matters |
| Perimeter and exterior areas | Vehicle behavior; dumpster diving activity; perimeter breaches | Paired with guard coverage for perimeter (CED 2.4.B.4) |
The CED explicitly notes that camera placement must consider the ability to be tampered with. A camera positioned where an adversary can easily cover, reposition, or destroy it provides false security. High-security areas should use cameras mounted out of reach and at angles that are difficult to block.
Motion Sensor Placement (CED 2.4.B.2)
False alarms degrade detection effectiveness. When a motion sensor in a busy hallway fires 50 times per day from normal traffic, security staff begin ignoring alerts — including real ones. Placing sensors in low-traffic, high-security areas maximizes the signal-to-noise ratio. This is a directly testable CED concept (2.4.B.2).
Lock and Access Control Vestibule Placement (CED 2.4.B.3)
Guard Deployment (CED 2.4.B.4)
| Factor | Stationary Guard | Patrolling Guard |
|---|---|---|
| CED deployment recommendation | Places that funnel traffic — entry gates, main entrances, lobbies, secure area entries | Perimeters and exterior areas |
| Key advantage | Constant protection at a specific high-value checkpoint | Harder for adversary to plan around; creates time pressure |
| Adversary response | Must pass the guard directly — high deterrence at that point | Cannot time attacks reliably — window between patrols is unpredictable |
The CED states that motion sensors in high-traffic areas create many false alarms, making alarms less likely to be taken seriously. What is the correct placement principle for motion sensors?
According to the CED (2.4.B.4), which deployment is best suited for security guards at a large campus with a main entrance lobby and a large exterior perimeter?
42.4.4 — Applying Detection Techniques (LO 2.4.C)
The CED identifies three specific application techniques for physical attack detection.
According to CED 2.4.C.3, how can reviewing entry logs detect potential piggybacking or tailgating at a badge-access door?
Which of the following statements about physical attack detection are TRUE according to the AP CED?
I. Motion detectors work best when paired with cameras — the camera allows visual verification of whether a motion alert is real or a false alarm.
II. Patrolling guards are specifically recommended for main entrances and lobbies because their unpredictable movement is more effective at funnel points.
III. Cameras can be paired with facial recognition software to alert when unauthorized individuals enter controlled areas.
52.4.5 — Beyond the AP Core: Real-World Extensions
The AP exam tests the CED core above (2.4.A–C). The concepts below are real-world physical security tools used by security professionals. Understanding them deepens your ability to reason about scenarios, but they are enrichment, not required CED content. AP exam questions will not ask about access logs, impossible travel, or integrated SIEM systems as core content.
Access Log Analysis (Real-World Extension)
Modern card reader systems log every badge event — who, when, where, granted or denied. Security analysts review these logs for anomaly patterns that camera and motion sensors cannot detect on their own:
| Anomaly Pattern | What It Indicates | Attack Detected |
|---|---|---|
| Impossible Travel | Same badge ID at two locations physically impossible to reach in elapsed time | Card cloning — duplicate card in use while original is with owner |
| After-Hours Access by Non-Authorized Role | Badge access to sensitive areas outside normal hours for that role | Unauthorized access; potential insider threat |
| Excessive Denied Attempts | Repeated failed access attempts at a door or from one badge ID | Physical access attempt; testing cloned badge data |
| Extended Door-Open Events | Door open significantly longer than normal per the CED entry log method | Tailgating / piggybacking — CED 2.4.C.3 (this specific pattern IS in the CED) |
CCTV vs. IP Cameras (Real-World Context)
While the CED simply says "cameras," real deployments choose between two types. CCTV (Closed-Circuit Television) uses dedicated coaxial cables to a local recorder — isolated from networks, harder to hack remotely. IP cameras transmit digital video over a standard network — higher resolution, remote access, integration with other systems, but require cybersecurity measures to protect the camera network itself from attack.
Xtensr Labs installs CCTV cameras at all building entrances and exits. How is this control correctly classified, and what does the CED say the camera feed should do for maximum effect?
✎ Predict first: A security team proposes installing motion sensors in the main lobby, the server corridor, and the executive conference room. Based on CED placement principles, which location is most problematic?
A security team proposes motion sensors in three areas: (1) main lobby (200 employees pass through daily), (2) server corridor (accessed only by 6 IT staff), (3) executive conference room (accessed only for scheduled meetings). Based on CED 2.4.B.2, which placement decision is most likely to undermine detection effectiveness?
A security consultant states: "Installing CCTV cameras at all building entrances provides sufficient physical security detection. Cameras capture everything that happens, so no other detection controls are needed." Which statement correctly identifies what is wrong?
After a physical security incident at Xtensr Labs, a forensic review reveals that an adversary entered the server corridor at 11:47 PM and spent 22 minutes inside before leaving. The adversary used a valid badge. The camera was not being monitored live. How should the detection system have flagged this incident before the adversary completed their objective?
Which detection mechanism does the CED explicitly identify that is absent from the plan described?
72.4.7 — Quick Reference & FAQ
4 detection controls (2.4.A): Cameras • Security guards • Motion sensors • Employees
Camera placement (2.4.B.1): Points of ingress/egress • Consider coverage, angle, tamper risk
Motion sensor placement (2.4.B.2): Low-traffic, unexpected-traffic areas • Avoid high-traffic (false alarms)
Lock placement (2.4.B.3): All entries to sensitive areas; access control vestibule for particularly sensitive
Guard deployment (2.4.B.4): Stationary = funnel points; Patrolling = perimeters/exterior
Applying detection (2.4.C): Cameras + facial recognition • Motion + paired camera workflow • Door duration in entry logs detects piggybacking/tailgating
| Control | CED Function | Best Placement | Attack It Detects |
|---|---|---|---|
| Cameras | Visual record; monitored + recorded (2.4.A.1) | Ingress/egress, restricted corridors, sensitive areas | Any physical intrusion with visual signature |
| Security Guards | Monitor + respond (2.4.A.2) | Stationary at funnel points; patrolling at perimeters | Suspicious behavior, unauthorized presence |
| Motion Sensors | Alert to movement (2.4.A.3) | Low-traffic, unexpected-activity areas (server rooms) | Unauthorized presence in restricted areas |
| Employees | Notice and report (2.4.A.4) | All areas where employees work | Unauthorized persons in work areas |
| Entry Log (Door Duration) | Audit trail analysis (2.4.C.3) | All badge-access doors | Piggybacking/tailgating (longer-than-normal door open) |
-
What does the CED mean by "points of ingress and egress"?
Ingress means entry points (doors, gates, access points into a building or area). Egress means exit points. The CED (2.4.B.1) specifies that points of ingress and egress are often monitored by camera because every unauthorized access must enter through some ingress point, and tracking egress helps timeline investigations. These are the highest-priority camera placements.
-
Why do false alarms matter for physical security detection?
The CED (2.4.B.2) explicitly addresses this: false alarms in high-traffic areas make alarms "less likely to be taken seriously when there is a real security event." This is the physical security equivalent of the boy who cried wolf — when security staff experience constant false alerts, they stop responding urgently. Effective detection requires high signal, low noise, which is why motion sensors belong in low-traffic, high-security areas rather than busy hallways.
-
How does a camera feed need to be managed for maximum effect?
The CED (2.4.A.1) specifies two requirements: the feed must be recorded AND monitored. Recording alone means breaches are only discovered after the fact during review. Monitoring alone without recording means events cannot be analyzed after the fact. Both together provide real-time detection capability AND forensic investigation capability. Recordings are especially valuable in after-incident investigation to reconstruct the adversary's path and actions.
-
Is facial recognition required AP content for Topic 2.4?
Yes — the CED (2.4.C.1) includes it explicitly: "Cameras can be paired with facial recognition software that can provide alerts when unauthorized individuals enter controlled areas." However, the CED uses "can be paired with" — it is a capability, not a requirement. The AP exam may ask you to identify it as a camera enhancement capability, but it will not assume all camera systems have facial recognition.
1-on-1 Expert Support
Get personalized help from an AP Cybersecurity instructor — 2,067+ verified hours, 5.0 rating, 499+ reviews.
Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. 2,067+ verified tutoring hours on Wyzant, 5.0 rating from 499+ reviews. AP CSA students score 5s at more than double the national average.
+Continue Learning
Students submit before leaving.
- The CED identifies four physical security detection controls. List all four. Which is most commonly forgotten by students? (AP Skill: Detect Attacks)
- Motion sensors: (a) lobby with 500 daily visitors or (b) server room with 3 IT staff. Apply CED 2.4.B.2 to recommend placement and explain the false alarm risk. (AP Skill: Detect Attacks)
- Describe the CED-specified workflow (2.4.C.2) for using motion sensors and cameras together. Why is the pairing more effective than either alone? (AP Skill: Detect Attacks)
- An entry log shows a specific door was open for 47 seconds when normal single-person entries average 6 seconds. What does CED 2.4.C.3 say this indicates, and what should the security team do next? (AP Skill: Detect Attacks)
- A campus has one main entrance lobby and a large exterior perimeter. Two guards available. Apply CED 2.4.B.4 to determine the correct deployment of each guard and explain why. (AP Skill: Detect Attacks)
Lesson → Exercise 1 → Exercise 2 → Lab → Quiz
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]