The AP Cybersecurity Exam is 2 hours and 10 minutes long and consists of two sections: 60 multiple-choice questions worth 70% of your score and one free-response question worth the remaining 30%. The MCQs cover all five units of the course across three skill categories, while the single FRQ is a Device Security Analysis task that asks you to read sources like firewall configs, permission settings, and log files to identify issues and evaluate security controls. The guides on this page walk you through both sections, including how to read artifacts efficiently, how to respond to each task verb, and where points are most commonly lost.
The AP Cybersecurity Exam is 2 hours and 10 minutes long and consists of two sections: 60 multiple-choice questions worth 70% of your score and one free-response question worth 30%. The MCQ section runs 80 minutes, and the FRQ section has a suggested time of 50 minutes. The single FRQ is a Device Security Analysis prompt where you read simulated sources about a digital device and analyze them for security issues, attack evidence, and the effects of configuration changes and security controls.
Section I: Multiple Choice
60 questions, 80 minutes, 70% of your score. Questions pull from all five units of the course and are organized around three assessed skill categories. You have roughly 80 seconds per question, so reading efficiently and recognizing what each question is actually testing matters more than rushing through.
Section II: Free Response
1 question, suggested 50 minutes, 30% of your score. This is the Device Security Analysis task. You receive several simulated sources tied to a single digital device. Sources can include firewall configurations, file-system permissions, security policies, and log files. The FRQ assesses Skill Category 2 (Mitigate Risk) and Skill Category 3 (Detect Attacks).
The exam draws from all five course units:
All five units are in scope for the MCQ section. The FRQ focuses specifically on device-level analysis, so Units 3 and 4 tend to show up most directly in that task.
The FRQ is the part of the exam that requires the most preparation in terms of process, not just content knowledge. You get multiple sources and need to do four things: identify security issues, find evidence of attacks or unauthorized activity, describe how configuration or permission changes affect the device and its users, and evaluate how security controls influence network traffic and device behavior.
The sources you receive can include log files like /var/log/auth.log, /var/log/nginx/access_log, and /var/log/app/network_app.log, as well as firewall rules, permission tables, and written security policies. Your job is to cite specific evidence from those sources and explain your reasoning clearly.
Task verbs matter on this question. The five verbs used on the FRQ are identify, explain, describe, determine, and write. Each one asks for something different, and matching your response to the verb is one of the most reliable ways to earn full credit on parts you actually understand.
For the MCQ section, the main skills are reading scenario artifacts accurately, applying security concepts to realistic situations, and avoiding common traps like confusing similar controls or misreading what a log entry shows. The MCQ guide on this page covers skill weighting, artifact reading workflows, and the question types you will see most often.
For the FRQ, the most useful preparation is building a repeatable reading workflow for the sources you receive. The Device Security Analysis FRQ guide walks through how to approach each source type, how to cite evidence in a way that holds up, and the mistakes that cost points even when your underlying analysis is correct. The task verbs guide gives you response models for each of the five verbs so you know exactly what your answer needs to include.
For scenario practice, the Cybersecurity Scenario Practice and Cybersecurity Technical Skills resources on this page give you additional opportunities to work through realistic situations before exam day.
The 70/30 split means the MCQ section carries more weight, but the FRQ is not a small portion of your score. Thirty percent is significant, and the Device Security Analysis task rewards preparation because the format is consistent. You know going in that you will get multiple sources, a set of sub-questions with specific task verbs, and a focus on Skill Categories 2 and 3.
On the MCQ side, 80 seconds per question is workable if you read with a purpose. Identify what the question is asking, locate the relevant concept or artifact detail, and eliminate answers that misapply the concept before committing to your choice.
The guides linked on this page cover each part of the exam in detail. Start with the section that feels least familiar, and use the task verbs guide alongside the FRQ guide so your written responses match what the scoring criteria expect.
The AP Cybersecurity Exam is 2 hours and 10 minutes long. Section I has 60 multiple-choice questions in 80 minutes, worth 70% of your score. Section II has one free-response question, the Device Security Analysis, with a suggested 50 minutes and worth 30% of your score.
The Device Security Analysis is the single free-response question on the AP Cybersecurity Exam. It gives you several simulated sources about one digital device, such as firewall configs, file-system permissions, security policies, and log files, and asks you to identify security issues, find evidence of attacks, and evaluate security controls.
The 60 MCQs cover all five course units and are organized around three assessed skill categories, each accounting for roughly 25 to 35 percent of the section. Questions test your ability to identify threats, mitigate risk, and detect attacks across scenarios involving networks, devices, and applications.
The AP Cybersecurity Device Security Analysis FRQ uses five task verbs: identify, explain, describe, determine, and write. Each verb signals a different type of response. Matching your answer to the correct verb is one of the most reliable ways to earn full credit, even on parts you find straightforward.
Focus on the five course units, then practice reading artifacts like logs, firewall configs, and permission tables quickly and accurately. Use the MCQ guide to learn skill weighting and trap patterns, and use the FRQ guide to build a repeatable workflow for the Device Security Analysis question before exam day.
The FRQ provides multiple simulated sources tied to a single digital device. These typically include firewall settings, file-system permissions, security policies, and log files such as auth logs, web server access logs, and application network logs. Your job is to cite specific evidence from these sources in your responses.