AP Cybersecurity FRQ Guide

Written by the Fiveable Content Team • Last updated June 2026
Verified for the 2027 exam

This guide helps you understand the single free-response question on the AP Cybersecurity Exam and how to work through it efficiently. You will learn what the Device Security Analysis task asks for, what kinds of sources you get, and how to cite evidence and explain your reasoning so your analysis holds up.

Where the FRQ Fits on the Exam

The AP Cybersecurity Exam is 2 hours and 10 minutes total. Section II is the free-response section: it has 1 FRQ, a suggested time of 50 minutes, and it counts for 30% of your exam score.

The Device Security Analysis description emphasizes Skill Categories 2 (Mitigate Risk) and 3 (Detect Attacks). The skills reference also marks Skill Category 1 (Analyze Risk) as FRQ-applicable, so source-based risk reasoning can still matter when a prompt shows vulnerabilities, threats, attack methods, likelihood, impact, or a compromised asset. The exact prompt may use only some of those moves, so answer the task verbs and sources provided.

Section | Type | Questions | Weight | Timing
I | Multiple-Choice | 60 | 70% | 80 min
II | Free-Response | 1 | 30% | 50 min

What Device Security Analysis Looks Like

The FRQ gives you several simulated sources about a single digital device. You analyze those sources to identify security issues, detect and classify attacks from digital evidence, explain permission settings, describe the impact of configuration or permission changes, and evaluate how security controls, such as firewalls or automated systems, influence network traffic and device behavior.

Sources may include broad categories such as security policies, firewall configurations, file-system permissions, and log files. The task can also ask you to evaluate how controls such as firewalls or automated systems influence network traffic and device behavior. The exact labels and formats can vary, so focus on what each provided source says about the same device rather than expecting a specific operating system, service, or file path.

The official core tasks are source-based. You may need to identify security issues from the provided sources, detect evidence of attacks, describe attacks, explain permission settings, or explain the impact of policy or configuration modifications using evidence from those sources.

Because every source describes the same device, your strongest answers connect evidence across sources. A firewall rule plus a matching log entry tells a more complete story than either one alone.

Security policies are the baseline for what should be true. Use them to identify security issues such as settings that violate policy, permissions that allow too much access, or traffic behavior that contradicts the device's required security posture. A finding does not have to be an active attack to matter; it can be a misconfiguration, weak control, or policy-compliance problem shown by the sources.

Skills This FRQ Uses

The FRQ centers on mitigation and detection.

Skill category | What it can ask you to do
Mitigate Risk | Identify controls, explain how they reduce risk, determine layered controls, evaluate the impact of protective strategies, and write or recognize defensive changes when the prompt asks
Detect Attacks | Identify monitoring methods, determine strategies and methods for detecting attacks, evaluate threat-detection methods, and classify attacks from digital evidence

Know the Task Verbs

The prompt uses specific task verbs, and each one signals what graders expect. Match your response to the verb instead of dumping everything you know.

  • Identify: Point to a concept or a specific piece of evidence from the sources.
  • Describe: Lay out a process or an outcome with enough detail to be clear.
  • Explain: Give reasons that account for an outcome, backed by specific evidence.
  • Determine: Apply criteria or reasoning to the sources to reach a specific result.
  • Write: Produce a proper command that has the indicated effect.

When a part says Write, give a clean, correct command and nothing extra. When a part says Explain, your reason must tie back to evidence in the provided sources.

A Practical Workflow for 50 Minutes

Use a rough time budget so you do not get stuck on one part. The plan below keeps you moving while leaving room to connect evidence.

  1. Read the prompt first (about 3 minutes). Note the task verb in each prompt part. This helps you decide which sources to check first.
  2. Skim every source once (about 7 minutes). Tag source details that may show a security issue, attack evidence, configuration effect, permission effect, or control behavior.
  3. Answer part by part (about 35 minutes). For each part, cite the source detail that supports your claim. A log line, firewall rule, permission string, or policy statement is useful when it directly supports the answer.
  4. Review (about 5 minutes). Check that every Explain answer has a reason plus evidence, and that any commands are syntactically clean.

How to Cite Evidence Well

Generic claims do not earn credit on an evidence-based FRQ. Tie each conclusion to a specific source detail and then say why that detail matters.

A reliable pattern is claim, then evidence, then reasoning. State what you found, point to the artifact, and explain how it shows a security issue or an attack.

For example, suppose a sample authentication log shows many failed logins from one IP followed by a success:

02:14:09 Failed password for admin from 203.0.113.45
02:14:11 Failed password for admin from 203.0.113.45
02:14:13 Accepted password for admin from 203.0.113.45

A strong response says: this is an indicator of a password attack. Repeated failed password entries for admin from the same IP, 203.0.113.45, followed by an accepted password, suggest a brute-force or password-guessing attempt that ultimately succeeded. That cites the artifact, classifies the attack type, and explains the reasoning.
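The same reasoning can be written as detection logic. The sketch below is an added example, not part of the original guide: it scans log lines in the format shown above for repeated failures from one IP followed by an accepted login, then prints the finding in claim, evidence, reasoning form. The two extra log lines, the function names, and the `min_failures` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the three lines from the excerpt plus two made-up lines.
SAMPLE_LOG = """\
02:14:09 Failed password for admin from 203.0.113.45
02:14:11 Failed password for admin from 203.0.113.45
02:14:13 Accepted password for admin from 203.0.113.45
02:20:40 Failed password for backup from 198.51.100.7
02:31:02 Accepted password for jlee from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<ip>\S+)$"
)

def find_guess_then_success(log_text, min_failures=2):
    """Find (user, ip) pairs with min_failures+ failed logins followed by a success."""
    failures = defaultdict(list)  # (user, ip) -> timestamps of failures so far
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not password events
        key = (m["user"], m["ip"])
        if m["result"] == "Failed":
            failures[key].append(m["time"])
            continue
        # Accepted login: it only matters if enough failures came before it.
        if len(failures[key]) >= min_failures:
            findings.append({"user": m["user"], "ip": m["ip"],
                             "failed_at": list(failures[key]),
                             "accepted_at": m["time"]})
        failures[key].clear()  # a success resets the streak for this pair
    return findings

def as_claim_evidence_reasoning(f):
    """Phrase one finding the way the FRQ expects it to be written up."""
    return (f"Claim: password attack against '{f['user']}'. "
            f"Evidence: {len(f['failed_at'])} failed logins from {f['ip']} "
            f"({', '.join(f['failed_at'])}), then an accepted login at {f['accepted_at']}. "
            "Reasoning: repeated failures from one IP followed by a success "
            "suggest password guessing that ultimately succeeded.")

if __name__ == "__main__":
    for finding in find_guess_then_success(SAMPLE_LOG):
        print(as_claim_evidence_reasoning(finding))
```

The single failed login for `backup` and the clean login for `jlee` produce no finding, which is the distinction a written answer should also make.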

Connecting Controls to Behavior

Part of this FRQ asks how security controls influence network traffic and device behavior. When you discuss a firewall rule or an automated system, describe what traffic it allows, blocks, flags, or changes and the effect on users.

If you propose a change, name the change and its consequence. For example, blocking inbound traffic on a port closes off an attack path but may also stop a legitimate service, so note both the security gain and the user impact.

If the prompt asks you to Write a defensive command or rule, keep it focused on producing the indicated effect in the provided source context.

Reading File-System Permissions

File-system permissions may appear as one kind of simulated source, so be fluent in reading and explaining them. A string like rwxr-x--- means the owner has read, write, and execute, the group has read and execute, and everyone else has no access. If the prompt asks what a permission setting means, translate each user class and permission into plain language before explaining the security effect.

If a sensitive file shows broad access for others, that is a weak access-control finding. Tie it back to risk: weak access controls let more users, and potentially an adversary who compromises an account, view or edit files they should not touch. If the permission setting is appropriate, explain why it matches the file's purpose and the policy baseline instead of treating every permission as a problem.

If a prompt asks about a permission change, explain both effects: how the change affects the device's security behavior and how it affects legitimate users. For example, removing write access can protect integrity, but it can also prevent a user group from updating files they previously needed to maintain.
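To practice the translation step, the following added example (not part of the original guide) parses a nine-character permission string into plain language per user class and lists what each class gains or loses when the string changes. The function names and the sample strings are assumptions; special bits such as setuid or sticky are deliberately rejected rather than interpreted.

```python
CLASSES = ("owner", "group", "others")
MEANING = {"r": "read", "w": "write", "x": "execute"}

def parse_mode(mode):
    """Turn a 9-character string like 'rwxr-x---' into {class: set of permissions}."""
    if len(mode) != 9:
        raise ValueError(f"expected 9 permission characters, got {len(mode)}: {mode!r}")
    parsed = {}
    for i, cls in enumerate(CLASSES):
        triplet = mode[3 * i: 3 * i + 3]
        granted = set()
        for expected, actual in zip("rwx", triplet):
            if actual == expected:
                granted.add(MEANING[expected])
            elif actual != "-":
                raise ValueError(f"unsupported character {actual!r} in {mode!r}")
        parsed[cls] = granted
    return parsed

def describe(mode):
    """Plain-language reading of a permission string, one clause per user class."""
    parts = []
    for cls, perms in parse_mode(mode).items():
        ordered = [p for p in MEANING.values() if p in perms]
        parts.append(f"{cls}: {', '.join(ordered) if ordered else 'no access'}")
    return "; ".join(parts)

def change_effect(before, after):
    """List what each user class loses or gains when the permissions change."""
    old, new = parse_mode(before), parse_mode(after)
    effects = []
    for cls in CLASSES:
        for perm in sorted(old[cls] - new[cls]):
            effects.append(f"{cls} loses {perm}")
        for perm in sorted(new[cls] - old[cls]):
            effects.append(f"{cls} gains {perm}")
    return effects

if __name__ == "__main__":
    print(describe("rwxr-x---"))
    # Constructed change: removing group write from a shared file.
    print(change_effect("rw-rw-r--", "rw-r--r--"))
```

The `change_effect` output is the starting point for the two-sided answer: each "loses" line is both a security gain and a possible loss of legitimate access.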

Common Mistakes to Avoid

These traps cost points even when students understand the material. Watch for them as you write.

  • Vague claims with no source. Saying "the logs look suspicious" earns nothing. Quote the line and explain why it is suspicious.
  • Answering the wrong verb. If the part says Determine, give a specific result, not a general description.
  • Ignoring user impact. When asked about a configuration change, address both security effect and effect on legitimate users.
  • Writing sloppy or offensive commands. Commands should be correct and defensive. Match the exact effect the prompt requests.
  • Treating sources in isolation. The device is one system. Link the firewall config, the permissions, and the logs when the evidence connects.
  • Spending all your time on one part. Each part is worth points. Move on and come back if needed.

Quick Self-Check Before You Submit

Run through this short list during your review window. It catches the most common gaps.

  • Did every Explain answer include a reason and specific evidence?
  • Did you reference the log fields, IPs, rules, permission strings, or policy statements that support the answer?
  • Did your Write answers produce the requested effect with clean syntax?
  • Did you explain permission settings when the prompt asks what they mean or whether they are appropriate?
  • Did you address how controls or changes affect both the device and users?
  • Did you connect evidence across sources where it lined up?

If you can answer yes to all six, your Device Security Analysis response is doing what the exam rewards: precise evidence and clear reasoning grounded in the provided sources.

Frequently Asked Questions

How many FRQs are on the AP Cybersecurity Exam?

There is one free-response question.

What sources appear in the Device Security Analysis FRQ?

You get several simulated sources about one digital device.

Which skills does the AP Cybersecurity FRQ assess?

The FRQ assesses Skill Category 2 (Mitigate Risk) and Skill Category 3 (Detect Attacks).

How should I cite evidence on the AP Cybersecurity FRQ?

Use a claim, evidence, reasoning pattern. State what you found, reference the exact log line, firewall rule, or permission string, and explain why it shows a security issue or attack.
