Section I of the AP Cybersecurity Exam is the larger exam section at 70% of your score. This guide helps you handle the multiple-choice questions efficiently, keep the full course scope in view, and review the official Section I skill expectations.
What the MCQ Section Looks Like
The multiple-choice section gives you 60 questions in 80 minutes, and it counts for 70% of your exam score. That works out to about 80 seconds per question, so you need a reading method that is fast but accurate.
All five units of the course are assessed in Section I. The official Section I weighting is by skill category, not by unit. College Board does not publish a unit-by-unit percentage breakdown for the AP Cybersecurity MCQs, so use the five units as your content checklist and the three skill categories as your weighting guide. The free-response section is a separate Device Security Analysis prompt worth 30%, but the MCQs cover the broadest range of content.
Use course knowledge first, then read the question carefully for any additional technical details it provides. Do not rely on a fixed MCQ source package. Section I is organized by skills across all five units, not by one repeated artifact format.
How the Questions Are Weighted
The MCQ section is organized around three assessed skill categories, each accounting for roughly 25 to 40% of the section.
| Skill Category | Approximate MCQ Weight | What It Tests |
|---|---|---|
| Skill Category 1: Analyze Risk | 25-40% | Identifying vulnerabilities, threats, and attack methods; determining how adversaries could exploit vulnerabilities to compromise assets; evaluating and documenting likelihood and impact, with and without AI support |
| Skill Category 2: Mitigate Risk | 25-40% | Choosing controls, evaluating the impact of protective strategies with and without AI support, and recognizing how mitigations are implemented or logged |
| Skill Category 3: Detect Attacks | 25-40% | Monitoring systems, classifying attacks from evidence, and evaluating the impact of threat-detection methods |
Notice that Skill Category 4, Collaborate, is part of the course framework but does not apply to the MCQ or FRQ sections. Those collaboration skills still matter in class work, but Section I focuses on Analyze Risk, Mitigate Risk, and Detect Attacks.
Because each tested skill can swing between a quarter and 40% of the section, you cannot safely ignore any of the three. Strong coverage across analysis, mitigation, and detection is the safest preparation plan.
How to Read MCQ Prompts
MCQs assess your understanding of the skills and learning objectives from the course framework. The official exam description does not prescribe one repeated MCQ source package. Do not assume Section I will use the same multi-source Device Security Analysis package as the FRQ, and do not assume every question will use the same kind of artifact. Use the course knowledge and question information in front of you.
Use a consistent four-step workflow:
- Identify which official skill category the question is testing: Analyze Risk, Mitigate Risk, or Detect Attacks.
- Find the relevant detail in the prompt.
- Match that detail to a course concept, learning objective, or risk-management idea.
- Eliminate options that the evidence does not support.
Full Skill Breadth
Across the 60 MCQs, prepare for the full tested skill set from Skill Categories 1-3:
| Skill | What to recognize on MCQs |
|---|---|
| 1.A | Identify vulnerabilities, threats, and attack methods, with and without AI support, and explain how they generate risk |
| 1.B | Determine how adversaries exploit vulnerabilities to compromise an asset |
| 1.C | Evaluate the likelihood and impact of risks, with and without AI support |
| 1.D | Recognize clear documentation of likelihood and impact, such as a risk note that states the asset, vulnerability, threat, likely effect, and evidence for the risk level |
| 2.A | Identify security controls and explain how they mitigate risks |
| 2.B | Determine layered security controls that address vulnerabilities |
| 2.C | Evaluate the impact of protective risk-management strategies, with and without AI support |
| 2.D | Recognize how mitigations are implemented and logged, such as a setting change, policy update, access-control change, firewall rule, alert, ticket, or record that shows the mitigation occurred |
| 3.A | Identify monitoring methods and explain how they detect attacks |
| 3.B | Determine strategies and methods to detect attacks |
| 3.C | Evaluate the impact of threat-detection methods |
| 3.D | Detect and classify cyberattacks by analyzing digital evidence, with and without AI support |
Collaboration skills 4.A-4.D are part of the course framework, but they are not assessed on either exam section.
For "evaluate" prompts, do more than name a control or detection method. Explain its impact using the information in the question.
For documentation questions, look for records that make the risk understandable to another person: what asset is affected, what vulnerability or threat creates risk, how likely the risk is, what impact it could have, and what evidence supports that judgment.
For mitigation questions, recognize the control, the risk it reduces, and what evidence would show the mitigation was applied or logged.
The content breadth spans all five units: introduction to security, securing spaces, securing networks, securing devices, and securing applications and data. These units are assessed in Section I as course content coverage. The official weighting is still by Skill Category 1, 2, and 3, not by unit percentage.
Section I is 60 multiple-choice questions across those course contexts. The detailed simulated-source set of security policies, firewall configurations, file-system permissions, and log files is the official FRQ format, so do not assume MCQs will use that same source package.
Use that same three-skill lens across each unit:
- Introduction to security: connect introductory threats, risk reasoning, mitigation, detection, and AI-related security ideas.
- Securing spaces: apply risk, mitigation, and detection logic to physical security contexts.
- Securing networks: apply risk, mitigation, and detection logic to network security contexts.
- Securing devices: apply risk, mitigation, and detection logic to device security contexts.
- Securing applications and data: apply risk, mitigation, and detection logic to application and data security contexts.
For Unit 1, focus on the relationship among assets, vulnerabilities, threats, likelihood, impact, and risk. For Unit 2, apply the same risk logic to physical spaces and physical controls. For Unit 3, apply it to computer networks and defense in depth. For Unit 4, apply it to devices, authentication, malware, and monitoring. For Unit 5, apply it to applications and data. These are content areas to review, not official MCQ percentage buckets.
Two skill statements deserve extra attention:
- Skill 2.B: determine layered security controls that address vulnerabilities. This means choosing controls that work together, not relying on a single defense.
- Skill 3.D: detect and classify cyberattacks by analyzing digital evidence with and without AI support. This means connecting the evidence provided in the question to the type of attack and understanding when AI-supported analysis still needs human judgment.
A Time and Pacing Plan
With roughly 80 seconds per question, sort items into three buckets as you go.
- Bucket 1: You know it. Answer and move on.
- Bucket 2: You can solve it from the provided evidence, but it takes work. Mark it and come back if time allows.
- Bucket 3: You are stuck. Eliminate what you can, choose your best option, and flag it.
Never leave a question blank, since there is no penalty for guessing. Aim to finish a first pass with time left for the flagged questions.
Common Traps to Avoid
Do not pick an answer just because it uses scary security vocabulary. The correct choice must be supported by the course concept and the information in the question, not by the most dramatic term.
Do not confuse the three skill categories. A question can describe an attack but actually ask which control mitigates it, or it can ask you to detect rather than fix. Read the stem to see whether you are analyzing, mitigating, or detecting.
When a question includes source-style evidence, read that evidence before leaning on the answer choices. Forming an expectation first keeps you from being steered by an attractive but wrong distractor.
Final Prep Checklist
Before test day, make sure you can do each of these from memory:
- Explain how adversaries exploit vulnerabilities to compromise assets.
- State the difference between analyzing, mitigating, and detecting in one sentence each.
- Explain how a mitigation changes risk and how that change could be documented or logged.
- Determine strategies and methods to detect attacks.
- Evaluate the impact of threat-detection methods.
- Connect vulnerabilities, attacks, mitigations, and detection to defense in depth across all five units.
If you can do those quickly, you are ready to move through 60 questions in 80 minutes without panic.
Frequently Asked Questions
How many questions are on the AP Cybersecurity multiple-choice section and how much is it worth?
Section I has 60 multiple-choice questions, and you get 80 minutes to complete them. It counts for 70% of your exam score.
Which skills are tested on the AP Cybersecurity MCQ section?
The MCQs are organized around three skill categories: Analyze Risk, Mitigate Risk, and Detect Attacks. Each accounts for roughly 25 to 40% of the section.
What kinds of technical artifacts appear in AP Cybersecurity MCQs?
Scenario questions can include security review findings, file-permission strings, access-control emails, firewall ACLs, hashing function outputs, phishing emails, server access logs, authentication logs, and ARP reply logs.
What is the best way to read an artifact question quickly?
Use a four-step workflow: identify the artifact type, find the one value that breaks the expected pattern, match that anomaly to a vulnerability or control or attack, and eliminate options the evidence does not support.