AP exam review verified for 2027

AP Cybersecurity Cybersecurity Skills Review

AP Cybersecurity is organized around four skill categories rather than isolated content topics, so every unit asks you to analyze risk, mitigate it, detect attacks, or collaborate on a task. Knowing what each skill demands and how it shows up on the exam is the fastest way to build consistent, transferable performance.

Use the topic guides below to go deep on any individual skill category.

What are the AP Cybersecurity cybersecurity skills?

AP Cybersecurity structures its entire course around skill categories instead of standalone knowledge units. That means the same analytical moves you practice in one domain, say identifying a vulnerability in a physical access scenario, transfer directly to a network or software scenario on the exam.

The four skill categories are: SC1 Analyze Risk, SC2 Mitigate Risk, SC3 Detect Attacks, and SC4 Collaborate. SC1 and SC2 appear across every unit and carry the heaviest exam weight. SC3 focuses on monitoring, log analysis, and attack classification. SC4 is about teamwork and AI-assisted collaboration, assessed mainly in course projects.

Skills run across every unit

You do not finish Analyze Risk and move on. Every domain, physical security, network security, software security, applies all four skill categories. Expect exam questions to embed SC1 or SC2 reasoning inside any topic area.

AI support is part of the skill

SC1, SC2, and SC3 each include tasks done with AI support and tasks done without it. The exam distinguishes between these, so you need to know both what AI tools can assist with and what you must reason through independently.

Collaborate is real but not exam-scored the same way

SC4 builds habits that mirror actual cybersecurity team operations: shared goals, divided roles, and AI as a team tool. It does not appear on the multiple-choice or free-response sections, but the reasoning it develops supports your work in SC1 through SC3.

Risk is the thread connecting all four skills

You analyze risk first (SC1), then choose controls to reduce it (SC2), then monitor to catch what gets through (SC3), and you do all of this as part of a team using both human judgment and AI tools (SC4). Every exam question is somewhere on that chain.

Course skills study guides

1

Analyze Risk

Identify vulnerabilities and threats, determine how adversaries exploit them, and evaluate and document likelihood and impact. This skill anchors the exam and appears in every domain.

open guide
2

Mitigate Risk

Select and layer security controls to reduce identified risks, evaluate how well they work, and log your mitigations with justification. Matching the right control to the right vulnerability is the core task.

open guide
3

Detect Attacks

Monitor systems, analyze log files and other digital evidence, classify attacks, and evaluate detection methods. Both independent analysis and AI-assisted analysis are in scope.

open guide
4

Collaborate

Set shared team goals, assign roles, use AI as a team tool, and complete your assigned work. Assessed in course projects and team scenarios rather than on the multiple-choice or free-response sections.

open guide

Cybersecurity skills review notes

SC1

Analyze Risk: the core process

Analyze Risk asks you to identify vulnerabilities and threats, determine how adversaries could exploit them, and then evaluate and document the likelihood and impact of each risk. This is the foundation skill because you cannot choose a control or set up detection without first understanding what you are protecting against and why it matters.

  • Vulnerability: A weakness in a system, process, or asset that an adversary could exploit.
  • Threat: A potential event or actor that could exploit a vulnerability to cause harm.
  • Likelihood: How probable it is that a threat will successfully exploit a vulnerability.
  • Impact: The severity of harm to an organization if a risk is realized.
  • Risk documentation: Recording identified vulnerabilities, threats, likelihood, and impact in a structured format so decisions can be justified.
Can you take a scenario, name a specific vulnerability, identify the threat actor or event, and then justify a likelihood and impact rating with evidence from the scenario?
StepWhat you doCommon error
Identify vulnerabilityName the specific weakness in the asset or processDescribing the attack instead of the weakness
Identify threatName the actor or event that could exploit itConfusing threat with vulnerability
Evaluate likelihoodUse scenario evidence to rate probabilityAsserting high or low without justification
Evaluate impactExplain consequences to the organizationListing generic harms instead of scenario-specific ones
DocumentRecord findings in a structured, traceable waySkipping documentation or being vague
SC2

Mitigate Risk: choosing and layering controls

Mitigate Risk is about selecting protective and deterrent security controls, layering them so they cover identified vulnerabilities, evaluating how well they work, and logging what you implemented and why. The key move is matching a specific control to a specific vulnerability and explaining the connection, not just listing security tools.

  • Security control: A safeguard or countermeasure applied to reduce the likelihood or impact of a risk.
  • Layered defense: Using multiple overlapping controls so that if one fails, others still protect the asset.
  • Mitigation logging: Recording which controls were implemented, where, and why, to support accountability and future review.
  • Control evaluation: Assessing whether a chosen control actually reduces the identified risk and to what degree.
Given a vulnerability from SC1, can you name a specific control, explain exactly how it addresses that vulnerability, and describe what a layered approach would add?
Control typeExampleWhat risk it addresses
PreventiveMulti-factor authenticationUnauthorized access via stolen credentials
DeterrentSecurity camera signagePhysical intrusion attempts
DetectiveIntrusion detection systemMalicious traffic reaching internal systems
CorrectivePatch management processExploitation of known software vulnerabilities
SC3

Detect Attacks: monitoring, evidence, and classification

Detect Attacks covers what happens after controls are in place. You set up detection methods, monitor systems, analyze digital evidence like log files, and classify the attacks you find. Both human analysis and AI-assisted analysis are in scope. The skill requires you to move from raw evidence to a specific, justified conclusion about what kind of attack occurred.

  • Log analysis: Examining system, network, or application logs to find indicators of malicious activity.
  • Attack classification: Identifying the type of attack based on evidence, such as phishing, denial of service, or SQL injection.
  • Detection method: A tool or process used to identify signs of compromise, such as signature-based or anomaly-based detection.
  • Digital evidence: Data artifacts, including logs, alerts, and file changes, that indicate an attack occurred or is in progress.
  • Indicator of compromise: A specific observable artifact that suggests a system has been attacked or is under attack.
Given a log excerpt or scenario, can you identify the specific indicator of compromise, name the attack type, and explain how the evidence supports that classification?
Detection approachHow it worksLimitation
Signature-basedMatches known attack patterns against traffic or filesMisses novel or zero-day attacks
Anomaly-basedFlags behavior that deviates from a baselineCan produce false positives on unusual but legitimate activity
AI-assistedUses machine learning to identify patterns across large data setsRequires quality training data; can reflect biases in that data
SC4

Collaborate: team roles, shared goals, and AI as a tool

Collaborate is the skill of working effectively with other people and with AI to complete a cybersecurity task. In practice this means setting shared objectives at the start, assigning roles based on what the task needs, using AI tools as a genuine team resource rather than a shortcut, and completing your assigned work so the group can finish. This skill is assessed in course projects and team scenarios, not on the multiple-choice or free-response exam sections.

  • Shared objective: A clearly stated goal that all team members understand and are working toward.
  • Role assignment: Dividing responsibilities among team members based on task requirements and individual strengths.
  • AI as team tool: Using AI to assist with research, analysis, or documentation as part of a collaborative workflow, not as a replacement for team reasoning.
  • Task completion: Finishing your assigned portion of the work at the quality and time the team needs.
In a team scenario, can you articulate the shared goal, explain your specific role, describe how AI was used as a tool, and account for your individual contribution?
Collaboration elementStrong performanceWeak performance
Shared objectiveTeam states a specific, measurable goal before startingTeam starts work without agreeing on what success looks like
Role assignmentRoles match task demands and are clearly communicatedRoles are vague or duplicated, causing gaps or conflicts
AI useAI assists with a defined subtask; team evaluates its outputAI output is accepted without review or used to replace team reasoning
Individual contributionAssigned work is completed on time and at expected qualityWork is incomplete or handed off without communication

Common mistakes

Describing the attack instead of the vulnerability

In SC1, students often write what an attacker does rather than naming the weakness that makes the attack possible. The vulnerability is the gap in the system; the attack is what exploits it. Keep them separate.

Listing controls without connecting them to risks

SC2 is not a list of security tools. Every control you name needs to be tied to a specific vulnerability or threat from your SC1 analysis. A control without a connection is not a mitigation, it is just a term.

Stopping at attack identification in SC3

Naming the attack type is not enough. You need to cite the specific evidence from the log or scenario that supports your classification. Unsupported classifications do not demonstrate SC3 reasoning.

Treating AI support as optional or invisible

The course explicitly distinguishes tasks done with AI from tasks done without it. Ignoring AI as a factor, or failing to evaluate AI output critically, misses a tested component of SC1, SC2, and SC3.

Applying skills only in the domain where you first learned them

Students who practice SC1 only in network security scenarios often struggle when the same skill appears in a physical security or software context. The skill is the same; the domain details change.

How this guide shows up on the AP exam

SC1 and SC2 anchor multiple-choice reasoning

Most multiple-choice questions require you to identify a vulnerability or threat and then evaluate a control or response. Even questions that look like pure content recall are testing whether you can apply SC1 or SC2 logic to a specific scenario detail.

SC3 appears in evidence-based and scenario questions

Free-response and scenario-based questions often present log data, network diagrams, or event sequences and ask you to identify what happened and how you know. That is SC3 in direct form: move from evidence to a classified, justified conclusion.

AI support is an explicit exam variable

The exam distinguishes between tasks performed with AI assistance and tasks performed independently. Expect questions that ask you to evaluate what an AI tool produced, identify its limitations, or describe what human judgment added to the analysis.

Review checklist

  • Distinguish vulnerability from threatA vulnerability is the weakness; a threat is the actor or event that could exploit it. Mixing these up in SC1 analysis breaks the entire risk chain.
  • Justify likelihood and impact with scenario evidenceDo not assert that a risk is high or low without pointing to specific details in the scenario. Unsupported ratings are incomplete SC1 responses.
  • Match controls to specific vulnerabilities in SC2Name the control, name the vulnerability it addresses, and explain the connection. Listing controls without linking them to identified risks does not demonstrate SC2 proficiency.
  • Describe layering, not just a single controlSC2 expects you to explain why multiple overlapping controls are stronger than one. Identify what each layer covers and what gap it closes.
  • Move from evidence to classification in SC3When analyzing a log or scenario, name the specific indicator of compromise, then name the attack type, then explain how the evidence supports that conclusion. Skipping the evidence-to-conclusion link is the most common SC3 gap.
  • Account for AI use accuratelySC1, SC2, and SC3 each include tasks done with AI support and tasks done without it. Know which is which and be able to describe what the AI tool contributed versus what you reasoned independently.
  • Apply skills across domainsPractice running SC1 through SC3 in physical, network, and software security contexts. The exam embeds these skills in any domain, so domain-specific practice gaps become exam gaps.

How to study cybersecurity skills

Start with the SC1 topic guideAnalyze Risk is the foundation for everything else. Read the Analyze Risk topic guide, then practice taking a short scenario and writing out vulnerability, threat, likelihood, and impact before moving to SC2 or SC3.
Work SC2 immediately after SC1 practiceUse the same scenario you analyzed in SC1 and apply SC2: choose a control, explain why it addresses the specific vulnerability you identified, and add a second layer. This builds the SC1-to-SC2 chain the exam tests.
Practice SC3 with log-based scenariosRead the Detect Attacks topic guide and then work through scenarios that include log excerpts or event timelines. Practice naming the indicator of compromise, classifying the attack, and writing a one-sentence evidence justification.
Review SC4 in the context of course projectsRead the Collaborate topic guide and reflect on how your team set goals, divided roles, and used AI in any project work. SC4 habits are built through practice, not memorization.
Run cross-domain review sessionsTake one scenario from each major domain, physical, network, software, and apply SC1 through SC3 to each. This is the most direct way to close domain-specific skill gaps before the exam.

More ways to review

Topic study guides

Open the individual guides for Cybersecurity Skills when you want a closer review of one topic.

browse guides
Ready to review Cybersecurity Skills?Start with the notes, check the topic cards, and use the practice or resource links when they are available for this course.