AP exam review verified for 2027

AP Cybersecurity Cybersecurity Technical Skills Review

AP Cybersecurity technical skills cover the hands-on tasks you must perform on the exam: reading and writing commands, interpreting file permissions, tracing firewall rules, and analyzing network diagrams. These are not background knowledge questions but applied tasks where exact syntax, rule order, and diagram interpretation determine whether your response earns credit.

Use the five topic guides below to practice each skill area before your exam.

What are the AP Cybersecurity cybersecurity technical skills?

AP Cybersecurity tests technical skills differently from most AP courses. Instead of explaining what a firewall does in general, you are given an ACL and asked which packets are allowed. Instead of defining encryption, you are given a command and asked what it produces or asked to write the correct command yourself. Precision matters at every step.

Technical skills on this exam fall into three categories: command-line tasks (writing or reading chmod, openssl, and hash commands), access control tasks (reading and modifying firewall ACL rules and file permissions), and network analysis tasks (interpreting diagrams to identify risk, segmentation, and trust boundaries). Each skill maps to specific free-response and multiple-choice question types.

Command-Line Tasks

When a free-response prompt uses the verb Write, you must produce exact command syntax. This includes chmod with symbolic or numeric notation, openssl commands for symmetric and asymmetric encryption, RSA key generation, and hash verification. Reading command output as evidence is also tested, so you need to know what correct and incorrect output looks like.

Access Control Configuration

File permissions and firewall ACL rules both require you to trace who can do what and why. For permissions, you read ls -l and getfacl output, then apply chmod to reach a target state. For firewalls, you trace a packet through an ordered rule set and determine whether it is allowed or denied, then write or modify rules to meet a scenario's requirements.

Network Diagram Analysis

Network diagrams are evidence, not illustrations. You identify firewall placement, DMZ structure, segmentation choices, and trust boundaries, then connect those layout decisions to specific risks or controls. The exam expects you to explain why a device's position in the diagram matters, not just label what it is.

Precision is the skill

Every technical task on this exam rewards specificity. A chmod command with the wrong octet, a firewall rule with the wrong port, or a diagram interpretation that ignores a trust boundary will not earn full credit. Practice by working through each command and rule set step by step, checking your output against what the scenario actually requires.

Course skills study guides

1

Command Line Guide

Covers chmod, openssl, hashing, ls -l, and getfacl with exact syntax. Use this guide to practice both reading command output as evidence and writing commands that produce a required effect.

open guide
2

Cryptography Commands Guide

Walks through symmetric encryption, RSA key generation, and hash verification with worked examples. Focuses on what each command does, what input and output to expect, and when each is the right tool.

open guide
3

File Permissions and chmod Guide

Teaches you to read ls -l and getfacl output, apply symbolic and numeric chmod, and connect permission analysis to the Device Security Analysis free-response question.

open guide
4

Firewall and ACL Configuration Guide

Explains how to trace a packet through an ordered ACL, identify which rule applies, and write or modify rules to meet a scenario's traffic requirements. Covers default deny and rule order logic.

open guide
5

Network Diagram Guide

Teaches you to read diagrams as security evidence: firewall placement, DMZ structure, segmentation, and trust boundaries. Connects layout decisions to specific risks and controls.

open guide

Cybersecurity technical skills review notes

Command-Line Syntax

Reading and Writing Commands on the Exam

The exam distinguishes between two command tasks. Read tasks give you a command or its output and ask you to interpret what it does or what it reveals about a device's security state. Write tasks require you to produce a syntactically correct command that achieves a stated effect. Both appear in free-response and multiple-choice contexts.

  • chmod (symbolic): Uses letters and operators to set permissions, for example chmod g-w filename removes write from the group.
  • chmod (numeric): Uses three-digit octal notation where each digit represents owner, group, and other permissions, for example chmod 644 sets rw-r--r--.
  • ls -l: Lists files with a permission string, owner, group, size, and timestamp. The first ten characters encode file type and rwx permissions for owner, group, and other.
  • getfacl: Displays access control list entries for a file, showing named user and group permissions beyond the standard owner/group/other model.
  • openssl enc: Encrypts or decrypts a file using a symmetric cipher. Requires specifying the algorithm, input file, output file, and key or passphrase.
  • openssl genrsa / rsa: Generates an RSA private key and extracts the corresponding public key for asymmetric encryption tasks.
  • sha256sum: Generates or verifies a SHA-256 hash of a file to confirm integrity. A mismatch between stored and computed hashes indicates tampering or corruption.
Can you write a chmod command that sets a file to owner read-write, group read-only, and no permissions for others, using both symbolic and numeric notation?
Task verbWhat you must doWhere it appears
WriteProduce exact command syntax that achieves the stated effectFree-response Device Security Analysis
ReadInterpret a command or its output as evidence about security stateMultiple-choice and free-response
ModifyChange an existing command or rule to meet new requirementsFree-response firewall and permission tasks
File Permissions

Interpreting and Changing File Permissions

File permissions on Linux control read (r), write (w), and execute (x) access for three categories: owner, group, and other. The exam tests whether you can read a permission string, identify a security problem, and apply the correct chmod command to fix it. Both ls -l and getfacl output appear as evidence in Device Security Analysis scenarios.

  • Permission string: The ten-character output from ls -l, such as -rwxr-xr--, where positions 2-4 are owner, 5-7 are group, and 8-10 are other permissions.
  • Principle of least privilege: Users and processes should have only the permissions they need. Overly permissive settings like 777 are a security finding you must identify and correct.
  • Execute bit on scripts: A script file needs the execute bit set for the intended user or group. Missing execute permission is a common scenario where you must write a chmod fix.
  • setuid / setgid: Special permission bits that run a file with the owner's or group's privileges. These appear in security analysis as potential privilege escalation risks.
Given the output -rwxrwxrwx for a sensitive configuration file, what security problem does this represent and what chmod command corrects it?
NotationExampleMeaning
Symbolicchmod o-rwx fileRemove all permissions from other
Numericchmod 640 fileOwner rw, group r, other none
getfacl outputuser:alice:r--Named user alice has read-only access via ACL entry
Firewall ACL Rules

Tracing Packets Through Firewall Rule Sets

Firewall ACL rules are evaluated in order, and the first matching rule wins. The exam gives you a rule set and a packet description, then asks whether the packet is allowed or denied and why. You may also need to write a new rule or identify which existing rule is causing an unintended effect. Default deny means any packet not matched by an explicit allow rule is blocked.

  • Rule order: ACLs are processed top to bottom. A packet matches the first rule whose source IP, destination IP, port, and protocol all match, then stops. Order determines outcome.
  • Default deny: An implicit or explicit deny-all rule at the end of an ACL blocks any traffic not matched by a prior allow rule. This is the secure baseline.
  • Port and protocol specificity: Rules must specify the correct port number and protocol (TCP or UDP). A rule allowing TCP port 443 does not affect UDP traffic on the same port.
  • Inbound vs. outbound: ACL direction matters. An inbound rule on an interface filters traffic entering that interface. Misidentifying direction is a common source of misconfiguration.
A rule set allows TCP 443 from any source to a web server, then denies all traffic. A client sends a UDP request to port 443. What happens and which rule applies?
Rule componentWhat to checkCommon error
Source IPDoes the packet's source match the rule's source range?Using the wrong subnet mask or confusing source and destination
Destination portDoes the packet's destination port match exactly?Allowing port 80 when the scenario requires 443
ProtocolIs the protocol TCP or UDP as specified?Writing a TCP rule when the service uses UDP
Rule positionIs a more specific rule placed before a broader one?Placing a deny-all before the intended allow rules
Network Diagrams

Reading Diagrams as Security Evidence

Network diagrams on the exam are not decoration. Each device placement, connection, and boundary communicates something about risk and controls. You need to identify where firewalls sit relative to traffic flow, what a DMZ isolates and why, how segmentation limits lateral movement, and what trust boundaries separate zones. Then you connect those observations to specific security implications.

  • Trust boundary: A line in the diagram where traffic transitions from one trust level to another, typically enforced by a firewall or router. Traffic crossing a trust boundary should be filtered.
  • DMZ (demilitarized zone): A network segment that sits between the internet and the internal network, hosting public-facing services like web servers while isolating them from internal resources.
  • Segmentation: Dividing a network into separate zones so that a compromise in one zone does not automatically give access to others. Limits lateral movement by attackers.
  • Firewall placement: A firewall placed between the internet and a server provides perimeter defense. A firewall placed between internal segments provides internal segmentation. Position determines what traffic it can filter.
  • Attack path: The sequence of hops an attacker would take through the diagram to reach a target. Identifying attack paths helps you evaluate whether controls are placed correctly.
A diagram shows a web server connected directly to the internet with no firewall between it and the internal database. What risk does this layout create and what change would reduce it?
Diagram featureSecurity implicationExam question type
Firewall between internet and DMZFilters inbound traffic before it reaches public-facing serversIdentify the control and explain its effect
No firewall between DMZ and internal LANA compromised DMZ server can reach internal resources directlyIdentify the vulnerability and recommend a fix
Flat network with no segmentationLateral movement is unrestricted once an attacker is insideExplain the risk and describe a segmentation solution
Cryptography Commands

Applying Encryption and Hashing Commands

Cryptography command tasks require you to know which tool to use for which purpose, what the correct syntax looks like, and what the output means. Symmetric encryption uses a shared key and is faster but requires secure key exchange. Asymmetric encryption uses a key pair and solves the key distribution problem. Hashing verifies integrity but does not encrypt data.

  • Symmetric encryption (openssl enc): Both parties use the same key to encrypt and decrypt. Faster than asymmetric but requires a secure channel to share the key. Used for bulk data encryption.
  • Asymmetric encryption (RSA): Uses a public key to encrypt and a private key to decrypt. Solves key distribution because the public key can be shared openly. Used for key exchange and digital signatures.
  • Hash function (sha256sum): Produces a fixed-length digest from input data. Any change to the file produces a different hash. Used to verify that a file has not been altered.
  • Key generation (openssl genrsa): Creates an RSA private key of a specified bit length. The corresponding public key is extracted separately. Key length affects security strength.
  • Hash verification workflow: Store the hash of a known-good file, then recompute the hash later and compare. A mismatch is evidence of tampering or corruption.
You need to send a large encrypted file to a colleague and also prove the file was not altered in transit. Which two commands do you use and in what order?
GoalToolKey concept
Encrypt a file with a shared passwordopenssl enc with a symmetric cipherBoth parties must already share the key securely
Encrypt so only the recipient can decryptopenssl with recipient's RSA public keyRecipient decrypts with their private key
Verify a file has not been modifiedsha256sum and compare to stored hashHash mismatch means the file changed

Common mistakes

Writing chmod with the wrong octet order

Numeric chmod digits go owner, group, other in that order. Writing 467 instead of 764 reverses the intended permissions. Always map each digit to its category before writing the command.

Stopping at the wrong ACL rule

Students often match a packet to a rule that shares one attribute (same port) but does not match all required fields (source IP, protocol). A rule only matches when every field in that rule matches the packet. Keep checking until all fields align.

Confusing encryption and hashing

Hashing is not encryption. A hash cannot be reversed to recover the original file, and it does not protect confidentiality. Using sha256sum when the task requires confidentiality, or using openssl enc when the task requires integrity verification, will not earn credit.

Describing a diagram instead of analyzing it

Saying a firewall is between the internet and the DMZ describes the diagram. Explaining that this placement filters inbound traffic before it reaches public-facing servers analyzes it. Exam responses that only describe layout without stating the security implication score lower.

Ignoring default deny when tracing ACLs

If a packet does not match any explicit rule, it hits the default deny and is blocked. Students who conclude a packet is allowed because no deny rule explicitly names it are missing the implicit deny-all at the end of the rule set.

How this guide shows up on the AP exam

Device Security Analysis free-response question

This is the primary location where technical skills are scored. You will be given a scenario that may include a network diagram, file permission output, firewall ACL, or command to interpret. Tasks use verbs like Write, Identify, Explain, and Modify. Exact syntax and specific security reasoning are required for full credit.

Multiple-choice items with command output and diagrams

Multiple-choice questions present permission strings, ACL rule sets, network diagrams, or command outputs as the stimulus. You must interpret the technical evidence to select the correct answer. These items test the same read skills as the free-response question but in a selected-response format.

Units 3, 4, and 5 content connections

Network diagrams and firewall rules map to Unit 3 (Securing Networks) and Unit 4 (Securing Devices). File permissions and cryptography commands map to Unit 4 and Unit 5 (Securing Applications and Data). Technical skill tasks on the exam are always grounded in these unit contexts, so knowing which skill belongs to which defensive domain helps you interpret scenario prompts correctly.

Review checklist

  • Write chmod in both notationsGiven a target permission state, produce the correct symbolic command (chmod g-w file) and the equivalent numeric command (chmod 640 file). Verify you can convert between the two without a reference.
  • Trace a packet through an ACLGiven a rule set and a packet description, identify the first matching rule and state whether the packet is allowed or denied. Confirm you are checking source IP, destination IP, port, and protocol against each rule in order.
  • Identify the right cryptography toolFor each scenario, decide whether symmetric encryption, asymmetric encryption, or hashing is the correct tool. Know the openssl command structure for each and what the output looks like.
  • Read a network diagram for riskLook at a diagram and identify at least one trust boundary, one segmentation decision, and one potential attack path. Explain what each firewall placement does and does not protect.
  • Interpret ls -l and getfacl outputRead a permission string and identify the owner, group, and other permissions. Spot overly permissive settings and state which principle they violate. Read a getfacl output and identify any named-user ACL entries.
  • Connect technical findings to security implicationsFor every command output, permission string, ACL, or diagram you analyze, practice stating the security implication in one sentence. The exam rewards responses that explain why a finding matters, not just what it shows.

How to study cybersecurity technical skills

Start with file permissionsRead the File Permissions and chmod Guide. Practice converting permission strings to chmod commands in both symbolic and numeric notation until you can do it without looking up the octet values. This skill appears in both multiple-choice and free-response contexts.
Work through firewall ACL tracingRead the Firewall and ACL Configuration Guide. Take a sample rule set and trace several different packets through it, writing down which rule matches and why. Practice writing a new rule that allows or denies a specific traffic type without disrupting existing rules.
Practice cryptography commands with worked examplesRead the Cryptography Commands Guide and the Command Line Guide together. For each command type, write out the full syntax from memory, then check it against the guide. Focus on knowing when to use symmetric versus asymmetric encryption and how hash verification works step by step.
Analyze network diagrams for security implicationsRead the Network Diagram Guide. Find or draw a simple network diagram with a DMZ, internal LAN, and internet connection. Identify every trust boundary, label what each firewall filters, and write one sentence about the risk created by each design choice.
Simulate a Device Security Analysis responseCombine all four skill areas into a single practice session. Given a scenario with a network diagram, a permission string, an ACL, and a command output, write a response that identifies findings, states their security implications, and recommends specific technical fixes using correct command syntax.

More ways to review

Topic study guides

Open the individual guides for Cybersecurity Technical Skills when you want a closer review of one topic.

browse guides

Frequently Asked Questions

What technical skills does AP Cybersecurity test on the exam?

AP Cybersecurity tests your ability to read and write firewall ACL rules, interpret file permissions, run command-line tools like chmod and openssl, analyze network diagrams, and apply cryptography commands. These skills appear in both multiple-choice scenario items and the free-response Device Security Analysis question.

What is the Device Security Analysis free-response question in AP Cybersecurity?

The Device Security Analysis is a free-response question that gives you several sources from one device, such as firewall configurations, file-permission strings, and log files. You analyze those sources to identify security problems, explain how configurations affect users, and write proper commands or rule changes to fix the issues.

How do firewall ACL rules work in AP Cybersecurity?

Firewall ACL rules are evaluated in order from top to bottom. Each rule specifies a source IP, destination IP, port, protocol, and an allow or deny action. The first rule that matches a packet applies, and most rule sets end with a default deny that blocks any traffic not explicitly permitted.

What Linux commands do you need to know for AP Cybersecurity?

The key commands are chmod for setting file permissions, ls -l and getfacl for reading permissions, and openssl for encrypting, decrypting, generating RSA key pairs, and verifying file hashes. Free-response Write tasks require exact syntax, so practicing the full command structure matters more than memorizing definitions.

How do file permissions work in AP Cybersecurity?

Linux file permissions control read, write, and execute access for three groups: the owner, the group, and all other users. The ls -l command displays a permission string like -rwxr, r, and chmod changes those permissions using either symbolic notation (u+x) or numeric notation (755).

What cryptography commands are covered in AP Cybersecurity?

AP Cybersecurity covers symmetric encryption with shared keys, asymmetric encryption using RSA key pairs, and hash-based file integrity verification. The focus is on applying openssl commands correctly: knowing which flags to use, what input each command expects, and when to choose symmetric versus asymmetric encryption for a given scenario.

Ready to review Cybersecurity Technical Skills?Start with the notes, check the topic cards, and use the practice or resource links when they are available for this course.