Device Security Analysis is a focused collection of guides built around the AP Cybersecurity free-response question. That single FRQ gives you several simulated sources from one device and asks you to identify vulnerabilities, analyze attack evidence, and recommend mitigations. The three guides here cover the core skills that question demands: reading and interpreting logs, cross-referencing multiple source types, and writing organized incident reports with properly cited evidence. Together they walk you through exactly how to approach the task from raw sources to a complete, scorable response.
Device Security Analysis is the free-response section of the AP Cybersecurity Exam. It is a single multi-part question worth 30% of your total score, and you get a suggested 50 minutes to complete it. The question gives you several simulated sources from one digital device, which can include security policies, firewall configurations, file-system permissions, and log files. Your job is to read those sources together, identify security issues, spot evidence of attacks, and explain how configuration or permission changes would affect the device and its users.
The guides on this page build the three core skills that Device Security Analysis tests directly: reading logs, cross-referencing multiple sources, and writing up findings in a clear, evidence-based report.
You receive a packet of simulated documents. Think of it as a snapshot of a real device under investigation. The sources might include an acceptable use policy, a firewall rule table, a directory listing with file permissions, and several log files from different services. None of the sources is labeled "the important one." Part of the task is figuring out which details matter and how they connect across documents.
The question then asks you to do things like identify a misconfiguration, classify an attack based on log evidence, explain the risk a vulnerability creates, or recommend a specific mitigation. Responses need to cite the source material. Saying "there is a problem with the firewall" earns nothing. Pointing to a specific rule, explaining what it allows that it should not, and connecting that to a realistic threat is what earns points.
Only two skill categories are assessed on the free-response section: Skill Category 2 (Mitigate Risk) and Skill Category 3 (Detect Attacks). Every part of every Device Security Analysis question maps to one of those two categories.
Log analysis is one of the most directly testable skills in the entire course. The log reading guide on this page covers the four log types you are most likely to see: authentication logs, network logs, application logs, and nginx access logs. For each type, you will learn which fields carry the most meaning, what normal activity looks like, and what patterns signal an indicator of compromise.
On the free-response question, you will often have multiple log files from the same device covering the same time window. That overlap is intentional. An authentication log might show repeated failed logins from one IP address at the same time a network log shows unusual outbound traffic. Neither source alone tells the full story. Reading them together does.
The log guide also covers how to write log-based evidence in your response so it actually counts. Quoting a timestamp and a username is a start. Explaining what that entry indicates about attacker behavior is what earns the point.
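As an added illustration of reading two logs from the same device together (this is example code written for this page, not material from the guides or from the exam), the script below parses a constructed SSH authentication log and a constructed network log, flags a burst of failed logins from one IP, checks whether that IP later logged in successfully, and then looks for outbound connections to external hosts in the minutes after that login. The log formats, the year assumed for the syslog-style timestamps, the internal address range, and the thresholds are all assumptions of the example; every finding carries the raw lines that support it, which is the citation habit the FRQ rewards.

```python
"""Added example: read an auth log and a network log from one host together."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sources (not from a real device). Syslog-style auth lines
# carry no year, so the parser assumes one; the internal range is also assumed.
ASSUMED_YEAR = 2024
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
AUTH_LOG = """\
Mar 14 02:11:03 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51122 ssh2
Mar 14 02:11:05 web01 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51124 ssh2
Mar 14 02:11:08 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51130 ssh2
Mar 14 02:11:10 web01 sshd[2203]: Failed password for root from 203.0.113.45 port 51131 ssh2
Mar 14 02:11:14 web01 sshd[2205]: Failed password for root from 203.0.113.45 port 51140 ssh2
Mar 14 02:11:19 web01 sshd[2205]: Accepted password for root from 203.0.113.45 port 51144 ssh2
Mar 14 09:30:02 web01 sshd[3310]: Accepted publickey for deploy from 10.0.0.12 port 40012 ssh2
"""
NET_LOG = """\
2024-03-14T02:12:40Z web01 conn out 10.0.0.5:44310 -> 198.51.100.9:4444 proto=tcp bytes=18204
2024-03-14T09:31:10Z web01 conn out 10.0.0.5:44322 -> 10.0.0.20:5432 proto=tcp bytes=910
"""
AUTH_RE = re.compile(r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
NET_RE = re.compile(r"^(?P<ts>\S+) \S+ conn out \S+ -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+)")

def parse_auth(text):
    """Auth events as dicts; the raw line is kept so it can be cited."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{ASSUMED_YEAR} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            out.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"], "line": line})
    return out

def parse_net(text):
    """Outbound connection events, raw line kept for citation."""
    out = []
    for line in text.splitlines():
        m = NET_RE.match(line)
        if m:
            out.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                        "dst_ip": m["dst_ip"], "dst_port": int(m["dst_port"]), "line": line})
    return out

def find_brute_force(auth_events, threshold=5, window=timedelta(minutes=5)):
    """Flag a source IP with >= threshold failed logins inside `window`, and note
    a later Accepted login from the same IP (the brute force succeeded)."""
    by_ip = defaultdict(list)
    for e in auth_events:
        by_ip[e["ip"]].append(e)
    findings = []
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["result"] == "Failed"), key=lambda e: e["ts"])
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e["ts"] - first["ts"] <= window]
            if len(burst) < threshold:
                continue
            success = next((e for e in evs if e["result"] == "Accepted" and e["ts"] > burst[-1]["ts"]), None)
            findings.append({
                "ip": ip, "failed_attempts": len(burst),
                "targeted_users": sorted({e["user"] for e in burst}),
                "success_at": success["ts"] if success else None,
                "evidence": [e["line"] for e in burst] + ([success["line"]] if success else []),
            })
            break  # one finding per source IP is enough for the report
    return findings

def correlate_outbound(finding, net_events, within=timedelta(minutes=10)):
    """Outbound connections to non-internal hosts shortly after the successful login."""
    if finding["success_at"] is None:
        return []
    hits = []
    for n in net_events:
        delta = n["ts"] - finding["success_at"]
        external = not any(ipaddress.ip_address(n["dst_ip"]) in net for net in INTERNAL_NETS)
        if timedelta(0) <= delta <= within and external:
            hits.append(n["line"])
    return hits

def analyze(auth_text=AUTH_LOG, net_text=NET_LOG):
    """Read both sources together and attach a classification to each finding."""
    net_events = parse_net(net_text)
    findings = find_brute_force(parse_auth(auth_text))
    for f in findings:
        f["outbound_evidence"] = correlate_outbound(f, net_events)
        if f["success_at"] is None:
            f["classification"] = "password brute force, no success observed"
        elif f["outbound_evidence"]:
            f["classification"] = "successful brute force followed by outbound connection to an external host"
        else:
            f["classification"] = "successful brute force"
    return findings

if __name__ == "__main__":
    for f in analyze():
        print(f["classification"], f["ip"], *(f["evidence"] + f["outbound_evidence"]), sep="\n  ")
```

Notice that the network log alone shows only one outbound connection, and the auth log alone shows only a noisy login attempt; the classification comes from the fact that the connection falls a minute after the first successful login from the attacking IP. The internal range is checked explicitly rather than with `is_private`, because documentation ranges such as 198.51.100.0/24 are treated as private by that property and would hide the external connection in this sample.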
The source analysis guide covers the workflow that separates strong responses from weak ones. When you get four or five documents about the same device, the instinct is to read each one separately and answer each sub-question from whichever source seems most relevant. That approach misses the connections the question is designed to test.
A more effective approach is to build a mental map of the device as you read. What does the policy say should be true? What does the firewall configuration actually allow? What do the permissions show about who can access what? What do the logs show about what has actually happened? Mismatches between those layers are almost always where the points are.
The source analysis guide walks through a cross-checking workflow, explains how to cite evidence so it counts toward scoring, and identifies the most common traps that cost points on this question type.
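The layer-by-layer cross-check described above can be made concrete. The following is an added example for this page, not code from the guides or the exam: a policy is written down as data (which ports may be open to the internet, which may only be reached from an assumed internal range, and which directories may not contain world-writable files), and it is compared against a constructed firewall rule table and a constructed `ls -l` style listing. The rule-table format, the policy contents, and the file paths are all assumptions of the example; each mismatch is reported with the exact source line that proves it.

```python
"""Added example: check a policy against a firewall rule table and a permission listing."""
import ipaddress

# Constructed policy and sources for this example (not from a real device).
POLICY = {
    "public_ports": {80, 443},                              # may be open to anyone
    "restricted_ports": {22: "10.0.0.0/8", 5432: "10.0.0.0/8"},  # internal only (assumed range)
    "no_world_writable_under": ["/etc", "/var/www"],
}
FIREWALL_RULES = """\
# action proto src        dport
allow    tcp   any        80
allow    tcp   any        443
allow    tcp   any        22
allow    tcp   10.0.0.0/8 5432
deny     any   any        any
"""
PERMISSIONS = """\
-rw-r--r-- 1 root root 1024 Mar 10 12:00 /etc/ssh/sshd_config
-rw-rw-rw- 1 www  www  2048 Mar 12 08:15 /var/www/html/upload.php
-rwxr-xr-x 1 root root 4096 Mar 01 09:00 /var/www/html/index.php
"""

def _net(src):
    """Treat the rule keyword 'any' as the whole IPv4 space."""
    return ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)

def check_firewall(policy, rules_text):
    """Every allow rule must be justified by the policy; cite the rule that is not."""
    findings = []
    for line in rules_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, proto, src, dport = line.split()
        if action != "allow" or dport == "any":
            continue
        port = int(dport)
        if port in policy["public_ports"]:
            continue
        allowed_src = policy["restricted_ports"].get(port)
        if allowed_src is None:
            findings.append({"layer": "firewall", "evidence": line,
                             "issue": f"port {port} is open but no policy statement authorizes it"})
        elif not _net(src).subnet_of(ipaddress.ip_network(allowed_src)):
            findings.append({"layer": "firewall", "evidence": line,
                             "issue": f"port {port} reachable from {src}; policy limits it to {allowed_src}"})
    return findings

def check_permissions(policy, listing_text):
    """World-writable files under protected directories contradict the policy."""
    findings = []
    for line in listing_text.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        mode, path = fields[0], fields[-1]
        world_writable = mode[8] == "w"  # 'other' write bit in rwxrwxrwx
        covered = any(path.startswith(d + "/") for d in policy["no_world_writable_under"])
        if world_writable and covered:
            findings.append({"layer": "permissions", "evidence": line,
                             "issue": f"{path} is world-writable ({mode}) inside a directory the policy protects"})
    return findings

def cross_check(policy=POLICY, rules_text=FIREWALL_RULES, listing_text=PERMISSIONS):
    """Run every layer comparison and return the mismatches with their evidence."""
    return check_firewall(policy, rules_text) + check_permissions(policy, listing_text)

if __name__ == "__main__":
    for f in cross_check():
        print(f"[{f['layer']}] {f['issue']}\n    evidence: {f['evidence']}")
```

On the sample, the first two allow rules are fine because the policy lists 80 and 443 as public, the 5432 rule is fine because its source is inside the permitted range, and the two findings are the SSH rule open to `any` and the world-writable upload script. Each finding is the "what the issue is, where the evidence is" half of a report item; the risk, impact, and mitigation still have to be written by you.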
The incident report guide covers how to structure your written response. Device Security Analysis is not a fill-in-the-blank question. It asks you to explain your reasoning, and the quality of that explanation matters.
A strong response organizes each finding around the same basic structure: what the issue is, where in the sources you found evidence of it, what risk it creates, what the impact would be if exploited, and what mitigation would address it. That structure keeps your response focused and makes it easy for a scorer to follow your logic.
The incident report guide also covers how to handle follow-up parts of the question, which often ask you to extend your analysis. For example, after identifying a vulnerability, a follow-up might ask how a specific configuration change would affect both security and usability. Those parts reward responses that think through second-order effects, not just the obvious fix.
Log reading, source analysis, and incident reporting are not skills that appear only on the free-response question. They run through Units 3, 4, and 5, which cover securing networks, securing devices, and securing applications and data. The detection skills in those units build toward exactly the kind of analysis the FRQ requires.
If you are working through Unit 4 on securing devices or Unit 5 on securing applications and data, the guides here will reinforce what you are learning in those units and show you how those concepts translate into exam responses. The Cybersecurity Technical Skills and Cybersecurity Scenario Practice pages are also useful companions for building the hands-on fluency that makes source analysis faster and more accurate under timed conditions.
The Device Security Analysis is the single free-response question on the AP Cybersecurity Exam, worth 30% of your score. You get a suggested 50 minutes to analyze simulated sources from one device, including logs, firewall configs, permissions, and policies, then identify security issues, detect attacks, and recommend mitigations.
The Device Security Analysis task typically provides several simulated sources tied to a single device. These can include security policy documents, firewall configuration files, file-system permission settings, authentication logs, network logs, and application logs. Strong responses treat these as a connected set and cross-reference them rather than analyzing each source in isolation.
Focus on the meaningful fields in each log type: timestamps, IP addresses, status codes, usernames, and actions. Look for indicators of compromise like repeated failed logins, unusual access times, or unexpected IP addresses. On the FRQ, always cite specific log lines as evidence rather than making general claims about what the log shows.
The Device Security Analysis FRQ assesses Skill Category 2 (Mitigate Risk) and Skill Category 3 (Detect Attacks). Log reading connects especially to detection skills 3.D and 4.4.D, where you classify attacks using digital evidence, and to 5.6.E, which covers analyzing logs for application-layer attacks.
Quote or paraphrase specific lines from the provided sources and explain what they show. Vague references to a log or policy do not earn full credit. Point to exact fields, values, or rules, then connect them to a security finding or attack classification. Precision in citing evidence is what separates strong responses from weak ones.
Unit 4 covers the concepts behind securing devices, including hardware, software, and configuration principles. The Device Security Analysis page focuses on applying those concepts in the exam's free-response format. It provides guides on reading logs, cross-referencing sources, and writing incident reports, all skills needed to perform well on the actual FRQ.