---
title: "Device Security Analysis"
description: "Device Security Analysis - Ap Cybersecurity unit content"
canonical: "https://fiveable.me/ap-cybersecurity/device-security-analysis"
type: "unit"
subject: "AP Cybersecurity"
unit: "Device Security Analysis"
---

# Device Security Analysis

## Overview

This collection focuses entirely on the Device Security Analysis free-response question. The three guides cover log analysis, source cross-referencing, and incident report writing, which are the three core skills the FRQ tests. Students who struggle on this task usually read sources in isolation, cite evidence vaguely, or skip the mitigation and follow-up sections of their response.

## AP CED Alignment

This unit hub is organized around AP Course and Exam Description topics, skills, and exam task types when they are available in the source data.
- Start here: Log Analysis Guide
- Core FRQ skill: Source Analysis Guide
- Writing practice: Incident Report Guide
- Log Analysis: Reading logs for the FRQ
- Source Cross-Referencing: Reading sources as a connected set
- Incident Report Writing: Structuring your FRQ response

## Topics

- [Start here: Log Analysis Guide](/ap-cybersecurity/device-security-analysis/cybersecurity-log-analysis-guide/study-guide/IWpYZi6GBGMUAEftFlk8): Begin with this guide if you are unsure how to read log files or which fields to focus on. It covers the four log types most likely to appear in the Device Security Analysis scenario and teaches you how to spot indicators of compromise and cite them precisely.
- [Core FRQ skill: Source Analysis Guide](/ap-cybersecurity/device-security-analysis/cybersecurity-source-analysis-guide/study-guide/ZVmneCmHMiwCBZM0RsPu): Use this guide to practice the cross-referencing workflow. It is most useful after you can read individual logs and are ready to connect evidence across multiple source types into a single coherent finding.
- [Writing practice: Incident Report Guide](/ap-cybersecurity/device-security-analysis/cybersecurity-incident-report-guide/study-guide/mNVRygSBDK70LF8f5mpB): Use this guide last to practice structuring your findings into the six-part report format the FRQ expects. It is especially useful for students who understand the security issues but lose points because their written responses are disorganized or incomplete.

## Review Notes

### Log Analysis: Reading logs for the FRQ

The log analysis guide focuses on four log types you are likely to see in the Device Security Analysis scenario: authentication logs, network logs, application logs, and nginx access logs. For each type, you need to identify the meaningful fields and explain what an anomalous value indicates.

- **Indicator of compromise (IoC)**: A specific observable in a log, such as repeated failed login attempts from one IP or an unexpected outbound connection, that suggests malicious activity.
- **Timestamp correlation**: Matching events across different log types by time to show that two events are related, for example a failed auth attempt followed immediately by a successful one from the same IP.
- **Status code analysis**: Using HTTP status codes in access logs to identify scanning (many 404s), successful exploitation (200 on a sensitive endpoint), or brute force (repeated 401s).

**Checkpoint:** Can you look at a block of nginx access log lines and identify which entries suggest reconnaissance, which suggest a successful attack, and what fields you would cite as evidence?

Log type | Key fields to check | Common IoC pattern
--- | --- | ---
Auth log | Username, timestamp, success/failure, source IP | Many failures then one success from same IP
Network log | Source IP, destination port, protocol, bytes | Unexpected outbound traffic on unusual port
Application log | Endpoint, method, response code, user agent | Repeated 404s or access to admin paths
Nginx access log | IP, request path, status code, referrer | Scanning pattern across many paths in short window

### Source Cross-Referencing: Reading sources as a connected set

The source analysis guide gives you a workflow for the Device Security Analysis task. Before writing any finding, read all sources and mark where they overlap or contradict. A firewall rule permitting port 22 from any IP, combined with an auth log showing SSH login attempts from an external address, is a stronger finding than either source alone.

- **Cross-reference**: Connecting information from two or more sources to support a single finding, for example matching a policy prohibition with a log entry that shows the prohibited action occurring.
- **Evidence citation**: Quoting or paraphrasing the specific field, line, or value from a source that proves your claim, rather than summarizing the source generally.
- **Configuration gap**: A discrepancy between what a policy or best practice requires and what a firewall rule, permission setting, or log entry shows is actually happening.

**Checkpoint:** Given a firewall config, a permissions list, and an auth log, can you identify one finding that requires evidence from at least two of those sources?

Weak response | Strong response
--- | ---
'The log shows suspicious activity.' | 'Auth log line 47 shows five failed SSH attempts from 203.0.113.4 between 02:14 and 02:15, followed by a successful login at 02:16, indicating a successful brute force attack.'
'The firewall rules are misconfigured.' | 'Firewall rule 3 permits inbound traffic on port 22 from any source (0.0.0.0/0), which contradicts the network policy requiring SSH access to be restricted to the internal subnet 10.0.0.0/24.'

### Incident Report Writing: Structuring your FRQ response

The incident report guide teaches you the six-part structure the Device Security Analysis FRQ expects: finding, evidence, risk, impact, recommended mitigation, and follow-up. Each section has a specific job. Skipping risk or impact is a common reason students lose points even when their evidence is correct.

- **Finding**: A clear statement of the security issue identified, naming the vulnerability, misconfiguration, or attack type.
- **Risk**: The likelihood and severity of harm if the issue is not addressed, often tied to the sensitivity of the data or system involved.
- **Mitigation**: A specific, actionable change that would reduce or eliminate the identified risk, such as restricting a firewall rule, revoking a permission, or enabling multi-factor authentication.
- **Follow-up**: Additional steps after the immediate fix, such as monitoring for recurrence, notifying affected users, or conducting a broader audit.

**Checkpoint:** Write a two-sentence finding and a one-sentence mitigation for a scenario where an employee account has read and write permissions to a directory that the access policy says should be read-only.

Report section | What to include | What to avoid
--- | --- | ---
Finding | Specific vulnerability or attack type with source reference | Vague language like 'there is a problem with the account'
Evidence | Exact field, value, or line from the source | Paraphrasing the whole source without a specific cite
Mitigation | Concrete change to config, permission, or policy | Generic advice like 'improve security practices'

## Study Guides

- [How to Read Cybersecurity Logs for AP Cybersecurity](/ap-cybersecurity/device-security-analysis/cybersecurity-log-analysis-guide/study-guide/IWpYZi6GBGMUAEftFlk8)
- [AP Cybersecurity Source Analysis Guide](/ap-cybersecurity/device-security-analysis/cybersecurity-source-analysis-guide/study-guide/ZVmneCmHMiwCBZM0RsPu)
- [AP Cybersecurity Incident Report Guide](/ap-cybersecurity/device-security-analysis/cybersecurity-incident-report-guide/study-guide/mNVRygSBDK70LF8f5mpB)

## Common Mistakes

- **Reading sources one at a time instead of together**: Students who read each source independently miss the connections the FRQ is designed to test. A log entry and a firewall rule that point to the same issue together constitute a finding; either one alone is just an observation.
- **Citing sources without specific evidence**: Writing 'the log shows suspicious activity' does not earn evidence points. You need to name the specific field, value, timestamp, or line that proves your claim.
- **Skipping risk and impact sections**: Students often write a strong finding and mitigation but omit risk and impact because they feel redundant. These sections have separate scoring weight and require you to explain consequences, not just describe the issue.
- **Writing generic mitigations**: Phrases like 'update the firewall' or 'improve access controls' do not demonstrate understanding. A strong mitigation names the specific rule, permission, or setting to change and explains why that change addresses the identified risk.
- **Treating the scenario as a multiple-choice question**: The Device Security Analysis task rewards explanation and evidence, not just correct identification. Naming the attack type without explaining how the log evidence supports that classification will not earn full credit.

## Exam Connections

- **The Device Security Analysis FRQ is the only free-response question**: The AP Cybersecurity Exam has one FRQ, and it is always a Device Security Analysis task. Every skill in these three guides, log reading, source cross-referencing, and incident report writing, is directly tested in that single question. There is no other FRQ to prepare for.
- **Log analysis also appears on the multiple-choice section**: Detection skills 3.D, 4.4.D, and 5.6.E are tested in multiple-choice questions that present log excerpts and ask you to classify attacks or identify indicators of compromise. The log analysis guide builds the same reading skill you need for both question types.
- **Workplace-style scenarios span Units 3, 4, and 5**: The incident report format and source analysis workflow are not limited to the FRQ. Multiple-choice questions across Units 3, 4, and 5 present policy documents, firewall configurations, and permission tables and ask you to evaluate security decisions. The cross-referencing habit these guides build applies throughout the exam.

## Final Review Checklist

- **Identify the four log types**: You can name auth, network, application, and nginx access logs and describe at least one key field and one common IoC pattern for each.
- **Cite evidence at the field level**: When you identify a security issue, you can point to a specific log line, firewall rule number, or permission entry rather than summarizing the source in general terms.
- **Cross-reference at least two sources per finding**: You can connect a policy document, firewall config, permission list, or log entry to at least one other source to build a stronger finding than any single source supports alone.
- **Write all six report sections**: Your practice responses include finding, evidence, risk, impact, mitigation, and follow-up. You are not skipping risk or follow-up because they feel optional.
- **Write specific mitigations**: Your recommended mitigations name a concrete action, such as restricting a firewall rule to a specific subnet, revoking write permissions for a role, or enabling MFA on an account, rather than offering generic security advice.

## Study Plan

- **Day 1: Build log reading fluency**: Read the Log Analysis Guide and practice identifying key fields in each log type. Write out what each field tells you and what an anomalous value would look like. Focus on auth and nginx access logs first since they appear most often in exam scenarios.
- **Day 2: Practice cross-referencing**: Read the Source Analysis Guide and work through the cross-checking workflow with a practice scenario. Take any two source types, list what each one tells you independently, then list what they tell you together. Write one finding that requires both sources.
- **Day 3: Write a full incident report**: Read the Incident Report Guide and then write a complete six-section response to a practice scenario. Check that every section is present and that your evidence section cites a specific field or line rather than summarizing the source.
- **Day 4: Review and tighten**: Reread your Day 3 response and apply the common mistakes checklist. Revise any mitigations that are generic, any evidence citations that are vague, and any sections you skipped. Compare your revised response to the report structure in the Incident Report Guide.

## More Ways To Review

- [Topic study guides](/ap-cybersecurity/device-security-analysis#topics)

## FAQs

### What is the Device Security Analysis FRQ on the AP Cybersecurity Exam?

The Device Security Analysis is the single free-response question on the AP Cybersecurity Exam, worth 30% of your score. You get a suggested 50 minutes to analyze simulated sources from one device, including logs, firewall configs, permissions, and policies, then identify security issues, detect attacks, and recommend mitigations.

### What sources are included in the AP Cybersecurity Device Security Analysis task?

The Device Security Analysis task typically provides several simulated sources tied to a single device. These can include security policy documents, firewall configuration files, file-system permission settings, authentication logs, network logs, and application logs. Strong responses treat these as a connected set and cross-reference them rather than analyzing each source in isolation.

### How do you read cybersecurity logs for the AP Cybersecurity Exam?

Focus on the meaningful fields in each log type: timestamps, IP addresses, status codes, usernames, and actions. Look for indicators of compromise like repeated failed logins, unusual access times, or unexpected IP addresses. On the FRQ, always cite specific log lines as evidence rather than making general claims about what the log shows.

### Which AP Cybersecurity skill categories are tested on the Device Security Analysis FRQ?

The Device Security Analysis FRQ assesses Skill Category 2 (Mitigate Risk) and Skill Category 3 (Detect Attacks). Log reading connects especially to detection skills 3.D and 4.4.D, where you classify attacks using digital evidence, and to 5.6.E, which covers analyzing logs for application-layer attacks.

### How should you cite evidence in the AP Cybersecurity Device Security Analysis response?

Quote or paraphrase specific lines from the provided sources and explain what they show. Vague references to a log or policy do not earn full credit. Point to exact fields, values, or rules, then connect them to a security finding or attack classification. Precision in citing evidence is what separates strong responses from weak ones.

### How is the Device Security Analysis page different from the AP Cybersecurity Unit 4 content?

Unit 4 covers the concepts behind securing devices, including hardware, software, and configuration principles. The Device Security Analysis page focuses on applying those concepts in the exam's free-response format. It provides guides on reading logs, cross-referencing sources, and writing incident reports, all skills needed to perform well on the actual FRQ.

## Structured Data

```json
{"@context":"https://schema.org","@type":"FAQPage","inLanguage":"en","mainEntity":[{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/device-security-analysis#what-is-the-device-security-analysis-frq-on-the-ap-cybersecurity-exam","name":"What is the Device Security Analysis FRQ on the AP Cybersecurity Exam?","acceptedAnswer":{"@type":"Answer","text":"The Device Security Analysis is the single free-response question on the AP Cybersecurity Exam, worth 30% of your score. You get a suggested 50 minutes to analyze simulated sources from one device, including logs, firewall configs, permissions, and policies, then identify security issues, detect attacks, and recommend mitigations."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/device-security-analysis#what-sources-are-included-in-the-ap-cybersecurity-device-security-analysis-task","name":"What sources are included in the AP Cybersecurity Device Security Analysis task?","acceptedAnswer":{"@type":"Answer","text":"The Device Security Analysis task typically provides several simulated sources tied to a single device. These can include security policy documents, firewall configuration files, file-system permission settings, authentication logs, network logs, and application logs. Strong responses treat these as a connected set and cross-reference them rather than analyzing each source in isolation."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/device-security-analysis#how-do-you-read-cybersecurity-logs-for-the-ap-cybersecurity-exam","name":"How do you read cybersecurity logs for the AP Cybersecurity Exam?","acceptedAnswer":{"@type":"Answer","text":"Focus on the meaningful fields in each log type: timestamps, IP addresses, status codes, usernames, and actions. Look for indicators of compromise like repeated failed logins, unusual access times, or unexpected IP addresses. On the FRQ, always cite specific log lines as evidence rather than making general claims about what the log shows."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/device-security-analysis#which-ap-cybersecurity-skill-categories-are-tested-on-the-device-security-analysis-frq","name":"Which AP Cybersecurity skill categories are tested on the Device Security Analysis FRQ?","acceptedAnswer":{"@type":"Answer","text":"The Device Security Analysis FRQ assesses Skill Category 2 (Mitigate Risk) and Skill Category 3 (Detect Attacks). Log reading connects especially to detection skills 3.D and 4.4.D, where you classify attacks using digital evidence, and to 5.6.E, which covers analyzing logs for application-layer attacks."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/device-security-analysis#how-should-you-cite-evidence-in-the-ap-cybersecurity-device-security-analysis-response","name":"How should you cite evidence in the AP Cybersecurity Device Security Analysis response?","acceptedAnswer":{"@type":"Answer","text":"Quote or paraphrase specific lines from the provided sources and explain what they show. Vague references to a log or policy do not earn full credit. Point to exact fields, values, or rules, then connect them to a security finding or attack classification. Precision in citing evidence is what separates strong responses from weak ones."}},{"@type":"Question","@id":"https://fiveable.me/ap-cybersecurity/device-security-analysis#how-is-the-device-security-analysis-page-different-from-the-ap-cybersecurity-unit-4-content","name":"How is the Device Security Analysis page different from the AP Cybersecurity Unit 4 content?","acceptedAnswer":{"@type":"Answer","text":"Unit 4 covers the concepts behind securing devices, including hardware, software, and configuration principles. The Device Security Analysis page focuses on applying those concepts in the exam's free-response format. It provides guides on reading logs, cross-referencing sources, and writing incident reports, all skills needed to perform well on the actual FRQ."}}]}
```
