---
title: "C2 (Command and Control) — AP Cybersecurity Definition"
description: "C2 is the channel an attacker uses to remotely control a compromised device. Learn what command and control means, how malware uses it, and why it matters for AP Cybersecurity Unit 4."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/c2"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 4"
---

# C2 (Command and Control) — AP Cybersecurity Definition

## Definition

C2 (command and control) is the communication channel an adversary uses to remotely send instructions to and pull data from a device they've compromised, often through malware like a RAT, so they can control the machine without physical access.

## What It Is

C2 is short for **[command and control](/ap-cybersecurity/key-terms/command-and-control "fv-autolink")** (sometimes written C&C or C2). It's the link an attacker keeps open between their own system and a device they've broken into. Once [malware](/ap-cybersecurity/key-terms/malware "fv-autolink") lands on a target, the malware "phones home" to the attacker's server. From there the adversary can send commands and receive stolen data, all without ever touching the device physically.

Think of C2 like a remote [control](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") for a hijacked machine. The CED (EK 4.1.C.1) describes exactly this when it says an adversary can "take control of the device to issue their own commands including commands to steal or destroy information." That control has to travel over some channel, and C2 is that channel. A **remote access trojan (RAT)** is the classic tool that establishes one: it gives the attacker an ongoing connection so they can turn on a webcam, log keystrokes, or wipe the drive on demand.

## Why It Matters

C2 lives in **[Unit 4](/ap-cybersecurity/unit-4 "fv-autolink"): Securing Devices**, specifically topic 4.1 (Device Vulnerabilities and Attacks). It directly supports **[[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 4.1.C]**, which asks you to explain how adversaries exploit device vulnerabilities to cause loss, damage, disruption, or destruction. C2 is the mechanism behind "taking control of the device" in EK 4.1.C.1. It also feeds **[AP Cybersecurity 4.1.D]** on assessing risk, because a device with an active C2 channel means an attacker can impersonate users, remotely control the machine, or trigger ransomware (EK 4.1.D.1). If you can name how the attacker maintains control after the initial breach, you can reason about why the risk is high.

## Connections

### Remote Access Trojan / RAT (Unit 4)

A RAT is the malware that builds the C2 channel. The [trojan](/ap-cybersecurity/key-terms/trojan "fv-autolink") gets in disguised as harmless software, then opens a backdoor so the attacker can issue commands remotely. C2 is the connection; the RAT is what creates and uses it.

### Malware as a tool in an attack chain (Unit 4)

EK 4.1.B.2 says malware is usually one step toward a bigger goal, not the goal itself. C2 is the step that turns a one-time infection into ongoing access, which is why it's so dangerous compared to a [virus](/ap-cybersecurity/key-terms/virus "fv-autolink") that just damages a file.

### Device risk assessment (Unit 4)

C2 raises the risk level under [AP Cybersecurity 4.1.D] because it lets an attacker do everything EK 4.1.D.1 lists: remote control, [ransomware](/ap-cybersecurity/key-terms/ransomware "fv-autolink"), or wiping memory. A compromised server with a C2 channel is far higher risk than an isolated personal laptop.

## On the AP Exam

Expect C2 to show up in scenario-style MCQ stems describing an attacker who maintains remote access to a device after the initial infection. The right answer usually involves identifying that a backdoor or RAT has established command and control. On free-response, you'd use C2 to explain HOW an adversary causes damage after exploiting a vulnerability, tying it to [AP Cybersecurity 4.1.C], and to justify a high risk rating under [AP Cybersecurity 4.1.D]. The move to practice: don't just say "the device was hacked," explain that the attacker keeps a control channel open to issue ongoing commands.

## C2 vs RAT (remote access trojan)

These travel together but aren't the same thing. A RAT is the malware that breaks in and opens the door. C2 (command and control) is the communication channel the attacker uses through that door to send commands and pull data. The RAT is the tool; C2 is what the tool enables.

## Key Takeaways

- C2 stands for command and control, the channel an attacker uses to remotely send instructions to and steal data from a compromised device.
- C2 is what turns a one-time infection into ongoing remote control, which is why it makes a device's risk level high under [AP Cybersecurity 4.1.D].
- A RAT establishes the C2 channel, so on the exam you'll often see the two concepts paired in the same scenario.
- C2 is the mechanism behind EK 4.1.C.1's warning that an adversary can take control of a device to issue their own commands.
- When explaining an attack on the FRQ, name C2 to show HOW the attacker keeps access, not just that the device got infected.

## FAQs

### What is C2 in cybersecurity?

C2 means command and control. It's the communication channel an attacker uses to remotely control a device they've compromised, sending it commands and receiving stolen data, often through malware like a RAT.

### Is C2 the same as a RAT?

No. A RAT (remote access trojan) is the malware that opens the backdoor, while C2 is the channel the attacker uses through that backdoor to issue commands. Think of the RAT as the tool and C2 as what it lets the attacker do.

### Why does C2 make a device high risk?

Because an active C2 channel means the attacker can do everything EK 4.1.D.1 lists: remotely control the machine, run ransomware, impersonate a user, or wipe the drive. Ongoing control is far more dangerous than a single hit of damage.

### How does C2 fit into a cyberattack?

Malware usually isn't the end goal (EK 4.1.B.2). C2 is the step after the initial infection that gives the attacker persistent remote access, letting them carry out the rest of their plan over time.

### Will C2 be on the AP Cybersecurity exam?

It can appear in Unit 4 scenarios about device attacks. You'd use it to explain how an adversary maintains control of a device under [AP Cybersecurity 4.1.C] and to justify a risk rating under [AP Cybersecurity 4.1.D].

## Related Study Guides

- [4.1 Device Vulnerabilities and Attacks](/ap-cybersecurity/unit-4/device-vulnerabilities-and-attacks/study-guide/HACz1L7MBGLXO5AANWlK)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/c2#resource","name":"C2 (Command and Control) — AP Cybersecurity Definition","url":"https://fiveable.me/ap-cybersecurity/key-terms/c2","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/c2#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:26.941Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/c2#term","name":"C2","description":"C2 (command and control) is the communication channel an adversary uses to remotely send instructions to and pull data from a device they've compromised, often through malware like a RAT, so they can control the machine without physical access.","url":"https://fiveable.me/ap-cybersecurity/key-terms/c2","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.C"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 4, Topic 4.1, LO 4.1.D"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is C2 in cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"C2 means command and control. It's the communication channel an attacker uses to remotely control a device they've compromised, sending it commands and receiving stolen data, often through malware like a RAT."}},{"@type":"Question","name":"Is C2 the same as a RAT?","acceptedAnswer":{"@type":"Answer","text":"No. A RAT (remote access trojan) is the malware that opens the backdoor, while C2 is the channel the attacker uses through that backdoor to issue commands. Think of the RAT as the tool and C2 as what it lets the attacker do."}},{"@type":"Question","name":"Why does C2 make a device high risk?","acceptedAnswer":{"@type":"Answer","text":"Because an active C2 channel means the attacker can do everything EK 4.1.D.1 lists: remotely control the machine, run ransomware, impersonate a user, or wipe the drive. Ongoing control is far more dangerous than a single hit of damage."}},{"@type":"Question","name":"How does C2 fit into a cyberattack?","acceptedAnswer":{"@type":"Answer","text":"Malware usually isn't the end goal (EK 4.1.B.2). C2 is the step after the initial infection that gives the attacker persistent remote access, letting them carry out the rest of their plan over time."}},{"@type":"Question","name":"Will C2 be on the AP Cybersecurity exam?","acceptedAnswer":{"@type":"Answer","text":"It can appear in Unit 4 scenarios about device attacks. You'd use it to explain how an adversary maintains control of a device under [AP Cybersecurity 4.1.C] and to justify a risk rating under [AP Cybersecurity 4.1.D]."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 4","item":"https://fiveable.me/ap-cybersecurity/unit-4"},{"@type":"ListItem","position":4,"name":"C2"}]}]}
```
