Command and control in AP Cybersecurity

Command and control (C2) is the infrastructure and communication channel an adversary uses to remotely send instructions to a compromised device, letting them control it, steal data, or carry out the next stage of an attack.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is command and control?

Command and control, usually shortened to C2, is how an attacker stays in touch with a device they've already broken into. Once malware lands on a machine, it phones home to a server the adversary controls and waits for orders. The adversary can then issue commands remotely: turn on a webcam, log keystrokes, steal files, or wipe the drive.
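Seen from the defender's side, the "phones home and waits for orders" behavior leaves a trace: one device contacting the same outside address again and again at near-regular intervals. The sketch below is an added example, not part of the original study guide; the log records, addresses, function name, and thresholds are constructed assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (seconds since capture start, internal device, outside address).
# Addresses come from ranges reserved for documentation.
SAMPLE_LOG = [
    # Device 10.0.0.5 checks in with the same outside address about every 60 seconds.
    (0, "10.0.0.5", "203.0.113.10"), (60, "10.0.0.5", "203.0.113.10"),
    (121, "10.0.0.5", "203.0.113.10"), (180, "10.0.0.5", "203.0.113.10"),
    (239, "10.0.0.5", "203.0.113.10"), (300, "10.0.0.5", "203.0.113.10"),
    # Device 10.0.0.7 shows ordinary, irregular user-driven traffic.
    (5, "10.0.0.7", "198.51.100.20"), (12, "10.0.0.7", "198.51.100.20"),
    (200, "10.0.0.7", "198.51.100.20"), (210, "10.0.0.7", "198.51.100.20"),
    (900, "10.0.0.7", "198.51.100.20"), (905, "10.0.0.7", "198.51.100.20"),
    # Device 10.0.0.8 has too few connections to judge either way.
    (10, "10.0.0.8", "192.0.2.1"), (70, "10.0.0.8", "192.0.2.1"),
]


def find_beacons(records, min_events=5, max_jitter=0.1):
    """Return {(device, destination): average gap in seconds} for evenly spaced callbacks.

    max_jitter is the allowed ratio of gap standard deviation to average gap
    (an assumed threshold; tune it for a real network).
    """
    times = defaultdict(list)
    for timestamp, device, destination in records:
        times[(device, destination)].append(timestamp)

    suspects = {}
    for pair, stamps in times.items():
        if len(stamps) < min_events:
            continue  # not enough data points to call it a pattern
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        average = mean(gaps)
        # Evenly spaced check-ins have a small spread relative to the average gap.
        if average > 0 and pstdev(gaps) / average <= max_jitter:
            suspects[pair] = average
    return suspects


if __name__ == "__main__":
    for (device, destination), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{device} -> {destination}: check-in roughly every {gap} seconds")
```

Legitimate software such as update checkers also contacts servers on a schedule, so a match here is a lead to investigate, not proof of C2.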

This fits directly into [AP Cybersecurity 4.1.C], which describes how an adversary can "take control of the device to issue their own commands including commands to steal or destroy information." That "issue their own commands" part is C2 in action. The classic delivery tool is a remote access trojan (RAT), malware that hides inside harmless-looking software and quietly opens a door so the attacker can drive the device from anywhere.

Why command and control matters in AP Cybersecurity

C2 lives in Unit 4: Securing Devices, under topic 4.1 Device Vulnerabilities and Attacks. It connects two learning objectives. Under [AP Cybersecurity 4.1.B] you identify the malware used in an attack, and a RAT is the prime C2 carrier. Under [AP Cybersecurity 4.1.C] you explain how that malware lets an adversary remotely control the device and run their own commands. C2 is the bridge between "the device got infected" and "the adversary is now actively running the show," which is exactly the kind of cause-and-effect reasoning the exam wants you to spell out.

How command and control connects across the course

Remote Access Trojan / RAT (Unit 4)

A RAT is the most common way C2 gets set up. The trojan opens the back door, and C2 is the leash the attacker uses to walk the device around once that door is open.

Malware as a tool, not the goal (Unit 4)

EK 4.1.B.2 says malware is usually a step toward a bigger goal, not the goal itself. C2 is what turns a one-time infection into ongoing access, letting the adversary keep coming back to finish the plan.

Risk assessment for critical devices (Unit 4)

Under [AP Cybersecurity 4.1.D], the risk of a device being remotely controlled scales with how critical that device is. A C2 foothold on a server (EK 4.1.A.1) is far worse than one on a single laptop because of what it can reach.

Is command and control on the AP Cybersecurity exam?

Expect C2 to appear in multiple-choice stems that describe a scenario where malware "connects back to a remote server" or "lets an attacker issue commands," and you'll be asked to name the technique or the malware type behind it (often a RAT). No released FRQ has used the phrase verbatim, but it's exactly the kind of detail that earns points on a 4.1.C-style explanation prompt: when you're asked how an adversary exploits a vulnerability to cause loss or disruption, naming the C2 channel shows you understand that the attacker keeps active control, not just one-time access.

Command and control vs RAT (remote access trojan)

A RAT is the malware, the actual software planted on the device. C2 is the relationship and communication channel between that malware and the attacker. The RAT is the phone you secretly installed; C2 is the call coming through it. One is the tool, the other is the control it enables.

Key things to remember about command and control

  • Command and control (C2) is the channel an adversary uses to remotely send instructions to a device they've already compromised.

  • C2 is what makes an infection ongoing rather than a one-time event, because the attacker can keep issuing new commands.

  • A remote access trojan (RAT) is the most common malware used to establish C2 on a target device.

  • C2 supports [AP Cybersecurity 4.1.C], which describes adversaries taking control of a device to run their own commands.

  • The danger of C2 scales with the device's criticality, so C2 on a server is a higher risk than on a single personal computer.

Frequently asked questions about command and control

What is command and control (C2) in cybersecurity?

It's the infrastructure and communication link an attacker uses to remotely direct a compromised device, sending it commands to steal data, surveil the user, or destroy information. It connects the malware on the device back to a server the adversary controls.

Is command and control the same as a RAT?

No. A RAT (remote access trojan) is the malware planted on the device, while C2 is the channel the attacker uses to actually send commands through it. The RAT creates the access; C2 is how that access gets used over time.

Why is C2 dangerous if the device is already infected?

Because C2 turns a single infection into continuous control. Instead of one automated action, the adversary can keep logging in to issue new commands, like turning on a webcam, logging keystrokes, or wiping the drive, as described in EK 4.1.C.1.

How does C2 show up on the AP Cybersecurity exam?

It appears in Unit 4 (topic 4.1) scenarios where malware connects back to a remote server and lets an attacker issue commands. You'll typically identify the technique or the RAT behind it, and explain how it lets an adversary cause loss or disruption under [AP Cybersecurity 4.1.C].

What's the difference between malware and command and control?

Malware is the malicious software itself; C2 is what some malware enables, namely a remote attacker steering the device. Per EK 4.1.B.2, malware is a tool toward a bigger goal, and C2 is often how that goal gets carried out.
