Data in use in AP Cybersecurity

Data in use is data that is actively being processed, accessed, or modified in a system's memory by an application or user. It is one of the three states of data that have to be secured (alongside data at rest and data in transit).

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is data in use?

Data lives in three states, and data in use is the one that's currently "open" and being worked on. Think of it as a document you have open and are editing on screen, the values an application is crunching in RAM, or a file an admin just decrypted to read. The data isn't sitting still on a drive (that's data at rest) and it isn't moving across a network (that's data in transit). It's loaded, active, and exposed.

That exposure is the whole point for AP Cybersecurity. When data is in use, it's often decrypted so the program can actually do something with it. If an adversary has access to the device or can compromise an account, they can read or alter that active data. EK 5.1.A.1 makes this concrete: anyone with access to a device can read unencrypted files. EK 5.1.A.2 adds the privilege angle. If a regular user has admin rights and gets compromised, the attacker inherits access to whatever files and applications that account can touch, including data currently in use.

Why data in use matters in AP Cybersecurity

This term lives in Unit 5: Securing Applications and Data, under topic 5.1 (Application and Data Vulnerabilities and Attacks). It supports [AP Cybersecurity 5.1.A] (how adversaries exploit application and file vulnerabilities) and [AP Cybersecurity 5.1.C] (assessing and documenting data risks). Data in use ties directly to the CIA triad from EK 5.1.C.1. Active data in memory can lose confidentiality if an attacker reads it, integrity if they alter it, and availability if they destroy or encrypt it. Knowing all three data states lets you reason about WHERE a vulnerability sits, which is exactly the kind of risk-assessment thinking 5.1.C wants from you.

How data in use connects across the course

Data at Rest and Data in Transit (Unit 5)

These three states are a set, and the exam expects you to tell them apart. Data at rest is stored on a drive, data in transit is moving over a network, and data in use is loaded and being processed right now. The fix differs for each, so naming the state is step one in any risk answer.

Privilege Escalation and Admin Users (Unit 5)

EK 5.1.A.2 explains that admin accounts can access nearly any file or application. If a regular user has admin rights and gets compromised, the attacker can reach data that's currently in use by other processes. The data state matters less than who controls the account holding it open.

The CIA Triad and Data Risk (Unit 5)

EK 5.1.C.1 frames data security as confidentiality, integrity, and availability. Data in use can be hit on all three fronts: read while decrypted (confidentiality), modified mid-process (integrity), or wiped from memory (availability). Connecting the state to the triad is how you write a complete risk argument.

Is data in use on the AP Cybersecurity exam?

Expect data in use to show up in multiple-choice stems that ask you to identify which state of data is being described or which protection applies. A stem might describe a document open in an editor or values an app is processing and ask you to label the state, or contrast it with data at rest and data in transit. On free-response risk questions tied to 5.1.C, you might need to explain how a vulnerability affects confidentiality, integrity, or availability of data that's actively being processed. No released FRQ has used this term verbatim, but distinguishing the three data states is exactly the kind of precise vocabulary that earns points on application-and-data questions.

Data in use vs data at rest

Data at rest is stored and not being touched, like a saved file sitting on a hard drive. Data in use is the same kind of file once it's been opened and loaded into memory for processing. The difference is activity: at rest means parked, in use means running. Encryption protects data at rest well, but data in use is often decrypted so it can actually be processed, which is what makes it vulnerable.

Key things to remember about data in use

  • Data in use is data being actively processed or accessed in memory, the third state alongside data at rest and data in transit.

  • Because data in use is often decrypted so an application can work with it, an attacker with device or account access can read or alter it (EK 5.1.A.1).

  • If a compromised account has admin privileges, the attacker can reach data in use across the system (EK 5.1.A.2).

  • Data in use can be attacked on all three CIA fronts: confidentiality, integrity, and availability (EK 5.1.C.1).

  • On the exam, the skill is correctly labeling which data state a scenario describes and matching the right protection to it.

Frequently asked questions about data in use

What is data in use in AP Cybersecurity?

Data in use is data that's currently being processed, accessed, or modified by an application or user, like a document open on screen or values loaded in RAM. It's one of the three data states covered in Unit 5, alongside data at rest and data in transit.

Is data in use more vulnerable than data at rest?

Often yes. Data at rest can be protected with encryption, but data in use is usually decrypted so the program can actually process it, leaving it exposed to anyone with device or account access (EK 5.1.A.1).

How is data in use different from data in transit?

Data in transit is moving across a network from one place to another. Data in use isn't moving anywhere; it's loaded into a system's memory and being actively worked on. Same data, different state.

How does data in use connect to the CIA triad?

Active data in memory can lose confidentiality if an attacker reads it, integrity if they modify it mid-process, and availability if they destroy or encrypt it. EK 5.1.C.1 frames all data security risks around these three properties.

Why does admin privilege matter for data in use?

Admin accounts can access nearly any file or application (EK 5.1.A.2). If an attacker compromises an account with admin rights, they can reach data that's currently in use by other processes across the system.
