In AP Cybersecurity, a detective control is a security measure that identifies or records an attack after it has already occurred (or while it's happening), such as card reader logs or surveillance cameras, rather than stopping it beforehand.
A detective control is a security measure built to notice an attack, not prevent it. Think of it as the camera that catches the burglar on tape, not the lock that kept them out. It answers the question "did something bad happen, and who did it?"
This shows up in Topic 2.3 when a cyber defender decides how to handle a physical vulnerability. EK 2.3.B.1 says you consider how an adversary could exploit a weakness and then choose to prevent, detect, or correct the attack. Detective controls are the "detect" piece. The classic example from EK 2.3.B.4 is a card reader that records which employee badge accessed which door at what time. The reader doesn't necessarily stop a bad actor, but it leaves a trail you can review later to figure out what went wrong.
Detective controls live in Unit 2 (Securing Spaces), specifically Topic 2.3 (Protecting Physical Spaces). They support learning objective AP Cybersecurity 2.3.B, which asks you to determine mitigation strategies for physical vulnerabilities. The whole point of EK 2.3.B.1 is the prevent-detect-correct framework, and detective controls are one of those three buckets. Knowing which bucket a given control falls into is exactly the kind of sorting the exam rewards.
Preventative Control (Unit 2)
These two are siblings under EK 2.3.B.1. A preventative control (fences, locks, bollards) tries to stop the attack before it starts, while a detective control just records that it happened. A fence keeps you out; a camera proves you tried to climb it.
Corrective Control (Unit 2)
Corrective controls clean up after detection. The order is usually detect first, correct second. Your card reader log spots the unauthorized entry (detect), then you change the locks or revoke the badge (correct).
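The card reader trail from the definition above and the detect-first, correct-second order from this section, worked through in Python as an added example (not part of the original study guide). The badge log, the door allow-list and the working-hours window are all constructed placeholders, not values from the course.

```python
from datetime import datetime

# Constructed sample card-reader log, not from the page. Assumed line format:
# ISO timestamp, badge id, door id, reader decision.
SAMPLE_LOG = """\
2024-03-04T08:02:11 B1001 server-room GRANTED
2024-03-04T08:15:40 B1002 lobby GRANTED
2024-03-04T23:47:03 B1002 server-room GRANTED
2024-03-05T02:10:55 B1003 server-room DENIED
2024-03-05T05:30:00 B1001 server-room GRANTED
2024-03-05T09:00:30 B1001 server-room GRANTED
"""

# Assumed policy: which badges may open which door, and normal working hours.
AUTHORIZED = {"server-room": {"B1001"}, "lobby": {"B1001", "B1002", "B1003"}}
BUSINESS_HOURS = range(7, 19)  # 07:00 through 18:59


def parse_log(text):
    """Turn the raw trail into (time, badge, door, decision) tuples."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, badge, door, decision = line.split()
            entries.append((datetime.fromisoformat(ts), badge, door, decision))
    return entries


def review_log(text):
    """Detective step: the reads already happened; this only notices them.
    Returns (badge, door, finding) with finding in UNAUTHORIZED_DOOR,
    AFTER_HOURS or DENIED_ATTEMPT."""
    findings = []
    for when, badge, door, decision in parse_log(text):
        if decision == "DENIED":  # reader blocked it, but the log still saw it
            findings.append((badge, door, "DENIED_ATTEMPT"))
        elif badge not in AUTHORIZED.get(door, set()):
            findings.append((badge, door, "UNAUTHORIZED_DOOR"))
        elif when.hour not in BUSINESS_HOURS:
            findings.append((badge, door, "AFTER_HOURS"))
    return findings


def badges_to_revoke(findings):
    """Corrective step that detection triggers: revoke badges that were let
    through a door they were never authorized for."""
    return sorted({b for b, _, f in findings if f == "UNAUTHORIZED_DOOR"})
```

Note that the DENIED line is the reader acting preventatively, yet it still lands in the trail, which is why the same device can sit in both buckets.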
Physical Control (Unit 2)
Detective controls describe what a control DOES (detect), while physical control describes WHERE it operates (the real-world space). A card reader is both at once: a physical control that happens to be detective.
Managerial Control (Unit 2)
Reviewing those card reader logs is a managerial activity tied to EK 2.3.A. The technology detects; the people and policies decide what the detection means and who acts on it.
Expect multiple-choice stems that hand you a list of security measures and ask you to classify them. A practice question gives bollards, turnstiles, and access control vestibules and asks which term describes them, and you have to recognize that those are physical (and mostly preventative), not detective. The trick is sorting controls by their function: does this thing stop an attack, notice an attack, or fix the damage? Card readers that log entries and surveillance cameras are your go-to detective examples. No released FRQ has used this term verbatim, but the prevent-detect-correct framework from EK 2.3.B.1 is exactly the kind of reasoning a free-response prompt about mitigation strategies would expect.
A preventative control stops an attack before it happens (a lock on a server cabinet keeps the device from being stolen). A detective control identifies an attack that already happened or is happening (the access log shows whose badge opened the cabinet). One blocks, the other records. A single device can do both, which is why people mix them up.
A detective control identifies or records an attack rather than preventing it.
Card reader logs and surveillance cameras are the textbook detective examples in Topic 2.3.
Detective controls are the "detect" piece of the prevent-detect-correct framework in EK 2.3.B.1.
On the exam, classify a control by its function: prevent, detect, or correct.
Detection usually comes before correction, so a detective control often triggers a corrective one.
It's a security measure that identifies or records an attack after (or while) it happens, like a card reader that logs which badge opened a door. It detects rather than prevents, and it lives in Topic 2.3 under learning objective AP Cybersecurity 2.3.B.
No. That's the most common mistake. A detective control notices and records the attack but doesn't block it. Stopping the attack beforehand is the job of a preventative control like a lock or a fence.
A preventative control blocks the attack before it happens (locks, bollards, gates), while a detective control records that it happened (camera footage, access logs). One acts before the event, the other captures evidence of it.
It can be. Per EK 2.3.B.4, a card reader records which employee badge accessed which entry, which makes it detective. If you frame the same reader as something that denies entry to bad badges, it acts preventatively too.
In Unit 2, Topic 2.3, usually in multiple-choice questions that ask you to classify security measures by function. Use the prevent-detect-correct framework from EK 2.3.B.1 to sort them.