Detective control in AP Cybersecurity

In AP Cybersecurity, a detective control is a security measure that identifies or records an attack after it has already occurred (or while it's happening), such as card reader logs or surveillance cameras, rather than stopping it beforehand.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is detective control?

A detective control is a security measure built to notice an attack, not prevent it. Think of it as the camera that catches the burglar on tape, not the lock that kept them out. It answers the question "did something bad happen, and who did it?"

This shows up in Topic 2.3 when a cyber defender decides how to handle a physical vulnerability. EK 2.3.B.1 says you consider how an adversary could exploit a weakness and then choose to prevent, detect, or correct the attack. Detective controls are the "detect" piece. The classic example from EK 2.3.B.4 is a card reader that records which employee badge accessed which door at what time. The reader doesn't necessarily stop a bad actor, but it leaves a trail you can review later to figure out what went wrong.

Why detective control matters in AP Cybersecurity

Detective controls live in Unit 2 (Securing Spaces), specifically Topic 2.3 (Protecting Physical Spaces). They support learning objective AP Cybersecurity 2.3.B, which asks you to determine mitigation strategies for physical vulnerabilities. The whole point of EK 2.3.B.1 is the prevent-detect-correct framework, and detective controls are one of those three buckets. Knowing which bucket a given control falls into is exactly the kind of sorting the exam rewards.


How detective control connects across the course

Preventative Control (Unit 2)

These two are siblings under EK 2.3.B.1. A preventative control (fences, locks, bollards) tries to stop the attack before it starts, while a detective control just records that it happened. A fence keeps you out; a camera proves you tried to climb it.

Corrective Control (Unit 2)

Corrective controls clean up after detection. The order is usually detect first, correct second. Your card reader log spots the unauthorized entry (detect), then you change the locks or revoke the badge (correct).

Physical Control (Unit 2)

Detective controls describe what a control DOES (detect), while physical control describes WHERE it operates (the real-world space). A card reader is both at once: a physical control that happens to be detective.

Managerial Control (Unit 2)

Reviewing those card reader logs is a managerial activity tied to EK 2.3.A. The technology detects; the people and policies decide what the detection means and who acts on it.

Is detective control on the AP Cybersecurity exam?

Expect multiple-choice stems that hand you a list of security measures and ask you to classify them. A practice question gives bollards, turnstiles, and access control vestibules and asks which term describes them, and you have to recognize that those are physical (and mostly preventative), not detective. The trick is sorting controls by their function: does this thing stop an attack, notice an attack, or fix the damage? Card readers that log entries and surveillance cameras are your go-to detective examples. No released FRQ has used this term verbatim, but the prevent-detect-correct framework from EK 2.3.B.1 is exactly the kind of reasoning a free-response prompt about mitigation strategies would expect.

Detective control vs preventative control

A preventative control stops an attack before it happens (a lock on a server cabinet keeps the device from being stolen). A detective control identifies an attack that already happened or is happening (the access log shows whose badge opened the cabinet). One blocks, the other records. A single device can do both, which is why people mix them up.
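The log review described above, as an added example that is not part of the original study guide: a short Python script that reads a card reader log and separates what the reader blocked (prevent) from what it only recorded (detect), then lists the badges that need a corrective step. The badge IDs, door names, authorization list, working hours and log lines are all constructed for illustration.

```python
from datetime import datetime

# Constructed sample card reader log: timestamp, badge, door, reader result.
LOG = """\
2026-03-02T08:55:10 B-1001 lobby GRANTED
2026-03-02T09:02:44 B-1002 server-room GRANTED
2026-03-02T23:41:07 B-1003 server-room GRANTED
2026-03-03T02:15:30 B-1004 server-room DENIED
2026-03-03T02:16:02 B-1003 server-room GRANTED
2026-03-03T10:20:11 B-1005 server-room GRANTED
"""

# Assumed policy for this example: current authorization list and working hours.
AUTHORIZED = {"lobby": {"B-1001", "B-1002", "B-1003", "B-1004"},
              "server-room": {"B-1002", "B-1003"}}
WORK_HOURS = range(7, 19)  # 07:00 through 18:59

def parse(log):
    """Yield (timestamp, badge, door, result) for each log line."""
    for line in log.splitlines():
        ts, badge, door, result = line.split()
        yield datetime.fromisoformat(ts), badge, door, result

def review(log):
    """Return the entries a reviewer should look at, with the reason for each."""
    findings = []
    for ts, badge, door, result in parse(log):
        if result == "DENIED":
            # The reader blocked entry (preventative); the record is still evidence.
            findings.append((ts, badge, door, "blocked attempt"))
        elif badge not in AUTHORIZED.get(door, set()):
            # The reader let it in, but the current authorization list disagrees.
            findings.append((ts, badge, door, "unauthorized entry"))
        elif ts.hour not in WORK_HOURS:
            findings.append((ts, badge, door, "after-hours entry"))
    return findings

def badges_to_review(findings):
    """Badges tied to entries that got through: candidates for a corrective step."""
    return sorted({b for _, b, _, kind in findings if kind != "blocked attempt"})

if __name__ == "__main__":
    found = review(LOG)
    for ts, badge, door, kind in found:
        print(f"{ts.isoformat()} {badge} {door}: {kind}")
    print("review for revocation:", badges_to_review(found))
```

Nothing in the script stops anyone at the door; it only reads the trail afterward, which is what makes the log a detective control.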

Key things to remember about detective control

  • A detective control identifies or records an attack rather than preventing it.

  • Card reader logs and surveillance cameras are the textbook detective examples in Topic 2.3.

  • Detective controls are the "detect" piece of the prevent-detect-correct framework in EK 2.3.B.1.

  • On the exam, classify a control by its function: prevent, detect, or correct.

  • Detection usually comes before correction, so a detective control often triggers a corrective one.

Frequently asked questions about detective control

What is a detective control in AP Cybersecurity?

It's a security measure that identifies or records an attack after (or while) it happens, like a card reader that logs which badge opened a door. It detects rather than prevents, and it lives in Topic 2.3 under learning objective AP Cybersecurity 2.3.B.

Does a detective control stop an attack?

No. That's the most common mistake. A detective control notices and records the attack but doesn't block it. Stopping the attack beforehand is the job of a preventative control like a lock or a fence.

How is a detective control different from a preventative control?

A preventative control blocks the attack before it happens (locks, bollards, gates), while a detective control records that it happened (camera footage, access logs). One acts before the event, the other captures evidence of it.

Is a card reader a detective control?

It can be. Per EK 2.3.B.4, a card reader records which employee badge accessed which entry, which makes it detective. If you frame the same reader as something that denies entry to bad badges, it acts preventatively too.

Where do detective controls show up on the AP Cybersecurity exam?

In Unit 2, Topic 2.3, usually in multiple-choice questions that ask you to classify security measures by function. Use the prevent-detect-correct framework from EK 2.3.B.1 to sort them.
