---
title: "Detective Control — AP Cybersecurity Definition & Guide"
description: "A detective control finds attacks that already happened, like camera logs or card readers. Learn how it pairs with preventative and corrective controls for AP Cybersecurity."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/detective-control"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 2"
---

# Detective Control — AP Cybersecurity Definition & Guide

## Definition

In AP Cybersecurity, a detective control is a security measure that identifies or records an attack after it has already occurred (or while it's happening), such as card reader logs or surveillance cameras, rather than stopping it beforehand.

## What It Is

A **detective control** is a security measure built to *notice* an attack, not prevent it. Think of it as the [camera](/ap-cybersecurity/unit-2/detecting-physical-attacks/study-guide/Kb72LoynxAj68H4P71eN "fv-autolink") that catches the burglar on tape, not the [lock](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc "fv-autolink") that kept them out. It answers the question "did something bad happen, and who did it?"

This shows up in Topic 2.3 when a cyber defender decides how to handle a [physical vulnerability](/ap-cybersecurity/key-terms/physical-vulnerability "fv-autolink"). EK 2.3.B.1 says you consider how an adversary could exploit a weakness and then choose to **prevent, detect, or correct** the attack. Detective controls are the "detect" piece. The classic example from EK 2.3.B.4 is a card reader that records which employee badge accessed which door at what time. The reader doesn't necessarily stop a bad actor, but it leaves a trail you can review later to figure out what went wrong.

## Why It Matters

Detective controls live in [Unit 2](/ap-cybersecurity/unit-2 "fv-autolink") (Securing Spaces), specifically Topic 2.3 (Protecting Physical Spaces). They support learning objective [AP Cybersecurity](/ap-cybersecurity "fv-autolink") 2.3.B, which asks you to determine mitigation strategies for physical vulnerabilities. The whole point of EK 2.3.B.1 is the prevent-detect-correct framework, and detective controls are one of those three buckets. Knowing which bucket a given control falls into is exactly the kind of sorting the exam rewards.

## Connections

### [Preventative Control (Unit 2)](/ap-cybersecurity/key-terms/preventative-control)

These two are siblings under EK 2.3.B.1. A [preventative control](/ap-cybersecurity/key-terms/preventative-control "fv-autolink") (fences, locks, bollards) tries to stop the attack before it starts, while a detective control just records that it happened. A fence keeps you out; a camera proves you tried to climb it.

### [Corrective Control (Unit 2)](/ap-cybersecurity/key-terms/corrective-control)

[Corrective controls](/ap-cybersecurity/unit-2/cyber-foundations/study-guide/0oS8jJyX7iolYntwz5Eh "fv-autolink") clean up after detection. The order is usually detect first, correct second. Your card reader log spots the unauthorized entry (detect), then you change the locks or revoke the badge (correct).

### [Physical Control (Unit 2)](/ap-cybersecurity/key-terms/physical-control)

Detective controls describe what a control DOES (detect), while [physical control](/ap-cybersecurity/key-terms/physical-control "fv-autolink") describes WHERE it operates (the real-world space). A card reader is both at once: a physical control that happens to be detective.

### [Managerial Control (Unit 2)](/ap-cybersecurity/key-terms/managerial-control)

Reviewing those card reader logs is a managerial activity tied to EK 2.3.A. The technology detects; the people and policies decide what the detection means and who acts on it.

## On the AP Exam

Expect multiple-choice stems that hand you a list of security measures and ask you to classify them. A practice question gives bollards, turnstiles, and access control vestibules and asks which term describes them, and you have to recognize that those are physical (and mostly preventative), not detective. The trick is sorting controls by their function: does this thing stop an attack, notice an attack, or fix the damage? Card readers that log entries and surveillance cameras are your go-to detective examples. No released FRQ has used this term verbatim, but the prevent-detect-correct framework from EK 2.3.B.1 is exactly the kind of reasoning a free-response prompt about mitigation strategies would expect.

## detective control vs preventative control

A preventative control stops an attack before it happens (a lock on a server cabinet keeps the device from being stolen). A detective control identifies an attack that already happened or is happening (the access log shows whose badge opened the cabinet). One blocks, the other records. A single device can do both, which is why people mix them up.

## Key Takeaways

- A detective control identifies or records an attack rather than preventing it.
- Card reader logs and surveillance cameras are the textbook detective examples in Topic 2.3.
- Detective controls are the "detect" piece of the prevent-detect-correct framework in EK 2.3.B.1.
- On the exam, classify a control by its function: prevent, detect, or correct.
- Detection usually comes before correction, so a detective control often triggers a corrective one.

## FAQs

### What is a detective control in AP Cybersecurity?

It's a security measure that identifies or records an attack after (or while) it happens, like a card reader that logs which badge opened a door. It detects rather than prevents, and it lives in Topic 2.3 under learning objective AP Cybersecurity 2.3.B.

### Does a detective control stop an attack?

No. That's the most common mistake. A detective control notices and records the attack but doesn't block it. Stopping the attack beforehand is the job of a preventative control like a lock or a fence.

### How is a detective control different from a preventative control?

A preventative control blocks the attack before it happens (locks, bollards, gates), while a detective control records that it happened (camera footage, access logs). One acts before the event, the other captures evidence of it.

### Is a card reader a detective control?

It can be. Per EK 2.3.B.4, a card reader records which employee badge accessed which entry, which makes it detective. If you frame the same reader as something that denies entry to bad badges, it acts preventatively too.

### Where do detective controls show up on the AP Cybersecurity exam?

In Unit 2, Topic 2.3, usually in multiple-choice questions that ask you to classify security measures by function. Use the prevent-detect-correct framework from EK 2.3.B.1 to sort them.

## Related Study Guides

- [2.3 Protecting Physical Spaces](/ap-cybersecurity/unit-2/protecting-physical-spaces/study-guide/PhHFFwPlXGtEWL781jEc)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/detective-control#resource","name":"Detective Control — AP Cybersecurity Definition & Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/detective-control","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/detective-control#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:31.759Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/detective-control#term","name":"detective control","description":"In AP Cybersecurity, a detective control is a security measure that identifies or records an attack after it has already occurred (or while it's happening), such as card reader logs or surveillance cameras, rather than stopping it beforehand.","url":"https://fiveable.me/ap-cybersecurity/key-terms/detective-control","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 2, Topic 2.3, LO 2.3.B"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is a detective control in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"It's a security measure that identifies or records an attack after (or while) it happens, like a card reader that logs which badge opened a door. It detects rather than prevents, and it lives in Topic 2.3 under learning objective AP Cybersecurity 2.3.B."}},{"@type":"Question","name":"Does a detective control stop an attack?","acceptedAnswer":{"@type":"Answer","text":"No. That's the most common mistake. A detective control notices and records the attack but doesn't block it. Stopping the attack beforehand is the job of a preventative control like a lock or a fence."}},{"@type":"Question","name":"How is a detective control different from a preventative control?","acceptedAnswer":{"@type":"Answer","text":"A preventative control blocks the attack before it happens (locks, bollards, gates), while a detective control records that it happened (camera footage, access logs). One acts before the event, the other captures evidence of it."}},{"@type":"Question","name":"Is a card reader a detective control?","acceptedAnswer":{"@type":"Answer","text":"It can be. Per EK 2.3.B.4, a card reader records which employee badge accessed which entry, which makes it detective. If you frame the same reader as something that denies entry to bad badges, it acts preventatively too."}},{"@type":"Question","name":"Where do detective controls show up on the AP Cybersecurity exam?","acceptedAnswer":{"@type":"Answer","text":"In Unit 2, Topic 2.3, usually in multiple-choice questions that ask you to classify security measures by function. Use the prevent-detect-correct framework from EK 2.3.B.1 to sort them."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 2","item":"https://fiveable.me/ap-cybersecurity/unit-2"},{"@type":"ListItem","position":4,"name":"detective control"}]}]}
```
