DMZ in AP Cybersecurity

In AP Cybersecurity, a DMZ (demilitarized zone), also called a screened subnet, is a network segment created by firewall zones and rules that sits between public external networks and internal private networks, typically holding publicly facing resources in a lower security zone.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is the DMZ?

A DMZ, short for demilitarized zone, is a buffer zone for your network. It's a segment that sits between the open internet and your protected internal network. The CED calls it a screened subnet, and that name tells you how it's built: firewall zones and rules "screen" the traffic going in and out (EK 3.3.A.1).

Think of it like a lobby in a secure building. Visitors (internet users) can walk into the lobby to reach the front desk and public services, but they can't wander into the back offices where the real secrets live. You put your publicly facing resources, like a web server or email server, in the DMZ. That way the outside world can reach them, but if one of those servers gets compromised, the attacker is stuck in the lobby instead of inside your private network. The DMZ is a lower security zone than your internal network, exactly because it's exposed on purpose.

Why the DMZ matters in AP Cybersecurity

The DMZ lives in Unit 3: Securing Networks, under topic 3.3 on segmentation. It's the headline example for learning objective AP Cybersecurity 3.3.A (identify techniques for segmenting a network) and it backs up AP Cybersecurity 3.3.B (explain why segmentation increases security). The big idea is isolation: dividing a network into segments means an attack on one piece doesn't automatically reach the rest (EK 3.3.B.2). The DMZ is segmentation with a job, separating the stuff you must expose from the stuff you must protect.

How the DMZ connects across the course

Subnetting (Unit 3)

Subnetting is the broader tool for slicing a network into pieces by IP addressing, and a DMZ is a specific, purpose-built use of that idea. You subnet to contain a breach; you build a DMZ to contain the breach in your most exposed servers specifically.

Security Zones and Firewall Rules (Unit 3)

A DMZ only works because firewall rules define what's allowed to cross between zones. The same firewall that lets internet traffic reach your web server blocks that web server from freely touching your internal database (EK 3.3.B.3).
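
An added example, not part of the original study guide: a short Python audit that checks a firewall rule list against the zone boundary described above, with a weak rule set beside a screened one. The subnets, hosts, ports and rule format are constructed assumptions, and each allow rule is judged on its own, ignoring rule order.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the page).
ZONES = {
    "dmz": ipaddress.ip_network("192.168.50.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/16"),
}

def zones_of(cidr):
    """Zones a CIDR can match; address space outside both zones is 'internet'."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")  # e.g. 0.0.0.0/0 covers the internet and both zones
    return hit

def audit(rules):
    """Return (rule index, finding) for allow rules that breach the DMZ boundary."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow" or "internal" not in zones_of(r["dst"]):
            continue  # only allow rules that land in the internal zone matter
        src = zones_of(r["src"])
        if "internet" in src:
            findings.append((i, "internet can reach internal network"))
        elif "dmz" in src:
            # A DMZ server may need one pinned path (single host and port), no more.
            one_host = ipaddress.ip_network(r["dst"]).num_addresses == 1
            if not (one_host and r.get("port")):
                findings.append((i, "DMZ has broad access to internal network"))
    return findings

# Constructed sample rule sets: weak first, then the screened version.
WEAK = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "192.168.50.10/32", "port": 443},
    {"action": "allow", "src": "192.168.50.0/24", "dst": "10.0.0.0/16", "port": None},
    {"action": "allow", "src": "0.0.0.0/0", "dst": "10.0.5.20/32", "port": 3389},
]
SCREENED = [
    {"action": "allow", "src": "0.0.0.0/0", "dst": "192.168.50.10/32", "port": 443},
    {"action": "allow", "src": "192.168.50.10/32", "dst": "10.0.5.20/32", "port": 5432},
    {"action": "deny", "src": "192.168.50.0/24", "dst": "10.0.0.0/16", "port": None},
]

if __name__ == "__main__":
    print(audit(WEAK), audit(SCREENED))
```

In the weak set, the second and third rules are flagged; the screened set keeps the public web rule and one pinned web-to-database path, so it produces no findings.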

Network Segmentation as Defense in Depth (Unit 3)

Segmentation, including the DMZ, is one layer in a stacked defense. If an attacker gets your public web server, the segment boundary is the next wall they have to break, which buys you time and limits the blast radius.

Is the DMZ on the AP Cybersecurity exam?

Expect this on multiple-choice questions in scenario form. A classic stem describes a company hosting a web server and email server on a segment that's reachable from the internet but firewalled off from the internal corporate network, then asks which segmentation technique that is. The answer is a DMZ / screened subnet. Other stems ask which network component is "an example of a screened subnet" or which segment is "placed between a firewall and the internet to host publicly accessible servers." Your job is to recognize the setup: public-facing servers + firewall separation from internal network = DMZ. No released FRQ has used this term verbatim, but it's solid evidence for any short-answer or design question about why segmentation reduces risk.

The DMZ vs Internal subnet (general subnetting)

Both are segments, but they serve opposite purposes. A regular internal subnet is a private, higher-security zone you create to isolate trusted devices from each other. A DMZ is a lower-security zone built on purpose to expose public servers to the internet while keeping that exposure walled off from everything private.

Key things to remember about the DMZ

  • A DMZ (demilitarized zone) is the same thing the CED calls a screened subnet, so know both names.

  • It sits between the public internet and your private internal network and holds publicly facing resources like web and email servers.

  • The DMZ is a lower security zone than the internal network, which is the point: it exposes only what has to be exposed.

  • Firewall zones and rules are what create and enforce the DMZ boundary (EK 3.3.A.1).

  • If a server in the DMZ is compromised, segmentation keeps the attacker from reaching internal devices, which is the core security benefit (EK 3.3.B.2).

Frequently asked questions about the DMZ

What is a DMZ in cybersecurity?

A DMZ, or demilitarized zone, is a network segment that sits between the internet and a private internal network. It hosts publicly accessible servers in a lower security zone, separated from internal resources by firewall rules. The AP CED also calls it a screened subnet.

Is a DMZ the same as a screened subnet?

Yes. The AP Cybersecurity CED uses the terms interchangeably (EK 3.3.A.1). "Screened subnet" is the more technical name because firewalls screen the traffic crossing into and out of the zone.

How is a DMZ different from regular subnetting?

Subnetting is the general technique of dividing a network into subnets by IP addressing. A DMZ is one specific use of segmentation built to host public-facing servers in a low-security zone between the internet and the private network. All DMZs involve segmentation, but not all segments are DMZs.

Why put a web server in a DMZ instead of the internal network?

Because the web server has to be reachable from the internet, which makes it a likely attack target. Placing it in the DMZ means a compromise of that server stays contained in the low-security zone instead of giving the attacker a direct path into your internal database and private systems.

How does a DMZ show up on the AP Cybersecurity exam?

Usually as a multiple-choice scenario where a company hosts internet-facing servers separated by firewalls from its internal network, and you identify the technique or zone. The correct answer will be DMZ or screened subnet. It maps to topic 3.3 and learning objectives 3.3.A and 3.3.B.
