Dumpster diving in AP Cybersecurity

In AP Cybersecurity, dumpster diving is a physical attack where an adversary searches through an organization's discarded trash to find sensitive information like network diagrams, employee lists, or passwords that can be used to compromise systems.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is dumpster diving?

Dumpster diving is exactly what it sounds like. An adversary digs through a company's trash, recycling, or discarded papers looking for anything useful. The goal is information: network diagrams, employee directories, old hard drives, sticky notes with passwords, contracts, or printouts someone tossed without shredding.

It fits under Topic 2.2, Physical Vulnerabilities and Attacks, because it relies on physical access rather than hacking code. People assume that once something hits the trash it's gone, but a single thrown-away org chart can hand an attacker the names, roles, and details they need to launch a convincing social engineering attack later. That makes dumpster diving less about the trash itself and more about the recon it provides.

Why dumpster diving matters in AP Cybersecurity

This term lives in Unit 2: Securing Spaces, under Topic 2.2. It supports learning objective AP Cybersecurity 2.2.A, which asks you to identify common physical attacks, and connects directly to 2.2.B, where you explain how threats exploit physical vulnerabilities to cause loss or compromise. The big idea: physical weaknesses can defeat strong technical security. You can have firewalls and encryption, but if your shredder is broken and your trash bin is unguarded, an adversary doesn't need to touch your network to learn how it works.


How dumpster diving connects across the course

Social Engineering and Piggybacking (Unit 2)

Dumpster diving usually isn't the final attack; it's the warmup. The employee names and badge details an attacker pulls from the trash are what make a later piggybacking or impersonation attempt believable.

Physical Perimeter and Access Controls (Unit 2)

A dumpster sitting in an unmonitored parking lot is a gap in the physical perimeter. The same logic behind fencing, bollards, and badge access applies here: control who can reach your assets, including the ones you threw away.

Documenting Risk from Physical Vulnerabilities (Unit 2)

Per EK 2.2.C.1, physical access lets adversaries bypass technical controls. Unshredded sensitive documents in an open bin are a textbook high-risk vulnerability you'd flag when assessing an organization's physical security.

Is dumpster diving on the AP Cybersecurity exam?

On the multiple-choice section, expect a scenario stem where an attacker finds discarded network diagrams, employee lists, or documents in a trash bin, and you pick the term that names it. You need to recognize dumpster diving versus other physical attacks like shoulder surfing or piggybacking, since they often appear as answer choices for the same question. No released FRQ has used this term verbatim, but it fits any prompt asking you to identify physical vulnerabilities or recommend controls, where the right move is shredding sensitive documents and securing waste disposal.

Dumpster diving vs shoulder surfing

Both are low-tech physical attacks, but the timing is opposite. Shoulder surfing is real-time spying: watching someone type a PIN or password as it happens. Dumpster diving is after-the-fact scavenging through trash someone already threw out. One steals live info; the other digs up discarded info.

Key things to remember about dumpster diving

  • Dumpster diving is a physical attack where an adversary searches discarded trash for sensitive information that can be used to compromise an organization.

  • It maps to learning objective AP Cybersecurity 2.2.A, identifying common physical attacks, in Unit 2.

  • The danger is the recon it provides: names, network diagrams, and credentials that fuel later social engineering attacks.

  • The standard defense is shredding sensitive documents and securing trash and recycling so it can't be freely accessed.

  • Don't confuse it with shoulder surfing, which is watching someone enter info in real time rather than digging through discarded materials.

Frequently asked questions about dumpster diving

What is dumpster diving in AP Cybersecurity?

It's a physical attack where an adversary goes through an organization's trash to find useful information like discarded network diagrams, employee lists, or documents with passwords. It falls under Topic 2.2, Physical Vulnerabilities and Attacks.

Is dumpster diving actually a cyber attack if no hacking is involved?

Yes. The CED classifies it as a physical attack because physical access can bypass technical controls (EK 2.2.C.1). The attacker uses the information found in the trash to plan or launch a digital compromise later.

How is dumpster diving different from shoulder surfing?

Dumpster diving is scavenging through discarded trash after the fact, while shoulder surfing is watching someone enter a password or PIN in real time. Both are physical attacks, but one digs up old info and the other steals it live.

How do you defend against dumpster diving?

Shred sensitive documents before disposal, securely wipe or destroy old storage devices, and control physical access to trash and recycling bins. The goal is making sure discarded materials can't be reached or read by an adversary.

How does dumpster diving show up on the AP exam?

Expect a multiple-choice scenario where an attacker finds discarded documents or employee lists in a trash bin and you identify the attack. You'll need to tell it apart from shoulder surfing and piggybacking, which often appear as the other answer choices.
