A logic bomb is malicious code that stays inactive until a specific condition is met, like a certain date or a user action, at which point it executes its harmful payload (such as deleting files or crashing a system).
A logic bomb is malware that waits. Instead of running the moment it lands on a device, it stays dormant until a trigger condition is met, then it goes off. That trigger can be a calendar date, a specific time, a missing employee name in a database, or any condition the attacker codes in.
Under [AP Cybersecurity 4.1.B], a logic bomb is one of the malware types you identify in a cyberattack. What makes it sneaky is the delay. Regular malware tends to act right away, but a logic bomb can sit inside legitimate software for weeks or months looking completely harmless. That's why a disgruntled employee is the classic culprit: they have inside access, they embed the code, and they set it to detonate later (often after they're gone).
Logic bombs live in Unit 4: Securing Devices, specifically topic 4.1 Device Vulnerabilities and Attacks. They support [AP Cybersecurity 4.1.B], where you identify the type of malware used in an attack, and they connect to [AP Cybersecurity 4.1.C] and [AP Cybersecurity 4.1.D] because the payload they deliver can crash a system, wipe data, or destroy operations. The exam wants you to match a scenario to the right malware type. When you read about code that only fires on a condition, your brain should jump straight to "logic bomb" instead of generic "virus" or "worm."
Keep studying AP Cybersecurity Unit 4
Visual cheatsheet
view galleryMalware (Unit 4)
A logic bomb is one species in the larger malware family defined in EK 4.1.B.1. Think of malware as the genus and logic bomb as the specific type whose defining trait is a delayed, condition-based trigger.
Virus vs. Worm (Unit 4)
Viruses need a user to open or run a file, and worms spread on their own. A logic bomb is sorted by WHEN it acts (on a trigger) rather than HOW it spreads, so the same code could be delivered by a virus and still be a logic bomb.
Device Risk Assessment (Unit 4)
Under [AP Cybersecurity 4.1.D], a logic bomb planted in a critical system (like payroll or a server) is a high risk because its payload can destroy data or take down operations the moment it detonates.
On the multiple-choice section, logic bombs almost always appear as a scenario stem you have to classify. The dead giveaway is timing language: "will only execute on December 25th" or "triggers when an employee's name is removed from the database." When you see code that waits for a specific condition before activating, pick logic bomb, not ransomware or a generic virus. Watch out for the insider-threat framing too, since a disgruntled employee planting delayed code is the textbook setup. No released FRQ has used this term verbatim, but it fits the kind of malware-identification and device-risk questions Unit 4 rewards.
Both are damaging malware, but they're defined by different things. Ransomware is defined by its goal: it encrypts your files and demands payment for the key. A logic bomb is defined by its trigger: it waits for a condition before doing anything. A logic bomb COULD release ransomware as its payload, but if a question emphasizes a payment demand, choose ransomware; if it emphasizes a date or condition that fires the code, choose logic bomb.
A logic bomb is malware that stays dormant until a specific trigger condition is met, then executes its harmful payload.
The defining feature is the trigger, which can be a date, a time, or a specific event like an employee's name disappearing from a database.
On the AP exam, scenario stems with timing words like "only executes on December 25th" are pointing you toward logic bomb.
Disgruntled insiders are the classic source because they have the access to embed the code and set it to detonate after they leave.
A logic bomb is classified by WHEN it acts, while viruses and worms are classified by HOW they spread.
It's malicious code that sits inactive until a specific condition is met, then runs its payload. The condition is often a date, a time, or an event like a record being deleted, which is what separates it from malware that acts immediately.
No. Ransomware is defined by its goal of encrypting files and demanding payment, while a logic bomb is defined by its delayed trigger. A logic bomb could deliver ransomware as its payload, but if a question stresses a payment demand, answer ransomware.
A virus is classified by how it spreads (a user must open or run an infected file). A logic bomb is classified by when it activates (only when a trigger condition is met). The same malicious code can be both, depending on the question's focus.
Insiders have legitimate access to embed code in company systems like payroll, and the delayed trigger lets the damage happen long after they've left, making it harder to trace back to them.
Yes, it fits under topic 4.1 and learning objective [AP Cybersecurity 4.1.B] on identifying malware types. Expect scenario-based multiple-choice questions where you spot the timing or condition-based trigger and label it a logic bomb.
Connect this key term to the AP exam workflow: review the course, practice questions, and check related study tools.