Network segmentation

Network segmentation is the practice of dividing a network into smaller, isolated zones (often using VLANs or subnets) so that an attacker who compromises one device cannot freely move laterally to reach more sensitive systems.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is network segmentation?

Network segmentation means breaking one big flat network into smaller chunks that can't all talk to each other freely. Instead of every device sharing one open LAN, you carve it into separate zones, often with VLANs (virtual LANs) or subnets, and control traffic between them with firewalls. Think of it like adding interior doors to a building. If a burglar gets through the front door, they still can't wander into every room.

This matters because of how attackers behave once they're inside. Per EK 3.1.B.2, an adversary who compromises one device usually tries to leverage that foothold to compromise other devices on the same LAN. That sideways movement is called lateral movement. Segmentation cuts those paths. A compromised printer on a guest VLAN has no permitted path to your finance servers sitting in a separate subnet, because the firewall between the two zones denies the traffic by default.

Why network segmentation matters in AP Cybersecurity

Network segmentation lives in Unit 3: Securing Networks, anchored to Topic 3.1 Network Vulnerabilities and Attacks. It directly supports AP Cybersecurity 3.1.B (explaining how adversaries exploit network vulnerabilities) and AP Cybersecurity 3.1.C (assessing and documenting network risks). The CED ties it to the core idea that network vulnerabilities threaten confidentiality, integrity, and availability (EK 3.1.C.1). Segmentation is one of the cleanest defenses against the lateral movement described in EK 3.1.B.2, so it shows up whenever the exam asks you to recommend mitigations for a risky flat network.


How network segmentation connects across the course

VLAN (Unit 3)

A VLAN is the most common tool for doing segmentation. It logically splits one physical switch into separate broadcast domains, so devices on different VLANs can't reach each other without passing through a router or firewall first. The isolation only holds if that router or firewall actually filters: a VLAN whose gateway forwards everything between zones is segmentation in name only, so the inter-VLAN rules are where the real control lives.

Subnet (Unit 3)

Subnetting is segmentation at the IP layer. By dividing addresses into separate subnets, you create boundaries where a firewall can sit and filter traffic between zones, which is exactly how you box in an attacker.

Lateral movement and compromised devices (Unit 3, EK 3.1.B.2)

The whole point of segmentation is to break the chain in EK 3.1.B.2. If a foothold device can't reach high-value systems, the attacker's compromise stays small instead of spreading across the entire LAN.

Screened subnet (Unit 3)

A screened subnet (DMZ) is segmentation applied to public-facing servers. You put internet-exposed systems in their own isolated zone and let the firewall allow only the public service inbound, so a compromise of a web server does not give the attacker direct access to the internal network; traffic from the screened subnet inward is denied or tightly limited.
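As an added example (not code from this page or from Fiveable), the following Python models the zones and inter-zone rules described in the VLAN, subnet, lateral movement and screened subnet entries above, then computes how far an attacker can pivot from one foothold on a flat network versus a segmented one. The zone names, address ranges, rule table, host inventory, and the assumption that reaching a host on an admin port (SSH, SMB, RDP) is enough to compromise it are all constructed for illustration.

```python
"""Zone-policy model of network segmentation (added example, constructed data).

One zone == one VLAN/subnet. Traffic inside a zone is switched freely;
traffic between zones must pass the firewall and match an explicit rule.
"""
from ipaddress import ip_address, ip_network


class Network:
    def __init__(self, zones, policy):
        self.zones = zones    # zone name -> ip_network
        self.policy = policy  # (src_zone, dst_zone) -> set of allowed TCP dst ports

    def zone_of(self, ip):
        """Most specific zone containing ip (longest prefix wins)."""
        addr = ip_address(ip)
        best = None
        for name, net in self.zones.items():
            if addr in net and (best is None or net.prefixlen > self.zones[best].prefixlen):
                best = name
        return best

    def allowed(self, src, dst, port):
        """Firewall decision for a TCP connection from src to dst:port."""
        s, d = self.zone_of(src), self.zone_of(dst)
        if s is None or d is None:
            return False
        if s == d:
            return True  # same broadcast domain: the switch forwards it, the firewall never sees it
        return port in self.policy.get((s, d), set())  # default deny between zones

    def lateral_reach(self, foothold, hosts, pivot_ports=(22, 445, 3389)):
        """Transitive lateral movement: any host reachable on a pivot port (SSH, SMB,
        RDP; an assumption of this model) is treated as compromised and becomes a
        new foothold. Returns the hosts that fall, excluding the original foothold."""
        owned, frontier = {foothold}, [foothold]
        while frontier:
            src = frontier.pop()
            for h in hosts:
                if h not in owned and any(self.allowed(src, h, p) for p in pivot_ports):
                    owned.add(h)
                    frontier.append(h)
        owned.discard(foothold)
        return sorted(owned, key=ip_address)


# Constructed address plan: 10.x ranges for internal VLANs, TEST-NET-1 for the DMZ.
ZONES = {
    "guest":    ip_network("10.10.0.0/24"),   # visitor laptops, printers
    "corp":     ip_network("10.20.0.0/24"),   # staff workstations
    "finance":  ip_network("10.30.0.0/24"),   # finance servers
    "dmz":      ip_network("192.0.2.0/24"),   # screened subnet: public web server
    "internet": ip_network("0.0.0.0/0"),      # catch-all for everything else
}

# Constructed rule table for the firewall that routes between VLANs.
# Anything not listed here is denied, including every dmz -> internal pair.
SEGMENTED = Network(ZONES, {
    ("guest",    "internet"): {80, 443},
    ("corp",     "internet"): {80, 443},
    ("corp",     "finance"):  {443},          # finance web app only, no admin ports
    ("corp",     "dmz"):      {443, 22},      # admins manage the web server over SSH
    ("internet", "dmz"):      {443},          # the one service the public may reach
    ("dmz",      "internet"): {443},          # outbound for updates
})

# The flat alternative: one zone, so nothing is ever filtered.
FLAT = Network({"lan": ip_network("0.0.0.0/0")}, {})

# Constructed inventory used for the walk-through.
HOSTS = ["10.10.0.7", "10.10.0.50", "10.20.0.15", "10.20.0.16", "10.30.0.5", "192.0.2.10"]
PRINTER, WORKSTATION = "10.10.0.50", "10.20.0.15"


if __name__ == "__main__":
    for label, net in (("flat", FLAT), ("segmented", SEGMENTED)):
        print(f"{label}: printer compromise spreads to {net.lateral_reach(PRINTER, HOSTS)}")
    print("segmented: corp workstation compromise spreads to",
          SEGMENTED.lateral_reach(WORKSTATION, HOSTS))
    print("dmz web server -> finance on 443 allowed?",
          SEGMENTED.allowed("192.0.2.10", "10.30.0.5", 443))
```

On the flat network the printer foothold spreads to every host; on the segmented one it spreads only to the other guest device. Note the default deny: the rule table lists what is permitted, and the DMZ has no entry pointing inward, which is exactly what the screened subnet entry above relies on. The corp-to-finance rule permits only port 443, so even a compromised workstation cannot pivot to the finance server on an admin port in this model; whether that holds in practice also depends on the finance web application itself, which segmentation does not protect.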

Is network segmentation on the AP Cybersecurity exam?

Expect network segmentation to appear in multiple-choice questions as a recommended mitigation. A stem might describe a flat network where one infected machine can reach everything, then ask what control would limit the damage. The right answer is usually segmentation, VLANs, or subnets. It also fits risk-assessment style questions tied to AP Cybersecurity 3.1.C, where you connect a vulnerability to its impact on confidentiality, integrity, or availability and then propose a fix. No released FRQ has used the term verbatim, but it supports the kind of mitigation reasoning the exam rewards: identify the vulnerability, explain the risk (lateral movement), recommend the control.

Network segmentation vs MAC filtering

MAC filtering decides which individual devices are allowed on a network by checking their MAC addresses. Network segmentation decides which zones of the network can talk to each other once devices are already on. One is an access door (who gets in); the other is interior walls (where you can go after you're in).

Key things to remember about network segmentation

  • Network segmentation divides one network into isolated zones so an attacker who breaches one device can't freely reach the rest.

  • It's the main defense against lateral movement, the behavior described in EK 3.1.B.2 where a compromised device is used to attack others on the LAN.

  • VLANs and subnets are the usual tools for segmentation, with firewalls controlling traffic between the resulting zones.

  • Segmentation protects confidentiality, integrity, and availability by keeping a breach contained instead of letting it spread.

  • A screened subnet (DMZ) is segmentation used to isolate public-facing servers from the internal network.

Frequently asked questions about network segmentation

What is network segmentation in AP Cybersecurity?

It's dividing a network into smaller, isolated zones, often with VLANs or subnets, so a compromise in one zone can't spread to more sensitive systems. It maps to Topic 3.1 in Unit 3 and supports learning objectives AP Cybersecurity 3.1.B and 3.1.C.

Does network segmentation stop attackers from getting in?

No. Segmentation doesn't keep attackers out of the network. It limits how far they can go once they're already inside by blocking lateral movement between zones. Keeping them out is the job of controls like firewalls, port security, and authentication.

How is network segmentation different from MAC filtering?

MAC filtering controls which devices are allowed onto the network by checking their MAC addresses, while segmentation controls which network zones are allowed to talk to each other. Filtering is about getting on; segmentation is about where you can go after you're on.

Is a VLAN the same as network segmentation?

Not quite. A VLAN is a tool you use to do segmentation. Segmentation is the broader strategy of isolating zones, and VLANs (along with subnets and firewalls) are how you actually build those zones.

Why does network segmentation matter for the AP exam?

Because the CED treats lateral movement (EK 3.1.B.2) as a major risk, and segmentation is the cleanest answer when a question asks how to contain a breach or reduce risk to confidentiality, integrity, and availability.


Network Segmentation — AP Cybersecurity Definition | Fiveable