In AP Cybersecurity, piggybacking is a physical attack where an adversary uses social engineering to manipulate an authorized person into granting them access to a restricted area, such as asking someone to hold a door open.
Piggybacking is the attack in which an adversary talks their way into a secure space by getting an authorized person to let them in. It is a physical attack built entirely on social engineering, which means manipulating people rather than exploiting systems (EK 2.2.A.1, EK 2.2.A.2).
The classic moves are simple and rely on human politeness. The adversary might carry something big and bulky so a helpful employee holds the door. They might pretend they forgot their access badge. Or they show up dressed as a maintenance worker who "just needs to check something" in a restricted room. In every case, the door is supposed to keep people out, but the attacker gets through because a real, badged person waved them in.
Piggybacking lives in Unit 2: Securing Spaces, specifically topic 2.2 Physical Vulnerabilities and Attacks. It directly supports learning objective AP Cybersecurity 2.2.A, which asks you to identify common physical attacks, and it connects to AP Cybersecurity 2.2.B and AP Cybersecurity 2.2.C on how threats exploit vulnerabilities to cause loss or unauthorized access. The big idea behind it: physical access lets an adversary bypass many technical controls (EK 2.2.C.1). All the firewalls and encryption in the world don't help if someone can just walk into the server room behind you.
Visual cheatsheet
Social Engineering (Unit 2)
Piggybacking is social engineering applied to a physical door. The attacker hacks the person, not the lock, exploiting the natural urge to be helpful and hold the door.
Access Control Vestibule (Unit 2)
An access control vestibule (a mantrap) is the direct defense against piggybacking. It's a small room that only lets one person through at a time, so a second person can't slip in behind an authorized employee.
Badge Access (Unit 2)
Badge access systems are exactly what piggybacking sidesteps. The adversary never needs a valid badge if a real badge-holder opens the door for them, which is why technical controls alone don't stop this attack.
Physical Perimeter (Unit 2)
Piggybacking is one way attackers breach the physical perimeter without breaking anything. It shows why fencing, bollards, and locks only work if the people inside also follow access rules.
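To make the Access Control Vestibule and Badge Access cards concrete, here is an added simulation that is not part of the original study guide and not vendor controller firmware. It models two door controllers on the textbook scenario (a badged employee holding the door for a stranger with a large box): a plain badge reader, which admits everyone the badge holder lets through, and a vestibule with interlocked doors and an occupancy sensor, which refuses to open the inner door unless exactly one person is in the chamber. The badge IDs, event strings and the "hold the inner door locked and alert" policy are constructed assumptions for the illustration.

```python
"""Constructed simulation of a badge-only door versus an access control
vestibule (mantrap) facing a piggybacking attempt. Added example; the badge
IDs, log format and alert policy are assumptions, not a real product.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Constructed sample set of badges the access control system accepts.
AUTHORIZED_BADGES = {"B-1001", "B-1002"}


@dataclass
class Person:
    name: str
    badge: Optional[str]  # None means no badge at all (the adversary)


@dataclass
class BadgeDoor:
    """A single badged door. Once the lock releases, the lock has no idea
    how many people walk through: whoever the badge holder holds the door
    for gets in, which is exactly what piggybacking exploits."""
    log: list[str] = field(default_factory=list)

    def attempt_entry(self, group: list[Person]) -> list[Person]:
        holder = group[0]  # the person who actually presents a badge
        if holder.badge not in AUTHORIZED_BADGES:
            self.log.append(f"DENY badge={holder.badge!r}")
            return []
        self.log.append(f"UNLOCK badge={holder.badge} passed={len(group)}")
        return group  # everyone behind the holder is admitted


@dataclass
class Vestibule:
    """Two interlocked doors with an occupancy sensor between them. The
    inner door is only considered after the outer door has closed, and it
    unlocks only when the sensor counts exactly one body. A second person
    cannot ride in on the holder's credential, however willing the holder
    is to help."""
    log: list[str] = field(default_factory=list)

    def attempt_entry(self, group: list[Person]) -> list[Person]:
        holder = group[0]
        if holder.badge not in AUTHORIZED_BADGES:
            self.log.append(f"DENY badge={holder.badge!r}")
            return []
        # Outer door opens; whoever is with the holder steps into the chamber,
        # then the outer door closes (interlock: the two doors are never open
        # at the same time).
        occupancy = len(group)
        if occupancy != 1:
            # Assumed policy: keep the inner door locked and raise an alert
            # for the guard desk. Nobody is admitted on this badge read.
            self.log.append(
                f"ALERT occupancy={occupancy} badge={holder.badge}: "
                "inner door held locked, security notified"
            )
            return []
        self.log.append(f"ADMIT badge={holder.badge}")
        return group


def run_scenario(door: BadgeDoor | Vestibule) -> list[str]:
    """The exam scenario: employee Dana badges in while a stranger carrying
    a large box asks her to hold the door. Returns who ends up inside."""
    employee = Person("Dana", "B-1001")
    adversary = Person("box carrier", None)
    admitted = door.attempt_entry([employee, adversary])
    return [p.name for p in admitted]


if __name__ == "__main__":
    for controller in (BadgeDoor(), Vestibule()):
        inside = run_scenario(controller)
        print(type(controller).__name__, "admitted:", inside)
        for line in controller.log:
            print("  ", line)
```

Running it shows the badge door admitting both Dana and the box carrier on a single valid badge read, while the vestibule logs an occupancy alert and admits nobody; Dana alone, in a separate read, is admitted normally. The contrast is the point of the card: the badge reader cannot tell that a second person came through, so the control that stops piggybacking has to count bodies, not badges.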
Expect piggybacking as a multiple-choice answer where the question describes a scenario and asks you to name the attack. Watch for the giveaway details: an adversary carrying a large box toward a server room and asking an employee to hold the door, or someone walking in behind a badged employee. You need to recognize the social engineering angle and pick "piggybacking" over near-miss options like shoulder surfing or card cloning. No released FRQ has used the term verbatim, but it fits any prompt asking you to assess physical vulnerabilities or recommend controls, where the right answer points toward an access control vestibule.
Piggybacking and tailgating get blurred constantly. In AP Cybersecurity, piggybacking involves manipulating an authorized person who knowingly lets the adversary in, like holding the door for someone carrying a box. Tailgating is sneaking in behind a person who never agreed and may not even notice, like slipping through a closing door. If the scenario describes consent or a helpful employee, it's piggybacking.
Piggybacking is a physical attack that uses social engineering to get an authorized person to grant access to a restricted area (EK 2.2.A.2).
Common tactics include carrying something bulky to get a door held, pretending to have forgotten an access token, or posing as a maintenance worker.
It works because it exploits human politeness, not technical flaws, so firewalls and encryption can't stop it.
Physical access from piggybacking lets an adversary bypass many technical security controls (EK 2.2.C.1).
An access control vestibule (mantrap) is the standard defense because it only admits one person at a time.
On the exam, look for scenarios where a badged employee willingly opens the door for the attacker.
It's a physical attack where an adversary uses social engineering to manipulate an authorized person into letting them into a restricted area, like asking someone to hold a secure door open (EK 2.2.A.2). It targets people, not technology.
No. Piggybacking involves an authorized person knowingly granting access, like a helpful employee holding the door. Tailgating is slipping in behind someone without their consent or knowledge. The exam often tests whether you can spot which one a scenario describes.
An access control vestibule (mantrap) is the main defense because it only lets one person through at a time. Training people not to hold doors for strangers and to challenge anyone without a visible badge also helps.
Because it bypasses badge access entirely. The attacker never needs a valid badge if a real employee opens the door for them, and physical access then lets them defeat many technical controls (EK 2.2.C.1).
Yes. It's tied to learning objective AP Cybersecurity 2.2.A in Unit 2 and shows up in multiple-choice scenarios where you identify the physical attack being described, often distinguished from shoulder surfing or card cloning.