In AP Cybersecurity, a subnet is a smaller, logically divided portion of a larger IP network. Splitting a network into subnets is a form of network segmentation that limits how far an adversary can move after compromising one device.
A subnet is a chunk of a bigger network that's been sliced off and given its own range of IP addresses, defined by a network address plus a prefix length (or subnet mask) that says which address bits identify the subnet and which identify the host. Think of one giant office network broken into smaller, walled-off neighborhoods. Devices inside the same subnet can talk to each other directly, while traffic between subnets has to pass through a router or default gateway, where you can apply rules and filtering. That gateway is the enforcement point: a router that simply forwards everything between subnets gives you tidier addressing, not segmentation, so the security value comes from the access control list or firewall rules you put there.
Why bother slicing things up? Because a flat network where everything can reach everything is a security nightmare. If an adversary compromises one device, they can try to move laterally to reach more sensitive systems on the same LAN (EK 3.1.B.2). Subnetting puts boundaries between groups of devices, so a foothold in one area doesn't automatically grant access to the whole network. It's the practical building block of network segmentation, which is one of the main defenses Unit 3 cares about.
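The mechanics above, as an added example that is not part of the original page: Python's standard `ipaddress` module is used to model the same six hosts under two addressing plans, three /24 subnets versus one flat /16, and to ask which hosts a compromised machine can reach without any packet ever crossing a gateway. The host names, addresses and subnets are constructed for illustration; `shares_subnet`, `delivery` and `blast_radius` are names chosen here, not terms from the course.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory (hypothetical names and addresses, not from the page).
HOSTS = {
    "ws-01":  "10.0.10.21",   # workstations
    "ws-02":  "10.0.10.22",
    "ws-03":  "10.0.10.23",
    "db-01":  "10.0.20.5",    # sensitive servers
    "hr-app": "10.0.20.6",
    "web-01": "10.0.30.10",   # public-facing host in its own subnet
}

# Two addressing plans for the same hosts: three /24 subnets versus one flat /16.
SEGMENTED = [ip_network("10.0.10.0/24"),
             ip_network("10.0.20.0/24"),
             ip_network("10.0.30.0/24")]
FLAT = [ip_network("10.0.0.0/16")]


def shares_subnet(a, b, prefixlen):
    """The arithmetic behind 'same subnet': mask off the host bits of both
    IPv4 addresses and compare what is left (the network part)."""
    mask = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    return (int(ip_address(a)) & mask) == (int(ip_address(b)) & mask)


def subnet_of(addr, subnets):
    """Return the subnet in `subnets` that contains addr, or None."""
    a = ip_address(addr)
    for net in subnets:
        if a in net:
            return net
    return None


def delivery(src, dst, subnets):
    """'direct' when src and dst share a subnet: the frame goes straight across
    the LAN and no router sees it. 'gateway' when it must be routed, which is
    the only place an ACL or firewall rule can inspect it."""
    s, d = subnet_of(src, subnets), subnet_of(dst, subnets)
    if s is None or d is None:
        raise ValueError("address outside the modelled network")
    return "direct" if s == d else "gateway"


def blast_radius(compromised, subnets):
    """Hosts an attacker on `compromised` can reach without crossing a gateway.
    Everything not in this list has to pass a filtering point first."""
    src = HOSTS[compromised]
    return sorted(name for name, addr in HOSTS.items()
                  if name != compromised and delivery(src, addr, subnets) == "direct")


if __name__ == "__main__":
    for plan_name, plan in (("flat /16", FLAT), ("segmented /24s", SEGMENTED)):
        print(f"{plan_name}: ws-01 compromised, reachable with no gateway in the path: "
              f"{blast_radius('ws-01', plan)}")
    print("ws-01 -> db-01 under the segmented plan:",
          delivery(HOSTS["ws-01"], HOSTS["db-01"], SEGMENTED))
```

Under the flat plan every other host is one hop away and nothing can filter the attacker's traffic; under the segmented plan a compromised workstation only sees the other workstations, and every attempt at the server subnet has to pass the gateway. Note that the gateway still has to enforce a rule for that to matter, which is the point of the next examples in the course.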
Subnets live in Unit 3: Securing Networks, anchored to topic 3.1 (Network Vulnerabilities and Attacks). The term supports AP Cybersecurity 3.1.B, where you explain how adversaries exploit network weaknesses, and AP Cybersecurity 3.1.C, where you assess the risks those weaknesses create. The big connection is EK 3.1.B.2 and EK 3.1.C.1: once an attacker compromises a device, they try to pivot to others on the LAN. Subnetting and segmentation are how you box them in. This ties directly into the CIA triad, since limiting lateral movement protects the confidentiality, integrity, and availability of sensitive systems.
Network Segmentation (Unit 3)
Subnetting is segmentation in action. Network segmentation is the strategy of breaking a network into isolated parts, and creating subnets is one of the most common ways you actually do it. Same idea, different zoom level.
Lateral Movement on a LAN (Unit 3)
EK 3.1.B.2 says adversaries who compromise one device try to reach others on the LAN. Subnets are the speed bumps that slow this down, because crossing into another subnet means passing through a gateway where filtering can stop them.
Screened Subnet (Unit 3)
A screened subnet (sometimes called a DMZ) is a special subnet placed between the internet and your internal network, guarded by firewalls. It's a subnet built specifically to hold public-facing servers without exposing the rest of your LAN.
VLAN (Unit 3)
A VLAN does for switch ports what a subnet does for IP addresses. They often work together to logically separate devices that share the same physical hardware, both serving the segmentation goal.
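The screened subnet entry above, as an added example that is not part of the original page: a minimal first-match firewall policy for the three zones (internet, screened subnet, internal LAN). The zone ranges, host addresses, ports and rule names are constructed for illustration (192.0.2.0/24 and 203.0.113.0/24 are documentation ranges standing in for the DMZ and an outside client); `decide` and `pivot_targets` are names chosen here. The policy lets the outside world reach only the public service, lets the LAN manage the DMZ, and lets a compromised DMZ host reach exactly one internal host on one port rather than the whole LAN.

```python
from ipaddress import ip_address, ip_network

# Constructed zones (hypothetical ranges, not from the page). Anything that
# falls in neither range is treated as the internet.
ZONES = {
    "lan": ip_network("10.0.0.0/16"),     # internal network
    "dmz": ip_network("192.0.2.0/24"),    # screened subnet
}

# First match wins. Each rule is (source, destination, tcp port or None, action);
# a source or destination is either a zone name or a single host address.
RULES = [
    ("internet", "dmz", 443, "allow"),           # the public-facing service
    ("lan", "dmz", 443, "allow"),                # internal users reach the same service
    ("lan", "dmz", 22, "allow"),                 # admins manage the DMZ host
    ("192.0.2.10", "10.0.20.5", 5432, "allow"),  # web server to its database only
    ("dmz", "lan", None, "deny"),                # nothing else crosses from the DMZ inward
    ("internet", "lan", None, "deny"),           # the internet never reaches the LAN directly
    ("lan", "internet", None, "allow"),          # ordinary outbound traffic
]
DEFAULT_ACTION = "deny"   # anything the rules do not mention is dropped


def zone_of(ip):
    """Map an address to its zone; unknown space counts as the internet."""
    a = ip_address(ip)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


def _matches(selector, ip):
    """A selector is a zone name or an exact host address."""
    if selector in ZONES or selector == "internet":
        return zone_of(ip) == selector
    return ip_address(ip) == ip_address(selector)


def decide(src, dst, port):
    """Return 'allow' or 'deny' for a TCP connection attempt src -> dst:port."""
    for rule_src, rule_dst, rule_port, action in RULES:
        if (_matches(rule_src, src) and _matches(rule_dst, dst)
                and (rule_port is None or rule_port == port)):
            return action
    return DEFAULT_ACTION


def pivot_targets(compromised, candidates):
    """(host, port) pairs a compromised host can still open through the firewall:
    the attacker's remaining reach after the screened-subnet policy is applied."""
    return [(d, p) for d, p in candidates if decide(compromised, d, p) == "allow"]


if __name__ == "__main__":
    # Constructed scan list: what an attacker on the DMZ web server might try next.
    attempts = [("10.0.20.5", 5432), ("10.0.20.6", 5432),
                ("10.0.10.21", 445), ("10.0.20.5", 22)]
    print("internet -> web 443:", decide("203.0.113.7", "192.0.2.10", 443))
    print("internet -> db 5432:", decide("203.0.113.7", "10.0.20.5", 5432))
    print("reachable from a compromised web-01:", pivot_targets("192.0.2.10", attempts))
```

Rule order matters: the single host-to-host exception for the database sits before the zone-wide deny, so it is the only way from the DMZ into the LAN. If that exception were written as `("dmz", "lan", 5432, "allow")` instead, every DMZ host could reach every internal database port, which is the kind of over-broad rule that turns a screened subnet back into a flat network.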
Subnet shows up as a supporting concept rather than a standalone definition. On multiple-choice questions, expect it in scenarios about stopping an attacker from reaching sensitive systems, where segmenting the network into subnets is the correct mitigation. On free response, if you're asked to recommend defenses against lateral movement (EK 3.1.B.2) or to reduce risk from a network vulnerability (EK 3.1.C.1), naming subnetting or network segmentation as a control is a solid, CED-aligned answer. The move you want to make: connect subnets to limiting blast radius, not just to organizing IP addresses.
A subnet is a Layer 3 (IP-based) division using IP address ranges, while a VLAN is a Layer 2 (switch-based) division that logically groups switch ports. They both separate devices, but a subnet operates by IP addressing and a VLAN operates on the switch itself. In practice they're often paired, with each VLAN mapped to its own subnet.
A subnet is a smaller, logically divided portion of a larger IP network, and traffic between subnets must pass through a router or gateway.
Subnetting is a practical form of network segmentation, the main Unit 3 defense for boxing in attackers.
Its biggest security payoff is limiting lateral movement, so compromising one device doesn't expose the whole LAN (EK 3.1.B.2).
By restricting how far an adversary can reach, subnets help protect confidentiality, integrity, and availability (EK 3.1.C.1).
A subnet divides by IP address (Layer 3), while a VLAN divides by switch port (Layer 2), and they're often used together.
A screened subnet is a special subnet that isolates public-facing servers between the internet and your internal network.
What is a subnet in AP Cybersecurity?
A subnet is a smaller logical division of a larger IP network. In Unit 3, it matters because splitting a network into subnets is a form of segmentation that limits how far an attacker can move after breaking into one device.
Is subnetting the same as network segmentation?
Not exactly, but they're closely related. Network segmentation is the overall goal of isolating parts of a network, and subnetting is one of the most common ways to achieve it. Think of subnetting as segmentation done with IP address ranges.
What is the difference between a subnet and a VLAN?
A subnet separates devices by IP address at Layer 3, while a VLAN separates them by switch port at Layer 2. Both isolate devices for security, and they're frequently used together, with each VLAN matched to its own subnet.
Why does subnetting help against lateral movement?
Because traffic moving between subnets has to pass through a gateway where you can filter or block it. This slows or stops lateral movement (EK 3.1.B.2), so an attacker who compromises one device can't freely reach sensitive systems on another subnet.
What is a screened subnet?
A screened subnet, also called a DMZ, is a subnet placed between the internet and your internal network and guarded by firewalls. It hosts public-facing servers so outside users can reach them without gaining access to the rest of your LAN.