In AP Cybersecurity, subnetting is the process of dividing a network into smaller, isolated subnetworks (subnets) based on IP addressing, so that a compromise on one subnet can be contained and kept from spreading to others.
Subnetting is one way to do network segmentation: you split a larger network into smaller, separate pieces called subnets, organized by IP addressing. Each subnet acts like its own little neighborhood with its own range of addresses.
The security payoff comes from isolation. Per EK 3.3.A.2, if an attacker compromises a device, subnets can contain the damage so it doesn't automatically spread everywhere. And because each subnet is its own zone, you can apply different security policies to different subnets (EK 3.3.B.3), keeping high-value systems in a tighter zone than, say, a guest network.
Subnetting lives in Unit 3: Securing Networks, specifically topic 3.3 (Protecting Networks: Segmentation). It's the IP-addressing answer to learning objective AP Cybersecurity 3.3.A (identify techniques for segmenting a network) and supports 3.3.B (explain why segmentation increases security). The big idea is containment. Dividing traffic into subnets (EK 3.3.B.1, 3.3.B.2) means an attack on one segment doesn't get a free path to the rest of the network, which is exactly the kind of defense-in-depth thinking the exam rewards.
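The containment idea above, worked through as an added example (not part of the original study guide): one address block is split into four subnets, and a default-deny rule table decides which subnets may talk to each other. The 10.20.0.0/24 block, the zone names and the `ALLOWED` table are assumptions made up for illustration; in a real network the rules would live on the router or firewall between the subnets.

```python
import ipaddress

# Assumed campus block, split into four equal /26 subnets (constructed values).
CAMPUS = ipaddress.ip_network("10.20.0.0/24")
ZONE_NAMES = ["guest", "staff", "servers", "management"]  # hypothetical zones
SUBNETS = dict(zip(ZONE_NAMES, CAMPUS.subnets(new_prefix=26)))

# Inter-subnet policy, default deny. Guest is the source in no pair.
ALLOWED = {
    ("staff", "servers"),
    ("management", "servers"),
    ("management", "staff"),
}


def zone_of(address):
    """Return the zone whose subnet contains the address, or None."""
    ip = ipaddress.ip_address(address)
    for zone, net in SUBNETS.items():
        if ip in net:
            return zone
    return None


def decide(src, dst):
    """Decide how traffic from src to dst is treated at the subnet boundary."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny (address outside the campus block)"
    if src_zone == dst_zone:
        return f"same subnet ({src_zone}): never crosses the boundary"
    if (src_zone, dst_zone) in ALLOWED:
        return f"allow {src_zone} -> {dst_zone}"
    return f"deny {src_zone} -> {dst_zone}"


def reachable_zones(compromised):
    """Zones a compromised host can reach: its own plus allowed destinations."""
    zone = zone_of(compromised)
    if zone is None:
        return set()
    return {zone} | {dst for src, dst in ALLOWED if src == zone}


if __name__ == "__main__":
    for zone, net in SUBNETS.items():
        print(f"{zone:<11}{net}  hosts {net[1]} - {net[-2]}")
    print(decide("10.20.0.10", "10.20.0.130"))    # guest -> servers
    print(sorted(reachable_zones("10.20.0.10")))  # guest laptop compromised
```

Traffic between two hosts in the same subnet never reaches the boundary where the rules are checked, which is why high-value systems belong in their own subnet rather than sharing one with everyday devices.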
Screened Subnet / DMZ (Unit 3)
A DMZ is segmentation done with firewall zones, while subnetting does it with IP address ranges. Both isolate traffic, but a screened subnet specifically parks public-facing servers in a lower-security zone between the internet and your private network.
Security Zones (Unit 3)
Subnetting is what makes higher-security and lower-security zones possible. Once devices are grouped into separate subnets, you can hand each subnet its own rules (EK 3.3.B.3), so sensitive systems get stricter controls than everyday traffic.
Attack Containment / Lateral Movement (Unit 3)
The whole point of subnetting is stopping an attacker from roaming freely. If one subnet is breached, the boundaries between subnets slow or block the move to other systems, which is the isolation idea in EK 3.3.B.2.
Expect subnetting in multiple-choice questions that hand you a scenario and ask you to name the segmentation technique. A typical stem describes wanting to stop a compromised device or server from reaching internal systems and asks which approach fits. Your job is to match the description to the right tool. Watch the wording closely: if the question talks about dividing by IP addressing or containing a breach within an address range, that's subnetting. If it describes firewall zones placing public-facing servers between the internet and the private network, that's a screened subnet (DMZ). No released FRQ has used the term verbatim, but the segmentation reasoning behind it is exactly the kind of 'why does this improve security' explanation an extended-response question could ask for.
Both are segmentation, so it's easy to mix them up. Subnetting divides the network by IP addressing to isolate traffic and contain compromises (EK 3.3.A.2). A screened subnet (DMZ) is created with firewall zones and rules to hold public-facing resources in a lower-security zone between the internet and the internal network (EK 3.3.A.1). On a question, the keyword 'firewall zone' or 'public-facing servers' points to DMZ; 'IP addressing' or 'divide into subnets' points to subnetting.
Subnetting divides a network into smaller isolated subnets based on IP addressing.
Its main security benefit is containment: if one subnet is breached, it is harder for the damage to spread to other subnets (EK 3.3.B.2).
Separate subnets let you apply different security policies, creating higher-security and lower-security zones (EK 3.3.B.3).
Subnetting and the screened subnet (DMZ) are both segmentation, but subnetting uses IP addressing while a DMZ uses firewall zones.
It's tested mostly in Unit 3 MCQs where you match a scenario to the correct segmentation technique.
Subnetting is the process of dividing a network into smaller, isolated subnetworks (subnets) based on IP addressing. It's a network segmentation technique in Unit 3 that helps contain attacks so a compromise on one subnet doesn't spread to the rest.
No. Both are forms of network segmentation, but subnetting divides the network by IP addressing, while a DMZ (screened subnet) uses firewall zones to place public-facing servers in a lower-security zone. The exam separates them by keyword: IP addressing means subnetting, firewall zones mean DMZ.
Because it isolates traffic. Splitting a network into subnets contains a breach to one segment (EK 3.3.B.2) and lets you apply different, stricter security policies to different subnets (EK 3.3.B.3), so attackers can't move freely across the whole network.
Look at the method described. If the scenario mentions dividing the network by IP addressing or containing a compromise within an address range, it's subnetting. If it describes firewall rules placing internet-facing servers between the public internet and the internal network, it's a screened subnet (DMZ).
Subnetting is in Unit 3: Securing Networks, topic 3.3. It supports learning objective AP Cybersecurity 3.3.A (identify segmentation techniques) and ties into 3.3.B (explain why segmentation increases security).