Tailgating

In AP Cybersecurity, tailgating is a physical attack where an adversary follows an authorized person through a secured entrance without their knowledge or consent, gaining access to a restricted area without using credentials of their own.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is tailgating?

Tailgating is when an attacker sneaks through a controlled door right behind someone who legitimately badged in. Picture an employee swiping into a server room. Before the door swings shut, a stranger slips in behind them, and the employee never notices. That's tailgating. The attacker borrowed someone else's authorized access without ever touching a badge reader.

This lives under CED topic 2.2, Physical Vulnerabilities and Attacks. It's a form of social engineering aimed at the physical world instead of an email inbox. The key detail is that the authorized person is unaware. They didn't agree to let anyone in; the attacker just exploited the moment the door was open. That's what separates tailgating from its close cousin, piggybacking.

Why tailgating matters in AP Cybersecurity

Tailgating sits in Unit 2: Securing Spaces and directly supports learning objective AP Cybersecurity 2.2.A, which asks you to identify common physical attacks. It also ties into 2.2.B and 2.2.C, because once an attacker is physically inside a restricted space, they can bypass technical controls entirely. EK 2.2.C.1 makes this explicit: physical access to devices can defeat many layers of security. A firewall and strong passwords mean nothing if someone is standing in front of an unlocked server. Tailgating is the textbook example of why physical security is a real attack surface, not an afterthought.

How tailgating connects across the course

Piggybacking (Unit 2)

These are the same move with one difference in consent. In tailgating, the authorized person doesn't know you're behind them. In piggybacking (EK 2.2.A.2), they actively help you, like holding the door because you're carrying a big box. Same goal, different level of social engineering.

Access Control Vestibule (Unit 2)

An access control vestibule (a mantrap) is the direct countermeasure to tailgating. It's a small room with two doors where only one person can pass at a time, so no one can slip in behind you. If a question asks how to stop tailgating, this is the answer.

Badge Access (Unit 2)

Badge access is the control tailgating bypasses. The attacker never presents a badge; they just ride in on yours. This shows why a strong authentication system at the door still leaves a gap if people can physically slip through.

Is tailgating on the AP Cybersecurity exam?

Tailgating shows up in multiple-choice scenario stems where you read a short story and pick the matching attack name. A typical stem describes an adversary walking behind an employee into a secure server room and slipping through the closing door without being noticed. Your job is to recognize that the authorized person was unaware, which makes it tailgating rather than piggybacking. Don't confuse it with shoulder surfing (watching someone type a PIN) or with piggybacking (where the authorized person knowingly helps). Read the stem for one detail: did the employee help, or did the attacker sneak?

Tailgating vs piggybacking

Both get an attacker through a secure door using someone else's access, but consent is the divider. Piggybacking means the authorized person knowingly helps, like holding the door for someone carrying a heavy box. Tailgating means the attacker slips through unnoticed and the authorized person never agreed to anything. Watch the stem for whether the employee was tricked into helping or simply didn't see the intruder.

Key things to remember about tailgating

  • Tailgating is a physical attack where an adversary follows an authorized person through a secure door without that person knowing.

  • It's classified as social engineering and falls under CED topic 2.2 and learning objective AP Cybersecurity 2.2.A.

  • The defining difference from piggybacking is consent: tailgating happens without the authorized person's awareness, while piggybacking happens with their help.

  • An access control vestibule (mantrap) is the standard countermeasure because it only lets one person through at a time.

  • Tailgating matters because physical access lets an attacker bypass technical controls like firewalls and passwords (EK 2.2.C.1).

Frequently asked questions about tailgating

What is tailgating in cybersecurity?

Tailgating is a physical attack where an adversary slips through a secured door behind an authorized person without that person noticing. It lets the attacker enter a restricted area without using any credentials of their own.

Is tailgating the same as piggybacking?

No. Both involve following someone through a secure door, but in piggybacking the authorized person knowingly helps you (like holding the door), while in tailgating they have no idea you're behind them. Consent is the dividing line.

How do you stop tailgating?

An access control vestibule, also called a mantrap, is the main defense. It's a two-door space that only allows one person through at a time, so no one can slip in behind an authorized employee.

Why is tailgating dangerous if the building already uses badge access?

Because tailgating bypasses badge access entirely. The attacker never presents a badge, so strong door authentication doesn't help. Once inside, they can access devices physically and defeat technical security layers, which EK 2.2.C.1 describes.

Is tailgating different from shoulder surfing?

Yes. Shoulder surfing is watching someone enter a PIN or password to steal it. Tailgating is physically following someone through a door. Both are physical attacks in Unit 2, but one steals information and the other gains entry.
