Threat

In AP Cybersecurity, a threat is any person, event, or action that can exploit a vulnerability to compromise an asset. It is one of the three pieces of risk, alongside the vulnerability it targets and the asset it endangers.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is threat?

A threat is anything with the potential to exploit a vulnerability and cause harm to an asset. Think of it as the "danger" side of the risk equation. Under EK 2.1.D.1, risk happens when a threat can exploit a vulnerability to compromise an asset. So a threat alone isn't risk. It only becomes risk when there's a weakness it can actually use and something valuable on the line.

Threats come in a lot of forms. They can be human adversaries like script kiddies, hacktivists, or insider adversaries (EK 2.1.B), each with different skills and motives. They can be the techniques those adversaries use, like social engineering attacks that manipulate people through pretexting, authority, or intimidation (EK 2.1.A). They can even be non-malicious, like a natural disaster knocking out availability. The exam wants you to recognize a threat, figure out what asset it endangers, and connect it to the right defense.

Why threat matters in AP Cybersecurity

Threat lives in Unit 2: Securing Spaces, specifically topic 2.1 Cyber Foundations, and it's the glue holding that whole topic together. You'll see it in AP Cybersecurity 2.1.B (types of adversaries), 2.1.C (phases of a cyberattack), 2.1.D (the risk assessment process), and 2.1.G (why defense in depth is necessary). The CED literally builds risk out of three terms (threat, vulnerability, and asset), so if you can't define threat cleanly, the risk assessment objective falls apart. Every social engineering tactic in 2.1.A is a threat technique, and every security control in 2.1.F exists to counter some threat. It's the concept that turns a list of definitions into a connected story about how attacks happen and how defenders stop them.

How threat connects across the course

Vulnerability and Asset in the Risk Equation (Unit 2)

Risk is the overlap of three things, and a threat is only one of them. A threat exploits a vulnerability to compromise an asset (EK 2.1.D.1). Remove any one piece and there's no risk, which is why patching a vulnerability can shut down a threat without ever touching the attacker.

Types of Adversaries (Unit 2)

Most threats are people. Script kiddies, hacktivists, and insider adversaries (EK 2.1.B) are all threat actors with different skill levels and motives. Insider adversaries are especially dangerous threats because they already hold legitimate credentials and access.

Defense in Depth / Layered Defense (Unit 2)

Defense in depth exists because no single control stops every threat. EK 2.1.G.2 says layering lets an organization address different types of threats, each with the control best suited to it. It's a direct answer to the fact that threats are varied.

Social Engineering Tactics (Unit 2)

Social engineering is a threat technique that targets people instead of systems. Pretexting, authority, intimidation, and consensus (EK 2.1.A) are all ways a threat actor manipulates a target into doing what they want, no exploit code required.

Is threat on the AP Cybersecurity exam?

Multiple-choice questions love to hand you a scenario and ask you to identify the threat. A classic stem: an attacker emails employees claiming to be IT and demanding they verify credentials "or face account suspension," and you pick the social engineering technique at work (that one combines authority and intimidation). Another asks you to spot an example of an insider adversary threat. You're expected to read a situation, name the type of threat, and connect it to the right defense or risk factor. For free response, you may be asked to walk through a risk assessment, where you'd identify the threat, the vulnerability it exploits, and the asset at stake, then recommend a way to manage that risk (avoid, transfer, mitigate, or accept).

Threat vs vulnerability

A threat is the potential source of harm (the attacker, the technique, the event). A vulnerability is the weakness that lets the threat get through (an unpatched system, a gullible employee). The threat is the burglar; the vulnerability is the unlocked window. EK 2.1.D.1 says risk happens only when a threat can actually exploit a vulnerability, so you need both for there to be real risk.

Key things to remember about threat

  • A threat is anything that can exploit a vulnerability to compromise an asset, and it's one of the three ingredients of risk.

  • A threat by itself is not risk; risk only exists when a threat has a vulnerability to exploit and a valuable asset to target (EK 2.1.D.1).

  • Threats include human adversaries like script kiddies, hacktivists, and insider adversaries, as well as the techniques they use, like social engineering.

  • Defense in depth is the answer to the variety of threats, since layering controls means each threat can be met by the control best suited to stop it (EK 2.1.G.2).

  • On the exam, you read a scenario, name the threat, and link it to the vulnerability, asset, or control involved.

Frequently asked questions about threat

What is a threat in AP Cybersecurity?

A threat is any person, technique, or event that can exploit a vulnerability to harm an asset. It's the danger side of the risk equation defined in EK 2.1.D.1, alongside vulnerability and asset.

Is a threat the same as a vulnerability?

No. A threat is the source of potential harm, like an attacker or a phishing email, while a vulnerability is the weakness the threat exploits, like an unpatched system. You need both, plus an asset, for there to be actual risk.

Does a threat always mean there's risk?

No. A threat only creates risk when it can actually exploit a vulnerability to compromise an asset. If you close the vulnerability, the threat still exists but the risk drops, which is the whole point of risk mitigation.

Are insiders considered threats in AP Cybersecurity?

Yes. Insider adversaries are a distinct type of threat (EK 2.1.B.3) and a uniquely dangerous one, because they already have legitimate credentials and access to systems and data.

How does a threat connect to defense in depth?

Because threats come in many forms, no single control can stop them all. Defense in depth layers multiple controls so each type of threat is met by the control best suited to mitigate it (EK 2.1.G.2).
