AP exam review verified for 2027

AP Cybersecurity Unit 1 Review: Introduction to Security

Review AP Cybersecurity Unit 1 to build your foundation in how adversaries attack systems and how defenders respond. This unit covers social engineering, password attacks, public Wi-Fi threats, and how AI is reshaping both offense and defense.

Use the topic guides, key terms, and practice questions available for every topic in this unit to sharpen your understanding before the exam.

What is AP Cybersecurity unit 1?

Unit 1 establishes the adversarial mindset that runs through all of AP Cybersecurity. Before students secure spaces, networks, devices, or applications in later units, they need to understand how attacks actually work and why people fall for them.

Unit 1 covers how adversaries use psychological manipulation, weak authentication, wireless vulnerabilities, and AI-powered tools to compromise systems, and how defenders can counter each threat.

Humans as the attack surface

Social engineering targets people, not machines. Adversaries use intimidation and urgency to pressure targets into revealing credentials, clicking malicious links, or downloading malware, often through email, text, or social media.

Authentication as a control point

Weak passwords built on predictable patterns give adversaries a foothold. Strong, unique passwords combined with multifactor authentication (MFA) close the gap that online password attacks and dictionary attacks exploit.

AI changes the threat landscape

Generative AI and voice cloning let adversaries craft convincing phishing messages and impersonate real people. Defenders use AI in return to review configurations, scan code, and sort millions of network events to flag malicious activity.

Attackers exploit the weakest link

Whether the target is a person responding to a fake urgent email, a user with a guessable password, or a traveler connecting to an evil twin network, adversaries consistently look for the path of least resistance. Unit 1 trains you to recognize that path and understand the defenses that block it.

AP Cybersecurity unit 1 topics

1.1 Understanding Social Engineering

Covers how adversaries use intimidation, urgency, authority, familiarity, and scarcity to manipulate targets into revealing information, clicking malicious links, or downloading malware. Includes impacts such as impersonation, account takeover, and malware installation.

1.2 Suspicious Website Logins

Covers how adversaries exploit weak passwords and predictable patterns through online password attacks and dictionary attacks. Explains how to recognize attack signs in authentication logs and how strong passwords, passphrases, password managers, and MFA strengthen authentication.

1.3 Best Practices for Public Networks

Covers adversary skill levels and motivations, and three wireless attack types: evil twin, jamming, and war driving. Explains protective actions including verifying SSIDs, relying on HTTPS, and using a VPN on untrusted networks.

1.4 AI-Based Cybersecurity Attacks

Covers how adversaries use AI tools including LLMs, voice cloning, and deepfakes to enhance phishing, impersonation, reconnaissance, and malware development. Explains defenses including shared secrets, MFA, keeping sensitive data out of AI tools, and verifying AI output.

1.5 Leveraging AI in Cyber Defense

Covers how defenders use AI-powered tools to review security configurations, scan application code, suggest detection rules, and analyze large volumes of network events to detect threats. Emphasizes that human experts must review all AI recommendations before implementation.

Unit 1 review notes

1.1 Understanding Social Engineering

Social engineering attacks manipulate people rather than exploiting technical vulnerabilities. Adversaries use psychological principles to get targets to reveal sensitive information (elicitation), click malicious links, or download malicious files. Attacks arrive by email, text (smishing), phone (vishing), social media, or in person.

  • Intimidation: Threatening a target with negative consequences to pressure compliance, such as claiming an account will be closed unless the user acts immediately.
  • Urgency: Creating artificial time pressure so the target acts before thinking critically about whether the request is legitimate.
  • Elicitation: Subtly drawing out sensitive information from a target through seemingly normal conversation or requests.
  • Impact (personal information): Victims may hand over names, birthdates, pet names, or addresses that adversaries use to answer security challenge questions or impersonate the victim.
  • Impact (malware): Clicking a malicious link or downloading a malicious file can install malware that steals browser credentials or gives an adversary remote access.

Can you explain why urgency is effective as a psychological tactic and give one example of how an adversary would use it in a phishing email?

Tactic | Psychological Principle | Example Delivery
Intimidation | Fear of negative consequences | Email threatening account suspension
Urgency | Pressure to act before thinking | Text claiming a package will be returned in 2 hours
Familiarity | Trust in known entities | Message appearing to come from a coworker
Authority | Deference to figures of power | Impersonating IT support or a manager
Scarcity | Fear of missing out | Offer expiring in minutes to force a quick click

1.2 Suspicious Website Logins and Authentication

Online password attacks involve adversaries submitting login guesses to a live account using common passwords, predictable patterns, or stolen credentials. Weak passwords built on personal information make these attacks easier. Strong passwords and MFA are the primary defenses.

  • Signs of a password attack: Many failed logins in a short window, login attempts at unusual hours, and attempts from unrecognized devices all appear in authentication logs.
  • Dictionary attack: An adversary builds a list of likely passwords from personal information about the target, such as birthdays, pet names, and anniversaries, then uses an automated tool to submit them.
  • Weak password patterns: Common patterns include a word plus a two-digit year plus a special character at the end, or names of family members and pets.
  • Strong password practices: Passwords should be long, random, and unique per account. A password manager can generate and store them, or users can create long passphrases.
  • Multifactor authentication (MFA): Requires a second proof of identity, such as a one-time password (OTP) sent to a phone, in addition to the password, so a stolen password alone is not enough to gain access.

What three signs in an authentication log suggest an online password attack is underway, and what two defenses most directly reduce the risk?

Attack Type | How It Works | Key Defense
Online password attack | Submits guesses directly to a live login page | Account lockout policies and MFA
Dictionary attack | Uses a custom list built from the target's personal information | Avoid personal information in passwords
Credential stuffing | Replays username/password pairs stolen from other breaches | Unique password per account
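
The three log signs listed above, turned into a small detector as an added example (not from the course materials or any product). It parses constructed log lines in an assumed `timestamp user result device` format; the failure threshold, business hours, and known-device list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log (not real data). Each line:
#   <ISO timestamp> <username> <OK|FAIL> <device fingerprint>
SAMPLE_LOG = """\
2024-03-04T02:03:11 alice FAIL dev-9f21
2024-03-04T02:03:14 alice FAIL dev-9f21
2024-03-04T02:03:16 alice FAIL dev-9f21
2024-03-04T02:03:19 alice FAIL dev-9f21
2024-03-04T02:03:22 alice FAIL dev-9f21
2024-03-04T02:03:25 alice FAIL dev-9f21
2024-03-04T02:04:01 alice OK dev-9f21
2024-03-04T09:15:40 bob OK dev-1a2b
2024-03-04T09:16:02 bob FAIL dev-1a2b
2024-03-04T09:16:30 bob OK dev-1a2b
"""

# Devices each user has logged in from before (constructed; a real system
# would keep this in the identity provider).
KNOWN_DEVICES = {"alice": {"dev-77aa"}, "bob": {"dev-1a2b"}}

FAIL_THRESHOLD = 5              # failures inside WINDOW that count as a burst (assumed)
WINDOW = timedelta(minutes=5)
NORMAL_HOURS = range(7, 20)     # 07:00-19:59 local time; assumed business hours


def parse_log(text):
    """Turn the raw lines into (timestamp, user, result, device) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, result, device = line.split()
        events.append((datetime.fromisoformat(ts), user, result, device))
    return events


def find_attack_signs(events):
    """Return {user: sorted list of signs} for users showing any of the three signs."""
    signs = defaultdict(set)
    recent_fails = defaultdict(list)   # user -> failure timestamps inside the window
    for ts, user, result, device in sorted(events):
        # Sign 1: many failed logins in a short window (sliding 5-minute window)
        if result == "FAIL":
            window = [t for t in recent_fails[user] if ts - t <= WINDOW] + [ts]
            recent_fails[user] = window
            if len(window) >= FAIL_THRESHOLD:
                signs[user].add("burst_of_failures")
        # Sign 2: attempts at unusual hours (applies to successes and failures)
        if ts.hour not in NORMAL_HOURS:
            signs[user].add("off_hours_attempt")
        # Sign 3: attempts from a device the user has never used before
        if device not in KNOWN_DEVICES.get(user, set()):
            signs[user].add("unrecognized_device")
    return {user: sorted(s) for user, s in signs.items()}


def recommended_controls(user_signs):
    """Map the findings to the unit's two primary defenses."""
    controls = set()
    if "burst_of_failures" in user_signs:
        controls.add("account lockout / rate limit")
    if user_signs:
        controls.add("require MFA")
    return sorted(controls)


if __name__ == "__main__":
    for user, found in find_attack_signs(parse_log(SAMPLE_LOG)).items():
        print(user, found, "->", recommended_controls(found))
```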

1.3 Best Practices for Public Networks

Public Wi-Fi is a convenient attack surface. Adversaries range from low-skilled users running downloaded tools to high-skilled operators who build custom exploits and discover zero-day vulnerabilities. Three wireless attack types appear on the exam: evil twin, jamming, and war driving.

  • Evil twin attack: An adversary sets up a wireless access point (WAP) with an SSID identical or similar to a legitimate network. Victims who connect unknowingly send their traffic through the adversary's network.
  • Jamming attack: An adversary floods the wireless frequency with electromagnetic signals, blocking legitimate traffic between users and the access point. This is a denial of service (DoS) attack.
  • War driving: An adversary drives or walks through an area scanning for wireless network beacons to map available networks and identify vulnerable targets.
  • VPN: A virtual private network encrypts all traffic from the user to the VPN operator's servers, preventing a rogue access point from reading the content, though the VPN provider itself can see the traffic.
  • HTTPS: An encrypted protocol that protects the content of web traffic even on an untrusted network; an evil twin adversary cannot read HTTPS traffic.

Describe how an evil twin attack works and identify two actions a user can take to reduce their risk on public Wi-Fi.

Attack | Mechanism | Effect on Victim
Evil twin | Rogue WAP mimics legitimate SSID | Traffic captured by adversary
Jamming | EM signal floods wireless frequency | Users lose network access (DoS)
War driving | Scanning for network beacons while mobile | Adversary maps vulnerable networks for later targeting
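
The "verify the SSID before connecting" advice, as an added example that is not part of the course materials: the check groups a constructed Wi-Fi scan by network name and flags the evil twin indicators a user or help desk could look for. The scan tuples, and the security type and BSSID prefix the venue is assumed to have published, are all constructed.

```python
from collections import defaultdict

# Constructed scan results, standing in for the output of an OS Wi-Fi scan:
# (SSID as broadcast, BSSID, security type, signal strength in dBm)
SCAN = [
    ("CafeGuest", "a4:91:b1:12:34:56", "WPA2", -48),
    ("CafeGuest", "02:00:00:aa:bb:cc", "OPEN", -35),   # same name, different radio, unencrypted
    ("CafeGuest ", "a4:91:b1:12:34:57", "WPA2", -50),  # trailing-space look-alike name
    ("Airport_Free", "d8:5d:4c:01:02:03", "OPEN", -60),
    ("Library-Staff", "3c:22:fb:10:20:30", "WPA3", -55),
]

# What the venue itself published about its network (constructed): the
# security type and the hardware address prefix of its access points.
EXPECTED = {"CafeGuest": {"security": "WPA2", "bssid_prefix": "a4:91:b1"}}


def normalize(ssid):
    """Collapse whitespace and case tricks so look-alike names group together."""
    return " ".join(ssid.split()).casefold()


def evil_twin_indicators(scan, expected):
    """Return {normalized SSID: sorted warning flags} for every name seen in the scan."""
    expected_norm = {normalize(name): info for name, info in expected.items()}
    by_name = defaultdict(list)
    for entry in scan:
        by_name[normalize(entry[0])].append(entry)

    report = {}
    for name, aps in by_name.items():
        flags = set()
        if len({ssid for ssid, _, _, _ in aps}) > 1:
            flags.add("lookalike_ssid")        # names that differ only by spacing/case
        if len({sec for _, _, sec, _ in aps}) > 1:
            flags.add("mixed_security")        # one copy encrypted, another open
        if any(sec == "OPEN" for _, _, sec, _ in aps):
            flags.add("open_network")          # rely on HTTPS/VPN if you must use it
        info = expected_norm.get(name)
        if info:
            for _, bssid, sec, _ in aps:
                if sec != info["security"]:
                    flags.add("security_mismatch")   # not what the venue says it runs
                if not bssid.startswith(info["bssid_prefix"]):
                    flags.add("unexpected_bssid")    # radio is not the venue's hardware
        report[name] = sorted(flags)
    return report


def ssid_verified(report, ssid):
    """True only when nothing about this SSID contradicts what the venue published."""
    return not report.get(normalize(ssid), [])


if __name__ == "__main__":
    report = evil_twin_indicators(SCAN, EXPECTED)
    for name, flags in report.items():
        print(name, "verified" if not flags else flags)
```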

1.4 AI-Based Cybersecurity Attacks

AI does not create entirely new attack categories. It makes existing attacks, such as phishing, impersonation, and malware development, faster, cheaper, and more convincing. Adversaries use large language models (LLMs) to write polished phishing messages in any language and use voice cloning and deepfake technology to impersonate real people on calls or video.

  • Voice cloning and deepfakes: AI tools use existing voice and image samples to create a digital avatar that can impersonate someone on a phone call or video call, enabling financial fraud or credential theft.
  • LLM-generated phishing: Generative AI removes the grammatical errors that once helped users spot phishing messages, making AI-crafted messages harder to distinguish from legitimate communication.
  • Shared secrets: A pre-agreed word or phrase known only to two trusted parties can verify identity in high-stakes situations where voice or video impersonation is possible.
  • Prompt injection: An adversary embeds malicious instructions in content that an AI tool processes, causing the AI to take unintended actions or leak information.
  • Training data poisoning: Adversaries corrupt the data used to train an AI model so the model produces incorrect or harmful outputs.

Explain why LLM-generated phishing messages are harder to detect than traditional phishing, and name two defenses against AI-augmented impersonation attacks.

1.5 Leveraging AI in Cyber Defense

Defenders use AI-powered tools to handle the scale of modern network activity that humans cannot review manually. AI assists with hardening configurations, finding code vulnerabilities, suggesting detection rules, and sorting millions of daily network events to surface likely malicious activity. Human review of AI recommendations is always required before implementation.

  • Configuration review: AI tools analyze firewall rules and access controls and recommend more secure settings; a qualified security technician must verify recommendations before applying them.
  • Code vulnerability scanning: AI-powered tools scan application code to identify security flaws and suggest fixes; a knowledgeable programmer reviews findings before changes are made.
  • Automated detection systems: AI can suggest and apply detection rules that flag suspicious events; a detection engineer reviews rules before they go live.
  • Threat detection at scale: AI sorts millions of daily network events to separate likely malicious activity from harmless events, then alerts human analysts or triggers automated responses.
  • Human oversight requirement: AI assists but does not replace expert judgment. Every AI recommendation in a security context must be reviewed by a qualified human before it is acted on.

Name three specific tasks where AI-powered tools assist cyber defenders, and explain why human review is required in each case.

Defensive Use Case | What AI Does | Who Reviews
Configuration hardening | Recommends stronger firewall and access control settings | Security technician
Code vulnerability scanning | Identifies flaws and suggests mitigations | Programmer
Detection rule creation | Suggests rules for automated detection systems | Detection engineer
Threat detection | Sorts network events and flags likely malicious activity | Cybersecurity analyst
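
The alert-versus-automate decision this topic describes, as an added example (not the course's or any vendor's code): a triage routine that sends a volume anomaly to an analyst unless several independent indicators agree, and records rather than acts on jobs that match an approved schedule. The per-user baselines, spike ratio, off-hours range, and maintenance window are constructed.

```python
# Constructed baselines: each user's typical daily file-download volume in MB.
BASELINE_MB = {"jsmith": 120.0, "backup-svc": 4000.0}

# Constructed list of approved jobs that legitimately run after hours:
# (user, start_hour, end_hour), local time, end exclusive.
MAINTENANCE_WINDOWS = [("backup-svc", 1, 4)]

SPIKE_RATIO = 10.0                                  # assumed: 10x baseline or more is anomalous
OFF_HOURS = set(range(0, 6)) | set(range(21, 24))   # assumed: 21:00-05:59 is unusual


def in_maintenance_window(user, hour):
    return any(u == user and start <= hour < end for u, start, end in MAINTENANCE_WINDOWS)


def score_event(user, hour, volume_mb, known_device):
    """Compare one observation with the user's baseline and list the independent indicators."""
    base = BASELINE_MB.get(user)
    ratio = volume_mb / base if base else float("inf")   # no baseline at all: treat as anomalous
    indicators = []
    if ratio >= SPIKE_RATIO:
        indicators.append("volume_spike")
    if hour in OFF_HOURS:
        indicators.append("off_hours")
    if not known_device:
        indicators.append("unrecognized_device")
    return ratio, indicators


def triage(user, hour, volume_mb, known_device):
    """Decide the response tier for one detection.

    The default for anything anomalous is to alert an analyst with the context
    attached. Automatic containment is reserved for events where every
    independent indicator is present and no scheduled job explains it, because
    disabling an account on a single signal can take down legitimate work.
    """
    ratio, indicators = score_event(user, hour, volume_mb, known_device)
    result = {"user": user, "ratio": round(ratio, 2), "indicators": indicators}
    if not indicators:
        result["action"] = "none"
    elif in_maintenance_window(user, hour) and "unrecognized_device" not in indicators:
        result["action"] = "log_only"           # matches an approved job; keep the record
    elif len(indicators) == 3:
        result["action"] = "disable_and_alert"  # corroborated; contain, then have a human confirm
    else:
        result["action"] = "alert_analyst"      # let a person rule out a backup or migration
    return result


if __name__ == "__main__":
    # 02:00 is the hour from the kind of scenario this topic is examined with.
    for case in [("jsmith", 2, 1200.0, True),
                 ("backup-svc", 2, 40000.0, True),
                 ("jsmith", 2, 1200.0, False),
                 ("jsmith", 14, 100.0, True)]:
        print(triage(*case))
```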

Practice AP Cybersecurity unit 1 questions

Try AP-style multiple-choice questions and written prompts after you review the notes.

Example AP-style MCQs

Question 1

An AI-powered detection system at a financial institution identifies a user account downloading ten times its normal daily file volume at 2 a.m. The system is configured with two response options: alert a human analyst or automatically disable the account. Which configuration decision best reflects a layered security approach for this scenario?

A. Alert a human analyst first, because context such as a scheduled backup job could explain the anomaly before account access is disrupted
B. Automatically disable the account immediately, because any after-hours file download spike is definitively a sign of credential compromise
C. Ignore the alert entirely, because AI detection systems produce too many false positives to be actionable without additional corroborating evidence
D. Forward the alert directly to law enforcement, because internal analysts lack authority to investigate potential data theft incidents

Question 2

A security analyst discovers that an adversary successfully bypassed a company's voice-based login system and also extracted confidential project details that an employee had previously typed into a public AI assistant. Which combination of defenses would have addressed both vulnerabilities simultaneously?

A. Enabling MFA to block voice-clone logins and prohibiting sensitive data entry into public AI tools to prevent prompt-based extraction
B. Establishing shared secrets with all employees and verifying all AI output using reputable non-AI sources for every login attempt
C. Enabling MFA to block voice-clone logins and verifying AI output with reputable sources to prevent prompt-based extraction
D. Prohibiting sensitive data entry into public AI tools to block voice-clone logins and enabling MFA to prevent prompt-based extraction

Key terms

  • social engineering: Attacks that use psychological manipulation rather than technical exploits to trick targets into revealing information, clicking malicious links, or downloading malicious files.
  • intimidation: A social engineering tactic that threatens a target with negative consequences to pressure them into complying with an adversary's request.
  • urgency: A social engineering tactic that creates artificial time pressure, preventing targets from thinking critically before acting.
  • elicitation: Subtly drawing sensitive information out of a target through seemingly normal conversation or requests.
  • phishing: A social engineering attack delivered by email that tricks recipients into revealing credentials, clicking malicious links, or downloading malware.
  • online password attack: An attack in which an adversary submits login guesses directly to a live account using common passwords, predictable patterns, or stolen credentials.
  • dictionary attack: A password attack that uses a custom list of likely passwords built from personal information about the target, submitted by an automated tool.
  • multifactor authentication: An authentication method requiring two or more proofs of identity, such as a password plus a one-time code, so a stolen password alone cannot grant access.
  • evil twin attack: An attack in which an adversary sets up a rogue wireless access point with an SSID matching a legitimate network to capture victim traffic.
  • jamming attack: An attack that floods a wireless frequency with electromagnetic signals to block legitimate network traffic, creating a denial of service condition.
  • war driving: The practice of scanning for wireless network beacons while moving through an area to map available networks and identify vulnerable targets.
  • VPN: A virtual private network that encrypts all user traffic to the VPN operator's servers, preventing a rogue access point from reading traffic content.
  • deepfake: AI-generated audio or video that realistically impersonates a real person, used by adversaries to commit fraud or extract sensitive information.
  • large language model: A generative AI system that adversaries can use to craft convincing, grammatically correct phishing messages in any language at scale.
  • zero day: An undocumented vulnerability that has not been publicly disclosed or patched, discoverable only by high-skilled adversaries.

Common unit 1 mistakes

Confusing intimidation and urgency

Intimidation threatens negative consequences to force compliance. Urgency creates time pressure to prevent careful thinking. They often appear together in the same attack, but they are distinct psychological mechanisms and the exam may ask you to identify each separately.

Thinking HTTPS makes an evil twin harmless

HTTPS does protect the content of web traffic even on a rogue network, but an evil twin can still capture unencrypted traffic, DNS queries, and metadata. Verifying the SSID before connecting is still necessary.

Assuming a VPN makes public Wi-Fi fully safe

A VPN encrypts traffic between the user and the VPN provider, blocking the rogue access point from reading it. However, the VPN provider itself can see the traffic. A VPN shifts trust; it does not eliminate it.

Treating AI recommendations as automatically correct

AI-powered tools can suggest stronger configurations, flag code vulnerabilities, and propose detection rules, but every recommendation must be reviewed by a qualified human before implementation. AI assists; it does not replace expert judgment.

Overlooking MFA as a defense against AI impersonation

Voice cloning can defeat voice-based authentication alone. MFA adds a second factor that a cloned voice cannot satisfy, making it an effective layer of defense even when AI impersonation is convincing.

How this unit shows up on the AP exam

Scenario-based identification tasks

Expect questions that present a short attack scenario and ask you to identify the attack type, the psychological tactic used, or the adversary skill level. Practice reading scenarios carefully to distinguish, for example, an evil twin from a jamming attack, or intimidation from urgency in a phishing message.

Explain and justify defense choices

Questions may ask you to explain why a specific defense, such as MFA, a VPN, or a strong passphrase, addresses a particular threat. Be ready to connect the mechanism of the attack to the mechanism of the defense rather than just naming the tool.

AI attack versus AI defense reasoning

Because AI appears on both sides of Unit 1, questions may ask you to compare how AI is used offensively versus defensively, or to explain why human oversight is required even when AI tools are used for defense. Practice articulating the limits of AI recommendations in security contexts.

Final unit 1 review checklist

  • Identify social engineering tactics: Be able to name and explain intimidation, urgency, authority, familiarity, and scarcity, and describe how each manipulates a target's behavior.
  • Explain social engineering impacts: Know the three main outcomes: giving up personal information that enables impersonation, surrendering an OTP that enables account takeover, and downloading malware that compromises the device.
  • Recognize password attack signs and defenses: List the three signs of an online password attack visible in authentication logs, and explain how long unique passwords, password managers, passphrases, and MFA each reduce risk.
  • Describe wireless attack types: Explain how evil twin, jamming, and war driving attacks work, including the role of SSIDs, WAPs, and electromagnetic signals, and identify the correct defense for each.
  • Classify adversaries by skill and motivation: Distinguish low-skilled adversaries who use existing tools from high-skilled adversaries who create new tools and discover zero-day vulnerabilities. Know the range of motivations including greed, ideology, and revenge.
  • Explain AI-augmented attack types: Describe how LLMs improve phishing quality, how voice cloning and deepfakes enable impersonation, and how prompt injection and training data poisoning target AI systems themselves.
  • Explain AI in cyber defense with human oversight: Name the four defensive use cases for AI tools (configuration review, code scanning, detection rules, threat detection) and state why a qualified human must review AI output before it is implemented.

How to study unit 1

Step 1: Social engineering tactics and impacts. Read the Topic 1.1 guide and review the key terms for intimidation, urgency, elicitation, phishing, smishing, and vishing. Practice explaining how each tactic works and what happens to a victim who falls for it, focusing on the three impact categories: personal info, OTP theft, and malware.

Step 2: Password attacks and authentication defenses. Read the Topic 1.2 guide and review the key terms for online password attack, dictionary attack, credential stuffing, MFA, OTP, passphrase, and password manager. Use the comparison table in the review notes to distinguish attack types and their specific defenses.

Step 3: Public Wi-Fi threats and wireless attack types. Read the Topic 1.3 guide and review the key terms for evil twin attack, jamming attack, war driving, SSID, WAP, VPN, and zero day. Practice classifying adversaries by skill level and matching each wireless attack to its mechanism and the correct defensive action.

Step 4: AI-augmented attacks and defenses. Read the Topic 1.4 guide and review the key terms for deepfake, voice cloning, LLM, generative AI attack, prompt injection, and training data poisoning. For each AI attack type, write out the specific defense that counters it, including shared secrets and MFA for impersonation.

Step 5: AI in cyber defense and human oversight. Read the Topic 1.5 guide and review the key terms for AI-powered cyber defense, automated detection system, and threat detection. Use the comparison table to connect each defensive use case to the correct human reviewer, then work through available practice questions to check your understanding across all five topics.

More ways to review

Topic study guides

Open the individual guides for Unit 1 when you want a closer review of one topic.

Frequently Asked Questions

What topics are covered in AP Cyber Unit 1?

AP Cyber Unit 1 covers 5 topics: 1.1 Understanding Social Engineering, 1.2 Suspicious Website Logins, 1.3 Best Practices for Public Networks, 1.4 AI-Based Cybersecurity Attacks, and 1.5 Leveraging AI in Cyber Defense. Together they build a foundation in how adversaries attack systems and how to defend against them. See the full topic breakdown at /ap-cybersecurity/unit-1.

What's on the AP Cyber Unit 1 progress check (MCQ and FRQ)?

The AP Cyber Unit 1 progress check includes both MCQ and FRQ parts drawn from all five unit topics: social engineering, suspicious website logins, public network safety, AI-based attacks, and AI in cyber defense. MCQ questions test recognition of attack types and defensive strategies. FRQ questions ask you to explain or analyze a scenario using those same concepts. For matched practice questions that mirror the progress check format, visit /ap-cybersecurity/unit-1.

How do I practice AP Cyber Unit 1 FRQs?

AP Cyber Unit 1 FRQs most often come from topics like Understanding Social Engineering (1.1), Suspicious Website Logins (1.2), and AI-Based Cybersecurity Attacks (1.4). These questions typically ask you to identify an attack type, explain how it works, or recommend a defensive measure for a given scenario. To practice, write out short scenario-based responses, then check whether you named the specific attack or defense and explained the reasoning clearly. You can find Unit 1 FRQ practice at /ap-cybersecurity/unit-1.

Where can I find AP Cyber Unit 1 practice questions?

The best place to find AP Cyber Unit 1 practice questions, including multiple-choice and practice test sets, is /ap-cybersecurity/unit-1. That page has MCQ practice covering all five topics: social engineering, suspicious website logins, public network safety, AI-based attacks, and AI in cyber defense. Working through unit-specific MCQs before a full practice test helps you spot which topics need more review.

How should I study AP Cyber Unit 1?

Start AP Cyber Unit 1 by learning the attack types first: social engineering (1.1), weak authentication exploits (1.2), and public Wi-Fi threats (1.3). Once those feel solid, move to the AI topics (1.4 and 1.5), which build on the same attacker-vs-defender framework. For each topic, try to explain the attack in plain language, then name one concrete defense. That pattern shows up in both MCQ and FRQ questions. Find study guides and practice for all five topics at /ap-cybersecurity/unit-1.

Ready to review Unit 1? Start with the notes, check the topic cards, and use the practice or resource links when they are available for this course.