AP Cybersecurity › PLTW Unit 3

Unit 3 Network Security

Files, processes, Wireshark, firewalls, segmentation, and four layers of traffic analysis. The most AP-exam-aligned unit in the course. Ends with the Water Treatment Facility Breach — a critical infrastructure cyber case with a 72-hour deadline.

📋 PLTW Unit 3 · Tri 3🕐 ~5 weeks📺 14 Activities + Projects🎯 Problem: 3.4.1⏱️ 72-hour in-scenario deadline📝 AP Topics: 3.1–3.5 · 4.4 · 5.2
You just landed your first job as a Junior Security Analyst at the city's water department. Within weeks, the facility is hacked — and the city has three days of water left. Read the full case →
Activity — builds the skill
Project — applies it in a lab
PLTW Only — redirects to PLTW platform
Problem — capstone cyber case (do last)
3.1 — Files and Processes
Activity3.1.1

Commanding the OS

CLI fundamentals. Linux file system navigation, command-line tools, and abstraction layers. The hands-on foundation for every AP 5.2 access control lab that follows.

CLI navigationLinux file systemCommand-line toolsAP 5.2.C–D
🕐 2 class daysOpen Activity →
Activity3.1.2

Access Control

RBAC, RuBAC, DAC, MAC — compared side by side and applied in the virtual environment. Students configure access controls and justify their model choice in writing. The AP FRQ will ask them to do exactly this.

RBACDACMACRuBACchmod / chownAP 5.2.B–D
🕐 2–3 class daysOpen Activity →
Activity3.1.3

Analyzing Processes

Malicious process identification from behavior patterns. Authentication log reading introduced again — password spraying vs. credential stuffing vs. brute force — the IOC signatures that distinguish them from each other.

Process analysisPassword sprayingBrute forceCredential stuffingAP 4.4.A–D
🕐 2–3 class daysOpen Activity →
Project3.1.4

Find the Secrets

Project: Hidden file discovery and access control forensics. Students produce an IOC table in AP Skill 3.D format — evidence documented, confidence rated, source cited.

Hidden filesForensic discoveryIOC tableAP 5.2.C–DAP 4.4.A–DAP Skill 3.D
🕐 2–3 class daysOpen Project →
3.2 — Attacks from the Net
Activity3.2.1PLTW

Where Can I Learn More About Cybersecurity?

SANS, NIST, MITRE ATT&CK. Career orientation and resource literacy. PLTW-only content — but introducing the MITRE ATT&CK framework here pays dividends in every remaining unit.

MITRE ATT&CKNISTSANSCareer resourcesPLTW Only
🕐 1–2 class daysOpen Activity →
Activity3.2.2

Baseline Network Traffic

Wireshark returns. Capture baseline traffic, identify protocols, spot anomalies against the known-good baseline. ARP poisoning, MAC flooding, and DNS poisoning observed in actual packet captures. AP 3.1 attack vocabulary applied to real traffic.

WiresharkBaseline captureARP poisoningDNS poisoningDoS/DDoSAP 3.1.A–C
🕐 2–3 class daysOpen Activity →
Activity3.2.3

Unknown Network Traffic

Suspicious traffic investigation. IDS/IPS and SIEM introduced. The first full log-to-network-IOC workflow — the exact skill that AP 3.5.E tests directly on the exam.

Unknown trafficIDS / IPSSIEMNetwork IOCsAP 3.1.A–BAP 3.5.A–BAP 3.5.E
🕐 2–3 class daysOpen Activity →
Activity3.2.4

Analyze and Defend Network Attacks

Wireless security (WPA3, evil twin, deauthentication), firewall types, ACL rules, and firewall placement. AP Scenario 3A — hospital network firewall configuration — fits directly into this lab.

WPA3Evil twinFirewall typesACL rulesAP 3.2.A–BAP 3.4.A–DScenario 3A
🕐 2–3 class daysOpen Activity →
Activity3.2.5

Exploring Security Frameworks

NIST CSF and MITRE ATT&CK mapped to real network architecture. Network segmentation — DMZ and VLANs — as applied concepts placed on actual network diagrams rather than just defined.

NIST CSFMITRE ATT&CKDMZVLANsSegmentationAP 2.1.A–GAP 3.3.A–B
🕐 2 class daysOpen Activity →
Project3.2.6

Eradicate the Vulnerabilities

Project: Full network vulnerability remediation. Students implement and log mitigations in AP Skill 2.D format — the documentation habit the FRQ demands. Every fix gets a justification.

Vulnerability remediationMitigation loggingAP 3.1–3.5AP Skill 2.DAP Skill 2
🕐 2–3 class daysOpen Project →
3.3 — Analyzing the Net
Activity3.3.1

Analyzing Address

Address-layer attack analysis. ARP poisoning and IP spoofing identified in log output. AP 3.5.E applied directly — students identify IOCs from network address evidence in the packet capture.

ARP poisoningIP spoofingAddress IOCsAP 3.1.AAP 3.5.E.1–3
🕐 2 class daysOpen Activity →
Activity3.3.2

Analyzing Control

Control-plane attacks — MAC flooding and protocol exploitation. Activities 3.3.1 through 3.3.4 all analyze the same attack type from a different layer. Different lens, same detection skill.

MAC floodingControl-planeProtocol exploitationAP 3.1.BAP 3.5.E.4–5
🕐 2 class daysOpen Activity →
Activity3.3.3

Analyzing Packet Fragmentation

DoS and DDoS via fragmentation. Volumetric attack signatures in traffic logs. When the traffic itself is the weapon — and what the log looks like when a network is overwhelmed.

DoS / DDoSPacket fragmentationVolumetric attacksAP 3.1.AAP 3.5.E.6–7
🕐 2 class daysOpen Activity →
Activity3.3.4

Analyzing Wireless Authentication

WPA/WPA2/WPA3 authentication traffic. Evil twin and deauthentication attack patterns in wireless captures. Students read wireless IOCs the same way they read wired ones.

WPA2 / WPA3Evil twin patternDeauth attackWireless IOCsAP 3.2.A–B
🕐 2 class daysOpen Activity →
Project3.3.5

Analyzing the Attack

Project: Full network attack analysis from digital evidence. IOC table and incident summary written in AP Skill 3.D format. The exam FRQ rehearsal — same structure, same expectations.

Full attack analysisIOC tableIncident summaryAP 3.1–3.2AP 3.5.A–EAP Skill 3.D
🕐 2–3 class daysOpen Project →
3.4 — Secure the Net (Problem)
⚡ Problem3.4.1

Is the Network Under Water? · Water Treatment Facility Breach

The Unit 3 capstone cyber case. A critical infrastructure breach with a 3-day deadline. Requires all 14 preceding activities and projects. The most directly AP-exam-aligned Problem in the course.

AP Skills 1–3Critical infrastructureNetwork risk assessmentAP 3.1–3.5 (full)FRQ format
🕐 3–5 class daysOpen Case →
⛔ Problem 3.4.1 — Dependency Warning
All 14 activities and projects (3.1.1 → 3.3.5) must be complete before attempting the Water Treatment Facility Breach. This is the biggest dependency chain in the course. Do not skip steps.
Open Case →
🎓 AP Classroom — Progress Check
Unit 3 covers all of AP Unit 3 (Securing Networks). Complete the AP Unit 3 progress check after Problem 3.4.1 — this is the highest-stakes progress check before the exam.
AP Classroom →
Built with v0