Cyber Security Engineer Interview Questions

100 real questions from Google, Microsoft, CrowdStrike & Palo Alto. Model answers. What they’re actually scoring.

6 free answers — click any question to read the model answer + what they’re actually scoring
> filter: 100/100
network-infrastructure1 free ↓
01
You suspect lateral movement inside your network. Walk me through how you would investigate using network forensics and packet capture.
Tricky because the question is testing operational process, not just tool knowledge. Candidates who list tools without describing a hypothesis-driven workflow expose themselves.
free
The first thing I do is establish a timeline. If I have an EDR alert or a SIEM correlation that triggered the suspicion, I anchor on the timestamp and affected host. From there I pull NetFlow or firewall logs first, not full packet capture, because NetFlow is retention-friendly and gives me the connection graph: which hosts the suspected host communicated with, on which ports, and how much data moved. I am looking for patterns inconsistent with normal behavior: a workstation making SMB connections to 20 other workstations it has never talked to, which is likely Pass-the-Hash or SMB worm propagation; LDAP or Kerberos queries to a domain controller at unusual times or volume, suggesting credential enumeration; connections to internal hosts on ports like WinRM 5985 or RDP 3389 from a non-admin source. Once I have a set of suspicious host pairs from NetFlow, I check whether I have full packet capture for those flows. If SPAN or TAP data is available via a tool like Zeek or Wireshark, I reconstruct the sessions. For SMB lateral movement I look at SMB command sequences in the capture: do I see net use, PsExec patterns, or IPC$ share access? For command-and-control that has gone internal, I look at beaconing: regular intervals of small outbound connections. Zeek's conn.log is excellent for this because it gives per-connection duration and byte counts, making periodic beaconing stand out. I also correlate DNS logs: lateral movement tools often query internal hostnames they should not know about. If I find a compromised host, I image it before isolating it when possible, because isolation can trigger attackers to destroy evidence.
Insider read
Really testing: Whether you have a structured, hypothesis-driven methodology for network forensics rather than a list of tools. The interviewer is assessing incident response maturity.
The tell: Weak candidates say 'I would run Wireshark and look for suspicious traffic.' Strong candidates describe starting with metadata like NetFlow before full PCAP, anchor to a timeline, name specific lateral movement indicators like SMB spray patterns and beaconing intervals, and mention evidence preservation before isolation.
Follow-up: Zeek and Wireshark give you different data. In what scenario would you reach for Wireshark over Zeek, and why?
Say thisNetwork forensics starts with connection metadata to build the map, then drops into full packet capture to answer the question the map raises. Reaching for PCAP first without that orientation is how you drown in noise.
02
Explain the difference between stateless, stateful, and next-generation firewalls. When would you choose each?
Tricky because 'next-generation' is a marketing term, and interviewers want to hear you cut through the buzzword and describe what NGFW actually adds technically.
Full answer + insider read in the complete set.Unlock all 100 · $19
03
Compare IPsec and SSL/TLS VPNs. What are the security tradeoffs, and which would you deploy for remote access versus site-to-site?
Tricky because both 'work,' and candidates who have only used them as black boxes cannot explain the cryptographic and operational differences that drive real deployment choices.
Full answer + insider read in the complete set.Unlock all 100 · $19
04
What is the difference between an IDS and an IPS, and how does each one fail in a way the other does not?
Tricky because most candidates know the textbook definition but cannot articulate the evasion techniques that are specific to each deployment mode.
Full answer + insider read in the complete set.Unlock all 100 · $19
05
Describe how you would design network segmentation for a three-tier web application. What VLANs would you create and why?
Tricky because it is easy to describe VLANs in the abstract, but interviewers are probing whether you can model the blast radius of a compromise and design the controls to contain it.
Full answer + insider read in the complete set.Unlock all 100 · $19
06
How does DNS cache poisoning work, and what does DNSSEC actually do to prevent it?
Tricky because candidates often conflate DNSSEC with DNS over HTTPS and do not understand what DNSSEC does and does not protect against.
Full answer + insider read in the complete set.Unlock all 100 · $19
07
Walk through the TLS 1.3 handshake. How does it differ from TLS 1.2, and what attacks does the new design eliminate?
Tricky because many candidates can describe TLS 1.2 but cannot explain what TLS 1.3 specifically removed and why, which is exactly what the interviewer is probing.
Full answer + insider read in the complete set.Unlock all 100 · $19
08
Explain zero-trust network architecture. How does it differ from perimeter-based security, and what are the hard problems in implementing it?
Tricky because zero-trust is heavily over-marketed, and interviewers are filtering for candidates who have actually grappled with the implementation problems versus those who have read a vendor white paper.
Full answer + insider read in the complete set.Unlock all 100 · $19
09
Describe the main categories of DDoS attacks and explain the mitigation strategies for each. What does a layered defense look like in practice?
Tricky because DDoS has three distinct layers of attack and three distinct mitigation approaches, and conflating them reveals shallow understanding.
Full answer + insider read in the complete set.Unlock all 100 · $19
10
What are the main BGP security risks, and what does RPKI solve versus what it does not solve?
Tricky because BGP security is poorly understood outside of network security specialists, and many candidates conflate route hijacking with route leaks and do not know what RPKI actually validates.
Full answer + insider read in the complete set.Unlock all 100 · $19
11
Walk me through what happens at each layer of the OSI model when a packet is sent from one host to another. Where do security controls typically live?
Tests whether you can use the OSI stack as a working security tool, mapping controls and attack classes to specific layers instead of reciting a mnemonic.
Full answer + insider read in the complete set.Unlock all 100 · $19
12
Explain how NAT and PAT work, and describe the security implications. Does NAT provide meaningful security?
Tricky because many engineers conflate NAT with a firewall and believe that private address space provides security. Interviewers are probing whether you understand the distinction.
Full answer + insider read in the complete set.Unlock all 100 · $19
13
What is the security difference between a forward proxy and a reverse proxy? Describe an attack each one is uniquely positioned to stop.
Tricky because candidates often know what each proxy does functionally but cannot reason about the distinct threat models and the attacks that are unique to each position.
Full answer + insider read in the complete set.Unlock all 100 · $19
14
Explain 802.1X network access control. How does it work, and what attacks does it not prevent?
Tricky because 802.1X is widely deployed but has known gaps that well-read candidates know about, and interviewers are checking whether you have thought beyond the textbook.
Full answer + insider read in the complete set.Unlock all 100 · $19
15
An attacker is on a compromised host and is performing lateral movement. What network-level signals indicate this, and how do you tune your detection to separate it from normal IT operations?
Tricky because the challenge is not identifying the signals in theory but tuning detections against the noise of legitimate admin activity, which is where junior candidates go blank.
Full answer + insider read in the complete set.Unlock all 100 · $19
16
What information does an attacker gain from running Nmap against a target, and how would you detect and limit that exposure?
Tricky because the question has two parts, offensive and defensive, and candidates who only know one side reveal a gap.
Full answer + insider read in the complete set.Unlock all 100 · $19
17
What are honeypots and honeynets, and how do you deploy deception technology to add value without creating liability or operational noise?
Tricky because deception technology sounds straightforward but has deployment gotchas around legal liability, false positive management, and attacker evasion that separate theoretical from practical knowledge.
Full answer + insider read in the complete set.Unlock all 100 · $19
application-security1 free ↓
18
Walk me through the OWASP Top 10. Which entries do you think are most dangerous in practice and why?
Tests whether you can prioritize and reason about real-world impact, not just list entries from the doc.
free
The OWASP Top 10 is a consensus list of the most critical web application risk categories. The ones I think are most dangerous in practice are injection, particularly SQL injection, because a single unsanitized parameter can dump an entire database; broken access control, because it is pervasive and often lets any authenticated user reach any other user's data just by changing an ID; and cryptographic failures, because misconfigured TLS or weak password hashing silently exposes data at rest and in transit. Security misconfigurations and vulnerable dependencies round out the top of my personal danger list because they are everywhere and often go unnoticed for years. Injection and IDOR are high exploitability plus high impact, which is why they sit at the top. Insecure design and software and data integrity failures are newer entries that reflect supply chain and architectural risks that are harder to bolt on after the fact. I treat the list as a triage framework: know which categories your tech stack is most exposed to and attack those first.
Insider read
Really testing: Whether the candidate understands exploitability and real-world impact rather than just memorizing categories, and can reason about risk prioritization.
The tell: Weak candidates recite the list in order. Strong candidates pick two or three, explain the exploit chain, and connect it to their stack.
Follow-up: How would you incorporate the OWASP Top 10 into a secure development lifecycle rather than just a checklist at the end?
Say thisInjection and broken access control sit at the top of my personal danger list because they combine high exploitability with catastrophic impact.
19
Explain SQL injection: how it works, the variants, and what a complete defense looks like.
Tricky because many candidates know parameterized queries but miss second-order injection, blind variants, and the defense layers beyond just the query.
Full answer + insider read in the complete set.Unlock all 100 · $19
20
Explain cross-site scripting. What are the three types, and how does Content Security Policy actually reduce XSS impact?
Tricky because many candidates conflate stored and reflected XSS, few can explain DOM-based XSS properly, and fewer still can explain what CSP actually does versus what it cannot do.
Full answer + insider read in the complete set.Unlock all 100 · $19
21
What is CSRF, how does it differ from XSS, and why do SameSite cookies largely solve it?
Tricky because candidates often confuse CSRF and XSS, and many do not fully understand why SameSite works or its Lax versus Strict edge cases.
Full answer + insider read in the complete set.Unlock all 100 · $19
22
What is an IDOR vulnerability, and how do you systematically find and fix them in a large codebase?
Tricky because IDOR is conceptually simple but systematically finding every access control gap in a large app requires methodology, not just spot checks.
Full answer + insider read in the complete set.Unlock all 100 · $19
23
Explain the difference between authentication and authorization. Where do applications typically get this wrong?
Tricky because the conceptual distinction is easy to state, but real failures are subtle: a JWT that proves identity but grants the wrong permissions, or authorization logic scattered across dozens of endpoints.
Full answer + insider read in the complete set.Unlock all 100 · $19
24
How do JWTs work, and what are the most dangerous ways developers misuse them?
Tricky because JWT mechanics look simple, but the algorithm confusion attack and the none algorithm vulnerability are subtle and frequently appear in real-world CVEs.
Full answer + insider read in the complete set.Unlock all 100 · $19
25
Explain the OAuth2 authorization code flow. What makes it more secure than the implicit flow, and what is PKCE?
Tricky because many candidates can describe OAuth2 at a high level but cannot explain why the implicit flow was deprecated or articulate what PKCE protects against.
Full answer + insider read in the complete set.Unlock all 100 · $19
26
What is SSRF and what makes it particularly dangerous in cloud environments?
Tricky because SSRF sounds like a simple proxy abuse issue, but the cloud metadata service angle turns it into credential theft and full account compromise.
Full answer + insider read in the complete set.Unlock all 100 · $19
27
Explain XXE injection. How does it work, and why is it still found in modern applications?
Tricky because XXE requires understanding XML entity expansion, and candidates often do not know why it still appears in apps that use modern JSON APIs.
Full answer + insider read in the complete set.Unlock all 100 · $19
28
What is insecure deserialization, and why did it produce so many critical remote code execution vulnerabilities?
Tricky because the root cause is a trust boundary violation that many developers do not think about, and the Java gadget chain concept is non-obvious.
Full answer + insider read in the complete set.Unlock all 100 · $19
29
Compare SAST, DAST, and SCA. When do you run each in the development lifecycle and what does each miss?
Tricky because each tool class has a distinct blind spot, and a strong candidate knows that combining all three still leaves gaps that require manual review.
Full answer + insider read in the complete set.Unlock all 100 · $19
30
Log4Shell and SolarWinds represent two different supply chain attack patterns. Explain both and what controls could have limited the damage.
Tricky because candidates conflate supply chain attack with dependency vulnerability, but SolarWinds was a build pipeline compromise, not a CVE in a library, and the controls are fundamentally different.
Full answer + insider read in the complete set.Unlock all 100 · $19
31
What are the top security risks in REST API design, and how do you specifically address rate limiting, authentication, and schema validation?
Tricky because many candidates focus only on endpoint authentication and miss mass assignment, improper rate limiting design, and the value of strict schema validation as a defense.
Full answer + insider read in the complete set.Unlock all 100 · $19
32
Walk me through threat modeling using STRIDE. How would you apply it to a new feature in a practical team setting?
Tricky because candidates often know the STRIDE acronym but cannot translate it into a practical workshop that engineers will actually engage with.
Full answer + insider read in the complete set.Unlock all 100 · $19
33
How do you conduct a security-focused code review? What are you looking for beyond what SAST tools find?
Tricky because the value of a manual code review is exactly what automated tools miss, and a strong candidate can articulate that specifically.
Full answer + insider read in the complete set.Unlock all 100 · $19
34
You receive a bug bounty report claiming a critical SSRF. Walk me through how you triage, validate, and determine severity.
Tricky because triage requires distinguishing a genuine critical from an out-of-scope or overstated finding, and many candidates do not have a structured methodology.
Full answer + insider read in the complete set.Unlock all 100 · $19
cryptography-identity1 free ↓
35
Explain the core difference between symmetric and asymmetric encryption. When would you choose AES over RSA, and why?
Tests whether you understand the hybrid model (AES for data, RSA/ECC for key exchange) and why nobody uses RSA to encrypt bulk payloads.
free
Symmetric encryption uses one shared key for both encryption and decryption. AES is the standard -- it is fast, hardware-accelerated on modern CPUs, and suitable for bulk data. Asymmetric encryption uses a key pair: a public key to encrypt and a private key to decrypt. RSA is much slower and has a hard upper limit on the data size it can handle directly. In practice I never use RSA to encrypt actual payloads. I use RSA or ECC to encrypt a short symmetric key, then use AES to encrypt the data itself -- that is the hybrid model TLS and PGP both rely on. I would choose AES-256-GCM for encrypting files or database fields, and use RSA-2048 or P-256 only for key exchange or digital signatures.
Insider read
Really testing: Whether the candidate understands hybrid encryption as the real-world pattern, not just textbook definitions.
The tell: Weak candidates explain the math. Strong candidates immediately describe the hybrid model and name concrete algorithm variants like AES-256-GCM and P-256.
Follow-up: Why is AES-GCM preferred over AES-CBC for most new systems?
Say thisRSA encrypts a key, not the message. AES encrypts the message. Every production system that looks like it uses asymmetric encryption is actually a hybrid.
36
Why is MD5 broken, and what makes SHA-256 or SHA-3 better? Walk me through what collision resistance actually means.
Tricky because MD5 is still widely used for non-security purposes like checksums, so candidates need to separate integrity from cryptographic security without dismissing MD5 entirely.
Full answer + insider read in the complete set.Unlock all 100 · $19
37
How do digital signatures provide non-repudiation? Walk me through the signing and verification process.
Tricky because non-repudiation is often confused with authentication. Candidates also sometimes get the key usage backwards -- signing with private key, verifying with public key.
Full answer + insider read in the complete set.Unlock all 100 · $19
38
Walk me through the TLS 1.3 handshake step by step. What changed from TLS 1.2 and why does it matter?
Tricky because TLS 1.3 handshake details are dense, and interviewers often probe for understanding of why 1-RTT matters and what was removed, not just a sequence of steps.
Full answer + insider read in the complete set.Unlock all 100 · $19
39
Explain PKI and the certificate chain of trust. What happens when a root CA is compromised?
Tricky because candidates often describe the happy path of certificate validation without thinking about what breaks the chain and what real-world remediation looks like.
Full answer + insider read in the complete set.Unlock all 100 · $19
40
What is certificate pinning and HPKP? Why did HPKP get deprecated and what replaced it?
Tricky because HPKP sounded like a security improvement but became a notorious availability footgun, and candidates often do not know the specific failure modes that killed it.
Full answer + insider read in the complete set.Unlock all 100 · $19
41
What is forward secrecy and why does it matter? How does ephemeral Diffie-Hellman achieve it?
Tricky because candidates often know the definition but cannot explain the specific threat model: an attacker recording encrypted traffic today hoping to decrypt it after stealing the server's long-term key.
Full answer + insider read in the complete set.Unlock all 100 · $19
42
Why should you never use MD5 or SHA-1 to hash passwords? What makes bcrypt, scrypt, and Argon2 the right choices?
Tricky because candidates often say 'because they are fast' -- which is correct but incomplete. The deeper point is about GPU parallelism and the specific design properties that password hashing algorithms add.
Full answer + insider read in the complete set.Unlock all 100 · $19
43
What is an HSM and when would you use one? What problems does it solve that software key storage cannot?
Tricky because HSMs sound like a compliance checkbox to many candidates. The real answer requires understanding the specific threat of key extraction and why hardware root of trust matters.
Full answer + insider read in the complete set.Unlock all 100 · $19
44
Explain zero-knowledge proofs at a conceptual level. Give a real-world security use case where they are useful.
Tricky because ZKPs sound purely academic, but interviewers asking this in 2025 want to know if you have connected the concept to practical uses like privacy-preserving authentication or blockchain compliance.
Full answer + insider read in the complete set.Unlock all 100 · $19
45
Walk me through JWT security: how signing and verification work, common vulnerabilities, and how to mitigate them.
Tricky because the 'alg: none' attack is well known but candidates often miss the RS256-to-HS256 confusion attack, which is subtler and was responsible for real CVEs.
Full answer + insider read in the complete set.Unlock all 100 · $19
46
What are the differences between SAML, OAuth 2.0, and OpenID Connect? When would you use each?
Tricky because OAuth is for authorization and OIDC is for authentication, and candidates routinely conflate them or describe OAuth as an authentication protocol.
Full answer + insider read in the complete set.Unlock all 100 · $19
47
Walk me through MFA mechanisms: TOTP, hardware tokens, push notifications, and SMS. Rank them by security and explain bypass attacks against each.
Tricky because candidates know SMS is weak but often cannot articulate the specific attack vectors, and most do not know that push notification fatigue is an active attack technique with documented real-world incidents.
Full answer + insider read in the complete set.Unlock all 100 · $19
48
What are passkeys and FIDO2? How do they eliminate phishing compared to passwords and TOTP?
Tricky because passkeys are often described as 'passwordless login' without explaining the cryptographic property that makes them phishing-resistant -- which is the whole point.
Full answer + insider read in the complete set.Unlock all 100 · $19
49
How do tools like HashiCorp Vault and AWS Secrets Manager approach secrets management? What problems do they solve that environment variables do not?
Tricky because environment variables feel like a security improvement over hardcoded credentials, but they have serious problems candidates often have not thought through -- process listings, core dumps, and inherited child processes.
Full answer + insider read in the complete set.Unlock all 100 · $19
50
What is cryptographic randomness and why does entropy matter? What are the consequences of weak randomness in security applications?
Tricky because most candidates know to 'use a secure random library' but cannot explain what makes randomness cryptographically secure, what entropy actually is, or what real-world attacks have exploited weak RNG.
Full answer + insider read in the complete set.Unlock all 100 · $19
94 more answers + insider reads
// network · appsec · crypto · IR · cloud · architecture
Unlock all 100 · $19
incident-response-threat-detection1 free ↓
51
Walk me through the PICERL incident response lifecycle. Where do most teams actually fail in practice?
Tests operational maturity: where teams actually break down under pressure, not just whether you can recite the six phases.
free
PICERL is Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. In practice, teams tend to fail hardest at Preparation and Lessons Learned -- the two bookends. Preparation is under-invested because it's invisible until you need it: runbooks aren't updated, asset inventories are stale, and on-call contacts go dead. Lessons Learned is skipped or done badly because teams are exhausted and want to close the ticket. The result is the same incident type recurring six months later. During an actual response I've seen Identification drag on because nobody agreed on what 'confirmed incident' meant versus 'potential incident', which delays the decision to escalate. I try to drive consistency by writing a decision tree into the runbook: if X conditions are met, call it a P1 and page the CISO. Containment is where the isolate-versus-observe tradeoff lives -- you want to preserve evidence but not let the attacker pivot further. I document that decision explicitly in the ticket so legal and leadership understand why we waited. The phases look clean on paper; the job is making them work under pressure with incomplete information.
Insider read
Really testing: Whether the candidate has real IR experience beyond textbook knowledge, and whether they can self-critically identify operational gaps.
The tell: Weak candidates recite the acronym and stop. Strong candidates name a specific phase they've seen fail and explain the organizational reason why.
Follow-up: How do you decide when an investigation moves from Identification to Containment? What's your escalation threshold?
Say thisThe two phases teams neglect most are Preparation and Lessons Learned -- the bookends -- and that's exactly why the same incident types keep recurring.
52
How do you architect a SIEM correlation rule to detect lateral movement without drowning in false positives?
Tricky because SIEM tuning is genuinely hard -- generic answers about 'reducing noise' ignore the real engineering tradeoffs between detection coverage and analyst workload.
Full answer + insider read in the complete set.Unlock all 100 · $19
53
What is your threat hunting methodology, and how do you know when a hunt has found something real versus a false lead?
Tricky because threat hunting sounds impressive but many candidates describe it vaguely. Interviewers want to see a structured hypothesis-driven process.
Full answer + insider read in the complete set.Unlock all 100 · $19
54
Explain the difference between an IOC and an IOA, and tell me which one you trust more and why.
Tricky because candidates often memorize the definitions but don't have a principled view on operational trust -- which is what the interviewer actually cares about.
Full answer + insider read in the complete set.Unlock all 100 · $19
55
A suspicious binary lands on an endpoint. Walk me through your static and dynamic malware analysis process.
Tricky because candidates need to demonstrate actual tooling knowledge and sequencing -- doing dynamic analysis before static is an operational error that can contaminate evidence.
Full answer + insider read in the complete set.Unlock all 100 · $19
56
Your organization just discovered a ransomware infection spreading across the file servers at 3 AM. Walk me through your first 30 minutes.
Tricky because this tests crisis decision-making under pressure -- candidates who describe a perfect ordered process have never actually been paged at 3 AM.
Full answer + insider read in the complete set.Unlock all 100 · $19
57
Which Windows Event Log IDs do you consider essential for investigating a compromised host, and what does each one tell you?
Tricky because candidates who haven't done real Windows forensics will name one or two IDs and guess at others. The depth of the answer reveals actual hands-on experience.
Full answer + insider read in the complete set.Unlock all 100 · $19
58
Describe how you would perform memory forensics on a live compromised host. What are you looking for and what tools do you use?
Tricky because memory forensics sounds advanced but the core technique is straightforward -- candidates who haven't done it will describe disk forensics instead.
Full answer + insider read in the complete set.Unlock all 100 · $19
59
How do you maintain chain of custody when collecting digital evidence during an incident? Why does it matter for a security engineer?
Tricky because chain of custody feels like a legal formality, but candidates need to articulate why it matters operationally and technically, not just legally.
Full answer + insider read in the complete set.Unlock all 100 · $19
60
How do you use the MITRE ATT&CK framework in your day-to-day security work? Give me a concrete operational example.
Tricky because many candidates can describe the ATT&CK matrix at a high level but can't show how they've actually integrated it into detection engineering or incident response.
Full answer + insider read in the complete set.Unlock all 100 · $19
61
What's the difference between AV, EDR, and XDR, and when would you recommend one over another?
Tricky because the marketing around XDR is heavy and candidates often parrot vendor positioning rather than having a principled view on detection and response capability.
Full answer + insider read in the complete set.Unlock all 100 · $19
62
How do you detect command-and-control traffic in network logs? What patterns specifically distinguish C2 from legitimate traffic?
Tricky because C2 detection requires understanding both attacker tradecraft and how to analyze high-volume network data -- candidates without real network analysis experience will give generic answers.
Full answer + insider read in the complete set.Unlock all 100 · $19
63
How do you operationalize threat intelligence feeds in your environment? What's the workflow from raw feed to actionable detection?
Tricky because many organizations subscribe to threat intel feeds but don't actually use them well. The gap between 'we have threat intel' and 'threat intel improves our detections' is where this question probes.
Full answer + insider read in the complete set.Unlock all 100 · $19
64
When you detect an active intrusion, how do you decide between immediately isolating the affected host versus letting the attacker continue under observation?
Tricky because there's no universally correct answer -- it's a tradeoff with legal, operational, and investigative dimensions that candidates need to reason through explicitly.
Full answer + insider read in the complete set.Unlock all 100 · $19
65
What makes a post-incident review genuinely useful, and how do you prevent it from becoming a blame session or a checkbox exercise?
Tricky because almost everyone knows PIRs should be blameless, but candidates who've actually run them know that blameless culture is hard to achieve and requires specific facilitation techniques.
Full answer + insider read in the complete set.Unlock all 100 · $19
66
How do you structure SOC triage to manage alert fatigue without creating blind spots?
Tricky because alert fatigue is universally acknowledged but the candidate needs to describe systemic solutions, not just 'tune the rules' or 'hire more analysts.'
Full answer + insider read in the complete set.Unlock all 100 · $19
67
How do you detect and investigate insider threats, and how do you balance detection effectiveness with employee privacy?
Tricky because insider threat touches legal, HR, and ethical dimensions that purely technical candidates ignore -- and the privacy tension is exactly what experienced security engineers navigate daily.
Full answer + insider read in the complete set.Unlock all 100 · $19
cloud-container-security1 free ↓
68
Explain the shared responsibility model and where the security boundary sits for IaaS vs PaaS vs SaaS.
Tests whether you understand that “managed” doesn’t mean “secure by default” and can map the boundary precisely for each service model.
free
The shared responsibility model splits security duties between the cloud provider and the customer. For IaaS, the provider owns physical infrastructure, hypervisor, and network fabric. I own the OS, middleware, runtime, application code, and data. For PaaS, the provider also takes the OS and runtime, so my responsibility narrows to the application and data. For SaaS, I basically own data, access controls, and configuration. The critical thing people miss is that 'managed' does not mean 'secure by default.' An RDS instance is still my problem from the database account, network ACL, encryption-at-rest, and parameter group perspective. I always map out the boundary explicitly at the start of a project, because misunderstanding it is the root cause of most cloud breaches I have seen reviewed.
Insider read
Really testing: Whether the candidate understands that misconfiguration is the customer's problem regardless of service tier, and can articulate the boundary precisely rather than vaguely.
The tell: Weak candidates say the cloud provider handles security. Strong candidates immediately name specific controls that remain the customer's responsibility at each tier and cite real breach patterns (Capital One, Twitch) that stemmed from customer-side misconfiguration.
Follow-up: A developer tells you 'we use managed Kubernetes so we don't need to worry about node security.' How do you respond?
Say thisThe model tells you who is responsible, not who is capable. I own my data and my config at every tier.
69
Walk me through how an attacker escalates privileges in AWS after compromising an EC2 instance with an attached IAM role.
Tricky because many candidates describe the IMDS call correctly but stop there, missing the full privilege escalation chain from metadata to enumeration to lateral movement.
Full answer + insider read in the complete set.Unlock all 100 · $19
70
An S3 bucket containing customer PII was found publicly readable. Walk me through your incident response and long-term remediation.
Tricky because candidates jump straight to 'block public access' without discussing evidence preservation, scope assessment, or regulatory notification obligations.
Full answer + insider read in the complete set.Unlock all 100 · $19
71
Explain how SSRF can be chained to the cloud metadata service to achieve credential theft, and how you mitigate it.
Tricky because it requires connecting an application-layer vulnerability to cloud infrastructure, and candidates often describe SSRF generically without tying it specifically to IMDS exploitation.
Full answer + insider read in the complete set.Unlock all 100 · $19
72
How does Kubernetes RBAC work, and what are the most dangerous misconfigurations you look for in a cluster audit?
Tricky because candidates often describe RBAC at a surface level without knowing which specific verbs and resources create critical exposures.
Full answer + insider read in the complete set.Unlock all 100 · $19
73
What are pod security controls in Kubernetes, and how has the approach changed from PodSecurityPolicy to the current model?
Tricky because PSP was deprecated in 1.21 and removed in 1.25, so answers that focus on PSP alone reveal someone who has not kept up with the ecosystem.
Full answer + insider read in the complete set.Unlock all 100 · $19
74
Explain how a container escape works and what defenses prevent or detect it.
Tricky because container escapes span multiple mechanisms, and candidates who only know 'privileged container bad' miss deeper vectors like volume mounts, runc CVEs, and cgroup escapes.
Full answer + insider read in the complete set.Unlock all 100 · $19
75
How do you approach container image security, from build to runtime? What tools do you use and what do you actually act on?
Tricky because candidates list scanner names without explaining the triage discipline needed, or treat every CRITICAL finding as equally actionable.
Full answer + insider read in the complete set.Unlock all 100 · $19
76
What is a service mesh and how does mTLS inside one change your security posture compared to traditional network segmentation?
Tricky because candidates describe service mesh features generally without explaining the threat model it addresses or the residual risks it introduces.
Full answer + insider read in the complete set.Unlock all 100 · $19
77
What are the unique security considerations for serverless functions, and how do they differ from securing a traditional server?
Tricky because serverless eliminates some attack surface but creates new risks around function permissions, event injection, and ephemeral execution that candidates often overlook.
Full answer + insider read in the complete set.Unlock all 100 · $19
78
What is Cloud Security Posture Management (CSPM) and how does it fit into a security program alongside other controls?
Tricky because candidates either oversell CSPM as a complete solution or undersell it as just a compliance checker, missing its role in the detection and prevention hierarchy.
Full answer + insider read in the complete set.Unlock all 100 · $19
79
How do you scan infrastructure as code for security issues, and what types of problems does static IaC analysis catch versus miss?
Tricky because candidates often do not distinguish between what static analysis can detect versus what requires runtime or policy enforcement, leading to overconfidence in the tool.
Full answer + insider read in the complete set.Unlock all 100 · $19
80
Secrets keep showing up in environment variables, CI pipeline configs, and container images. What is the right architecture and what controls actually prevent it?
Tricky because the solution is not just 'use a secrets manager,' it requires addressing developer behavior, CI system design, and detection at multiple points.
Full answer + insider read in the complete set.Unlock all 100 · $19
81
How does multi-cloud identity federation work, and what are the security risks of federating identities across AWS, GCP, and Azure?
Tricky because federation is often treated as purely an IAM convenience feature, missing the trust chain implications and the blast radius if a federated identity provider is compromised.
Full answer + insider read in the complete set.Unlock all 100 · $19
82
Walk me through how you design VPC security for a three-tier web application. What do security groups actually enforce versus what they cannot?
Tricky because candidates often conflate security groups with NACLs, or treat security groups as a complete network security solution without understanding their stateful model and limits.
Full answer + insider read in the complete set.Unlock all 100 · $19
83
How do you ensure comprehensive audit logging in cloud environments, and what gaps do CloudTrail and Cloud Audit Logs typically leave?
Tricky because most candidates know CloudTrail exists but do not know which event categories are off by default, creating false confidence in audit coverage.
Full answer + insider read in the complete set.Unlock all 100 · $19
84
How do you design a zero-trust architecture for cloud workloads, and what is the difference between marketing zero-trust and actually implementing it?
Tricky because zero trust is heavily marketed and candidates often recite principles without being able to describe concrete implementation decisions or acknowledge the operational trade-offs.
Full answer + insider read in the complete set.Unlock all 100 · $19
security-architecture-behavioral1 free ↓
85
Walk me through your security architecture review process for a new system or feature.
Tests whether you run a structured threat model (STRIDE, trust boundaries, data-flow diagram) vs. a vibes-based review.
free
When a new system or feature comes in, I start by getting context before I open any diagrams. I meet with the engineering lead to understand what the system does, who the users are, and what data it touches. Then I ask for a data-flow diagram or create one with them if it does not exist. From there I identify trust boundaries, entry points, data stores, and privilege levels. I use STRIDE to systematically think through spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege for each boundary crossing. I document findings in a shared tracker, classify them by severity, and distinguish blockers from nice-to-haves. I schedule a review meeting where I present findings as trade-offs rather than mandates, so engineering understands the why. Before sign-off I verify that blockers are resolved or have an accepted risk decision with a named owner and a revisit date.
Insider read
Really testing: Whether the candidate treats architecture review as a gate or a partnership, and whether they apply systematic threat modeling versus ad-hoc intuition.
The tell: Weak candidates describe a checklist or compliance form. Strong candidates describe a repeatable, collaborative process with explicit trust-boundary analysis and documented risk decisions.
Follow-up: How do you handle it when a team is already mid-development and a full architecture review was never done?
Say thisA security review is not a gate, it is a risk conversation with a deliverable. My job is to make trade-offs visible, not to block shipping.
86
What are the practical trade-offs between defense-in-depth and zero-trust, and how do you decide which model to lean on?
Tricky because many candidates treat these as competing philosophies when they are actually complementary, and interviewers are probing for nuance not a textbook definition.
Full answer + insider read in the complete set.Unlock all 100 · $19
87
How have you applied NIST CSF or ISO 27001 in a real program, and what is the difference between using a framework as a checklist versus using it as a tool?
Tricky because most candidates can name the framework tiers or domains but struggle to articulate how they actually used it to drive decisions rather than produce audit artifacts.
Full answer + insider read in the complete set.Unlock all 100 · $19
88
How do you approach risk scoring, and when is CVSS insufficient for prioritization?
Tricky because CVSS is the industry default and candidates who do not use it look naive, but candidates who rely on it exclusively reveal that they do not understand its limitations.
Full answer + insider read in the complete set.Unlock all 100 · $19
89
You are hired as the first security engineer at a 200-person company with no existing security program. How do you spend your first 90 days?
Tricky because candidates often jump to technology solutions before establishing the baseline context that determines what technology is actually needed.
Full answer + insider read in the complete set.Unlock all 100 · $19
90
How do you manage vendor and third-party security risk, and what does a mature TPRM program look like?
Tricky because most candidates can describe a vendor questionnaire process but few can articulate how to make that process proportionate and actually reduce risk rather than just produce documentation.
Full answer + insider read in the complete set.Unlock all 100 · $19
91
What is the difference between compliance and security, and how do you explain that distinction to a business that believes being compliant means being secure?
Tricky because most candidates agree with the premise but struggle to give a concrete, business-relevant example that lands with a non-technical executive.
Full answer + insider read in the complete set.Unlock all 100 · $19
92
How would you design and launch a security champions program, and how do you measure whether it is working?
Tricky because candidates often describe training programs rather than the network-building and incentive design that makes champions effective long-term.
Full answer + insider read in the complete set.Unlock all 100 · $19
93
How do you embed security into a CI/CD pipeline without slowing down engineering velocity?
Tricky because the tension between security gates and developer speed is real, and a candidate who says there is no trade-off is not credible, but one who only talks about the friction has not solved the problem.
Full answer + insider read in the complete set.Unlock all 100 · $19
94
How do you communicate a serious security risk to a non-technical executive who controls the budget?
Tricky because candidates who translate risk into pure technical terms lose the audience, but candidates who over-simplify lose credibility. The skill is in calibrating the conversation to what the executive actually needs to decide.
Full answer + insider read in the complete set.Unlock all 100 · $19
95
Tell me about a time you discovered a critical vulnerability. Walk me through what you found, how you responded, and what you learned.
Tricky because interviewers are evaluating judgment and process under pressure, not just technical skill. A candidate who found a critical bug but escalated poorly or caused more harm than necessary reveals as much as the discovery itself.
Full answer + insider read in the complete set.Unlock all 100 · $19
96
How do you handle sustained pushback from an engineering team that consistently deprioritizes your security requirements?
Tricky because the right answer requires both empathy for engineering pressures and the ability to hold ground on controls that are non-negotiable, and candidates who are purely confrontational or purely accommodating both fail.
Full answer + insider read in the complete set.Unlock all 100 · $19
97
You inherit a vulnerability backlog with 800 open findings. How do you prioritize and how do you make progress without freezing the team?
Tricky because the instinct to score and sort every item first delays real progress. Interviewers are watching for candidates who can make smart triage decisions and start reducing risk immediately.
Full answer + insider read in the complete set.Unlock all 100 · $19
98
How do you build a security culture in an organization where security is seen as a compliance tax rather than a business enabler?
Tricky because cultural change is slow and structural, and candidates who describe it as a training initiative or a communications campaign reveal they do not understand how culture actually shifts.
Full answer + insider read in the complete set.Unlock all 100 · $19
99
You just completed a red team exercise. How do you run the debrief and translate findings into durable program improvements?
Tricky because the debrief is where many organizations squander the value of a red team engagement by treating it as a report-review meeting rather than a strategic learning event.
Full answer + insider read in the complete set.Unlock all 100 · $19
100
How do you stay current with the threat landscape, and how do you decide what is signal versus noise?
Tricky because saying you read security blogs and follow Twitter is a non-answer. Interviewers want to see a systematic, tiered approach to threat intelligence consumption that connects to real program decisions.
Full answer + insider read in the complete set.Unlock all 100 · $19
Complete set
94 more questions. Every answer. Every insider read.
Network security to cloud architecture. Cryptography to incident response. The exact words to say and what separates a pass from a fail.
$19
// one-time · lifetime access · all 100 questions
// interview bootcamp: $5,000+ · 1:1 coach: $200/hour · this playbook: $19
Unlock all 100 · $19
✓ 14-day money-back guarantee
// what happens when you pay
1Secure checkout opens. Card, Apple Pay, Google Pay or PayPal, processed by Stripe.
2All 100 unlock instantly. Your private link opens the moment payment clears.
3It's yours for good. The receipt email contains your permanent link. Lose it? Email us, we resend.
VISAMastercardAmexApple PayGoogle PayPayPal
// payment handled by Lemon Squeezy, our merchant of record. We never see your card details. Support: support@howto-playbooks.com
Common questions
Are these real interview questions?+
Yes. These are the questions that come up in security engineering interviews at Google, Microsoft, CrowdStrike, Palo Alto Networks, Okta, Cloudflare, and similar companies, covering network security, application security, cryptography, incident response, cloud security, and security architecture.
What's different from free question lists?+
Free lists give you questions. This gives you the model answer plus what the interviewer is actually scoring, the junior vs. senior tell, and the follow-up coming next.
What if it doesn't help?+
14-day, no-questions-asked refund. Email support@howto-playbooks.com with your order number and we refund in full.
What format is it?+
A single web page, bookmarkable, works on any device. All 100 questions expandable with answers and insider reads. Lifetime access.
How do I get access after paying?+
Instantly. The moment payment clears, your private link opens with all 100 questions and answers. Your receipt email contains the same permanent link, so you can come back anytime, on any device. If you ever lose it, email support@howto-playbooks.com and we resend it.
Is the payment secure?+
Yes. Checkout is handled by Lemon Squeezy, our merchant of record, with payments processed by Stripe, the same infrastructure used by Amazon and Shopify. Card, Apple Pay, Google Pay and PayPal are supported. Your card details never touch our servers.
// more playbooks: 100 questions each
$19 one-time
// 100 questions · insider reads · 14-day refund
Unlock all 100