A comprehensive guide to common interview questions, technical topics, and preparation strategies for cybersecurity roles. Organized by role type and difficulty level.
## General Preparation Strategy

- **Know the fundamentals cold**: networking (TCP/IP, DNS, TLS), OS internals (Windows/Linux), and the CIA triad
- **Practice explaining concepts simply**: "explain this to a non-technical person" tests are common
- **Prepare a portfolio**: HTB/THM writeups, CTF flags, home lab documentation, GitHub projects
- **Know your resume**: every tool, cert, and project should be something you can discuss in depth
- **STAR format** for behavioral questions: Situation, Task, Action, Result
## Networking Fundamentals

### Core Questions

| Question | Key Points to Cover |
|---|---|
| Explain the OSI model and give examples at each layer | L1 physical: cables/fiber, radio. L2 data link: Ethernet frames, MAC addresses, switches, ARP. L3 network: IP, routing, ICMP. L4 transport: TCP/UDP, ports. L5 session and L6 presentation: rarely asked in detail (TLS is usually described as sitting between L4 and L7). L7 application: HTTP, DNS, SMTP. Focus on L3-L7 for security work |
| What happens when you type google.com into a browser? | Browser checks its HSTS list and cache, resolves the name (OS stub resolver, then recursive resolver, then authoritative servers, with caching at each hop), opens a TCP three-way handshake to port 443, runs the TLS handshake (certificate chain validation, key exchange), sends the HTTP request and renders the response. For a security role, say where each step can be attacked or defended: DNS spoofing and DoH/DoT, certificate validation and TLS downgrade, HSTS, and the cookies and CSP headers on the response |
| What is CSRF? | Cross-Site Request Forgery: trick an authenticated user's browser into sending a state-changing request the user did not intend. Prevent with per-session CSRF tokens, SameSite=Lax or Strict cookies, and checking the Origin/Referer header on state-changing requests |
| What is SSRF? | Server-Side Request Forgery: make the server fetch attacker-controlled URLs. Can reach internal services and cloud metadata endpoints (169.254.169.254). Prevent with an allowlist of destinations, resolving the hostname and re-checking the resulting IP before connecting, and IMDSv2 (session token required) on AWS |
## Role-Specific Questions

### SOC Analyst / Blue Team

| Question | Answer Guidance |
|---|---|
| Walk me through how you would triage a phishing alert | Check headers (sending IP, Return-Path versus From, SPF/DKIM/DMARC results), detonate URLs and attachments in a sandbox, identify every recipient, search mail logs for the same sender, subject or URL, check whether anyone clicked or entered credentials, then escalate or close with the reasoning documented |
| What is a false positive? How do you handle them? | Alert that fires when no real threat exists. Tune the detection rule, document the known-good behaviour, and add an exception (allowlist entry) only with approval and a review date |
| What SIEM are you familiar with? | Mention Splunk (SPL queries), Microsoft Sentinel (KQL), Elastic (KQL/EQL). Show you can write queries, not just read dashboards |
| Explain lateral movement and how to detect it | Moving from system to system using stolen credentials or exploits. Look for: network logons (Event ID 4624, logon type 3 or 10) from hosts that do not normally authenticate to the target, explicit-credential logons (4648), admin share access (5140/5145 on C$ or ADMIN$), PsExec-style service installs (7045), WMI/WinRM process creation, and unusual process lineage (for example cmd.exe spawned by WmiPrvSE.exe or by a just-installed service) |
| What is a SOC playbook? | Step-by-step response procedure for a specific alert type. Reduces response time, ensures consistency |
| How would you reconstruct attacker activity on a compromised Windows host? | Correlate file system artefacts (MFT, $UsnJrnl), event logs, prefetch, registry hives and browser history into a single timeline, then walk it from initial access to the last observed action |
| What is chain of custody? | Documentation proving evidence has not been tampered with from collection through court. Hash evidence at collection and record every hand-off |
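The phishing-triage row above lists the header checks in words; the block below is an added example (not code from this guide or any vendor tool) that performs them on a constructed message: it compares the envelope sender with the From header, reads the SPF/DKIM/DMARC verdicts from Authentication-Results, and flags links whose host is outside the claimed sender domain. The sample email, its domains and IP are invented for the example.

```python
"""Phishing triage helper over a raw RFC 5322 message (stdlib only).
Added example; the message below is constructed, not a real email."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: spoofed From header, different envelope sender, failing DMARC.
SAMPLE_EMAIL = """Return-Path: <billing@payroll-update.example.net>
Received: from mail.payroll-update.example.net (mail.payroll-update.example.net [198.51.100.23])
\tby mx.corp.example.com with ESMTP id abc123
Authentication-Results: mx.corp.example.com;
\tspf=pass smtp.mailfrom=payroll-update.example.net;
\tdkim=fail header.d=corp.example.com;
\tdmarc=fail (p=reject) header.from=corp.example.com
From: "HR Department" <hr@corp.example.com>
To: alice@corp.example.com
Subject: Action required: update your direct deposit
Content-Type: text/plain; charset=utf-8

Your payroll profile needs verification. Sign in at
https://corp-example-com.payroll-update.example.net/login within 24 hours.
"""

URL_RE = re.compile(r"""https?://[^\s<>"']+""")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(raw: str) -> dict:
    """Return the facts an analyst checks first plus a list of findings."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain, rp_domain = _domain(from_addr), _domain(return_path)

    # Authentication-Results is a folded header; collapse whitespace before matching.
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    results = {k.lower(): v.lower() for k, v in AUTH_RE.findall(auth)}

    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode("utf-8", "replace")
    hosts = sorted({urlparse(u).hostname for u in URL_RE.findall(body) if urlparse(u).hostname})

    findings = []
    if from_domain != rp_domain:
        findings.append(f"envelope/header mismatch: Return-Path {rp_domain} vs From {from_domain}")
    for mech in ("spf", "dkim", "dmarc"):
        if results.get(mech) != "pass":
            findings.append(f"{mech} result: {results.get(mech, 'missing')}")
    for h in hosts:
        # Only exact domain or a true subdomain counts; look-alike prefixes do not.
        if not (h == from_domain or h.endswith("." + from_domain)):
            findings.append(f"link host {h} is outside sender domain {from_domain}")

    return {
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "auth": results,
        "url_hosts": hosts,
        "findings": findings,
        "verdict": "escalate" if findings else "no header findings; confirm with recipient",
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("-", line)
```

The spoofed display domain passes SPF (the attacker controls the envelope domain) but fails DKIM and DMARC, which is the pattern to explain in the interview: SPF alone says nothing about the From header the user sees.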
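The lateral-movement row names the individual signals (unusual network logon, admin share access, service install, odd process lineage); what an interviewer usually wants next is how those are correlated. The block below is an added example, not code from this guide or from any SIEM: it runs the per-event checks over a constructed batch of Windows Security events and then reports a host where three or more distinct signals land inside a 60-second window. The hostnames, IPs, baseline and event fields are all invented for the example.

```python
"""Lateral-movement chain detection over Windows Security events.
Added example; the events and baseline below are constructed, not real telemetry."""
from collections import defaultdict

# Constructed events as (timestamp, host, event_id, fields).
# Baseline traffic from the admin jump host 10.0.5.10, then a PsExec-style chain
# from workstation 10.0.20.77 against SRV-FILE01.
EVENTS = [
    ("09:00:01", "SRV-FILE01", 4624, {"LogonType": "3", "TargetUserName": "svc_backup", "IpAddress": "10.0.5.10"}),
    ("09:05:12", "SRV-FILE01", 4624, {"LogonType": "3", "TargetUserName": "jdoe_admin", "IpAddress": "10.0.5.10"}),
    ("13:42:07", "SRV-FILE01", 4624, {"LogonType": "3", "TargetUserName": "jdoe_admin", "IpAddress": "10.0.20.77"}),
    ("13:42:08", "SRV-FILE01", 5145, {"ShareName": "\\\\*\\ADMIN$", "SubjectUserName": "jdoe_admin", "IpAddress": "10.0.20.77"}),
    ("13:42:09", "SRV-FILE01", 7045, {"ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"}),
    ("13:42:10", "SRV-FILE01", 4688, {"NewProcessName": "C:\\Windows\\System32\\cmd.exe", "ParentProcessName": "C:\\Windows\\PSEXESVC.exe"}),
    ("14:10:00", "SRV-DB01", 4624, {"LogonType": "10", "TargetUserName": "jdoe_admin", "IpAddress": "10.0.5.10"}),
]

# Assumed baseline learned from history: source IPs that normally log on to each host.
BASELINE = {"SRV-FILE01": {"10.0.5.10"}, "SRV-DB01": {"10.0.5.10"}}
ADMIN_SHARES = {"ADMIN$", "C$"}
# Parents that indicate remote execution: PsExec service, WMI provider host, WinRM host.
SUSPICIOUS_PARENTS = ("psexesvc.exe", "wmiprvse.exe", "wsmprovhost.exe")


def detect(events, baseline):
    """Per-event checks; returns (timestamp, host, signal, detail) tuples."""
    findings = []
    for ts, host, eid, f in events:
        if eid == 4624 and f.get("LogonType") in {"3", "10"}:
            src = f.get("IpAddress", "")
            if src not in baseline.get(host, set()):
                findings.append((ts, host, "unbaselined_logon",
                                 f"type {f['LogonType']} logon as {f['TargetUserName']} from {src}"))
        elif eid == 5145 and f.get("ShareName", "").rsplit("\\", 1)[-1] in ADMIN_SHARES:
            findings.append((ts, host, "admin_share",
                             f"{f['SubjectUserName']} opened {f['ShareName']} from {f['IpAddress']}"))
        elif eid == 7045 and "psexesvc" in (f.get("ServiceName", "") + f.get("ImagePath", "")).lower():
            findings.append((ts, host, "remote_service_install",
                             f"service {f['ServiceName']} installed ({f['ImagePath']})"))
        elif eid == 4688 and f.get("ParentProcessName", "").lower().endswith(SUSPICIOUS_PARENTS):
            findings.append((ts, host, "suspicious_child",
                             f"{f['NewProcessName']} spawned by {f['ParentProcessName']}"))
    return findings


def _secs(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s


def correlate(findings, window_seconds=60):
    """Hosts where 3+ distinct signal types occur within the window -> likely chain."""
    by_host = defaultdict(list)
    for ts, host, signal, _ in findings:
        by_host[host].append((_secs(ts), signal))
    chains = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            kinds = {sig for t, sig in items[i:] if t - t0 <= window_seconds}
            if len(kinds) >= 3:
                chains[host] = sorted(kinds)
                break
    return chains


if __name__ == "__main__":
    hits = detect(EVENTS, BASELINE)
    for h in hits:
        print(h)
    print("chains:", correlate(hits))
```

The single type-10 logon to SRV-DB01 produces nothing because its source is in the baseline; the point to make in the interview is that each signal alone is noisy (admins do use ADMIN$), and the confidence comes from several of them clustering on one host in a short window.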
### Application Security

| Question | Answer Guidance |
|---|---|
| What is OWASP Top 10? | The 10 most critical web application security risks. 2021 edition: A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable and Outdated Components, A07 Identification and Authentication Failures, A08 Software and Data Integrity Failures, A09 Security Logging and Monitoring Failures, A10 Server-Side Request Forgery |
| How do you prevent SQL injection? | Parameterized queries / prepared statements are the fix. Identifiers (table or column names in ORDER BY, for example) cannot be bound, so allowlist those. Input validation, least-privilege DB accounts and a WAF are defense in depth, not substitutes |
| What is IDOR? | Insecure Direct Object Reference: accessing another user's resource by changing an ID in the request (e.g. /user/1234 → /user/1235). Root cause is a missing server-side authorization check on every object access, not the predictability of the ID |
| What is JWT and what vulnerabilities exist? | JSON Web Token: header.payload.signature, base64url-encoded. Attacks: alg=none (verifier skips the signature), weak HS256 secret (crack offline with hashcat), RS256→HS256 key confusion (public key used as the HMAC secret). Common root cause: the verifier lets the token's header choose the algorithm. Fix by pinning the expected algorithm and key server-side |
| What is the Same-Origin Policy? | Browser security boundary: scripts from one origin (scheme, host, port) cannot read responses from another. CORS relaxes this; a server that reflects any Origin together with Access-Control-Allow-Credentials: true lets an attacker's page read authenticated responses |
| How would you perform a code review for security? | SAST tool first (Semgrep, Bandit) to find the obvious patterns. Then manual review of input validation, authorization checks at every entry point, cryptography use, logging of sensitive data, and error handling |
| Explain DevSecOps | Integrating security into CI/CD: SAST in PR checks, DAST in staging, SCA for dependencies, secrets scanning, IaC scanning, with findings routed back to developers rather than to a separate security queue |
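The SQL injection row says "parameterized queries" and names the identifier caveat; the block below is an added example (not code from this guide) that shows both sides against an in-memory SQLite database: a deliberately vulnerable login built with string formatting, the same check with bound parameters, and an ORDER BY clause that has to fall back to an allowlist because drivers cannot bind column names. The table, users and payloads are constructed for the example.

```python
"""SQL injection: vulnerable string-built query vs. parameterized query (sqlite3).
Added example; the schema and rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash_a", 1), ("bob", "hash_b", 0)],
    )
    return conn


def login_vulnerable(conn, username: str, password_hash: str):
    # DELIBERATELY VULNERABLE: user input is spliced into the SQL text, so a quote
    # in the username ends the literal and a "--" comments out the password check.
    query = (
        "SELECT username, is_admin FROM users "
        f"WHERE username = '{username}' AND password_hash = '{password_hash}'"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username: str, password_hash: str):
    # Parameterized: the statement is compiled first, values are bound afterwards,
    # so quotes and comment markers in the input stay data.
    query = "SELECT username, is_admin FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchall()


# Identifiers cannot be bound as parameters; restrict them to a fixed set instead.
ALLOWED_SORT_COLUMNS = {"id", "username"}


def list_users(conn, sort_by: str):
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_by}").fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"  # classic authentication bypass
    print("vulnerable:", login_vulnerable(db, payload, "wrong"))  # returns alice's row
    print("safe:      ", login_safe(db, payload, "wrong"))        # returns []
```

Running it shows the bypass succeeding against the formatted query and failing against the bound one, which is the demonstration an interviewer is looking for: explain why the second form works (query structure is fixed before the values arrive), not just that it is "the right way".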
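The JWT row lists alg=none, weak secrets and key confusion; all three come down to a verifier that trusts the token's own header. The block below is an added example, not code from this guide or from any JWT library: it builds HS256 tokens with the standard library, forges an alg=none token, shows a header-trusting verifier accepting it and a pinned-algorithm verifier rejecting it, and runs a small offline dictionary attack against a weak HS256 secret (what hashcat does at scale). The secrets, claims and wordlist are constructed for the example.

```python
"""JWT verification: header-trusting (vulnerable) vs. algorithm-pinned (hardened).
Added example using only the standard library; secrets and claims are constructed."""
import base64
import hashlib
import hmac
import json
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes) -> str:
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def forge_alg_none(claims: dict) -> str:
    """Attacker-side: unsigned token with an empty signature segment."""
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_trusting_header(token: str, secret: bytes) -> Optional[dict]:
    """VULNERABLE: the token's header decides whether a signature is checked."""
    h64, p64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") == "none":
        return json.loads(_b64url_decode(p64))  # no signature check at all
    if header.get("alg") == "HS256":
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, _b64url_decode(s64)):
            return json.loads(_b64url_decode(p64))
    return None


def verify_hardened(token: str, secret: bytes, allowed_alg: str = "HS256") -> Optional[dict]:
    """Algorithm and key are fixed by the verifier; the header only has to match."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
    except (ValueError, json.JSONDecodeError):
        return None
    if header.get("alg") != allowed_alg:
        return None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        return None
    return json.loads(_b64url_decode(p64))


def crack_hs256(token: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on an HS256 secret: no interaction with the server."""
    h64, p64, s64 = token.split(".")
    target = _b64url_decode(s64)
    for candidate in wordlist:
        sig = hmac.new(candidate.encode(), f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(sig, target):
            return candidate
    return None


if __name__ == "__main__":
    secret = b"example-secret"  # constructed
    forged = forge_alg_none({"sub": "alice", "admin": True})
    print("trusting verifier:", verify_trusting_header(forged, secret))  # accepts forged claims
    print("hardened verifier:", verify_hardened(forged, secret))         # None
    print("cracked secret:", crack_hs256(sign_hs256({"sub": "x"}, b"secret123"), ["password", "secret123"]))
```

RS256→HS256 key confusion is the same verifier bug seen from another angle: if the server selects the verification routine from the header, an attacker who has the RSA public key can sign with HS256 using that public key as the HMAC secret. Pinning the algorithm, as `verify_hardened` does, closes both holes; the weak-secret case needs a long random key on top of that.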
### Cloud Security

| Question | Answer Guidance |
|---|---|
| What is the shared responsibility model? | Cloud provider is responsible for security OF the cloud (physical infrastructure, hypervisor, managed service internals). Customer is responsible for security IN the cloud (data, IAM, network and service configuration). The line moves with the service model: more falls on the provider for managed services than for raw compute |
| How would you approach an AWS compromise? | Preserve CloudTrail logs and check they were not disabled (StopLogging, DeleteTrail) or deleted from their S3 bucket; identify the compromised principal from the access key ID in the events; deactivate its keys and cut active sessions with an explicit deny policy; check for new IAM users, roles, access keys, policy versions and trust-policy changes; look for resource abuse (EC2 spin-up, Lambda, S3 exfiltration, snapshot sharing to foreign accounts) |
| What is an IAM role vs user? | User: long-term credentials (access key and secret). Role: assumed through STS for temporary credentials that expire at the session limit, no long-term secret to leak. Prefer roles over users, and roles with instance profiles or workload identity over keys in config files |
| What is an S3 bucket misconfiguration? | Public ACLs, bucket policies granting Principal "*", missing default encryption and access logging. Enforce S3 Block Public Access at the account level; find exposures with IAM Access Analyzer, Macie, or a CSPM tool |
| How do you detect cryptomining in AWS? | GuardDuty CryptoCurrency findings (e.g. CryptoCurrency:EC2/BitcoinTool.B!DNS), unusual CPU/GPU utilisation, outbound traffic to mining pools, unexpected large or GPU instance types, and a billing jump |
| What is a CSPM tool? | Cloud Security Posture Management: continuously scans cloud configuration for misconfigurations against benchmarks such as CIS. Wiz, Prisma Cloud, Defender for Cloud |
| Explain IAM privilege escalation in AWS | iam:PassRole plus ec2:RunInstances: launch an instance with a more privileged instance profile and read its credentials from IMDS. iam:CreatePolicyVersion on a policy attached to you: write a new default version granting admin. Also iam:AttachUserPolicy, iam:CreateAccessKey on another user, and iam:UpdateAssumeRolePolicy. Tools: Pacu (exploitation), Cloudsplaining and PMapper (policy analysis) |
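The privilege-escalation row names the action combinations; a candidate who can show how a policy is actually tested for them stands out. The block below is an added example, not code from this guide, Pacu or Cloudsplaining: it flattens constructed IAM policy documents into their allowed action patterns and matches them against a small set of well-known escalation primitives, with wildcard actions (iam:*, *) expanded the way IAM matches them. The policy documents and account ID are invented; the check ignores Resource and Condition constraints and Deny statements, which a real analyzer must evaluate.

```python
"""Find IAM privilege-escalation primitives in policy documents.
Added example; policies below are constructed and the account ID is fake."""
import fnmatch

# Constructed policy documents (not from any real account).
POLICIES = {
    "DevOpsDeploy": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
            {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "arn:aws:iam::123456789012:role/*"},
        ],
    },
    "ReadOnlyAudit": {
        "Version": "2012-10-17",
        "Statement": {"Effect": "Allow", "Action": ["iam:Get*", "iam:List*", "s3:GetObject"], "Resource": "*"},
    },
    "PolicyEditor": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "iam:CreatePolicyVersion",
                       "Resource": "arn:aws:iam::123456789012:policy/*"}],
    },
    "WildcardAdmin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
}

# Escalation primitives: each entry is the set of actions that together let a
# principal gain more than it has. Names are this example's own labels.
ESCALATION_PATHS = {
    "PassRole to EC2 (launch an instance with a more privileged instance profile)":
        {"iam:PassRole", "ec2:RunInstances"},
    "PassRole to Lambda (create and invoke a function as a privileged role)":
        {"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"},
    "CreatePolicyVersion (write an admin version of an attached policy)":
        {"iam:CreatePolicyVersion"},
    "AttachUserPolicy (attach AdministratorAccess to self)":
        {"iam:AttachUserPolicy"},
    "CreateAccessKey (mint keys for another user)":
        {"iam:CreateAccessKey"},
    "UpdateAssumeRolePolicy (make a privileged role trust self)":
        {"iam:UpdateAssumeRolePolicy", "sts:AssumeRole"},
}


def allowed_actions(policy: dict) -> set:
    """Action patterns from Allow statements, lower-cased (IAM actions are case-insensitive).
    Assumption for this example: Resource, Condition and Deny statements are not evaluated."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    patterns = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(a.lower() for a in actions)
    return patterns


def grants(patterns: set, action: str) -> bool:
    """IAM-style wildcard match: '*' and 'iam:*' cover 'iam:PassRole'."""
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)


def find_escalations(policy: dict) -> list:
    patterns = allowed_actions(policy)
    return sorted(name for name, needed in ESCALATION_PATHS.items()
                  if all(grants(patterns, act) for act in needed))


def scan_all(policies: dict) -> dict:
    return {name: find_escalations(doc) for name, doc in policies.items() if find_escalations(doc)}


if __name__ == "__main__":
    for name, paths in scan_all(POLICIES).items():
        print(name)
        for p in paths:
            print("  -", p)
```

The DevOpsDeploy policy is the one to talk through: neither statement looks dangerous on its own, and the PassRole resource is scoped to roles in the account, yet together they let the holder become any role that has an instance profile. Explaining why a resource constraint on PassRole (or a Condition on iam:PassedToService) closes the path is the follow-up an interviewer will ask for.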
## Behavioral / Soft Skill Questions

| Question | Approach |
|---|---|
| Tell me about yourself | 90 seconds: background, why security, current skills, what you are looking for next |
| Describe a time you found a critical vulnerability | Use STAR. Include impact, how you communicated it, how it was remediated |
| How do you stay current in cybersecurity? | Twitter/X follows, RSS feeds (Krebs, Bleeping Computer), HTB/THM weekly, CISA advisories, conference talks (DEF CON, Black Hat YouTube) |
| How do you explain a technical issue to a non-technical stakeholder? | Avoid jargon, use analogies, focus on business impact and risk, recommend specific actions |
| Tell me about a time you worked under pressure | Security incident scenarios work well. Show structured thinking (triage, escalation, resolution) |
| What do you do when you disagree with a security decision? | Raise the concern with data, document it, accept the decision if overruled, but escalate if it poses unacceptable risk |
| Where do you want to be in 5 years? | Show ambition tied to the role: certifications planned, skills to develop, leadership aspirations |
## Technical Practical Tests

Many companies include a practical component. Common formats:

### CTF / Challenge Box

- Practice on HackTheBox, TryHackMe, PicoCTF
- Be comfortable with basic privesc on both Windows and Linux
- Know how to enumerate quickly: nmap, gobuster/ffuf, enum4linux
## Governance, Risk & Compliance (GRC)

| Question | Answer Guidance |
|---|---|
| What is a risk register? | A living document tracking identified risks, their likelihood, impact, owner, and treatment status. Updated regularly and reviewed by leadership |
| Explain the difference between a policy, standard, and procedure | Policy: high-level intent and direction. Standard: specific measurable requirement. Procedure: step-by-step instructions. Guidelines: recommended but not mandatory |
| What is NIST CSF 2.0 and what are its six functions? | Govern, Identify, Protect, Detect, Respond, Recover. CSF 2.0 (February 2024) added Govern as a new function covering strategy, roles, and organizational risk appetite |
| What is a SOC 2 Type II report? | AICPA attestation report on controls against the Trust Services Criteria (Security is mandatory; Availability, Processing Integrity, Confidentiality and Privacy are included as scoped) over a review period, typically 6-12 months. Type I: design only, at a point in time. Type II: operating effectiveness over the period |
| How do you perform a gap analysis? | Compare current-state controls against a target framework. Document gaps, assign risk ratings, prioritize by risk severity and remediation effort |
| What is a BIA (Business Impact Analysis)? | Identifies critical business functions and quantifies the impact of disruption. Outputs RTO, RPO, and MTD per critical function |
| Qualitative vs. quantitative risk assessment? | Qualitative: High/Medium/Low ratings, fast but subjective. Quantitative: dollar-value calculations (ALE = ARO x SLE), more defensible for budget decisions |
| How would you build a third-party risk program? | Tier vendors by risk level (data access, operational criticality), define questionnaires per tier, review SOC 2 and ISO 27001 reports, perform on-site assessments for the highest-risk vendors, include contractual security requirements |
| What is CMMC 2.0? | DoD framework for defense contractors: Level 1 (17 basic safeguarding practices), Level 2 (the 110 NIST SP 800-171 requirements), Level 3 (Level 2 plus 24 requirements from NIST SP 800-172). Assessment depends on level: Level 1 is an annual self-assessment, Level 2 is a self-assessment or a C3PAO third-party assessment depending on the contract, and Level 3 is assessed by the government (DIBCAC) |
| How do you measure security program effectiveness? | KPIs: patch SLA compliance rate, phishing simulation click rate trend, MTTD/MTTR, critical vulnerability remediation rate, control test pass rates, audit findings closed on time |
## Threat Intelligence Analyst

| Question | Answer Guidance |
|---|---|
| Explain the intelligence lifecycle | Planning and Direction -> Collection -> Processing -> Analysis -> Dissemination -> Feedback. The feedback loop refines future collection requirements |
| What is the difference between strategic, operational, and tactical intelligence? | Strategic: long-term executive-level trend reports. Operational: active campaign TTPs and threat actor profiles. Tactical: IOCs (IPs, hashes, domains) for immediate defensive use |
| What is the Diamond Model of Intrusion Analysis? | Framework with four vertices: Adversary, Capability, Infrastructure, Victim. Used to link intrusion events into campaigns and cluster activity for attribution |
| Cyber Kill Chain vs. ATT&CK? | Kill Chain (Lockheed Martin): 7 linear phases from Reconnaissance to Actions on Objectives. ATT&CK: granular non-linear taxonomy (14 tactics in the Enterprise matrix and hundreds of techniques), better for detection engineering and coverage gap analysis |
| What is MISP and how is it used? | Open-source Threat Intelligence Platform for sharing structured threat data. Supports STIX/TAXII, automated correlation, and galaxy clusters for tagging actors and malware families |
| How do you assess confidence in a report? | Evaluate source reliability (track record and access level), information credibility (corroboration, timeliness, internal consistency), and analysis quality. Apply the Admiralty Scale or ACH methodology |
| IOC types and their limitations? | Types: IPs, domains, URLs, file hashes, email addresses. Primary limitation: high perishability, since adversaries rotate infrastructure rapidly. TTPs are more durable indicators for long-term detection |
| What is STIX/TAXII? | STIX: structured JSON format for threat intelligence objects (indicators, campaigns, malware, TTPs, threat actors). TAXII: transport protocol for automated STIX data sharing between platforms |
| Describe a threat actor you know well | Example: APT29/Cozy Bear (Russian SVR): targets government and political organizations, responsible for the SUNBURST (SolarWinds) supply chain attack, uses Cobalt Strike with custom malleable C2 profiles, spearphishing, and living-off-the-land techniques across the entire kill chain |
## Salary Negotiation & Offer Evaluation

### Know Your Market Value

Research compensation thoroughly before any negotiation. Key sources:

Ranges vary significantly by location, company size, industry, and clearance level. TS/SCI clearance typically commands a $20,000-$50,000+ premium.

### Negotiation Principles

- **Get the offer in writing first.** Never negotiate from a verbal offer.
- **Never anchor first.** When asked for salary expectations: "I would prefer to discuss compensation once I understand the full scope of the role and total package."
- **Counter anchored high.** If offered $95,000 and your market data supports $110,000-$120,000: "Based on my experience with [specific skills/certs] and current market data, I was targeting $110,000-$120,000. Is there flexibility?"
- **Evaluate total compensation.** Bonus target, RSU vesting schedule, 401k match, health premiums, training budget ($5,000-$15,000/yr at top security employers), remote flexibility, and signing bonus all have real dollar value.
- **Use competing offers ethically.** "I have a competing offer at $X. I prefer your organization because of [genuine reason], but would need compensation closer to that level to accept."

### Handling Negotiation Pushback

| Pushback | Effective Response |
|---|---|
| "That is above our budget" | "Could we structure a 90-day review milestone with a defined path to $X?" |
| "We have a fixed salary band" | "What is the top of the band? Can we close the gap with signing bonus or additional PTO?" |
| "You lack the experience" | "Understood. Given my [cert/project/achievement], what would a 6-12 month milestone look like to reach that target?" |
| "We need an answer today" | "I need 48 hours to review the complete offer and benefits. I will confirm by [specific date and time]." |

Never accept same-day pressure tactics. Legitimate offers allow at least 48-72 hours for consideration.
## Related Resources

- Career Paths: role descriptions, salary ranges, and progression maps