CompTIA Security+ interview questions
Foundational, vendor-neutral security knowledge — the baseline cert many roles ask for.
Is AES-256 dramatically more secure than AES-128 for real-world use?
For practical purposes, no. AES-128 already needs about 2^128 work to brute-force — utterly infeasible — so AES-256 doesn't make you meaningfully safer against brute force; it mainly adds margin (e.g. post-quantum headroom, compliance). Both are standardized and unbroken. Your mode (GCM), nonce handling, and key management matter far more than 128 vs 256. 'AES-256 is twice as secure' is the misconception.
A full antivirus scan came back clean — does that prove the machine isn't compromised?
No. Antivirus is one signal, not proof. It misses fileless and in-memory attacks, brand-new or obfuscated samples, living-off-the-land abuse of legitimate tools, and rootkits built to hide from it. Absence of evidence is not evidence of absence — real assurance comes from EDR telemetry, memory forensics, behavioral analysis, and IOC hunting. Treating a clean AV scan as proof of a clean system is a classic incident-response mistake.
Is a fingerprint or face scan an example of 'something you know'?
No. The three authentication factor categories are something you know (password/PIN), something you have (token/phone), and something you are (biometrics). A fingerprint or face scan is 'something you are', a measured physical trait. The gotcha: biometrics aren't secrets and can't be rotated — if your fingerprint template leaks, you cannot change your fingerprint. That's why biometrics work best as one factor, often unlocking a local key, rather than as a standalone password replacement.
How do you decrypt a SHA-256 hash back to the original input?
You don't — cryptographic hashes are one-way functions with no inverse. 'Cracking' a hash means guessing candidate inputs, hashing each, and comparing (dictionary, brute force, rainbow tables), which is exactly why slow salted hashes are used for passwords. There is no key that 'decrypts' a hash. If something can be decrypted it was encrypted, not hashed — and Base64 is reversible encoding, not hashing.
Your antivirus flagged the EICAR file — does that mean you're infected with a virus?
No. The EICAR test file is a deliberately harmless 68-byte ASCII string that every AV vendor agrees to detect, so you can safely verify detection and alerting without touching real malware. A hit means your AV is working — not that you are infected. It is not a virus and does nothing if executed. Mistaking an EICAR test detection for a real infection is a common early-career gotcha.
Does HTTPS hide which website you're visiting from your ISP or network?
Mostly no. The destination hostname is sent in the clear in the TLS ClientHello's SNI extension, and your DNS query usually reveals it too, so an ISP or network can see WHICH site you visit even over HTTPS — they just can't read the path or content. Encrypted ClientHello (ECH) and DNS-over-HTTPS can close this gap, but they aren't universal. 'HTTPS hides everything' is the misconception.
Does HTTPS protect data stored in the database (data at rest)?
No. TLS/HTTPS secures data in transit between client and server; once received, the data is decrypted and handled in plaintext by the app, then stored however the database is configured. Protecting data at rest is a separate concern — disk/column encryption, a KMS, and access control. Conflating 'we use HTTPS' with 'our stored data is encrypted' is a common and dangerous misconception.
Will switching the site to HTTPS prevent SQL injection and XSS?
No. HTTPS encrypts the channel so attackers can't read or tamper with traffic in transit, but the malicious input still arrives, is decrypted, and is processed by your app exactly as before. SQL injection and XSS are application-layer flaws fixed by parameterized queries and output encoding, not by transport encryption. The misconception assumes encryption sanitizes content — it doesn't; the attacker simply sends the payload over the HTTPS connection.
Is a device's MAC address permanent and globally unique?
No. A MAC is assigned by the vendor (OUI plus device id) and is 'burned in,' but essentially every OS lets you override it in software (macchanger, ip link set address). So MAC addresses are spoofable and must not be relied on for authentication — MAC filtering is weak, and phones now randomize MACs for privacy. 'Permanent and unique' is the misconception.
Does enabling MFA make an account impossible to phish?
No. MFA raises the bar a lot, but OTP and push factors are phishable: adversary-in-the-middle kits (e.g. Evilginx) proxy the login and relay the code in real time, and MFA-fatigue/push-bombing tricks users into approving. Captured codes are reusable within their short window. The misconception is 'MFA = unphishable'; the factor type is what matters. Phishing-resistant MFA — FIDO2/WebAuthn passkeys bound to the site's origin — is what actually defeats this.
Does NAT act as a firewall and secure your network?
No. NAT (and PAT) maps private addresses to a public IP and, as a byproduct, drops unsolicited inbound connections because no mapping exists for them. That's not a security policy — there's no inspection, no rules, no logging — and NAT traversal, hole punching, and outbound-initiated C2 pass right through. NAT is an addressing tool; you still need an actual firewall. 'NAT = firewall' is the misconception.
Your account was breached — does simply changing the password kick the attacker out?
Not by itself. Many systems keep existing sessions and previously issued tokens valid after a password change — OAuth refresh tokens, 'app passwords', API keys, and persistent cookies — so an attacker with a live session can stay in. The correct response is to change the password AND invalidate all sessions and tokens, revoke app credentials, and audit MFA devices and recovery settings. Assuming a password reset alone evicts the attacker is a classic incident-response mistake.
Is data sent via HTTP POST hidden or more secure than data sent via GET?
No. POST simply carries parameters in the request body instead of the URL; that body is plaintext and fully visible to anyone who can see the traffic unless HTTPS is used. POST is preferable for state-changing actions and keeps params out of URLs, logs, and browser history, but it provides no confidentiality on its own. The misconception confuses 'not in the URL' with 'encrypted' — only TLS encrypts either method's data in transit.
A server looks compromised — does rebooting or shutting it down fix the problem?
No. Most real intrusions establish persistence (services, scheduled tasks, run keys, implants) that survives a reboot, so the attacker simply returns. Worse, powering off wipes volatile evidence — running processes, network connections, in-memory malware, and encryption keys — that you need to scope the incident. The right move is to contain by isolating the host while preserving memory, then investigate. Rebooting or shutting down as a 'fix' is a damaging instinct.
Does a password salt need to be kept secret?
No. A salt is a unique, random value stored right alongside the hash; its job is to make identical passwords hash differently and to defeat precomputed rainbow tables — not to stay secret. It's fine if an attacker who steals the database also gets the salts. What actually protects passwords is a slow, salted hash (bcrypt, scrypt, Argon2). A separate, optional secret 'pepper' is a different concept.
What port does traceroute use?
Trick question — there's no single traceroute port. Classic Unix traceroute sends UDP datagrams to high, unlikely ports starting around 33434 with an increasing TTL; Windows tracert uses ICMP Echo instead. It works by reading the ICMP Time Exceeded messages routers return as the TTL expires, not by hitting a reserved port. And ICMP itself has no ports at all.
You're deciding how to store user passwords. What's the correct approach?
Password storage needs a deliberately slow, salted, memory-hard hash — bcrypt, scrypt, or Argon2 — so cracking stolen hashes is expensive and rainbow tables don't apply. A fast hash like SHA-256 is trivially brute-forced at scale; reversible encryption means one key compromise exposes every password at once; and plaintext is indefensible no matter how locked down the database is. Choose Argon2id (or bcrypt) with a tuned work factor and a unique per-user salt.
A scan shows your server still supports SSLv3/TLS 1.0 and RC4. What do you do?
SSLv3, TLS 1.0, and RC4 are broken or deprecated and enable downgrade and decryption attacks, so disable them and require TLS 1.2 or 1.3 with strong, forward-secret cipher suites — accepting the rare loss of very old clients. Leaving them on for compatibility keeps the weakness exploitable. Adding a second certificate or switching to a self-signed one doesn't remove the weak protocols, and self-signed certs harm trust without fixing the cryptography.
The help desk gets an urgent call demanding an immediate password reset for an executive, with no identity verification and lots of time pressure. What should the agent do?
Urgency, authority, and skipping verification are textbook social-engineering pressure aimed at a high-value account. The agent must follow the defined identity-verification process before resetting anything, and escalate if it can't be satisfied. Resetting on demand, using a guessable 'security question' like a favorite color, or emailing the new password to the caller all hand an attacker control of the executive's account.
A firewall review finds an 'any source / any destination / allow' rule near the top of the policy. What's the issue and fix?
Because firewalls evaluate rules top-down, a broad any/any allow near the top short-circuits every rule below it and permits all traffic — the firewall effectively stops enforcing anything. Replace it with explicit least-privilege rules for the flows actually needed, ordered so specific allows and denies take effect, ending in a default deny. Calling it efficient is wrong, moving it to the bottom can still shadow the default deny, and renaming changes nothing about what it permits.
EDR flags a process reading LSASS memory. Why does it matter and what do you do?
LSASS stores cached credentials and secrets, so an unexpected process reading its memory is a hallmark of credential theft (e.g., mimikatz-style dumping). Triage the offending process and parent, isolate the host to stop lateral movement, and rotate the credentials that could have been captured — including privileged and service accounts. It has nothing to do with graphics rendering or disk space, and ignoring it as normal can lead to domain-wide compromise. The benign-sounding distractors are exactly how analysts miss an active intrusion.
A user opened an Office document and enabled macros; EDR then shows a child process spawned by Word. What's your first action?
Word spawning a child process right after macros were enabled is a classic malicious-document initial-access pattern. Isolate the host to limit spread, capture volatile evidence, and investigate the spawned process, its network activity, and any persistence. Asking the user to close the file or repairing Office doesn't address an executing payload that may already have run. Doing nothing because the file came by email is backwards — email is exactly how this attack is delivered. Contain first, then investigate.
On Windows, an alert shows a new scheduled task launching PowerShell from %TEMP%. What is this likely to be and your move?
Legitimate software rarely runs PowerShell out of %TEMP% via a freshly created scheduled task — it's a common persistence and execution technique. Examine the task definition, the invoked script, the creating process and the timeline, contain the host, and sweep the environment for the same pattern. Updates don't look like this, blanket-trusting scheduled tasks ignores a known TTP, and deleting System32 breaks the OS while doing nothing about the threat. The first three options all reflect dangerously weak judgment.
A new VM was launched with SSH (22) and RDP (3389) open to 0.0.0.0/0. What's the right remediation?
Management ports open to the whole internet are scanned and brute-forced within minutes, so the fix is to shrink the attack surface: restrict the security-group ingress to known admin CIDRs or VPN, or remove inbound entirely using a bastion or SSM Session Manager. Moving SSH to a non-standard port is security by obscurity that scanners defeat trivially. A stronger password doesn't reduce the exposed surface or stop credential-stuffing. Trusting a host firewall ignores the attack surface the security group is openly advertising to the internet.
A critical unauthenticated RCE patch is out for an internet-facing server, but the team fears downtime. How do you proceed?
An internet-facing, unauthenticated RCE is emergency-grade: shrink the exposure window with a tested, staged or rolling deploy, and add compensating controls (restrict access, WAF rules) in the meantime. Waiting for the quarterly window leaves a wormable hole open for weeks. Blind production patching during business hours with no testing risks an outage and a botched rollback. Trusting the perimeter firewall does nothing — the service is already exposed and the exploit needs no credentials.
A developer accidentally pushed an AWS access key to a PUBLIC GitHub repo. What is the correct response order?
Treat any pushed secret as burned: revoke and rotate it first, because bots scrape public commits within seconds, then review CloudTrail for misuse and purge it from history. Deleting the commit doesn't help — the key is already cloned, forked, and cached by third parties. Making the repo private leaves a live, already-leaked key in attackers' hands. Adding the file to .gitignore does nothing for a secret that is already committed.
You discover the application logs full credit-card numbers and passwords in plaintext. What's the fix priority?
Sensitive data should never reach logs: redact or mask at the source first to stop the bleeding, then remediate the historical logs and tighten access. PCI DSS forbids storing full PANs and CVVs this way, and passwords should never be logged at all. 'Internal' logs are still a prime breach target. Encrypting or ACLing the store still leaves cleartext secrets sitting in logs for anyone with read access — backups, SIEM pipelines, and admins all see them.
An alert shows a user logging in from Paris and, five minutes later, from Singapore. Before declaring an incident, what do you check FIRST?
Validate before escalating. Corporate VPNs, cloud proxies (like CASB or M365 service IPs) and mobile carriers routinely produce false 'impossible travel,' so check the egress IPs, the MFA result, and the device/user-agent before pulling the trigger. Auto-locking on every hit causes alert fatigue and erodes user trust in the SOC. Assuming it's always a false positive misses real account takeover. Emailing the manager is slow and isn't a security control — the logs answer the question faster and more reliably.
A user reports they clicked a link in a suspicious email and typed their password into the page. What is your FIRST action?
Assume the password is already compromised: force a reset AND invalidate the account's active sessions and tokens, because a reset alone won't evict an attacker who already holds a live session or refresh token. Then hunt for anomalous logins, MFA prompts, mailbox rules and OAuth grants from the exposure window. Deleting the email or telling the user to change it "next time" leaves the account wide open. An antivirus scan addresses malware on the endpoint, not stolen credentials in the cloud.
Monday 9am, four alerts are open. Which do you work FIRST?
Triage by impact and reachability: credential dumping (a mimikatz signature) on a domain controller is a crown-jewel event that can lead to full domain compromise, so work it first. The external port scan was already blocked by the IDS, the unapproved browser extension is low severity, and an expired TLS cert on an internal test box is informational. The core SOC skill is prioritizing by blast radius and likelihood of escalation, not by alert age or how loud the alert is.
What are the benefits and risks of using AI in the SOC?
AI helps the SOC by triaging and de-duplicating alerts, summarizing incidents, enriching context, drafting detections, and accelerating analyst onboarding — reducing fatigue and dwell time. The risks: hallucinated or confidently wrong conclusions, automation bias where analysts stop verifying, prompt injection through attacker-controlled log or alert data, sensitive data leaking into third-party models, and adversaries using the same tools. Keep a human in the loop, verify outputs, and isolate untrusted inputs.
What is the difference between direct and indirect prompt injection?
Direct prompt injection is when a user types adversarial instructions straight into the prompt to override the system prompt or safety rules. Indirect prompt injection hides malicious instructions inside external content the model later ingests — a web page, email, PDF, or RAG document — so the attack fires without the victim ever typing it. Indirect injection is the bigger risk because the attacker and the victim are different people, and the payload rides in on data the app implicitly trusts.
What is insecure output handling in LLM apps, and how does it cause XSS or SSRF?
Insecure output handling is trusting what the model returns and passing it to a downstream system without validation or encoding. Because model output is attacker-influenceable, rendering it as raw HTML causes XSS, feeding it to a URL fetcher causes SSRF, and passing it to a shell or SQL query causes command or SQL injection. The fix is to treat model output exactly like untrusted user input: context-aware output encoding, allowlisting, sanitization, and parameterization before it reaches any sink.
How is a jailbreak different from a prompt injection?
A jailbreak targets the model's safety alignment — it tricks the model into producing content the provider tried to prohibit, like instructions for harm. Prompt injection targets the application's instruction hierarchy — it overrides the developer's system prompt or hijacks the model's behavior within an app, often via untrusted data. Jailbreaks attack the model; prompt injection attacks the surrounding system. They overlap, but the goal and the trust boundary they cross are different.
How do LLM applications leak sensitive information, and how do you prevent it?
LLM apps leak data several ways: the model memorizes and regurgitates sensitive training or fine-tuning data, the system prompt (which may hold secrets or logic) gets extracted, retrieved RAG documents expose data the user shouldn't see, and context from one user or session bleeds into another. Prevention means data minimization before training, never putting secrets in prompts, enforcing per-user authorization on retrieval, output filtering and PII redaction, and tenant isolation.
Distinguish credential stuffing from password spraying, including how each appears in logs.
Credential stuffing replays known username:password pairs from third-party breaches, betting on password reuse — high success rate per attempt, often distributed across many IPs and devices to look human. Password spraying tries one or two common passwords (like Winter2026!) across many accounts to stay under lockout thresholds. Stuffing exploits reuse; spraying exploits weak shared passwords. MFA defeats both.
Explain the Lockheed Martin Cyber Kill Chain and how a blue team uses it.
The Cyber Kill Chain models an intrusion as seven sequential stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Defenders map detections and controls to each stage; because the stages are sequential, breaking any single link — blocking the phishing email, killing C2 — disrupts the whole attack. It pushes you to detect early rather than only at the final breach.
Explain DNS data exfiltration and how a blue team would detect it.
DNS exfiltration encodes stolen data into DNS queries (e.g. long subdomain labels sent to an attacker-controlled authoritative server), abusing the fact that DNS is almost always allowed outbound and often unmonitored. Detect it with anomalies: unusually high query volume to one domain, long/high-entropy subdomains, many unique subdomains per parent domain, TXT/NULL record abuse, and queries to newly registered or rare domains.
What is the difference between EDR and traditional signature-based antivirus?
Traditional antivirus matches files against signatures of known malware and blocks or quarantines them — great for known threats, weak against novel or fileless attacks. EDR continuously records endpoint behavior (processes, network, registry, memory), uses behavioral analytics to detect suspicious activity, and lets responders investigate, hunt, and remotely contain or roll back. AV is prevention by signature; EDR adds visibility, detection, and response.
What are the phases of the incident response lifecycle, and why does the order matter?
The classic model is PICERL: Preparation, Identification (detection), Containment, Eradication, Recovery, and Lessons Learned. NIST groups it as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The order matters because you must scope and contain before you eradicate, and you only recover once the threat is removed — otherwise you reinfect. It is a loop, not a line: lessons learned feed back into preparation.
Explain the difference between Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).
An IOC is a forensic artifact that something bad already happened — a malicious file hash, a C2 IP or domain, a known-bad registry key. An IOA is a behavioral signal of an attack unfolding regardless of the specific tools — e.g. a Word document spawning PowerShell, then reaching out to the internet. IOCs are reactive and easy to evade by changing a hash; IOAs catch intent and survive tool changes.
Name the common ways malware persists on a Windows host across reboots, and how you would hunt for them.
Persistence is how malware survives reboots and logoffs. The staples on Windows are registry Run/RunOnce keys (HKLM and HKCU), scheduled tasks, and Windows services, plus startup folders, WMI event subscriptions, and DLL hijacks. You hunt them with autoruns/Sysinternals, Sysmon, and event logs — looking for unsigned binaries, odd paths like %AppData%, and entries created right after initial compromise.
Explain the order of volatility and why it drives the sequence of evidence collection in DFIR.
Order of volatility ranks evidence by how fast it vanishes, so you collect the most fragile first. Roughly: CPU registers/cache, then RAM and running state (processes, network connections, ARP), then temporary/swap files, then disk, then remote logging and monitoring data, and finally archival media and backups. You also work on forensic copies, hash them, and keep a chain of custody so evidence stays admissible.
Where are user password hashes stored on Windows and on Linux, and why do attackers target those files?
On Windows, local account hashes (NTLM) live in the SAM hive under C:\Windows\System32\config\SAM, protected while the OS runs; live credentials sit in LSASS memory, and domain hashes are in NTDS.dit on a domain controller. On Linux, hashes are in /etc/shadow (readable only by root), while /etc/passwd holds account metadata. Attackers steal these to crack passwords offline or pass-the-hash.
Explain process injection, give a couple of techniques, and say how a blue team detects it.
Process injection runs attacker code inside the memory space of a legitimate process so the activity blends in and inherits that process's trust. Classic techniques include DLL injection (CreateRemoteThread + LoadLibrary), process hollowing (start a benign process suspended, unmap it, write malicious code), and APC injection. Defenders detect it via EDR API hooks, anomalous parent/child or memory regions (RWX, unbacked executable memory), and Sysmon CreateRemoteThread events.
What is ransomware, and walk me through how you respond once it is actively encrypting systems.
Ransomware is malware that encrypts (and increasingly exfiltrates) data, then demands payment. In an active case: isolate affected hosts from the network without powering them off if you can preserve memory, identify scope, patient zero, and the strain, preserve evidence, find and evict the foothold and any backdoors, then restore from known-clean offline backups. Paying is a last resort and never guarantees recovery.
Explain how SPF, DKIM, and DMARC work together to prevent email spoofing.
SPF publishes which IPs may send mail for a domain. DKIM adds a cryptographic signature so the receiver can verify the message was not altered and came from the domain. DMARC ties SPF/DKIM results to the visible From: header via 'alignment', tells receivers what to do on failure (none/quarantine/reject), and sends reports. SPF and DKIM alone do not protect the From a user sees — DMARC is what enforces that.
Compare static and dynamic malware analysis, including the strengths and limits of each.
Static analysis examines a sample without executing it — hashes, strings, imports, headers, and disassembly — so it is safe and complete in coverage but defeated by packing and obfuscation. Dynamic analysis detonates the sample in an isolated sandbox and observes real behavior — files, registry, processes, network — which cuts through obfuscation but only reveals what runs in that session and can be evaded by sandbox-aware malware. Analysts combine both.
What is a honeypot, what types exist, and what value does it give a blue team?
A honeypot is a decoy system or service with no legitimate business use, deliberately exposed to attract attackers. Because nothing benign should ever touch it, any interaction is a high-confidence alert. Low-interaction honeypots emulate services cheaply; high-interaction ones are real systems that yield richer intel but carry more risk. Honeytokens are the same idea applied to fake credentials, files, or records. Value: early detection, low false positives, and threat intelligence.
Which Windows event IDs and logs would you pull first during an intrusion investigation?
The Security log is primary: 4624 successful logon (with logon type), 4625 failed logon, 4634/4647 logoff, 4672 special privileges assigned, 4720 account created, 4688 process creation (with command line if enabled), and 4768/4769 Kerberos. Add 7045 service install (System log), 4698 scheduled task created, and PowerShell script-block logging (4104). Logon type and command-line auditing are what make these logs useful.
How do you handle encryption at rest and in transit in the cloud?
Encryption in transit (TLS) protects data moving over the network from eavesdropping and tampering; enforce TLS everywhere and reject plaintext. Encryption at rest protects stored data on disks and backups, typically via KMS-managed keys using envelope encryption. Both are baseline controls, but neither stops an authorized-but-malicious request — the service decrypts transparently for valid callers — so access control still matters most.
IAM roles vs users vs policies — how do you apply least privilege in the cloud?
A user is a long-lived identity with permanent credentials; a role is an identity with no permanent credentials that any trusted principal can assume to get short-lived tokens; a policy is the JSON document that grants permissions, attached to either. Least privilege means preferring roles over users, scoping policies to specific actions and resources, and granting only what a task needs — then reviewing and pruning over time.
What's the difference between security groups and network ACLs?
Security groups are stateful firewalls attached to instances/ENIs: they allow rules only, and return traffic for an allowed flow is automatically permitted. Network ACLs are stateless filters at the subnet boundary: they have ordered allow and deny rules and you must explicitly allow return traffic on ephemeral ports. Security groups are the primary control; NACLs add coarse subnet-level guardrails like blocking an IP range.
Explain the cloud shared responsibility model.
The provider secures the cloud itself — physical data centers, hardware, the hypervisor, and the managed services they run. You secure what you put in the cloud — your data, identities, configurations, OS patching where applicable, and access controls. The exact line shifts: with IaaS you own the OS up, with SaaS you mostly own data and access.
What's the difference between Diffie-Hellman and RSA?
RSA is an asymmetric algorithm used to encrypt data or create digital signatures using a key pair. Diffie-Hellman is a key-agreement protocol that lets two parties derive a shared secret over a public channel without ever transmitting it. They solve different problems: RSA proves identity and can wrap keys; DH negotiates a session key — and its ephemeral variant gives forward secrecy.
What is a digital signature and how does it prove origin and integrity?
A digital signature is the hash of a message transformed with the signer's private key. The verifier recomputes the hash, applies the signer's public key, and checks they match. Because only the signer holds the private key, a valid signature proves the message came from them (authenticity), wasn't altered (integrity), and that they can't credibly deny it (non-repudiation).
How does an HMAC work and why use it instead of a plain hash?
HMAC is a keyed message authentication code: it hashes the message together with a secret key using a nested construction (inner and outer hash with key-derived pads). It proves both integrity (the message wasn't altered) and authenticity (it came from someone holding the key). A plain hash proves neither, since anyone can recompute it; HMAC also resists length-extension attacks.
How do JWTs work, and what security pitfalls should you watch for?
A JWT is three base64url parts — header, payload (claims), and signature — joined by dots. The server signs the header and payload with a secret or private key, and verifies that signature on each request to trust the claims without server-side session state. Pitfalls: accepting alg=none, RS256-to-HS256 key confusion, not validating expiry/issuer/audience, putting secrets in the readable payload, and no revocation path.
Explain how Kerberos authentication works with TGTs and service tickets.
Kerberos relies on a trusted Key Distribution Center (KDC). The client authenticates once to the Authentication Server and gets a Ticket-Granting Ticket (TGT) encrypted with the KDC's key. To reach a service, it presents the TGT to the Ticket-Granting Service and receives a service ticket encrypted with that service's key. The service decrypts and trusts it. Passwords never traverse the network, and tickets are time-limited.
Walk me through the OAuth 2.0 authorization code flow.
The app redirects the user to the authorization server to log in and consent. The server redirects back with a short-lived authorization code. The app's backend then exchanges that code (plus its client secret) at the token endpoint for an access token, over a server-to-server back channel. This keeps tokens out of the browser/URL. Public clients add PKCE to bind the code to the original requester.
How should passwords be stored, and why use bcrypt/scrypt/argon2 over fast hashes?
Store passwords using a deliberately slow, salted, adaptive password-hashing function — bcrypt, scrypt, or Argon2 — never a fast general-purpose hash like SHA-256 or MD5. Fast hashes are built for speed, so attackers with GPUs can test billions of guesses per second against a leaked database. Slow hashes have a tunable work factor (and memory cost) that makes each guess expensive, keeping brute force impractical even after a breach.
What is Perfect Forward Secrecy and why does it matter?
Perfect Forward Secrecy (PFS) means each session derives a unique key from an ephemeral key exchange that is thrown away afterward. If an attacker later steals the server's long-term private key, they still cannot decrypt previously captured traffic, because that key was never used to derive the session keys. It's achieved with ephemeral Diffie-Hellman (DHE/ECDHE).
What is a salt in password hashing, why is it used, and what is a pepper?
A salt is a unique, random value generated per user and combined with the password before hashing. It ensures identical passwords produce different hashes and makes precomputed attacks like rainbow tables useless, since the attacker would need a separate table per salt. Salts are stored alongside the hash. A pepper is an additional secret value, the same for all users, kept separately (e.g., in app config or an HSM) so a database leak alone isn't enough.
How does Single Sign-On work, and how do SAML and OIDC differ?
SSO centralizes authentication at an Identity Provider (IdP). When a user visits a Service Provider (the app), the app redirects to the IdP; the user logs in once, and the IdP returns a signed assertion or token vouching for their identity. SAML carries this as a signed XML assertion; OIDC carries it as a signed JSON ID token layered on OAuth 2.0. The app trusts the IdP's signature rather than handling passwords itself.
How does a TOTP authenticator app generate those 6-digit codes?
TOTP (Time-based One-Time Password) combines a shared secret, established at enrollment, with the current time divided into fixed windows (usually 30 seconds). It runs HMAC over the time-step counter with the secret, then truncates the result to a 6-digit code. Both the app and server hold the same secret and clock, so they independently compute the same code — no network call needed. The code rotates each window.
How do you secure Infrastructure as Code in the pipeline?
IaC scanning statically analyzes Terraform, CloudFormation, Kubernetes, and similar definitions against policy to catch misconfigurations — public S3 buckets, open security groups, missing encryption — before they're ever provisioned. Because the same template provisions many resources, fixing it once prevents repeated drift, and catching it pre-apply is far cheaper than remediating live cloud resources. Tools include Checkov, tfsec, and KICS, ideally enforced as policy-as-code gates.
What's the difference between SAST, DAST, and IAST?
SAST reads source code without running it, finding flaws like injection sinks early but with many false positives. DAST attacks the running app from the outside with no code visibility, finding real exploitable issues but late and with shallow coverage. IAST instruments the running app to correlate runtime behavior with code, getting accurate results with code context, but needs an exercised application and agent support.
What is an SBOM and why does it matter?
An SBOM is a machine-readable inventory of every component, library, and dependency in a piece of software, with versions and ideally hashes. It matters because when a new vulnerability drops, you can query your SBOMs to instantly answer 'are we affected and where?' instead of scrambling. The two dominant standards are SPDX and CycloneDX, and SBOMs are increasingly required by regulation and procurement.
Walk me through the TLS 1.3 handshake.
Client and server agree on a shared secret in a single round trip using ephemeral Diffie-Hellman (ECDHE). The ClientHello carries the supported groups and a key share; the server replies with its key share and certificate, both sides derive the same keys, and application data flows immediately — with forward secrecy by default.
Can you explain the CIA triad and why it matters?
The CIA triad is the three core goals of information security: confidentiality (only authorized parties can read data), integrity (data isn't altered without authorization), and availability (authorized users can access systems when needed). Almost every control maps to one or more of these.
Explain defense in depth and give an example.
Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. It assumes no single control is perfect — for example combining a firewall, network segmentation, endpoint protection, MFA, least privilege, and encryption rather than relying on a perimeter alone.
Can you explain the difference between hashing, encryption, and encoding?
Encoding (like Base64) is a reversible format change with no secret — not security. Encryption is reversible with a key and protects confidentiality. Hashing is a one-way function producing a fixed-length digest, used for integrity checks and password storage, and cannot be reversed back to the input.
Explain the difference between an IDS and an IPS.
An IDS (intrusion detection system) monitors traffic and raises alerts but does not block — it's typically out-of-band. An IPS (intrusion prevention system) sits inline in the traffic path and can actively drop or block malicious traffic. IPS prevents, but a false positive can break legitimate traffic.
Explain the principle of least privilege and how you'd apply it.
Least privilege means every user, process, and service gets only the minimum access required for its task, and nothing more. It limits the blast radius of a compromised account, reduces insider-threat risk, and shrinks the attack surface. You apply it via role-based access, regular access reviews, and just-in-time elevation.
What is MFA, and why is it more secure than a password alone?
MFA requires two or more authentication factors from different categories — something you know (password), something you have (phone/token), something you are (biometric). It helps because an attacker who steals one factor, like a password, still can't log in without the others. Phishing-resistant MFA like FIDO2 is strongest.
What is phishing, and what controls would you put in place to reduce it?
Phishing is social engineering that tricks people into revealing credentials, sending money, or running malware, usually via fake emails or sites. Defense is layered: email filtering and authentication (SPF/DKIM/DMARC), MFA to limit stolen-credential damage, user awareness training, and an easy way to report suspicious messages.
Explain symmetric versus asymmetric encryption and when each is used.
Symmetric encryption uses a single shared secret key for both encryption and decryption and is fast, but both parties must already share the key. Asymmetric uses a public/private key pair, solving the key-distribution problem but more slowly. Real protocols like TLS use asymmetric crypto to exchange a symmetric key, then switch to symmetric for the bulk data.
Explain the difference between TCP and UDP and when you'd use each.
TCP is connection-oriented and reliable: it uses a three-way handshake, guarantees ordered delivery, and retransmits lost packets. UDP is connectionless and fast with no delivery, ordering, or congestion guarantees. Use TCP for accuracy (web, email, file transfer) and UDP for speed-sensitive traffic (DNS, VoIP, streaming, gaming).
How do you distinguish a vulnerability from a threat from a risk?
A vulnerability is a weakness (unpatched software). A threat is an actor or event that could exploit it (a ransomware group). Risk is the combination of likelihood that a threat exploits a vulnerability and the impact if it does. Risk = threat x vulnerability x impact, and it's what you actually prioritize.
What is a firewall, and what's the difference between a stateless and a stateful one?
A firewall controls traffic between network zones by allowing or denying it based on rules. A stateless firewall evaluates each packet in isolation against rules; a stateful firewall tracks the state of connections so it can allow return traffic for sessions it permitted. Next-gen firewalls add application-layer awareness.
What is a zero-day, and how do you defend against something with no patch?
A zero-day is a vulnerability the vendor doesn't yet know about (or hasn't patched), so defenders have had 'zero days' to fix it. Since no patch exists, defense relies on layered controls, behavior-based detection, segmentation, least privilege, and fast incident response rather than a signature.
Is ARP a TCP or UDP protocol?
Neither. ARP is a Layer-2 (link-layer) protocol that is encapsulated directly in an Ethernet frame, not inside an IP packet. Because it never rides on IP, it cannot use TCP or UDP — those are Layer-4 transports that require IP underneath. ARP's job is to resolve a known IP address to the MAC address on the same local network segment.
Do you compress then encrypt, or encrypt then compress?
Compress first, then encrypt. Good encryption produces output that is statistically indistinguishable from random, so ciphertext has no patterns left to compress — compressing afterward is pointless. The important caveat: compressing secret and attacker-controlled data together before encryption can leak information through ciphertext length, which is exactly the CRIME and BREACH attacks.
Why is 'deleted' data often still recoverable?
Because 'delete' normally does not erase the data. It removes the filesystem metadata — the pointer/directory entry — and marks the blocks as free, but the original bytes stay on disk until the OS happens to reuse those blocks for new data. Until that overwrite occurs, forensic tools can carve the content straight back out.
What's the difference between encoding, encryption, and hashing?
Encoding transforms data into another format for compatibility and is fully reversible by anyone with no key (e.g. Base64, URL encoding) — it provides no confidentiality. Encryption is reversible only with a key and is what provides confidentiality. Hashing is a one-way function: you cannot recover the input from the output, which is why it suits integrity checks and password storage (with a salt and slow KDF).
Which is worse in security detection: a false positive or a false negative?
Generally a false negative is worse from a pure security standpoint: it means a real attack went undetected, so there is no response, no containment, and the breach can dwell undiscovered. But false positives are not harmless — high volumes cause alert fatigue, where analysts start ignoring alerts and miss the real one. The right answer names the trade-off, not just a winner.
On a firewall, would you rather a port be filtered or closed?
Filtered. A filtered port silently drops the packet, so the scanner gets no response and must wait for a timeout — it learns nothing about whether the host even exists, and scanning is slowed dramatically. A closed port sends back a TCP RST, which confirms the host is alive and responding, handing the attacker reconnaissance value for free.
If a site shows the padlock / HTTPS, is it safe?
No. The padlock means the transport is encrypted and the certificate is valid for that domain — it says nothing about whether the operator is honest or the content is malicious. Free, automated certificates mean phishing and malware sites almost always have a perfectly valid padlock too. HTTPS protects the channel, not the destination.
Does HTTPS fully prevent man-in-the-middle attacks?
Not on its own. HTTPS prevents MITM only when certificate validation is strictly enforced and the client reaches the site over HTTPS to begin with. If a rogue CA is trusted (corporate proxy, malware-installed root), if the user clicks through cert warnings, or if SSL stripping downgrades the connection to HTTP before TLS starts, an attacker can still sit in the middle.
Is HTTPS the same as SSL? And what's the difference between SSL and TLS?
HTTPS is not a protocol of its own — it is plain HTTP running inside an encrypted TLS tunnel. SSL is the old name: SSL 2.0/3.0 are the deprecated, insecure predecessors of TLS, which superseded them (TLS 1.0 through 1.3). When people say 'SSL certificate' or 'SSL', they almost always actually mean TLS.
MD5 and SHA-256 are both fast hashes — why is neither right for storing passwords?
Because they are fast. MD5 and SHA-256 are designed for speed, which is exactly wrong for passwords: an attacker who steals the hashes can compute billions of guesses per second on a GPU. The fix is a deliberately slow, memory-hard key-derivation function — bcrypt, scrypt, or Argon2 — combined with a per-user salt and a tunable work factor.
What port does ping use?
Trick question — ping uses no port. It runs on ICMP, which is a Layer-3 protocol that sits directly on top of IP. Ports only exist in Layer-4 protocols like TCP and UDP, so ICMP (and therefore ping) has none. ICMP uses type and code fields instead, e.g. Echo Request type 8 and Echo Reply type 0.
How many packets are exchanged in the TCP three-way handshake?
Three. The client sends a SYN, the server replies with a combined SYN-ACK (one packet that both acknowledges the client's SYN and sends the server's own SYN), and the client finishes with an ACK. The trick is that SYN-ACK is a single packet, not two, so the total is three — exactly what 'three-way' names.
How would you design and measure a security awareness and training program?
Treat awareness as behaviour change, not an annual checkbox. Make it role-based (a developer needs different content than finance), continuous rather than a once-a-year slideshow, and grounded in real risks like phishing, social engineering, and data handling. Reinforce it with phishing simulations, just-in-time nudges, and clear reporting channels. Measure outcomes — phishing report rates, click rates, time-to-report — not just completion percentages. Build a culture where people report mistakes without fear, because fear suppresses reporting.
What does modern NIST 800-63B guidance say about passwords?
Modern NIST SP 800-63B favors length over complexity: allow long passphrases (at least 8, support 64+), accept all characters including spaces, and don't impose composition rules like 'one uppercase, one symbol.' Screen new passwords against known-breached lists, drop mandatory periodic expiration (rotate only on evidence of compromise), and ditch knowledge-based 'security questions.' The aim is rules that resist real attacks instead of just annoying users into predictable patterns.
What is Privileged Access Management (PAM) and what problem does it solve?
PAM controls and monitors the accounts that can do the most damage — domain admins, root, service accounts. It vaults and rotates their credentials so secrets aren't shared or hardcoded, brokers sessions so admins never see the raw password, records what privileged users do, and ideally grants elevation just-in-time rather than standing access. The goal is to shrink the blast radius of the accounts attackers most want.
Define the common malware categories and explain how you classify a sample by behavior.
You classify by what the sample is built to do, observed from its behavior and capabilities. A dropper carries and writes a payload to disk; a loader fetches or injects the next stage, often only in memory; a RAT gives an operator interactive remote control; a wiper destroys data or boot records with no recovery intent; ransomware encrypts files and demands payment. Real samples often combine roles — a loader that deploys a RAT — so you describe the capability chain rather than forcing one label, and you map each behavior to ATT&CK techniques.
What are the signs of command-and-control beaconing, and how do you extract C2 indicators from a sample?
Command-and-control beaconing is the implant periodically calling home for instructions. You recognize it by regular, low-volume outbound callbacks at a roughly fixed interval — often with jitter to avoid looking mechanical — to a small set of destinations, frequently over HTTP/HTTPS or DNS with encoded or encrypted payloads and a distinctive User-Agent or URI pattern. You extract indicators statically by pulling domains, IPs, URIs and keys from strings and config blocks, and dynamically by detonating the sample against a faked network and capturing the actual callbacks, then map the behavior to ATT&CK and feed the IOCs into detection.
What are packers and obfuscation, and how do you detect them in a binary?
Packing compresses or encrypts the real payload and prepends a stub that unpacks it into memory at runtime; obfuscation transforms the code or data to resist reading and signatures. You detect packing from high section entropy near 8.0, a tiny or stub-only import table, unusual or writable-executable section names like UPX0, an entry point that sits outside .text, a large virtual size versus small raw size, and detectors like Detect It Easy or PEiD. None of these is conclusive alone, so analysts weigh several signals together and confirm by observing the unpack at runtime.
Walk me through the Windows PE file format and what parts you inspect when triaging a sample.
A PE file starts with the DOS header and its e_lfanew pointer to the PE/NT headers, which hold the File Header and Optional Header (entry point, image base, subsystem). It is divided into sections — .text for code, .data, .rdata, .rsrc for resources — each with a virtual address and raw size. During triage you read the import table for suspicious APIs, the section table for odd names and high entropy that hint at packing, the timestamp and rich header, embedded resources, and any digital signature. Mismatches between these tell you a lot before you ever run the file.
Describe how you build an isolated lab to analyze live malware safely.
A safe lab isolates the malware from anything it could harm. You run samples in disposable VMs on a hypervisor, take clean snapshots so you can revert after each detonation, and cut off real network access using a host-only network with a simulated internet (INetSim or FakeNet) or an air-gapped segment. You separate the analysis machine from a controlled gateway, never analyze on your daily-driver host, harden against VM-escape, handle samples as password-protected zips, and keep tooling and indicators off the detonation VM. The goal is to observe real behavior while guaranteeing the sample cannot reach production or the internet.
Walk me through your core tooling for static versus dynamic malware analysis and when you use each.
Static tooling reads the sample at rest: PEStudio, CFF Explorer and pefile for headers and imports, FLOSS and strings for embedded text, capa for capability mapping, and Ghidra or IDA for disassembly. Dynamic tooling watches it run inside an isolated VM: Procmon and Process Hacker for host activity, Wireshark and INetSim or FakeNet for faked network, Regshot for before/after diffs, and x64dbg for controlled stepping. The workflow is triage statically, detonate dynamically, then return to the disassembler to fill behavioral gaps.
Explain how YARA rules work and what makes a rule effective rather than brittle or noisy.
A YARA rule has a meta block, a strings section (text, hex, or regex patterns, including wildcards and jumps), and a condition that combines those matches with boolean and count logic. An effective rule keys on something durable and distinctive — a unique code stub, a mutex name, a config marker, or an unusual import combination — rather than on values an attacker trivially changes like a single hash or a generic string. You balance specificity against false positives, test against a clean corpus, and document the rule so others trust and maintain it.
What is coordinated vulnerability disclosure and how should it work?
Coordinated vulnerability disclosure is a process where a researcher reports a flaw privately to the vendor, both sides agree on remediation and a timeline, and details are published only after a fix is available (or an agreed deadline lapses). It balances giving defenders time to patch against the public's right to know. A security.txt file and a clear policy make reporting frictionless; bug bounty programs add structured rewards on top.
Walk me through the digital forensics and incident response process.
DFIR follows a disciplined process: identification (confirm and scope the incident), acquisition (preserve evidence following order of volatility, with forensic images and hashes), analysis (timeline, root cause, scope of compromise), and reporting (findings for technical and legal audiences). Chain of custody documents who handled each artifact and when, so the evidence holds up if it ever reaches court. Preserve before you remediate.
How do you use MITRE ATT&CK for threat-informed defense?
ATT&CK is a knowledge base of real adversary tactics (the why), techniques (the how), and procedures. You use it to map your existing detections onto the matrix, identify coverage gaps, and prioritize the techniques used by threat actors that actually target your sector. It gives a common language across CTI, detection engineering, and IR, turning 'are we secure?' into a concrete, measurable coverage map driven by real-world adversary behavior.
What is purple teaming and how do you run a purple team exercise?
Purple teaming is collaborative rather than adversarial: the red side executes specific, agreed TTPs (often mapped to MITRE ATT&CK) while the blue side watches their telemetry in real time to confirm whether each technique is logged, alerted, and detectable. You measure detection coverage technique-by-technique, tune detections and close gaps immediately, then re-test. The deliverable is improved, measurable detection — not a list of who 'won.'
Walk me through the vulnerability management lifecycle.
Vulnerability management is a continuous loop: discover assets and vulnerabilities (scanning, asset inventory), prioritize by real risk (CVSS plus exploitability, exposure, and asset criticality — frameworks like EPSS and SSVC help), remediate or mitigate, verify the fix, and report on trends and SLAs. The scan is the easy part; the discipline is prioritizing and closing the loop so risk actually goes down over time.
What ports do SSH, HTTP, HTTPS, DNS, RDP, and SMB use, and why do they matter?
SSH is TCP 22, HTTP is TCP 80, HTTPS is TCP 443, DNS is 53 (UDP and TCP), RDP is TCP 3389, and SMB is TCP 445. Knowing the well-known ports lets you read scan output, write firewall rules, and triage alerts quickly — a service on its expected port versus an unexpected one is an immediate signal.
How does DNS resolution work — recursive vs authoritative?
A stub resolver asks a recursive resolver for a name. If it isn't cached, the recursive resolver walks the hierarchy: it queries a root server (which points to the TLD), the TLD server (which points to the domain's authoritative servers), and finally the authoritative server, which holds the actual record. The answer is cached along the way per its TTL. DNS uses port 53 — UDP for most queries, TCP for large ones.
What is the difference between a forward proxy and a reverse proxy?
A forward proxy sits in front of clients and makes outbound requests on their behalf — used for egress control, filtering, caching, and anonymity. A reverse proxy sits in front of servers and receives inbound requests on their behalf — used for load balancing, TLS termination, caching, and as a security front for a WAF. The direction it faces, client-side or server-side, is the key distinction.
How does traceroute work, and what role does the TTL field play?
Traceroute discovers the routers between you and a destination by exploiting the TTL field. It sends packets with TTL=1, then 2, then 3, and so on. Each router decrements TTL; when TTL hits zero, that router drops the packet and returns an ICMP Time Exceeded message, revealing its address. By stepping the TTL up, traceroute maps each hop in order until the destination is reached.
What is NAT, and how does PAT differ from it?
NAT (Network Address Translation) rewrites the source and/or destination IP as packets cross a boundary, typically mapping private internal addresses to public ones. PAT (Port Address Translation, or NAT overload) extends this by also translating ports, letting many internal hosts share a single public IP — each flow distinguished by its port. PAT is what home and office routers use to put a whole LAN behind one address.
Explain the OSI model and what each layer adds.
The OSI model splits networking into seven layers, each adding one responsibility: Physical (bits on the wire), Data Link (frames and MAC addressing), Network (IP routing), Transport (TCP/UDP, ports, reliability), Session (managing connections), Presentation (encoding, encryption, compression), and Application (protocols like HTTP). Each layer wraps the one above it as data goes down the stack.
What is a subnet, and what does a subnet mask do?
A subnet is a logical subdivision of an IP network. The subnet mask marks which bits of an IP address are the network portion and which are the host portion — for example, /24 (255.255.255.0) means the first 24 bits identify the network and the last 8 identify hosts. Subnetting controls how traffic is routed and lets you segment a network into smaller broadcast domains.
Walk me through the TCP three-way handshake.
TCP opens a connection in three steps. The client sends a SYN with an initial sequence number, the server replies with SYN-ACK (acknowledging the client's number and sending its own), and the client returns an ACK. After this exchange both sides have agreed on starting sequence numbers and the connection is established for reliable, ordered byte delivery.
TCP vs UDP — how do they differ and when would you choose each?
TCP is connection-oriented: it handshakes, numbers bytes, retransmits losses, and controls congestion, giving reliable ordered delivery at the cost of latency and overhead. UDP is connectionless and fire-and-forget — no handshake, no retransmission, no ordering. Use TCP when correctness matters (web, email, file transfer) and UDP when speed matters more than perfection (DNS, VoIP, gaming, video).
How does the TCP/IP model compare to the OSI model?
The TCP/IP model has four layers — Link, Internet, Transport, and Application — and describes how the real internet works. OSI has seven. They map closely: TCP/IP's Application layer absorbs OSI's Application, Presentation, and Session; its Link layer combines OSI's Physical and Data Link. OSI is the better teaching and troubleshooting reference; TCP/IP is the implemented protocol suite.
What is a VLAN, and what is its security value?
A VLAN (Virtual LAN) logically partitions a physical switch into separate Layer 2 broadcast domains, so devices on different VLANs can't reach each other directly even on the same hardware. It's labeled with an 802.1Q tag on trunk links. The security value is segmentation: isolating user, server, guest, and IoT traffic limits broadcast scope and lateral movement, with inter-VLAN traffic forced through a router or firewall where policy is applied.
What is the difference between a VPN and a proxy?
A VPN creates an encrypted tunnel at the network/OS level, so all of a device's traffic is routed through it and protected end to end — used for secure remote access. A proxy operates at the application level, relaying traffic for specific apps or protocols and not necessarily encrypting it. The big differences are scope (whole-device vs per-application) and that a VPN encrypts by design while many proxies do not.
What is a DMZ in network architecture, and why would you use one?
A DMZ (demilitarized zone) is a network segment that sits between the untrusted internet and the trusted internal network, hosting public-facing services like web, mail, and DNS servers. Firewall rules let the internet reach the DMZ but tightly restrict the DMZ's access to the internal network. The goal is containment: if a public server is compromised, the attacker is stuck in the buffer zone rather than landing inside the LAN.
A client asks why they should pay for a pentest when they already run vulnerability scans. How do you answer?
A vulnerability scan is an automated, breadth-first inventory of potential weaknesses, often with false positives. A penetration test is human-driven: it validates findings, chains them together, and demonstrates real business impact through actual exploitation.
Explain defense in depth and give a concrete example of applying it.
Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. No single control is assumed perfect, so you stack preventive, detective, and responsive measures across the network, host, application, and data layers.
Walk me through how you would harden a fresh internet-facing Linux server.
Reduce attack surface (remove unused packages/services), enforce key-only SSH with no root login, keep the system patched, run a default-deny firewall exposing only needed ports, apply least privilege via sudo and file permissions, enable auditd and centralized logging, and add integrity monitoring plus MAC like SELinux or AppArmor.
How does hashing differ from encryption, and when would you use one over the other?
Encryption is reversible — with the key you get the plaintext back; it protects confidentiality. Hashing is a one-way function producing a fixed-size digest you cannot reverse; it verifies integrity and identity. Passwords should be hashed with a slow, salted algorithm like bcrypt or Argon2, never encrypted.
What is the principle of least privilege, and how would you enforce it in practice?
Least privilege means every user, process, or service gets only the minimum access required to do its job, and nothing more. It shrinks the blast radius of any compromise or mistake. You enforce it with role-based access, just-in-time elevation, regular access reviews, and removing standing admin rights.
How should secrets like API keys and database passwords be managed in an application?
Never hardcode secrets in source or commit them to git. Store them in a dedicated secrets manager or vault, inject them at runtime, scope access with least privilege, rotate regularly, and prefer short-lived dynamic credentials over long-lived static ones. Audit every access.
How would you secure a public-facing REST API?
Enforce TLS everywhere, authenticate every request (e.g. OAuth2/OIDC tokens), and authorize per-object so users can only reach their own data. Add input validation, rate limiting and quotas, schema validation, and thorough logging. The most common API flaw is broken object-level authorization, so check ownership on every resource access.
What is the difference between symmetric and asymmetric encryption, and when would you use each?
Symmetric encryption uses one shared key for both encrypt and decrypt — it's fast but the key must be shared securely. Asymmetric encryption uses a public/private key pair, solving key distribution but slowly. Real systems use asymmetric crypto to exchange a symmetric session key, then use the fast symmetric cipher for bulk data.
What is a PKI, and walk me through how a client validates a server's certificate.
A PKI is the system of CAs, certificates, and policies that binds public keys to identities. To validate a server cert a client builds a chain to a trusted root, verifies each signature, checks validity dates and the hostname, confirms key usage, and checks revocation via CRL or OCSP.
Your analysts are drowning in alerts. What is alert fatigue and what would you do about it?
Alert fatigue is the desensitization that sets in when analysts face too many low-value or false-positive alerts, causing them to miss or rush real ones. You fight it by tuning noisy rules, prioritizing by risk, deduplicating and grouping related alerts, automating repetitive enrichment with SOAR, and measuring alert quality, not just volume.
Both involve failed logins. How would you distinguish a brute-force attack from a password spray in your logs?
Brute force targets a single account with many password guesses, so you see many failures concentrated on one username. Password spray flips it: one or a few common passwords tried across many accounts, low and slow, so each account sees only a couple of failures. The detection signal is the ratio of accounts to failures and the timing, not raw failure counts.
Why are DNS logs useful for detection, and what threats can you find in them?
Almost everything touches DNS, so DNS logs reveal threats other sources miss: command-and-control beaconing (regular callbacks to a domain), DNS tunneling and exfiltration (high volume of long, encoded subdomains), and algorithmically generated (DGA) domains. You detect these through patterns like query regularity, entropy, record types, and volume rather than single bad lookups.
Can you explain how EDR, XDR, and SIEM differ and where each one fits?
EDR is endpoint-focused: it records and responds to process, file, and network activity on hosts. XDR extends that correlation across multiple domains — endpoint, network, identity, email, cloud — as one vendor-integrated stack. SIEM is the broad log-aggregation layer that ingests data from anything, including non-security sources, for detection, search, and compliance.
A rule is generating hundreds of false positives a day. How do you tune it down safely?
First understand why the rule is firing so much — find the common benign pattern behind the noise. Then write the narrowest possible exclusion (specific host, account, or behavior), document the rationale, and validate that a true positive would still fire. Avoid broad suppressions that quietly create blind spots.
An attacker has a foothold on one host. What signs of lateral movement would you hunt for?
Lateral movement is an attacker using a foothold to reach other systems. Signs include unexpected network logons (type 3) and RDP (type 10), access to admin shares like C$ and ADMIN$, remote-execution tools such as PsExec, WMI, and WinRM, pass-the-hash patterns, and a normally local account suddenly authenticating to many hosts.
How would you use the MITRE ATT&CK framework to improve your detection coverage?
ATT&CK is a knowledge base of real-world adversary tactics and techniques. In a SOC you map each detection rule to the techniques it covers, build a coverage map (often with the ATT&CK Navigator), then prioritize closing gaps based on which techniques are most relevant to your threat model and which you have no visibility into.
A user reports a suspicious email. Walk me through how you triage it safely.
Examine the email safely without clicking: check the headers and sender authentication (SPF/DKIM/DMARC), inspect URLs and attachments in a sandbox or with reputation tools, then scope it — who else received it, did anyone click or enter credentials. Based on findings, remediate by purging the email, blocking indicators, and resetting any exposed credentials.
We run both a SIEM and a SOAR. What does each one do, and how do they work together?
A SIEM ingests and correlates logs from across the estate to generate alerts — it is your detection and search layer. A SOAR sits downstream and automates the response: it runs playbooks, enriches alerts via integrations, and handles case management so analysts spend less time on repetitive steps.
A SIEM alert fires for a suspicious login. Walk me through how you triage it.
Confirm the alert is real before acting: read what fired and why, then enrich it — who is the user, is the source IP/geo/device expected, is this impossible travel, were there prior failures? Classify true vs false positive, escalate or contain if real (disable session, force MFA reset), and document everything so the next analyst can follow your reasoning.
Walk me through what Windows event IDs 4624, 4625, and 4688 mean and how you would use them in an investigation.
4624 is a successful logon, 4625 is a failed logon, and 4688 is a process creation. In an investigation you use 4625 to spot credential attacks, 4624 (with its logon type and source) to confirm a successful access and how it happened, and 4688 to see what was actually executed, ideally with command-line auditing enabled.
Get 100 cybersecurity interview questions + answers
Drop your email and we'll send you the free PDF pack and the flashcard deck.
No spam. Unsubscribe anytime.