Skip to content

Junior cybersecurity interview questions

A searchable bank of answered interview questions. Filter by role, topic, seniority and certification — or jump into a scored quiz.

71 questions questions in this set
Is a fingerprint or face scan an example of 'something you know'?

No. The three authentication factor categories are something you know (password/PIN), something you have (token/phone), and something you are (biometrics). A fingerprint or face scan is 'something you are', a measured physical trait. The gotcha: biometrics aren't secrets and can't be rotated — if your fingerprint template leaks, you cannot change your fingerprint. That's why biometrics work best as one factor, often unlocking a local key, rather than as a standalone password replacement.

JuniorIdentity & Access Management
The full answer
Does client-side (JavaScript) input validation make your app secure?

No. Client-side validation is purely a UX convenience — an attacker can disable JavaScript, edit the request in the browser or Burp, or call your API directly with curl, bypassing it entirely. Security checks (validation, authorization, sanitization) must be enforced on the server, the only place you control. The misconception is treating the browser as a trust boundary; it isn't, because the client runs on the attacker's machine. Client-side checks are great for fast feedback, never for security.

JuniorWeb Security
The full answer
How do you decrypt a SHA-256 hash back to the original input?

You don't — cryptographic hashes are one-way functions with no inverse. 'Cracking' a hash means guessing candidate inputs, hashing each, and comparing (dictionary, brute force, rainbow tables), which is exactly why slow salted hashes are used for passwords. There is no key that 'decrypts' a hash. If something can be decrypted it was encrypted, not hashed — and Base64 is reversible encoding, not hashing.

JuniorCryptography
The full answer
Your antivirus flagged the EICAR file — does that mean you're infected with a virus?

No. The EICAR test file is a deliberately harmless 68-byte ASCII string that every AV vendor agrees to detect, so you can safely verify detection and alerting without touching real malware. A hit means your AV is working — not that you are infected. It is not a virus and does nothing if executed. Mistaking an EICAR test detection for a real infection is a common early-career gotcha.

JuniorMalware
The full answer
Does HTTPS protect data stored in the database (data at rest)?

No. TLS/HTTPS secures data in transit between client and server; once received, the data is decrypted and handled in plaintext by the app, then stored however the database is configured. Protecting data at rest is a separate concern — disk/column encryption, a KMS, and access control. Conflating 'we use HTTPS' with 'our stored data is encrypted' is a common and dangerous misconception.

JuniorCryptographyWeb Security
The full answer
Will switching the site to HTTPS prevent SQL injection and XSS?

No. HTTPS encrypts the channel so attackers can't read or tamper with traffic in transit, but the malicious input still arrives, is decrypted, and is processed by your app exactly as before. SQL injection and XSS are application-layer flaws fixed by parameterized queries and output encoding, not by transport encryption. The misconception assumes encryption sanitizes content — it doesn't; the attacker simply sends the payload over the HTTPS connection.

JuniorWeb Security
The full answer
Does private / incognito browsing hide your activity from your ISP or employer?

No. Private/incognito mode only stops the local browser from saving history, cookies, and form data after the session — it does nothing to the network path. Your ISP, employer proxy, DNS resolver, and the sites you log into can all still see your activity. The misconception is 'incognito = invisible'; in reality it is privacy from other people using the same device, not anonymity from the network.

JuniorWeb SecurityNetworking
The full answer
Is 127.0.0.1 the only loopback address?

No. The whole 127.0.0.0/8 range is reserved for loopback, so 127.0.0.2, 127.1.1.1, and so on all resolve to the local host. This matters for SSRF and allow-list bypasses — an attacker may use 127.0.0.2 or other encodings to dodge a naive 'block 127.0.0.1' check — and for binding multiple local services. (In IPv6, loopback is the single address ::1.)

JuniorNetworkingLinux Internals
The full answer
Is a device's MAC address permanent and globally unique?

No. A MAC is assigned by the vendor (OUI plus device id) and is 'burned in,' but essentially every OS lets you override it in software (macchanger, ip link set address). So MAC addresses are spoofable and must not be relied on for authentication — MAC filtering is weak, and phones now randomize MACs for privacy. 'Permanent and unique' is the misconception.

JuniorNetworking
The full answer
Is data sent via HTTP POST hidden or more secure than data sent via GET?

No. POST simply carries parameters in the request body instead of the URL; that body is plaintext and fully visible to anyone who can see the traffic unless HTTPS is used. POST is preferable for state-changing actions and keeps params out of URLs, logs, and browser history, but it provides no confidentiality on its own. The misconception confuses 'not in the URL' with 'encrypted' — only TLS encrypts either method's data in transit.

JuniorWeb Security
The full answer
What port does traceroute use?

Trick question — there's no single traceroute port. Classic Unix traceroute sends UDP datagrams to high, unlikely ports starting around 33434 with an increasing TTL; Windows tracert uses ICMP Echo instead. It works by reading the ICMP Time Exceeded messages routers return as the TTL expires, not by hitting a reserved port. And ICMP itself has no ports at all.

JuniorNetworking
The full answer
Does using a VPN make you anonymous online?

No. A VPN encrypts traffic to the VPN server and hides your IP from the destination, but the provider can see and may log your activity, and logins, cookies, and browser fingerprinting still identify you. It moves trust from your local network/ISP to the VPN operator — that's privacy from the local network, not anonymity. Tor and strict operational discipline are different tools for a different goal.

JuniorNetworkingGovernance, Risk & Compliance
The full answer
The help desk gets an urgent call demanding an immediate password reset for an executive, with no identity verification and lots of time pressure. What should the agent do?

Urgency, authority, and skipping verification are textbook social-engineering pressure aimed at a high-value account. The agent must follow the defined identity-verification process before resetting anything, and escalate if it can't be satisfied. Resetting on demand, using a guessable 'security question' like a favorite color, or emailing the new password to the caller all hand an attacker control of the executive's account.

JuniorIdentity & Access ManagementThreat Intelligence
The full answer
A user opened an Office document and enabled macros; EDR then shows a child process spawned by Word. What's your first action?

Word spawning a child process right after macros were enabled is a classic malicious-document initial-access pattern. Isolate the host to limit spread, capture volatile evidence, and investigate the spawned process, its network activity, and any persistence. Asking the user to close the file or repairing Office doesn't address an executing payload that may already have run. Doing nothing because the file came by email is backwards — email is exactly how this attack is delivered. Contain first, then investigate.

JuniorWindows InternalsDFIR (Forensics & Incident Response)
The full answer
An alert shows a user logging in from Paris and, five minutes later, from Singapore. Before declaring an incident, what do you check FIRST?

Validate before escalating. Corporate VPNs, cloud proxies (like CASB or M365 service IPs) and mobile carriers routinely produce false 'impossible travel,' so check the egress IPs, the MFA result, and the device/user-agent before pulling the trigger. Auto-locking on every hit causes alert fatigue and erodes user trust in the SOC. Assuming it's always a false positive misses real account takeover. Emailing the manager is slow and isn't a security control — the logs answer the question faster and more reliably.

JuniorDFIR (Forensics & Incident Response)Identity & Access Management
The full answer
How is a jailbreak different from a prompt injection?

A jailbreak targets the model's safety alignment — it tricks the model into producing content the provider tried to prohibit, like instructions for harm. Prompt injection targets the application's instruction hierarchy — it overrides the developer's system prompt or hijacks the model's behavior within an app, often via untrusted data. Jailbreaks attack the model; prompt injection attacks the surrounding system. They overlap, but the goal and the trust boundary they cross are different.

JuniorAI & LLM Security
The full answer
What is the difference between EDR and traditional signature-based antivirus?

Traditional antivirus matches files against signatures of known malware and blocks or quarantines them — great for known threats, weak against novel or fileless attacks. EDR continuously records endpoint behavior (processes, network, registry, memory), uses behavioral analytics to detect suspicious activity, and lets responders investigate, hunt, and remotely contain or roll back. AV is prevention by signature; EDR adds visibility, detection, and response.

JuniorMalwareDFIR (Forensics & Incident Response)Windows Internals
The full answer
What are the phases of the incident response lifecycle, and why does the order matter?

The classic model is PICERL: Preparation, Identification (detection), Containment, Eradication, Recovery, and Lessons Learned. NIST groups it as Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. The order matters because you must scope and contain before you eradicate, and you only recover once the threat is removed — otherwise you reinfect. It is a loop, not a line: lessons learned feed back into preparation.

JuniorDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
Where are user password hashes stored on Windows and on Linux, and why do attackers target those files?

On Windows, local account hashes (NTLM) live in the SAM hive under C:\Windows\System32\config\SAM, protected while the OS runs; live credentials sit in LSASS memory, and domain hashes are in NTDS.dit on a domain controller. On Linux, hashes are in /etc/shadow (readable only by root), while /etc/passwd holds account metadata. Attackers steal these to crack passwords offline or pass-the-hash.

JuniorWindows InternalsLinux InternalsIdentity & Access Management
The full answer
What is a honeypot, what types exist, and what value does it give a blue team?

A honeypot is a decoy system or service with no legitimate business use, deliberately exposed to attract attackers. Because nothing benign should ever touch it, any interaction is a high-confidence alert. Low-interaction honeypots emulate services cheaply; high-interaction ones are real systems that yield richer intel but carry more risk. Honeytokens are the same idea applied to fake credentials, files, or records. Value: early detection, low false positives, and threat intelligence.

JuniorThreat IntelligenceNetworkingDFIR (Forensics & Incident Response)
The full answer
How do you handle encryption at rest and in transit in the cloud?

Encryption in transit (TLS) protects data moving over the network from eavesdropping and tampering; enforce TLS everywhere and reject plaintext. Encryption at rest protects stored data on disks and backups, typically via KMS-managed keys using envelope encryption. Both are baseline controls, but neither stops an authorized-but-malicious request — the service decrypts transparently for valid callers — so access control still matters most.

JuniorCloudCryptography
The full answer
Explain the cloud shared responsibility model.

The provider secures the cloud itself — physical data centers, hardware, the hypervisor, and the managed services they run. You secure what you put in the cloud — your data, identities, configurations, OS patching where applicable, and access controls. The exact line shifts: with IaaS you own the OS up, with SaaS you mostly own data and access.

JuniorCloudIdentity & Access Management
The full answer
What is a digital signature and how does it prove origin and integrity?

A digital signature is the hash of a message transformed with the signer's private key. The verifier recomputes the hash, applies the signer's public key, and checks they match. Because only the signer holds the private key, a valid signature proves the message came from them (authenticity), wasn't altered (integrity), and that they can't credibly deny it (non-repudiation).

JuniorCryptography
The full answer
What is a salt in password hashing, why is it used, and what is a pepper?

A salt is a unique, random value generated per user and combined with the password before hashing. It ensures identical passwords produce different hashes and makes precomputed attacks like rainbow tables useless, since the attacker would need a separate table per salt. Salts are stored alongside the hash. A pepper is an additional secret value, the same for all users, kept separately (e.g., in app config or an HSM) so a database leak alone isn't enough.

JuniorCryptographyIdentity & Access Management
The full answer
How does a TOTP authenticator app generate those 6-digit codes?

TOTP (Time-based One-Time Password) combines a shared secret, established at enrollment, with the current time divided into fixed windows (usually 30 seconds). It runs HMAC over the time-step counter with the secret, then truncates the result to a 6-digit code. Both the app and server hold the same secret and clock, so they independently compute the same code — no network call needed. The code rotates each window.

JuniorCryptographyIdentity & Access Management
The full answer
Can you explain the CIA triad and why it matters?

The CIA triad is the three core goals of information security: confidentiality (only authorized parties can read data), integrity (data isn't altered without authorization), and availability (authorized users can access systems when needed). Almost every control maps to one or more of these.

JuniorCryptographyIdentity & Access Management
The full answer
Explain defense in depth and give an example.

Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. It assumes no single control is perfect — for example combining a firewall, network segmentation, endpoint protection, MFA, least privilege, and encryption rather than relying on a perimeter alone.

JuniorNetworkingIdentity & Access Management
The full answer
Explain the difference between an IDS and an IPS.

An IDS (intrusion detection system) monitors traffic and raises alerts but does not block — it's typically out-of-band. An IPS (intrusion prevention system) sits inline in the traffic path and can actively drop or block malicious traffic. IPS prevents, but a false positive can break legitimate traffic.

JuniorNetworkingThreat Intelligence
The full answer
What is MFA, and why is it more secure than a password alone?

MFA requires two or more authentication factors from different categories — something you know (password), something you have (phone/token), something you are (biometric). It helps because an attacker who steals one factor, like a password, still can't log in without the others. Phishing-resistant MFA like FIDO2 is strongest.

JuniorIdentity & Access Management
The full answer
What is phishing, and what controls would you put in place to reduce it?

Phishing is social engineering that tricks people into revealing credentials, sending money, or running malware, usually via fake emails or sites. Defense is layered: email filtering and authentication (SPF/DKIM/DMARC), MFA to limit stolen-credential damage, user awareness training, and an easy way to report suspicious messages.

JuniorThreat IntelligenceIdentity & Access Management
The full answer
Explain symmetric versus asymmetric encryption and when each is used.

Symmetric encryption uses a single shared secret key for both encryption and decryption and is fast, but both parties must already share the key. Asymmetric uses a public/private key pair, solving the key-distribution problem but more slowly. Real protocols like TLS use asymmetric crypto to exchange a symmetric key, then switch to symmetric for the bulk data.

JuniorCryptography
The full answer
Explain the difference between TCP and UDP and when you'd use each.

TCP is connection-oriented and reliable: it uses a three-way handshake, guarantees ordered delivery, and retransmits lost packets. UDP is connectionless and fast with no delivery, ordering, or congestion guarantees. Use TCP for accuracy (web, email, file transfer) and UDP for speed-sensitive traffic (DNS, VoIP, streaming, gaming).

JuniorNetworking
The full answer
How do you distinguish a vulnerability from a threat from a risk?

A vulnerability is a weakness (unpatched software). A threat is an actor or event that could exploit it (a ransomware group). Risk is the combination of likelihood that a threat exploits a vulnerability and the impact if it does. Risk = threat x vulnerability x impact, and it's what you actually prioritize.

JuniorThreat Intelligence
The full answer
What is a firewall, and what's the difference between a stateless and a stateful one?

A firewall controls traffic between network zones by allowing or denying it based on rules. A stateless firewall evaluates each packet in isolation against rules; a stateful firewall tracks the state of connections so it can allow return traffic for sessions it permitted. Next-gen firewalls add application-layer awareness.

JuniorNetworking
The full answer
Is ARP a TCP or UDP protocol?

Neither. ARP is a Layer-2 (link-layer) protocol that is encapsulated directly in an Ethernet frame, not inside an IP packet. Because it never rides on IP, it cannot use TCP or UDP — those are Layer-4 transports that require IP underneath. ARP's job is to resolve a known IP address to the MAC address on the same local network segment.

JuniorNetworking
The full answer
Why is 'deleted' data often still recoverable?

Because 'delete' normally does not erase the data. It removes the filesystem metadata — the pointer/directory entry — and marks the blocks as free, but the original bytes stay on disk until the OS happens to reuse those blocks for new data. Until that overwrite occurs, forensic tools can carve the content straight back out.

JuniorDFIR (Forensics & Incident Response)
The full answer
What's the difference between encoding, encryption, and hashing?

Encoding transforms data into another format for compatibility and is fully reversible by anyone with no key (e.g. Base64, URL encoding) — it provides no confidentiality. Encryption is reversible only with a key and is what provides confidentiality. Hashing is a one-way function: you cannot recover the input from the output, which is why it suits integrity checks and password storage (with a salt and slow KDF).

JuniorCryptography
The full answer
If a site shows the padlock / HTTPS, is it safe?

No. The padlock means the transport is encrypted and the certificate is valid for that domain — it says nothing about whether the operator is honest or the content is malicious. Free, automated certificates mean phishing and malware sites almost always have a perfectly valid padlock too. HTTPS protects the channel, not the destination.

JuniorWeb Security
The full answer
Is HTTPS the same as SSL? And what's the difference between SSL and TLS?

HTTPS is not a protocol of its own — it is plain HTTP running inside an encrypted TLS tunnel. SSL is the old name: SSL 2.0/3.0 are the deprecated, insecure predecessors of TLS, which superseded them (TLS 1.0 through 1.3). When people say 'SSL certificate' or 'SSL', they almost always actually mean TLS.

JuniorNetworkingCryptography
The full answer
What port does ping use?

Trick question — ping uses no port. It runs on ICMP, which is a Layer-3 protocol that sits directly on top of IP. Ports only exist in Layer-4 protocols like TCP and UDP, so ICMP (and therefore ping) has none. ICMP uses type and code fields instead, e.g. Echo Request type 8 and Echo Reply type 0.

JuniorNetworking
The full answer
How many packets are exchanged in the TCP three-way handshake?

Three. The client sends a SYN, the server replies with a combined SYN-ACK (one packet that both acknowledges the client's SYN and sends the server's own SYN), and the client finishes with an ACK. The trick is that SYN-ACK is a single packet, not two, so the total is three — exactly what 'three-way' names.

JuniorNetworking
The full answer
What does modern NIST 800-63B guidance say about passwords?

Modern NIST SP 800-63B favors length over complexity: allow long passphrases (at least 8, support 64+), accept all characters including spaces, and don't impose composition rules like 'one uppercase, one symbol.' Screen new passwords against known-breached lists, drop mandatory periodic expiration (rotate only on evidence of compromise), and ditch knowledge-based 'security questions.' The aim is rules that resist real attacks instead of just annoying users into predictable patterns.

JuniorIdentity & Access Management
The full answer
Define the common malware categories and explain how you classify a sample by behavior.

You classify by what the sample is built to do, observed from its behavior and capabilities. A dropper carries and writes a payload to disk; a loader fetches or injects the next stage, often only in memory; a RAT gives an operator interactive remote control; a wiper destroys data or boot records with no recovery intent; ransomware encrypts files and demands payment. Real samples often combine roles — a loader that deploys a RAT — so you describe the capability chain rather than forcing one label, and you map each behavior to ATT&CK techniques.

JuniorMalwareDFIR (Forensics & Incident Response)
The full answer
Describe how you build an isolated lab to analyze live malware safely.

A safe lab isolates the malware from anything it could harm. You run samples in disposable VMs on a hypervisor, take clean snapshots so you can revert after each detonation, and cut off real network access using a host-only network with a simulated internet (INetSim or FakeNet) or an air-gapped segment. You separate the analysis machine from a controlled gateway, never analyze on your daily-driver host, harden against VM-escape, handle samples as password-protected zips, and keep tooling and indicators off the detonation VM. The goal is to observe real behavior while guaranteeing the sample cannot reach production or the internet.

JuniorMalwareDFIR (Forensics & Incident Response)
The full answer
What ports do SSH, HTTP, HTTPS, DNS, RDP, and SMB use, and why do they matter?

SSH is TCP 22, HTTP is TCP 80, HTTPS is TCP 443, DNS is 53 (UDP and TCP), RDP is TCP 3389, and SMB is TCP 445. Knowing the well-known ports lets you read scan output, write firewall rules, and triage alerts quickly — a service on its expected port versus an unexpected one is an immediate signal.

JuniorNetworking
The full answer
How does DNS resolution work — recursive vs authoritative?

A stub resolver asks a recursive resolver for a name. If it isn't cached, the recursive resolver walks the hierarchy: it queries a root server (which points to the TLD), the TLD server (which points to the domain's authoritative servers), and finally the authoritative server, which holds the actual record. The answer is cached along the way per its TTL. DNS uses port 53 — UDP for most queries, TCP for large ones.

JuniorNetworking
The full answer
Explain the OSI model and what each layer adds.

The OSI model splits networking into seven layers, each adding one responsibility: Physical (bits on the wire), Data Link (frames and MAC addressing), Network (IP routing), Transport (TCP/UDP, ports, reliability), Session (managing connections), Presentation (encoding, encryption, compression), and Application (protocols like HTTP). Each layer wraps the one above it as data goes down the stack.

JuniorNetworking
The full answer
What is a subnet, and what does a subnet mask do?

A subnet is a logical subdivision of an IP network. The subnet mask marks which bits of an IP address are the network portion and which are the host portion — for example, /24 (255.255.255.0) means the first 24 bits identify the network and the last 8 identify hosts. Subnetting controls how traffic is routed and lets you segment a network into smaller broadcast domains.

JuniorNetworking
The full answer
Walk me through the TCP three-way handshake.

TCP opens a connection in three steps. The client sends a SYN with an initial sequence number, the server replies with SYN-ACK (acknowledging the client's number and sending its own), and the client returns an ACK. After this exchange both sides have agreed on starting sequence numbers and the connection is established for reliable, ordered byte delivery.

JuniorNetworking
The full answer
TCP vs UDP — how do they differ and when would you choose each?

TCP is connection-oriented: it handshakes, numbers bytes, retransmits losses, and controls congestion, giving reliable ordered delivery at the cost of latency and overhead. UDP is connectionless and fire-and-forget — no handshake, no retransmission, no ordering. Use TCP when correctness matters (web, email, file transfer) and UDP when speed matters more than perfection (DNS, VoIP, gaming, video).

JuniorNetworking
The full answer
How does the TCP/IP model compare to the OSI model?

The TCP/IP model has four layers — Link, Internet, Transport, and Application — and describes how the real internet works. OSI has seven. They map closely: TCP/IP's Application layer absorbs OSI's Application, Presentation, and Session; its Link layer combines OSI's Physical and Data Link. OSI is the better teaching and troubleshooting reference; TCP/IP is the implemented protocol suite.

JuniorNetworking
The full answer
What is the difference between a VPN and a proxy?

A VPN creates an encrypted tunnel at the network/OS level, so all of a device's traffic is routed through it and protected end to end — used for secure remote access. A proxy operates at the application level, relaying traffic for specific apps or protocols and not necessarily encrypting it. The big differences are scope (whole-device vs per-application) and that a VPN encrypts by design while many proxies do not.

JuniorNetworking
The full answer
Walk me through how you enumerate a brand-new target box.

Start with a full TCP port scan, then enumerate every open service in depth — banners, versions, default creds, anonymous access, and web content — before touching any exploit. Most boxes fall to thorough enumeration, not clever exploits, which is the core of the 'try harder' mindset.

JuniorNetworkingLinux Internals
The full answer
Why scan all 65535 ports, and how do you do it efficiently with nmap?

The default nmap scan only covers the top 1000 ports, so a service on a high port would be missed entirely. The efficient pattern is a fast SYN scan of all 65535 ports first, then a focused version and default-script scan against only the ports found open.

JuniorNetworking
The full answer
You catch a reverse shell but it's unstable. How do you upgrade it?

Spawn a pseudo-terminal (commonly python -c 'import pty; pty.spawn("/bin/bash")'), background it with Ctrl-Z, run stty raw -echo on your local side, foreground it, and reset TERM and the rows/columns. That gives you a full TTY with job control, tab completion, and working editors.

JuniorLinux Internals
The full answer
How do you enumerate a web server you've never seen before?

Identify the stack from headers and source, then brute force directories and files with gobuster or feroxbuster using a good wordlist and relevant extensions. Look for admin panels, backups, config files, and upload points, and check virtual hosts when the site responds to a hostname.

JuniorWeb Security
The full answer
Explain the difference between passive and active reconnaissance, with examples of each.

Passive reconnaissance gathers information without directly interacting with the target's systems — OSINT, DNS records, certificate transparency. Active reconnaissance touches the target, like port scanning or banner grabbing, which is noisier but yields more detail.

JuniorNetworkingThreat Intelligence
The full answer
Walk me through the phases of a penetration test from kickoff to delivery.

A pentest moves through pre-engagement (scope and rules of engagement), reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. Each phase feeds the next, and reporting is where the value is actually delivered to the client.

JuniorNetworkingWeb Security
The full answer
A client asks why they should pay for a pentest when they already run vulnerability scans. How do you answer?

A vulnerability scan is an automated, breadth-first inventory of potential weaknesses, often with false positives. A penetration test is human-driven: it validates findings, chains them together, and demonstrates real business impact through actual exploitation.

JuniorNetworkingWeb Security
The full answer
Explain defense in depth and give a concrete example of applying it.

Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. No single control is assumed perfect, so you stack preventive, detective, and responsive measures across the network, host, application, and data layers.

JuniorNetworkingIdentity & Access Management
The full answer
How does hashing differ from encryption, and when would you use one over the other?

Encryption is reversible — with the key you get the plaintext back; it protects confidentiality. Hashing is a one-way function producing a fixed-size digest you cannot reverse; it verifies integrity and identity. Passwords should be hashed with a slow, salted algorithm like bcrypt or Argon2, never encrypted.

JuniorCryptography
The full answer
What is the difference between symmetric and asymmetric encryption, and when would you use each?

Symmetric encryption uses one shared key for both encrypt and decrypt — it's fast but the key must be shared securely. Asymmetric encryption uses a public/private key pair, solving key distribution but slowly. Real systems use asymmetric crypto to exchange a symmetric session key, then use the fast symmetric cipher for bulk data.

JuniorCryptography
The full answer
Your analysts are drowning in alerts. What is alert fatigue and what would you do about it?

Alert fatigue is the desensitization that sets in when analysts face too many low-value or false-positive alerts, causing them to miss or rush real ones. You fight it by tuning noisy rules, prioritizing by risk, deduplicating and grouping related alerts, automating repetitive enrichment with SOAR, and measuring alert quality, not just volume.

JuniorDFIR (Forensics & Incident Response)
The full answer
Can you explain how EDR, XDR, and SIEM differ and where each one fits?

EDR is endpoint-focused: it records and responds to process, file, and network activity on hosts. XDR extends that correlation across multiple domains — endpoint, network, identity, email, cloud — as one vendor-integrated stack. SIEM is the broad log-aggregation layer that ingests data from anything, including non-security sources, for detection, search, and compliance.

JuniorDFIR (Forensics & Incident Response)Windows Internals
The full answer
A user reports a suspicious email. Walk me through how you triage it safely.

Examine the email safely without clicking: check the headers and sender authentication (SPF/DKIM/DMARC), inspect URLs and attachments in a sandbox or with reputation tools, then scope it — who else received it, did anyone click or enter credentials. Based on findings, remediate by purging the email, blocking indicators, and resetting any exposed credentials.

JuniorDFIR (Forensics & Incident Response)Threat IntelligenceWeb Security
The full answer
We run both a SIEM and a SOAR. What does each one do, and how do they work together?

A SIEM ingests and correlates logs from across the estate to generate alerts — it is your detection and search layer. A SOAR sits downstream and automates the response: it runs playbooks, enriches alerts via integrations, and handles case management so analysts spend less time on repetitive steps.

JuniorDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
A SIEM alert fires for a suspicious login. Walk me through how you triage it.

Confirm the alert is real before acting: read what fired and why, then enrich it — who is the user, is the source IP/geo/device expected, is this impossible travel, were there prior failures? Classify true vs false positive, escalate or contain if real (disable session, force MFA reset), and document everything so the next analyst can follow your reasoning.

JuniorDFIR (Forensics & Incident Response)Threat IntelligenceIdentity & Access Management
The full answer
Walk me through what Windows event IDs 4624, 4625, and 4688 mean and how you would use them in an investigation.

4624 is a successful logon, 4625 is a failed logon, and 4688 is a process creation. In an investigation you use 4625 to spot credential attacks, 4624 (with its logon type and source) to confirm a successful access and how it happened, and 4688 to see what was actually executed, ideally with command-line auditing enabled.

JuniorWindows InternalsDFIR (Forensics & Incident Response)
The full answer
What is the OWASP Top 10?

The OWASP Top 10 is a community-driven awareness document that ranks the most critical web application security risks, refreshed every few years from real-world data. It is not a checklist or standard but a starting point — recent entries include Broken Access Control (#1), Cryptographic Failures, Injection, and Insecure Design.

JuniorWeb Security
The full answer
What do the HttpOnly, Secure, and SameSite cookie flags do?

HttpOnly hides the cookie from JavaScript so XSS cannot steal it via document.cookie. Secure ensures the cookie is only sent over HTTPS, blocking network interception. SameSite controls whether the cookie is sent on cross-site requests, mitigating CSRF. Together they harden session cookies against the most common theft and abuse paths.

JuniorWeb Security
The full answer
HTTP is stateless — so how do sessions work?

HTTP is stateless — each request is independent and carries no memory of prior ones. Sessions add state on top: after login, the server issues an identifier the browser stores in a cookie and replays on every request. Server-side sessions keep the state on the server keyed by an opaque session ID; stateless tokens like JWTs put signed state in the token itself so the server can verify without storage.

JuniorWeb SecurityIdentity & Access Management
The full answer

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.