Skip to content

Mid-level cybersecurity interview questions

A searchable bank of answered interview questions. Filter by role, topic, seniority and certification — or jump into a scored quiz.

170 questions questions in this set
Is AES-256 dramatically more secure than AES-128 for real-world use?

For practical purposes, no. AES-128 already needs about 2^128 work to brute-force — utterly infeasible — so AES-256 doesn't make you meaningfully safer against brute force; it mainly adds margin (e.g. post-quantum headroom, compliance). Both are standardized and unbroken. Your mode (GCM), nonce handling, and key management matter far more than 128 vs 256. 'AES-256 is twice as secure' is the misconception.

Mid-levelCryptography
The full answer
A full antivirus scan came back clean — does that prove the machine isn't compromised?

No. Antivirus is one signal, not proof. It misses fileless and in-memory attacks, brand-new or obfuscated samples, living-off-the-land abuse of legitimate tools, and rootkits built to hide from it. Absence of evidence is not evidence of absence — real assurance comes from EDR telemetry, memory forensics, behavioral analysis, and IOC hunting. Treating a clean AV scan as proof of a clean system is a classic incident-response mistake.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
Once your data is in the cloud, is securing it entirely the provider's responsibility?

No. Cloud runs on a shared responsibility model: the provider secures the underlying infrastructure ('security of the cloud'), but you remain responsible for your data, identity and access management, configuration, and — for IaaS — the OS and patching ('security in the cloud'). The large majority of cloud breaches are customer-side misconfigurations like public buckets and over-permissive IAM, not provider failures. Assuming the provider secures your data is how those breaches happen.

Mid-levelCloudGovernance, Risk & Compliance
The full answer
Does deleting the session cookie in your browser log you out on the server?

No. Deleting the cookie just removes the credential from your browser — the session record (or a still-valid JWT) on the server typically remains usable until it expires or is explicitly invalidated. An attacker who already captured the token can keep using it. The misconception treats the cookie as the session itself; it is only a pointer to server-side state. Real logout must invalidate the session server-side, or revoke and short-TTL the token.

Mid-levelWeb SecurityIdentity & Access Management
The full answer
Does HTTPS hide which website you're visiting from your ISP or network?

Mostly no. The destination hostname is sent in the clear in the TLS ClientHello's SNI extension, and your DNS query usually reveals it too, so an ISP or network can see WHICH site you visit even over HTTPS — they just can't read the path or content. Encrypted ClientHello (ECH) and DNS-over-HTTPS can close this gap, but they aren't universal. 'HTTPS hides everything' is the misconception.

Mid-levelNetworkingWeb Security
The full answer
Does enabling MFA make an account impossible to phish?

No. MFA raises the bar a lot, but OTP and push factors are phishable: adversary-in-the-middle kits (e.g. Evilginx) proxy the login and relay the code in real time, and MFA-fatigue/push-bombing tricks users into approving. Captured codes are reusable within their short window. The misconception is 'MFA = unphishable'; the factor type is what matters. Phishing-resistant MFA — FIDO2/WebAuthn passkeys bound to the site's origin — is what actually defeats this.

Mid-levelIdentity & Access ManagementThreat Intelligence
The full answer
Does NAT act as a firewall and secure your network?

No. NAT (and PAT) maps private addresses to a public IP and, as a byproduct, drops unsolicited inbound connections because no mapping exists for them. That's not a security policy — there's no inspection, no rules, no logging — and NAT traversal, hole punching, and outbound-initiated C2 pass right through. NAT is an addressing tool; you still need an actual firewall. 'NAT = firewall' is the misconception.

Mid-levelNetworking
The full answer
Your account was breached — does simply changing the password kick the attacker out?

Not by itself. Many systems keep existing sessions and previously issued tokens valid after a password change — OAuth refresh tokens, 'app passwords', API keys, and persistent cookies — so an attacker with a live session can stay in. The correct response is to change the password AND invalidate all sessions and tokens, revoke app credentials, and audit MFA devices and recovery settings. Assuming a password reset alone evicts the attacker is a classic incident-response mistake.

Mid-levelIdentity & Access ManagementDFIR (Forensics & Incident Response)
The full answer
A server looks compromised — does rebooting or shutting it down fix the problem?

No. Most real intrusions establish persistence (services, scheduled tasks, run keys, implants) that survives a reboot, so the attacker simply returns. Worse, powering off wipes volatile evidence — running processes, network connections, in-memory malware, and encryption keys — that you need to scope the incident. The right move is to contain by isolating the host while preserving memory, then investigate. Rebooting or shutting down as a 'fix' is a damaging instinct.

Mid-levelDFIR (Forensics & Incident Response)Malware
The full answer
Does a password salt need to be kept secret?

No. A salt is a unique, random value stored right alongside the hash; its job is to make identical passwords hash differently and to defeat precomputed rainbow tables — not to stay secret. It's fine if an attacker who steals the database also gets the salts. What actually protects passwords is a slow, salted hash (bcrypt, scrypt, Argon2). A separate, optional secret 'pepper' is a different concept.

Mid-levelCryptographyIdentity & Access Management
The full answer
You pull a pre-trained model from a public hub to run in production. What do you verify first?

A third-party model is a supply-chain dependency: verify it comes from a trusted source with matching checksums/signatures, that its license permits your use, and that the file format won't execute arbitrary code on load (prefer safe serialization over pickle-style formats). 'It loads' and 'download speed' say nothing about trust, and assuming public models are safe ignores real poisoning and deserialization risks.

Mid-levelAI & LLM SecurityGovernance, Risk & Compliance
The full answer
Developers paste customer PII into a third-party LLM API to draft support replies. What's the concern and action?

Sending customer PII to an external API exposes it to a third party's processing and retention and can breach privacy obligations. Minimize and redact what's sent, confirm the provider's data-use/retention terms and a data-processing agreement (or no-training guarantees), or move to a private deployment for sensitive data. Key length is irrelevant, and sending more PII increases the exposure.

Mid-levelAI & LLM SecurityGovernance, Risk & Compliance
The full answer
You're deciding how to store user passwords. What's the correct approach?

Password storage needs a deliberately slow, salted, memory-hard hash — bcrypt, scrypt, or Argon2 — so cracking stolen hashes is expensive and rainbow tables don't apply. A fast hash like SHA-256 is trivially brute-forced at scale; reversible encryption means one key compromise exposes every password at once; and plaintext is indefensible no matter how locked down the database is. Choose Argon2id (or bcrypt) with a tuned work factor and a unique per-user salt.

Mid-levelCryptographyIdentity & Access Management
The full answer
A scan shows your server still supports SSLv3/TLS 1.0 and RC4. What do you do?

SSLv3, TLS 1.0, and RC4 are broken or deprecated and enable downgrade and decryption attacks, so disable them and require TLS 1.2 or 1.3 with strong, forward-secret cipher suites — accepting the rare loss of very old clients. Leaving them on for compatibility keeps the weakness exploitable. Adding a second certificate or switching to a self-signed one doesn't remove the weak protocols, and self-signed certs harm trust without fixing the cryptography.

Mid-levelCryptographyNetworking
The full answer
You're handing a forensic disk image to legal. What ensures its integrity and admissibility?

Evidentiary integrity rests on hashing the image at acquisition (e.g., SHA-256) and verifying the hash later to prove it's unaltered, maintaining a documented chain of custody, and analyzing a working copy so the original stays pristine. Renaming the file does nothing for integrity, and compressing it to save space neither proves integrity nor helps admissibility. Touching the original risks spoliation that can get the evidence thrown out. Hash, document custody, and work on a verified copy.

Mid-levelDFIR (Forensics & Incident Response)Governance, Risk & Compliance
The full answer
An auditor asks for evidence that access reviews happen quarterly. What do you provide?

Auditors test for evidence, not intent: show the access-review policy, dated records of each review with approver sign-off, and confirmation that flagged access was revoked and verified. A verbal confirmation proves nothing repeatable, a promise to start next quarter shows the control was not operating in the audit period, and an org chart describes reporting lines, not access decisions. Only the dated, attributable artifacts demonstrate the control operated as designed across the whole period.

Mid-levelGovernance, Risk & ComplianceIdentity & Access Management
The full answer
Leadership says 'we have backups, so we're covered for disaster recovery.' What do you clarify?

Backups are necessary but not sufficient: disaster recovery and business continuity are the tested capability to restore operations within agreed recovery time and recovery point objectives (RTO/RPO), which requires a documented plan, mapped dependencies, runbooks, and validated restores — not just the existence of backup files. Agreeing they're the same conflates a data copy with an operational capability. DR isn't merely buying insurance, which transfers financial loss but doesn't restore systems. And backups don't make a DR plan unnecessary — untested backups routinely fail when they're finally needed. The clarification: DR must be exercised, not assumed.

Mid-levelGovernance, Risk & ComplianceDFIR (Forensics & Incident Response)
The full answer
Teams handle data inconsistently — some over-protect trivial data, some expose sensitive data. What foundational control helps?

Inconsistent handling usually means there's no shared definition of sensitivity, so the foundational control is a data classification scheme (e.g., public/internal/confidential/restricted) with defined handling, storage, and sharing requirements per level, letting teams apply proportionate controls. Encrypting nothing 'to keep things simple' or treating all data as public strips protection from data that needs it. Deleting all data older than a day destroys records the business and the law require. Only a classification scheme aligns the strength of controls to the actual sensitivity of the data.

Mid-levelGovernance, Risk & Compliance
The full answer
An employee leaves the company. What's the GRC-relevant control to verify?

Leaver risk is lingering access, so the control to verify is timely deprovisioning of every access path — directory accounts, SSO, VPN, privileged and service credentials, and third-party SaaS — reconciled against the joiner/mover/leaver (JML) process. Assuming HR handles it all without verification leaves gaps no one owns. Keeping the account active 'in case they come back' is standing, unmonitored risk. Disabling only email ignores the many other systems the person could still reach. The point is to verify access is actually and fully removed, not to trust that it was.

Mid-levelGovernance, Risk & ComplianceIdentity & Access Management
The full answer
A team identifies a new risk. As the GRC analyst, what do you do with it?

Governance means the risk is captured and managed, not informally handled: record it in the risk register with assessed likelihood and impact, assign an accountable owner, decide and document the treatment (mitigate, transfer, accept, or avoid), and set a review date. Fixing it yourself on the spot skips ownership, prioritisation, and tracking, and may not even be your call. Ignoring it until it becomes an incident is negligent, and emailing everyone creates noise but no accountability or follow-through. The register turns a one-off observation into a tracked, owned, revisited decision.

Mid-levelGovernance, Risk & Compliance
The full answer
An audit finds dozens of unused, over-permissioned service accounts. What do you do?

Unused, over-privileged service accounts are prime targets and a large attack surface. Inventory them, disable or delete the unused ones (watching for breakage), right-size the survivors to least privilege, and give each an owner plus a recurring review. Leaving them is standing risk, granting blanket admin maximizes blast radius, and consolidating onto one shared account destroys least privilege and accountability.

Mid-levelIdentity & Access ManagementCloud
The full answer
Investigating a breached Linux server, where do you look for attacker persistence?

Linux persistence hides in scheduled execution and startup paths: cron and systemd timers/units, added SSH authorized_keys, modified shell rc files and profile scripts, and trojanized service binaries or preloaded libraries. Check those systematically. Browser history and wallpaper settings aren't persistence mechanisms, and rebooting won't remove anything that re-establishes itself on boot — it just restarts it. The whole point of persistence is to survive reboots, so a reboot proves nothing.

Mid-levelLinux InternalsDFIR (Forensics & Incident Response)
The full answer
On a Linux host you find a world-writable file that is owned by root and has the SUID bit set. What's the risk and your action?

A SUID-root binary executes with root privileges, and if it's world-writable an attacker can replace or modify it to run arbitrary code as root — a classic local privilege-escalation path. Remove the SUID bit, correct ownership and permissions, and investigate how the misconfiguration appeared, since it may indicate compromise. Encrypting the file leaves the executable path intact, and renaming it just moves the problem without removing the escalation. Neither addresses the root cause.

Mid-levelLinux Internals
The full answer
Analysis revealed the malware's C2 domains and a unique mutex. What's the highest-value deliverable to the SOC?

The SOC needs to act, so deliver structured, actionable detection content: network IOCs, hashes, host artifacts like the mutex, and behavioral or YARA signatures they can deploy to hunt and block. An exhaustive API narrative isn't directly operational. A single hash is trivially changed by attackers. Speculative attribution isn't something the SOC can defend with. The goal is detections the SOC can ship today.

Mid-levelMalwareThreat Intelligence
The full answer
You're ready to run a sample dynamically. Which environment is appropriate?

Detonate only in a disposable, isolated VM with snapshots and a controlled network (e.g., simulated services or tightly monitored egress) so the malware can't reach production or the internet uncontrolled. AV on your laptop won't reliably contain live malware. A production server risks real systems. A colleague's machine just moves the danger. Isolation and revertable snapshots are the core of a safe malware lab.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
A host shows a ransom note. Supporting IR as the malware analyst, what's the most useful first contribution?

Family identification drives decisions: from the note, extension, and IOCs you can flag whether a free decryptor exists, the group's typical TTPs (including data theft for extortion), and the likely blast radius, feeding the IR team. Reformatting destroys evidence and scope information. Note grammar isn't actionable. Recommending negotiation is a business and legal decision, not the analyst's first move. Identify first, then enable IR.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
The SOC hands you a suspicious .exe pulled from a user's machine. What's your FIRST analysis step?

Begin with static triage in an isolated environment: compute hashes, pull strings, inspect PE headers and imports, and check reputation, so you understand the sample before risking execution. Running it on your own workstation can infect you and the network. Uploading client samples with identifying names leaks sensitive data to third parties. Deleting it destroys the evidence and the chance to build detections.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
A firewall review finds an 'any source / any destination / allow' rule near the top of the policy. What's the issue and fix?

Because firewalls evaluate rules top-down, a broad any/any allow near the top short-circuits every rule below it and permits all traffic — the firewall effectively stops enforcing anything. Replace it with explicit least-privilege rules for the flows actually needed, ordered so specific allows and denies take effect, ending in a default deny. Calling it efficient is wrong, moving it to the bottom can still shadow the default deny, and renaming changes nothing about what it permits.

Mid-levelNetworking
The full answer
A funds-transfer endpoint accepts a simple cookie-authenticated POST with no token. What's missing?

If the browser automatically attaches the session cookie, a malicious page can trigger the transfer on the victim's behalf — cross-site request forgery (CSRF). Defend state-changing requests with anti-CSRF tokens and SameSite cookies, and check the Origin/Referer header. Cookies prove identity but not intent, a login CAPTCHA does nothing for an already-authenticated action, and HTTPS protects transport confidentiality, not request forgery.

Mid-levelWeb Security
The full answer
Users upload profile images; the server stores them in the web root and serves them back. What's the risk?

If an attacker can upload a server-executable file (or HTML/SVG) into a servable directory, they may achieve remote code execution or stored XSS. Validate the real content type, store uploads outside the web root or on a non-executing store, randomize filenames, and serve them so they can't be executed or interpreted as markup. Slower page loads and disk usage are operational issues, not the security risk an attacker exploits here.

Mid-levelWeb Security
The full answer
EDR flags a process reading LSASS memory. Why does it matter and what do you do?

LSASS stores cached credentials and secrets, so an unexpected process reading its memory is a hallmark of credential theft (e.g., mimikatz-style dumping). Triage the offending process and parent, isolate the host to stop lateral movement, and rotate the credentials that could have been captured — including privileged and service accounts. It has nothing to do with graphics rendering or disk space, and ignoring it as normal can lead to domain-wide compromise. The benign-sounding distractors are exactly how analysts miss an active intrusion.

Mid-levelWindows InternalsIdentity & Access Management
The full answer
On Windows, an alert shows a new scheduled task launching PowerShell from %TEMP%. What is this likely to be and your move?

Legitimate software rarely runs PowerShell out of %TEMP% via a freshly created scheduled task — it's a common persistence and execution technique. Examine the task definition, the invoked script, the creating process and the timeline, contain the host, and sweep the environment for the same pattern. Updates don't look like this, blanket-trusting scheduled tasks ignores a known TTP, and deleting System32 breaks the OS while doing nothing about the threat. The first three options all reflect dangerously weak judgment.

Mid-levelWindows InternalsDFIR (Forensics & Incident Response)
The full answer
Users can change `?account_id=123` to `124` and see other users' data. What category is this, and how do you fix it?

This is broken access control (IDOR): the server isn't checking that the authenticated user may access the requested object. The fix is per-object authorization enforced server-side on every request. Sanitizing the number doesn't establish ownership. Encrypting or obfuscating the ID is obscurity that's still guessable, leakable, or replayable. The HTTP method is irrelevant to authorization. Always verify the caller's right to the specific object before returning it.

Mid-levelWeb SecurityIdentity & Access Management
The full answer
An API endpoint binds the entire JSON body to the user model, so a user can send `"isAdmin": true`. What is this, and the fix?

This is a mass-assignment (over-posting) flaw: the server blindly maps client JSON onto sensitive model fields. Fix it by binding only an explicit allow-list of permitted fields (DTOs / strong params) so privileged attributes like isAdmin can't be set by the client. Hiding the field in the frontend and adding client-side validation are both bypassed by a raw request. Renaming isAdmin is obscurity that's easily discovered. Control which fields bind, server-side.

Mid-levelWeb Security
The full answer
A code review shows a SQL query built by concatenating user input. What's the correct fix?

Parameterized queries are the actual fix: they separate code from data so user input is always treated as a value, never as SQL that can change the query's structure. Manual escaping is error-prone and bypassable across encodings and dialects. A WAF is a compensating control, not a fix, and encoding tricks defeat it. A length check doesn't stop injection at all. Fix it at the query layer.

Mid-levelWeb Security
The full answer
User-supplied profile bios render unescaped, and one contains a `<script>` tag. What's the correct fix?

Stored XSS is fixed by encoding data for the exact context where it's rendered (HTML body, attribute, JavaScript, URL) so the browser treats it as text, with a Content-Security-Policy as a second layer. Blacklisting the word 'script' is trivially bypassed via event handlers, mixed case, and encodings. You can't make your users disable JavaScript. Asking users not to enter HTML isn't an enforceable control. Encode on output, every time you render.

Mid-levelWeb Security
The full answer
`npm audit` flags a critical CVE in a transitive dependency used in production. What's the right response?

Transitive code runs in your app, so a critical CVE is your risk. Assess whether the vulnerable code path is actually reachable, then remediate by bumping or overriding the version (or mitigating) and verify in production. Ignoring it because it's transitive leaves a known hole an attacker can exploit. Suppressing the audit just hides the warning. Reinstalling node_modules pulls the same vulnerable version. Track it through SCA, don't silence it.

Mid-levelWeb SecurityGovernance, Risk & Compliance
The full answer
A team is about to build a new payment feature. When and how should threat modeling happen?

Threat modeling is cheapest and most effective at design time, before code locks in decisions: walk the data flows, enumerate threats with a framework like STRIDE, and bake in mitigations, then revisit as the design evolves. Doing it only post-incident or at the annual pentest finds problems after they are expensive to fix and already exposed. And relying on 'careful developers' is a hope, not a repeatable, auditable control.

Mid-levelGovernance, Risk & ComplianceWeb Security
The full answer
A phishing simulation shows 30% of staff clicked the link. What's the constructive response?

A 30% click rate is a baseline to improve, not a list of people to punish: pair role-based training and a frictionless report button with technical defenses (MFA, email filtering, least privilege) so a single click doesn't lead to compromise, and track the trend over time. Publicly shaming employees suppresses the reporting you depend on. Declaring the workforce hopeless removes a control you should be strengthening. Another scary all-staff email isn't a measurable intervention and doesn't change behavior.

Mid-levelGovernance, Risk & ComplianceThreat Intelligence
The full answer
Why should a CISO run incident-response tabletop exercises BEFORE an incident?

Tabletops rehearse the human and decision side of IR — who has authority to declare an incident, how legal/PR/exec communication flows, and where the playbook breaks — so the first time you make those calls isn't during a real crisis. It's far cheaper to find gaps in a drill than mid-breach. They are not a hollow compliance checkbox, they're not for assigning blame for past incidents, and they are cross-functional, not SOC-only — leadership has to practice the decisions only they can make.

Mid-levelGovernance, Risk & ComplianceDFIR (Forensics & Incident Response)
The full answer
You find CloudTrail (control-plane audit logging) is disabled in a production account. Why does it matter and what do you do?

Without control-plane audit logs you're blind to who did what at the cloud layer, and detection, forensics, and compliance all depend on that record. Enable CloudTrail immediately, org-wide, delivering to a separate, access-controlled, tamper-resistant (immutable) bucket. Saying it doesn't matter while nothing is wrong ignores that you'd have no history when something does go wrong. Waiting until an incident means the formative early actions are already unlogged and unrecoverable. Application logs don't capture API, IAM, or console activity at the control plane.

Mid-levelCloudDFIR (Forensics & Incident Response)
The full answer
A new VM was launched with SSH (22) and RDP (3389) open to 0.0.0.0/0. What's the right remediation?

Management ports open to the whole internet are scanned and brute-forced within minutes, so the fix is to shrink the attack surface: restrict the security-group ingress to known admin CIDRs or VPN, or remove inbound entirely using a bastion or SSM Session Manager. Moving SSH to a non-standard port is security by obscurity that scanners defeat trivially. A stronger password doesn't reduce the exposed surface or stop credential-stuffing. Trusting a host firewall ignores the attack surface the security group is openly advertising to the internet.

Mid-levelCloudNetworking
The full answer
A monitoring tool flags an S3 bucket as public, and it contains customer data exports. What's your FIRST action?

Public customer data is an active exposure, so remediate access first: enable Block Public Access and correct the bucket and IAM policy to stop ongoing leakage. Then pull access logs (S3 server access logs / CloudTrail data events) to assess what was actually reached, and trigger breach and notification processes per policy. Ticketing it for next sprint leaves regulated data exposed for days. Copying the data elsewhere creates a second copy but leaves the original bucket open. Renaming changes nothing about its permissions.

Mid-levelCloudDFIR (Forensics & Incident Response)
The full answer
Your team stores DB passwords as plaintext environment variables in deployment config that's checked into the repo. Better approach?

Secrets belong in a managed store with access control, audit, and rotation, injected at runtime — never committed to source control. Use a secrets manager (AWS Secrets Manager, HashiCorp Vault) and remove the committed values from history, then rotate them because they must be treated as compromised. Base64 is encoding, not protection — anyone can decode it. A private repo still spreads the secret to everyone with clone access plus CI systems and forks. Compiling it into the binary just hides a secret that's still trivially extractable.

Mid-levelCloudIdentity & Access Management
The full answer
Your app on EC2 authenticates to AWS using a long-lived access key baked into the AMI. What's the better pattern?

A static key baked into an image leaks easily and lives forever, so the fix is to eliminate the long-lived credential entirely: attach an IAM role via an instance profile, which delivers short-lived, automatically rotated credentials with nothing embedded. Manual 90-day rotation still leaves a long-lived secret sitting in the AMI between rotations. Moving the key to an environment variable doesn't make it any less static or any less leaked. Emailing it to ops spreads the exposure to mailboxes and archives.

Mid-levelCloudIdentity & Access Management
The full answer
Someone fixed a prod issue by clicking in the console, but the infrastructure is managed by Terraform. What's the problem and fix?

The manual console change is configuration drift: the next terraform apply can silently revert the fix, and the change also bypassed peer review and audit. Reconcile it by codifying the change in Terraform, running plan/apply so code and reality match, and adding guardrails against ad-hoc console edits (least-privilege console access, SCPs, drift detection). Doing nothing leaves a landmine for the next apply. Deleting the Terraform state is destructive and can orphan or duplicate resources. Abandoning Terraform throws away reproducibility, review, and audit trails.

Mid-levelCloudGovernance, Risk & Compliance
The full answer
A compromised laptop is on your desk, still powered on, with a suspicious process running. To preserve evidence, what do you do?

Follow the order of volatility. RAM, live network connections and the process table vanish on shutdown, so capture them first, then take a forensic disk image while documenting hashes and an unbroken chain of custody. A clean shutdown destroys memory-resident evidence — including fileless malware and keys that live only in RAM. Copy-then-delete tampers with the scene and breaks integrity. Running the company antivirus mutates the system and may quarantine or delete the very artifact you need to analyze.

Mid-levelDFIR (Forensics & Incident Response)
The full answer
A business-critical production service looks vulnerable to a memory-corruption exploit that might crash it. What do you do?

Rules of engagement usually exclude DoS on production, and an unplanned crash causes real business damage and can void the engagement. Verify scope first; if a destructive proof-of-concept isn't authorized, prove the vulnerability through safer means and clearly document the likely impact. Firing the exploit for a screenshot is reckless. Running it repeatedly for 'reliability metrics' multiplies the outage. Skipping it silently hides a serious, exploitable risk from the client.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
You're wrapping up an engagement where you uploaded webshells and created test accounts. What must you do?

Professional engagements end with full cleanup and an artifact inventory, so you don't leave new attack surface or muddy the client's environment. Leaving shells or accounts for the client to find is negligent and dangerous — a real attacker could reuse them. Keeping a backdoor 'for next time' is unethical and likely illegal. Deleting your own activity logs destroys the audit trail the client needs to validate the test and reconstruct what you did.

Mid-levelGovernance, Risk & Compliance
The full answer
For an authorized social-engineering test, which pretext is acceptable?

Social-engineering tests must stay within agreed, ethical pretexts: realistic enough to be useful but without coercion, impersonating authorities, or exploiting personal or medical situations. A generic IT password reset agreed in the rules of engagement is fair game. Impersonating a real employee's sick child or threatening someone with being fired causes genuine psychological harm. Pretending to be law enforcement impersonates authorities and is often illegal even with a signed engagement.

Mid-levelGovernance, Risk & Compliance
The full answer
You have SQL injection on a production app and could dump the entire customer database to prove impact. What's the responsible proof?

Prove the vulnerability without harming the client or hoarding their data: show you can read arbitrary data via the DB version, schema, or a single redacted sample, then stop. Dumping the full PII dataset creates breach-notification and data-handling liability for both parties. Dropping a table is destructive and well beyond proof-of-concept. Encrypting the database and demanding a bounty is extortion, not testing — it is a crime, not a finding.

Mid-levelWeb SecurityGovernance, Risk & Compliance
The full answer
Mid-engagement you discover an exploitable host that is clearly NOT in the agreed scope. What do you do?

Authorization defines the engagement, so testing outside the agreed scope is potentially illegal and breaches the rules of engagement no matter how tempting the target. Document what you saw, stop, and obtain written client approval before going further. Exploiting for 'more findings' is never a justification for unauthorized access. Quietly exploiting it if you think you won't be caught is both unethical and a crime, and self-extending the scope strips the client of informed consent.

Mid-levelNetworkingGovernance, Risk & Compliance
The full answer
Your report has 30 findings. How should you present them to be most useful to the client?

A useful report drives remediation: rank by business risk (likelihood × impact), surface the exploit chains that lead to critical compromise, and give actionable fixes for each finding. Alphabetical ordering buries what matters under what happens to start with 'A'. Longest-writeup-first rewards verbosity over severity. Dropping the lows hides real risk and the patterns the client needs for defense-in-depth, leaving them with a falsely reassuring picture.

Mid-levelGovernance, Risk & ComplianceWeb Security
The full answer
You're rolling out MFA and executives demand an exemption 'for convenience.' How do you handle it?

Executives are exactly the accounts attackers want (BEC, wire fraud), so exempting them inverts the risk model. Solve the friction, not the control: deploy phishing-resistant FIDO2/passkeys that are faster than codes. Caving to the exemption guts the program's credibility and leaves your highest-value accounts unprotected. Killing the MFA project abandons a top-tier control. Quietly enabling it behind their backs destroys trust and accountability.

Mid-levelIdentity & Access ManagementGovernance, Risk & Compliance
The full answer
A developer asks for permanent admin on the production cluster 'to debug faster.' What do you offer?

Least privilege plus just-in-time access: grant the minimum permissions needed, time-boxed and logged, so debugging is possible without standing admin that becomes a permanent risk and audit gap. Permanent cluster-admin violates least privilege and widens the blast radius of any compromise. A blanket denial blocks legitimate work and invites risky shadow workarounds. Sharing the common admin service-account credential destroys accountability — actions can't be traced to a person.

Mid-levelIdentity & Access Management
The full answer
A developer accidentally pushed an AWS access key to a PUBLIC GitHub repo. What is the correct response order?

Treat any pushed secret as burned: revoke and rotate it first, because bots scrape public commits within seconds, then review CloudTrail for misuse and purge it from history. Deleting the commit doesn't help — the key is already cloned, forked, and cached by third parties. Making the repo private leaves a live, already-leaked key in attackers' hands. Adding the file to .gitignore does nothing for a secret that is already committed.

Mid-levelIdentity & Access ManagementCloud
The full answer
You discover the application logs full credit-card numbers and passwords in plaintext. What's the fix priority?

Sensitive data should never reach logs: redact or mask at the source first to stop the bleeding, then remediate the historical logs and tighten access. PCI DSS forbids storing full PANs and CVVs this way, and passwords should never be logged at all. 'Internal' logs are still a prime breach target. Encrypting or ACLing the store still leaves cleartext secrets sitting in logs for anyone with read access — backups, SIEM pipelines, and admins all see them.

Mid-levelGovernance, Risk & ComplianceWeb Security
The full answer
A public API went down because its TLS certificate expired. Beyond renewing it, what's the durable fix?

Manual renewals fail, so engineer the problem away with automated ACME renewal plus expiry monitoring that alerts days in advance. A calendar reminder is the manual process that already failed once. A long-lived self-signed cert breaks public trust and violates modern lifetime limits (CAs cap validity at ~398 days, dropping further). Disabling TLS trades an availability blip for a catastrophic confidentiality and integrity loss.

Mid-levelCryptographyNetworking
The full answer
Your SIEM fires 500 'failed login' alerts a day, almost all noise, and analysts now ignore the rule. What's the right move?

Cut false positives through detection engineering, not by blinding yourself. Re-tune so alerts fire only on patterns that matter — many accounts hit with one password (spraying), one account hit many times (stuffing/brute force), impossible travel — while keeping the raw failed-login events searchable on a dashboard. Then measure alert precision over time. Disabling the rule removes a real signal, blanket suppression creates a permanent blind spot, and hiring people to triage pure noise doesn't scale and burns them out.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
You notice a single host making thousands of unusual, long TXT-record DNS queries to one domain. What's the most likely explanation and action?

High-volume, high-entropy TXT or long-subdomain queries to a single domain is a classic DNS tunneling / C2-and-exfil signature: data is being smuggled inside DNS to evade egress filtering. Capture a query sample for analysis, sinkhole or block the domain to cut the channel, and pivot to the host to find the responsible process. Dismissing it as normal caching or a slow website misses live exfiltration. Restarting the DNS server does nothing about the compromised endpoint and just disrupts name resolution.

Mid-levelNetworkingThreat Intelligence
The full answer
A user reports they clicked a link in a suspicious email and typed their password into the page. What is your FIRST action?

Assume the password is already compromised: force a reset AND invalidate the account's active sessions and tokens, because a reset alone won't evict an attacker who already holds a live session or refresh token. Then hunt for anomalous logins, MFA prompts, mailbox rules and OAuth grants from the exposure window. Deleting the email or telling the user to change it "next time" leaves the account wide open. An antivirus scan addresses malware on the endpoint, not stolen credentials in the cloud.

Mid-levelDFIR (Forensics & Incident Response)Identity & Access Management
The full answer
Monday 9am, four alerts are open. Which do you work FIRST?

Triage by impact and reachability: credential dumping (a mimikatz signature) on a domain controller is a crown-jewel event that can lead to full domain compromise, so work it first. The external port scan was already blocked by the IDS, the unapproved browser extension is low severity, and an expired TLS cert on an internal test box is informational. The core SOC skill is prioritizing by blast radius and likelihood of escalation, not by alert age or how loud the alert is.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
What are the benefits and risks of using AI in the SOC?

AI helps the SOC by triaging and de-duplicating alerts, summarizing incidents, enriching context, drafting detections, and accelerating analyst onboarding — reducing fatigue and dwell time. The risks: hallucinated or confidently wrong conclusions, automation bias where analysts stop verifying, prompt injection through attacker-controlled log or alert data, sensitive data leaking into third-party models, and adversaries using the same tools. Keep a human in the loop, verify outputs, and isolate untrusted inputs.

Mid-levelAI & LLM SecurityThreat Intelligence
The full answer
What is the difference between direct and indirect prompt injection?

Direct prompt injection is when a user types adversarial instructions straight into the prompt to override the system prompt or safety rules. Indirect prompt injection hides malicious instructions inside external content the model later ingests — a web page, email, PDF, or RAG document — so the attack fires without the victim ever typing it. Indirect injection is the bigger risk because the attacker and the victim are different people, and the payload rides in on data the app implicitly trusts.

Mid-levelAI & LLM SecurityWeb Security
The full answer
What is insecure output handling in LLM apps, and how does it cause XSS or SSRF?

Insecure output handling is trusting what the model returns and passing it to a downstream system without validation or encoding. Because model output is attacker-influenceable, rendering it as raw HTML causes XSS, feeding it to a URL fetcher causes SSRF, and passing it to a shell or SQL query causes command or SQL injection. The fix is to treat model output exactly like untrusted user input: context-aware output encoding, allowlisting, sanitization, and parameterization before it reaches any sink.

Mid-levelAI & LLM SecurityWeb Security
The full answer
Give an overview of the OWASP Top 10 for LLM Applications.

The OWASP Top 10 for LLM Applications is the consensus list of the most critical risks when building with large language models. The 2025 edition covers prompt injection, sensitive information disclosure, supply chain, data and model poisoning, improper output handling, excessive agency, system prompt leakage, vector and embedding weaknesses, misinformation, and unbounded consumption. It exists because traditional appsec lists don't capture LLM-specific failure modes, and it gives teams a shared vocabulary and a checklist to prioritize controls.

Mid-levelAI & LLM SecurityWeb Security
The full answer
How do LLM applications leak sensitive information, and how do you prevent it?

LLM apps leak data several ways: the model memorizes and regurgitates sensitive training or fine-tuning data, the system prompt (which may hold secrets or logic) gets extracted, retrieved RAG documents expose data the user shouldn't see, and context from one user or session bleeds into another. Prevention means data minimization before training, never putting secrets in prompts, enforcing per-user authorization on retrieval, output filtering and PII redaction, and tenant isolation.

Mid-levelAI & LLM Security
The full answer
Distinguish credential stuffing from password spraying, including how each appears in logs.

Credential stuffing replays known username:password pairs from third-party breaches, betting on password reuse — high success rate per attempt, often distributed across many IPs and devices to look human. Password spraying tries one or two common passwords (like Winter2026!) across many accounts to stay under lockout thresholds. Stuffing exploits reuse; spraying exploits weak shared passwords. MFA defeats both.

Mid-levelIdentity & Access ManagementDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
Explain the Lockheed Martin Cyber Kill Chain and how a blue team uses it.

The Cyber Kill Chain models an intrusion as seven sequential stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives. Defenders map detections and controls to each stage; because the stages are sequential, breaking any single link — blocking the phishing email, killing C2 — disrupts the whole attack. It pushes you to detect early rather than only at the final breach.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)Networking
The full answer
Explain the difference between Indicators of Compromise (IOCs) and Indicators of Attack (IOAs).

An IOC is a forensic artifact that something bad already happened — a malicious file hash, a C2 IP or domain, a known-bad registry key. An IOA is a behavioral signal of an attack unfolding regardless of the specific tools — e.g. a Word document spawning PowerShell, then reaching out to the internet. IOCs are reactive and easy to evade by changing a hash; IOAs catch intent and survive tool changes.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
Name the common ways malware persists on a Windows host across reboots, and how you would hunt for them.

Persistence is how malware survives reboots and logoffs. The staples on Windows are registry Run/RunOnce keys (HKLM and HKCU), scheduled tasks, and Windows services, plus startup folders, WMI event subscriptions, and DLL hijacks. You hunt them with autoruns/Sysinternals, Sysmon, and event logs — looking for unsigned binaries, odd paths like %AppData%, and entries created right after initial compromise.

Mid-levelWindows InternalsMalwareDFIR (Forensics & Incident Response)
The full answer
Explain the order of volatility and why it drives the sequence of evidence collection in DFIR.

Order of volatility ranks evidence by how fast it vanishes, so you collect the most fragile first. Roughly: CPU registers/cache, then RAM and running state (processes, network connections, ARP), then temporary/swap files, then disk, then remote logging and monitoring data, and finally archival media and backups. You also work on forensic copies, hash them, and keep a chain of custody so evidence stays admissible.

Mid-levelDFIR (Forensics & Incident Response)Windows InternalsLinux Internals
The full answer
What is ransomware, and walk me through how you respond once it is actively encrypting systems.

Ransomware is malware that encrypts (and increasingly exfiltrates) data, then demands payment. In an active case: isolate affected hosts from the network without powering them off if you can preserve memory, identify scope, patient zero, and the strain, preserve evidence, find and evict the foothold and any backdoors, then restore from known-clean offline backups. Paying is a last resort and never guarantees recovery.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
Explain how SPF, DKIM, and DMARC work together to prevent email spoofing.

SPF publishes which IPs may send mail for a domain. DKIM adds a cryptographic signature so the receiver can verify the message was not altered and came from the domain. DMARC ties SPF/DKIM results to the visible From: header via 'alignment', tells receivers what to do on failure (none/quarantine/reject), and sends reports. SPF and DKIM alone do not protect the From a user sees — DMARC is what enforces that.

Mid-levelNetworkingWeb SecurityIdentity & Access Management
The full answer
Compare static and dynamic malware analysis, including the strengths and limits of each.

Static analysis examines a sample without executing it — hashes, strings, imports, headers, and disassembly — so it is safe and complete in coverage but defeated by packing and obfuscation. Dynamic analysis detonates the sample in an isolated sandbox and observes real behavior — files, registry, processes, network — which cuts through obfuscation but only reveals what runs in that session and can be evaded by sandbox-aware malware. Analysts combine both.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
Which Windows event IDs and logs would you pull first during an intrusion investigation?

The Security log is primary: 4624 successful logon (with logon type), 4625 failed logon, 4634/4647 logoff, 4672 special privileges assigned, 4720 account created, 4688 process creation (with command line if enabled), and 4768/4769 Kerberos. Add 7045 service install (System log), 4698 scheduled task created, and PowerShell script-block logging (4104). Logon type and command-line auditing are what make these logs useful.

Mid-levelWindows InternalsDFIR (Forensics & Incident Response)
The full answer
Explain the role of data classification and the responsibilities of the data owner versus the data custodian.

Classification labels data by sensitivity so the organization applies controls proportional to value and risk, avoiding both under-protection and wasteful over-protection. The data owner (a business role) sets the classification and accepts risk, while the data custodian (often IT) implements and maintains the protective controls.

Mid-levelIdentity & Access Management
The full answer
Distinguish a policy, a standard, a procedure, and a guideline. Which are mandatory?

A policy is the high-level mandatory statement of management intent; a standard is a mandatory specific rule that enforces policy (e.g. AES-256); a procedure is the mandatory step-by-step how-to; a guideline is an optional recommendation. Policies, standards, and procedures are mandatory, while guidelines are discretionary.

Mid-levelIdentity & Access Management
The full answer
Walk me through quantitative versus qualitative risk analysis, and define ALE, SLE, and ARO.

Quantitative analysis assigns hard monetary values so you can compute expected loss; qualitative analysis ranks risk on relative scales (high/medium/low) using expert judgment. Quantitative uses SLE = asset value x exposure factor, ARO = expected occurrences per year, and ALE = SLE x ARO to express annual expected loss in dollars.

Mid-levelDFIR (Forensics & Incident Response)Identity & Access Management
The full answer
After a risk assessment, what are your options for treating a risk? Give an example of each.

You can mitigate (reduce likelihood/impact with controls), transfer (shift the financial impact via insurance or contracts), avoid (stop the risky activity entirely), or accept (knowingly tolerate the residual risk). The choice depends on risk appetite and a cost-benefit comparison against the risk's expected loss.

Mid-levelIdentity & Access Management
The full answer
How do you secure container images?

Start from a minimal, trusted base image (distroless or slim) to shrink attack surface, scan images for known CVEs in CI and in the registry, pin and verify image digests, run as a non-root user, and avoid baking in secrets. Sign images and enforce admission policies so only scanned, signed images run. Rebuild regularly so patched base layers flow through.

Mid-levelCloudNetworking
The full answer
IAM roles vs users vs policies — how do you apply least privilege in the cloud?

A user is a long-lived identity with permanent credentials; a role is an identity with no permanent credentials that any trusted principal can assume to get short-lived tokens; a policy is the JSON document that grants permissions, attached to either. Least privilege means preferring roles over users, scoping policies to specific actions and resources, and granting only what a task needs — then reviewing and pruning over time.

Mid-levelIdentity & Access ManagementCloud
The full answer
How do CloudTrail and GuardDuty fit into cloud logging and monitoring?

CloudTrail records every API call in the account — who did what, when, from where — giving you the authoritative audit trail for investigations and compliance. GuardDuty is a managed threat-detection service that analyzes CloudTrail, VPC flow, and DNS logs to surface findings like credential exfiltration or crypto-mining. CloudTrail is the source of truth you must protect; GuardDuty turns that telemetry into actionable alerts.

Mid-levelCloudNetworking
The full answer
What are common S3 bucket misconfigurations and how do you prevent them?

The classic mistakes are public ACLs or bucket policies that allow anonymous or all-AWS-users access, overly broad principals or wildcard actions, no default encryption, and no logging. Prevent them by enabling account-level Block Public Access, using IAM/bucket policies with least privilege, enforcing default encryption and TLS, and turning on access logging and Config rules to catch drift.

Mid-levelCloudIdentity & Access Management
The full answer
How do you securely manage secrets in the cloud?

Store secrets in a dedicated managed service (Secrets Manager, Parameter Store, Vault), encrypted with a KMS key, and grant access through IAM roles so workloads fetch them at runtime with short-lived credentials. Never bake secrets into code, container images, or committed .env files. Add automatic rotation, scoped key policies, and audit logging so every retrieval is traceable.

Mid-levelCloudIdentity & Access Management
The full answer
What's the difference between security groups and network ACLs?

Security groups are stateful firewalls attached to instances/ENIs: they allow rules only, and return traffic for an allowed flow is automatically permitted. Network ACLs are stateless filters at the subnet boundary: they have ordered allow and deny rules and you must explicitly allow return traffic on ephemeral ports. Security groups are the primary control; NACLs add coarse subnet-level guardrails like blocking an IP range.

Mid-levelNetworkingCloud
The full answer
What's the difference between Diffie-Hellman and RSA?

RSA is an asymmetric algorithm used to encrypt data or create digital signatures using a key pair. Diffie-Hellman is a key-agreement protocol that lets two parties derive a shared secret over a public channel without ever transmitting it. They solve different problems: RSA proves identity and can wrap keys; DH negotiates a session key — and its ephemeral variant gives forward secrecy.

Mid-levelCryptography
The full answer
How does an HMAC work and why use it instead of a plain hash?

HMAC is a keyed message authentication code: it hashes the message together with a secret key using a nested construction (inner and outer hash with key-derived pads). It proves both integrity (the message wasn't altered) and authenticity (it came from someone holding the key). A plain hash proves neither, since anyone can recompute it; HMAC also resists length-extension attacks.

Mid-levelCryptography
The full answer
How do JWTs work, and what security pitfalls should you watch for?

A JWT is three base64url parts — header, payload (claims), and signature — joined by dots. The server signs the header and payload with a secret or private key, and verifies that signature on each request to trust the claims without server-side session state. Pitfalls: accepting alg=none, RS256-to-HS256 key confusion, not validating expiry/issuer/audience, putting secrets in the readable payload, and no revocation path.

Mid-levelIdentity & Access ManagementWeb Security
The full answer
Walk me through the OAuth 2.0 authorization code flow.

The app redirects the user to the authorization server to log in and consent. The server redirects back with a short-lived authorization code. The app's backend then exchanges that code (plus its client secret) at the token endpoint for an access token, over a server-to-server back channel. This keeps tokens out of the browser/URL. Public clients add PKCE to bind the code to the original requester.

Mid-levelIdentity & Access ManagementWeb Security
The full answer
How should passwords be stored, and why use bcrypt/scrypt/argon2 over fast hashes?

Store passwords using a deliberately slow, salted, adaptive password-hashing function — bcrypt, scrypt, or Argon2 — never a fast general-purpose hash like SHA-256 or MD5. Fast hashes are built for speed, so attackers with GPUs can test billions of guesses per second against a leaked database. Slow hashes have a tunable work factor (and memory cost) that makes each guess expensive, keeping brute force impractical even after a breach.

Mid-levelCryptographyIdentity & Access Management
The full answer
What is Perfect Forward Secrecy and why does it matter?

Perfect Forward Secrecy (PFS) means each session derives a unique key from an ephemeral key exchange that is thrown away afterward. If an attacker later steals the server's long-term private key, they still cannot decrypt previously captured traffic, because that key was never used to derive the session keys. It's achieved with ephemeral Diffie-Hellman (DHE/ECDHE).

Mid-levelCryptographyNetworking
The full answer
How does Single Sign-On work, and how do SAML and OIDC differ?

SSO centralizes authentication at an Identity Provider (IdP). When a user visits a Service Provider (the app), the app redirects to the IdP; the user logs in once, and the IdP returns a signed assertion or token vouching for their identity. SAML carries this as a signed XML assertion; OIDC carries it as a signed JSON ID token layered on OAuth 2.0. The app trusts the IdP's signature rather than handling passwords itself.

Mid-levelIdentity & Access Management
The full answer
How do you scan container images in a CI/CD pipeline?

Scan images for known CVEs in OS packages and app libraries, plus misconfigurations and embedded secrets, both at build time and continuously in the registry — because new CVEs appear after an image is built. Use minimal or distroless base images to shrink the attack surface, pin and digest-reference base images, and run the container as non-root. Scanning is necessary but doesn't replace runtime protection.

Mid-levelCloud
The full answer
How do you secure Infrastructure as Code in the pipeline?

IaC scanning statically analyzes Terraform, CloudFormation, Kubernetes, and similar definitions against policy to catch misconfigurations — public S3 buckets, open security groups, missing encryption — before they're ever provisioned. Because the same template provisions many resources, fixing it once prevents repeated drift, and catching it pre-apply is far cheaper than remediating live cloud resources. Tools include Checkov, tfsec, and KICS, ideally enforced as policy-as-code gates.

Mid-levelCloud
The full answer
What's the difference between SAST, DAST, and IAST?

SAST reads source code without running it, finding flaws like injection sinks early but with many false positives. DAST attacks the running app from the outside with no code visibility, finding real exploitable issues but late and with shallow coverage. IAST instruments the running app to correlate runtime behavior with code, getting accurate results with code context, but needs an exercised application and agent support.

Mid-levelWeb Security
The full answer
How do you prevent secrets from leaking through your CI/CD pipeline?

Use defense in depth: pre-commit hooks (e.g. gitleaks) catch secrets before they ever land, server-side CI scanning catches what slips past, and periodic full-history scans find old leaks. Critically, a secret that reached a remote repo must be treated as compromised and rotated — deleting the commit doesn't help because it lives in history, forks, and logs. Pair this with a real secrets manager so secrets aren't in code at all.

Mid-levelWeb Security
The full answer
What does 'shift security left' mean, and how do you do it without blocking developers?

Shifting left means moving security earlier — into design, the IDE, and the pull request — where issues are cheaper to fix than in production. You avoid blocking developers by making the secure path the easy path: fast in-context feedback, low-false-positive gates that only hard-fail on high-severity new issues, secure defaults and paved-road templates, and treating security as enablement rather than a late veto.

Mid-levelWeb Security
The full answer
What is Software Composition Analysis (SCA) and why is it critical?

SCA inventories the open-source and third-party components an application pulls in — including transitive dependencies — and flags those with known CVEs or problematic licenses. It matters because most modern code is dependencies you didn't write, and a single vulnerable transitive package (like Log4j) can expose the whole app. Good SCA prioritizes by reachability and exploitability, not just raw CVE counts.

Mid-levelWeb Security
The full answer
What is an SBOM and why does it matter?

An SBOM is a machine-readable inventory of every component, library, and dependency in a piece of software, with versions and ideally hashes. It matters because when a new vulnerability drops, you can query your SBOMs to instantly answer 'are we affected and where?' instead of scrambling. The two dominant standards are SPDX and CycloneDX, and SBOMs are increasingly required by regulation and procurement.

Mid-levelWeb Security
The full answer
Walk me through the TLS 1.3 handshake.

Client and server agree on a shared secret in a single round trip using ephemeral Diffie-Hellman (ECDHE). The ClientHello carries the supported groups and a key share; the server replies with its key share and certificate, both sides derive the same keys, and application data flows immediately — with forward secrecy by default.

Mid-levelNetworkingCryptography
The full answer
Can you explain the difference between hashing, encryption, and encoding?

Encoding (like Base64) is a reversible format change with no secret — not security. Encryption is reversible with a key and protects confidentiality. Hashing is a one-way function producing a fixed-length digest, used for integrity checks and password storage, and cannot be reversed back to the input.

Mid-levelCryptographyWeb Security
The full answer
Explain the principle of least privilege and how you'd apply it.

Least privilege means every user, process, and service gets only the minimum access required for its task, and nothing more. It limits the blast radius of a compromised account, reduces insider-threat risk, and shrinks the attack surface. You apply it via role-based access, regular access reviews, and just-in-time elevation.

Mid-levelIdentity & Access ManagementCloud
The full answer
What is a zero-day, and how do you defend against something with no patch?

A zero-day is a vulnerability the vendor doesn't yet know about (or hasn't patched), so defenders have had 'zero days' to fix it. Since no patch exists, defense relies on layered controls, behavior-based detection, segmentation, least privilege, and fast incident response rather than a signature.

Mid-levelThreat IntelligenceMalware
The full answer
Do you compress then encrypt, or encrypt then compress?

Compress first, then encrypt. Good encryption produces output that is statistically indistinguishable from random, so ciphertext has no patterns left to compress — compressing afterward is pointless. The important caveat: compressing secret and attacker-controlled data together before encryption can leak information through ciphertext length, which is exactly the CRIME and BREACH attacks.

Mid-levelCryptography
The full answer
Which is worse in security detection: a false positive or a false negative?

Generally a false negative is worse from a pure security standpoint: it means a real attack went undetected, so there is no response, no containment, and the breach can dwell undiscovered. But false positives are not harmless — high volumes cause alert fatigue, where analysts start ignoring alerts and miss the real one. The right answer names the trade-off, not just a winner.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
On a firewall, would you rather a port be filtered or closed?

Filtered. A filtered port silently drops the packet, so the scanner gets no response and must wait for a timeout — it learns nothing about whether the host even exists, and scanning is slowed dramatically. A closed port sends back a TCP RST, which confirms the host is alive and responding, handing the attacker reconnaissance value for free.

Mid-levelNetworking
The full answer
Does HTTPS fully prevent man-in-the-middle attacks?

Not on its own. HTTPS prevents MITM only when certificate validation is strictly enforced and the client reaches the site over HTTPS to begin with. If a rogue CA is trusted (corporate proxy, malware-installed root), if the user clicks through cert warnings, or if SSL stripping downgrades the connection to HTTP before TLS starts, an attacker can still sit in the middle.

Mid-levelNetworking
The full answer
MD5 and SHA-256 are both fast hashes — why is neither right for storing passwords?

Because they are fast. MD5 and SHA-256 are designed for speed, which is exactly wrong for passwords: an attacker who steals the hashes can compute billions of guesses per second on a GPU. The fix is a deliberately slow, memory-hard key-derivation function — bcrypt, scrypt, or Argon2 — combined with a per-user salt and a tunable work factor.

Mid-levelCryptography
The full answer
Explain the categories of security controls and give examples of each.

Controls are classified two ways. By type: administrative (policies, training, procedures), technical/logical (firewalls, MFA, encryption), and physical (locks, badges, cameras). By function: preventive (stop an event — MFA, access control), detective (find an event — SIEM, IDS, audit logs), corrective (fix after — restore from backup, patch), deterrent (discourage — warning banners), and compensating (an alternative when the primary control isn't feasible). Defence in depth layers these so no single control failure leads to compromise.

Mid-levelGovernance, Risk & Compliance
The full answer
What are the core GDPR principles, and what is the breach notification timeline?

GDPR Article 5 sets seven principles: lawfulness/fairness/transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability. For a personal data breach, the controller must notify the competent supervisory authority without undue delay and where feasible within 72 hours of becoming aware (Article 33). If the breach is likely to result in a high risk to individuals, the controller must also notify the affected data subjects without undue delay (Article 34).

Mid-levelGovernance, Risk & Compliance
The full answer
Explain HIPAA basics: PHI, the Security Rule safeguards, and who must comply.

HIPAA (the US Health Insurance Portability and Accountability Act) protects Protected Health Information (PHI). The Privacy Rule governs use and disclosure of PHI; the Security Rule applies to electronic PHI (ePHI) and requires three categories of safeguards — administrative, physical, and technical. It applies to covered entities (providers, health plans, clearinghouses) and to business associates that handle PHI on their behalf, bound by Business Associate Agreements. The Breach Notification Rule sets obligations to notify individuals, HHS, and sometimes the media.

Mid-levelGovernance, Risk & Compliance
The full answer
Name and explain the core functions of the NIST Cybersecurity Framework.

The NIST Cybersecurity Framework organises cybersecurity outcomes into core functions. In CSF 2.0 there are six: Govern (the new overarching function for strategy, roles, risk decisions, and oversight), Identify (understand assets and risks), Protect (safeguards to limit impact), Detect (find events), Respond (act on incidents), and Recover (restore capabilities). They are not strictly sequential — they run continuously and together describe a full lifecycle of managing cyber risk.

Mid-levelGovernance, Risk & Compliance
The full answer
Explain PCI DSS basics: what it protects, who it applies to, and scope reduction.

PCI DSS (Payment Card Industry Data Security Standard) is a security standard maintained by the PCI Security Standards Council that applies to any organisation that stores, processes, or transmits cardholder data. It is organised around control objectives covering a secure network, protection of stored cardholder data, vulnerability management, strong access control, monitoring/testing, and an information security policy. Scope is everything in the cardholder data environment (CDE) — so segmentation, tokenisation, and not storing data you don't need are the main ways to shrink scope.

Mid-levelGovernance, Risk & Compliance
The full answer
How would you design and measure a security awareness and training program?

Treat awareness as behaviour change, not an annual checkbox. Make it role-based (a developer needs different content than finance), continuous rather than a once-a-year slideshow, and grounded in real risks like phishing, social engineering, and data handling. Reinforce it with phishing simulations, just-in-time nudges, and clear reporting channels. Measure outcomes — phishing report rates, click rates, time-to-report — not just completion percentages. Build a culture where people report mistakes without fear, because fear suppresses reporting.

Mid-levelGovernance, Risk & Compliance
The full answer
Explain SOC 2 Type I vs Type II and the Trust Services Criteria.

A SOC 2 Type I report assesses whether a service organisation's controls are suitably designed at a single point in time. A Type II report goes further: it tests whether those controls operated effectively over a review period, typically 3 to 12 months. Both are based on the AICPA Trust Services Criteria — Security (the required common criteria), plus optional Availability, Processing Integrity, Confidentiality, and Privacy.

Mid-levelGovernance, Risk & Compliance
The full answer
How do you establish a baseline of normal, and how does it help you detect anomalies?

A baseline is a model of normal behaviour for a host, user, account, or network segment — what processes run, who logs in from where and when, typical data volumes, normal beaconing intervals. Once you know normal, anomalies (rare parent-child process pairs, first-seen binaries, logons at odd hours, unusual data egress) become detectable as deviations. Baselining is the foundation of anomaly detection, but it requires enough clean history and careful handling of legitimate change so you do not drown in false positives.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
How do you decide which log sources and telemetry you need to hunt effectively?

Start from the techniques you want to detect, then work backwards to the telemetry that reveals them — ATT&CK's data sources mapping helps. In practice the highest-value sources are endpoint process/command-line and module-load telemetry (EDR/Sysmon), authentication and identity logs, DNS and proxy/network flow, and cloud control-plane logs. You then audit what you actually collect and retain versus what each technique needs, exposing visibility gaps. A technique you cannot see in any log is not huntable yet.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
Explain the Pyramid of Pain and how it shapes where you invest detection effort.

The Pyramid of Pain ranks indicator types by how costly it is for an attacker to change them once you detect on them. Hashes are trivial to alter (bottom), then IP addresses, domain names, network/host artifacts, tools, and finally TTPs at the top — which an attacker can only change by fundamentally re-tooling their behaviour. Detecting on higher levels causes more 'pain' and is more durable, so mature programs invest detection effort toward behaviours and TTPs rather than just IOCs.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What is User and Entity Behaviour Analytics (UEBA), and what threats does it catch?

UEBA (User and Entity Behaviour Analytics) builds behavioural baselines for users and entities (hosts, service accounts, devices) and uses statistics or machine learning to score deviations as risk. It excels at threats that have no clean signature: compromised credentials, insider misuse, and lateral movement — e.g. a user suddenly accessing systems they never touch, at unusual hours, or moving abnormal data volumes. It complements rule-based detection rather than replacing it, and needs tuning to avoid false positives from legitimate behaviour change.

Mid-levelThreat IntelligenceIdentity & Access Management
The full answer
What is threat hunting, and how does it differ from waiting for alerts?

Threat hunting is the proactive, hypothesis-driven practice of searching telemetry for adversary activity that existing detections missed. Unlike alert triage — which is reactive and waits for a tool to fire — hunting starts from a question ('if an attacker did X, what evidence would I see?'), tests it against data, and either finds something or produces a new detection. It assumes prevention and alerting are imperfect and that a determined adversary may already be inside.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What is Sigma, and how would you turn a hunt finding into a portable detection rule?

Sigma is an open, vendor-neutral YAML format for describing SIEM detections. You define a logsource (product/category, e.g. Windows process_creation), a detection block with named selections of field/value matches, and a condition that combines them. A converter (like sigma-cli/pySigma) translates the rule into the query language of your actual backend — Splunk, Sentinel, Elastic — so one rule is portable. It also carries metadata: title, level, status, false positives, and ATT&CK tags.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What are access reviews (recertification), and why do they matter?

Access reviews (recertification) are periodic checks where an accountable owner confirms each person's access is still justified, and revokes what isn't. They're the backstop that catches privilege creep, orphaned accounts, and entitlements granted for a project that ended. The control only works if a knowledgeable owner — usually the manager or resource owner — actually scrutinizes access rather than rubber-stamping it, and if revocations are enforced.

Mid-levelIdentity & Access ManagementGovernance, Risk & Compliance
The full answer
What is conditional / risk-based access and how does it work?

Conditional access makes the access decision depend on context rather than a fixed rule. It evaluates signals — who the user is, device compliance, location, the app, and a computed risk score from anomaly detection — and responds proportionally: allow, block, or require step-up like MFA or a compliant device. Risk-based access is the dynamic variant where a real-time risk signal drives the policy.

Mid-levelIdentity & Access ManagementCloud
The full answer
What is identity federation, and what role does an identity provider play?

Identity federation establishes trust between an identity provider (IdP) that authenticates users and service providers (relying parties) that consume that authentication. The IdP verifies the user and issues a signed assertion or token; the service provider trusts it instead of managing its own credentials. This enables cross-domain SSO and centralized control, but concentrates risk: compromise the IdP and you compromise everything that trusts it.

Mid-levelIdentity & Access ManagementCloud
The full answer
What makes MFA 'phishing-resistant', and how do FIDO2/passkeys achieve it?

Phishing-resistant MFA means the second factor can't be replayed against the real site even if the user is tricked. FIDO2/WebAuthn passkeys achieve this with origin-bound public-key cryptography: the authenticator signs a challenge tied to the real site's domain, so a credential captured by a lookalike or attacker-in-the-middle site is useless. TOTP codes and push prompts are still phishable because they can be relayed in real time.

Mid-levelIdentity & Access ManagementCryptography
The full answer
What is Privileged Access Management (PAM) and what problem does it solve?

PAM controls and monitors the accounts that can do the most damage — domain admins, root, service accounts. It vaults and rotates their credentials so secrets aren't shared or hardcoded, brokers sessions so admins never see the raw password, records what privileged users do, and ideally grants elevation just-in-time rather than standing access. The goal is to shrink the blast radius of the accounts attackers most want.

Mid-levelIdentity & Access Management
The full answer
RBAC vs ABAC: when do you reach for each in practice?

RBAC grants permissions through roles assigned to users — simple to reason about but prone to role explosion as edge cases multiply. ABAC evaluates policies over attributes of the user, resource, action, and environment, so it scales to fine-grained, context-aware decisions at the cost of complexity. Most mature systems layer them: roles for coarse grants, attributes and policy for the conditional details.

Mid-levelIdentity & Access ManagementCloud
The full answer
What is SCIM, and how does it support joiner-mover-leaver provisioning?

SCIM (System for Cross-domain Identity Management) is a standard REST/JSON API and schema for creating, updating, and deleting user accounts across applications. Wired to an HR system or IdP, it automates the joiner-mover-leaver lifecycle: accounts and entitlements are provisioned on hire, adjusted on role change, and — most importantly — deprovisioned on departure, eliminating the orphaned accounts attackers love.

Mid-levelIdentity & Access ManagementCloud
The full answer
What are the signs of command-and-control beaconing, and how do you extract C2 indicators from a sample?

Command-and-control beaconing is the implant periodically calling home for instructions. You recognize it by regular, low-volume outbound callbacks at a roughly fixed interval — often with jitter to avoid looking mechanical — to a small set of destinations, frequently over HTTP/HTTPS or DNS with encoded or encrypted payloads and a distinctive User-Agent or URI pattern. You extract indicators statically by pulling domains, IPs, URIs and keys from strings and config blocks, and dynamically by detonating the sample against a faked network and capturing the actual callbacks, then map the behavior to ATT&CK and feed the IOCs into detection.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
What are packers and obfuscation, and how do you detect them in a binary?

Packing compresses or encrypts the real payload and prepends a stub that unpacks it into memory at runtime; obfuscation transforms the code or data to resist reading and signatures. You detect packing from high section entropy near 8.0, a tiny or stub-only import table, unusual or writable-executable section names like UPX0, an entry point that sits outside .text, a large virtual size versus small raw size, and detectors like Detect It Easy or PEiD. None of these is conclusive alone, so analysts weigh several signals together and confirm by observing the unpack at runtime.

Mid-levelMalwareWindows Internals
The full answer
Walk me through the Windows PE file format and what parts you inspect when triaging a sample.

A PE file starts with the DOS header and its e_lfanew pointer to the PE/NT headers, which hold the File Header and Optional Header (entry point, image base, subsystem). It is divided into sections — .text for code, .data, .rdata, .rsrc for resources — each with a virtual address and raw size. During triage you read the import table for suspicious APIs, the section table for odd names and high entropy that hint at packing, the timestamp and rich header, embedded resources, and any digital signature. Mismatches between these tell you a lot before you ever run the file.

Mid-levelMalwareWindows Internals
The full answer
Walk me through your core tooling for static versus dynamic malware analysis and when you use each.

Static tooling reads the sample at rest: PEStudio, CFF Explorer and pefile for headers and imports, FLOSS and strings for embedded text, capa for capability mapping, and Ghidra or IDA for disassembly. Dynamic tooling watches it run inside an isolated VM: Procmon and Process Hacker for host activity, Wireshark and INetSim or FakeNet for faked network, Regshot for before/after diffs, and x64dbg for controlled stepping. The workflow is triage statically, detonate dynamically, then return to the disassembler to fill behavioral gaps.

Mid-levelMalwareDFIR (Forensics & Incident Response)
The full answer
Explain how YARA rules work and what makes a rule effective rather than brittle or noisy.

A YARA rule has a meta block, a strings section (text, hex, or regex patterns, including wildcards and jumps), and a condition that combines those matches with boolean and count logic. An effective rule keys on something durable and distinctive — a unique code stub, a mutex name, a config marker, or an unusual import combination — rather than on values an attacker trivially changes like a single hash or a generic string. You balance specificity against false positives, test against a clean corpus, and document the rule so others trust and maintain it.

Mid-levelMalwareThreat Intelligence
The full answer
What is coordinated vulnerability disclosure and how should it work?

Coordinated vulnerability disclosure is a process where a researcher reports a flaw privately to the vendor, both sides agree on remediation and a timeline, and details are published only after a fix is available (or an agreed deadline lapses). It balances giving defenders time to patch against the public's right to know. A security.txt file and a clear policy make reporting frictionless; bug bounty programs add structured rewards on top.

Mid-levelWeb SecurityThreat Intelligence
The full answer
Walk me through the digital forensics and incident response process.

DFIR follows a disciplined process: identification (confirm and scope the incident), acquisition (preserve evidence following order of volatility, with forensic images and hashes), analysis (timeline, root cause, scope of compromise), and reporting (findings for technical and legal audiences). Chain of custody documents who handled each artifact and when, so the evidence holds up if it ever reaches court. Preserve before you remediate.

Mid-levelDFIR (Forensics & Incident Response)
The full answer
How do you use MITRE ATT&CK for threat-informed defense?

ATT&CK is a knowledge base of real adversary tactics (the why), techniques (the how), and procedures. You use it to map your existing detections onto the matrix, identify coverage gaps, and prioritize the techniques used by threat actors that actually target your sector. It gives a common language across CTI, detection engineering, and IR, turning 'are we secure?' into a concrete, measurable coverage map driven by real-world adversary behavior.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
How do you structure a web application test using the OWASP WSTG?

The WSTG is a checklist-backed methodology that walks an app through testing categories: information gathering, configuration and deployment, identity and authentication, authorization, session management, input validation (injection/XSS), error handling, cryptography, business logic, and client-side. It gives systematic coverage with stable test IDs so findings are reproducible and nothing obvious gets skipped.

Mid-levelWeb Security
The full answer
Walk me through a penetration testing methodology like PTES.

PTES defines seven phases: pre-engagement (scope, rules of engagement, authorization), intelligence gathering (OSINT, recon), threat modeling, vulnerability analysis, exploitation, post-exploitation (pivoting, data of value, persistence), and reporting. The structure makes engagements repeatable, defensible, and tied to business risk rather than ad-hoc hacking — pre-engagement and reporting are the phases juniors underrate.

Mid-levelNetworkingWeb Security
The full answer
What is purple teaming and how do you run a purple team exercise?

Purple teaming is collaborative rather than adversarial: the red side executes specific, agreed TTPs (often mapped to MITRE ATT&CK) while the blue side watches their telemetry in real time to confirm whether each technique is logged, alerted, and detectable. You measure detection coverage technique-by-technique, tune detections and close gaps immediately, then re-test. The deliverable is improved, measurable detection — not a list of who 'won.'

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What does a secure SDLC look like?

A secure SDLC embeds security into every phase rather than testing at the end: requirements (security and abuse cases), design (threat modeling), implementation (secure coding standards, SAST/SCA in the IDE and CI), testing (DAST, pentest), release (gates and sign-off), and operations (monitoring, patching, feedback). Shift-left moves defects earlier where they're cheap to fix; maturity models like OWASP SAMM and BSIMM measure how well you actually do it.

Mid-levelWeb Security
The full answer
Walk me through the vulnerability management lifecycle.

Vulnerability management is a continuous loop: discover assets and vulnerabilities (scanning, asset inventory), prioritize by real risk (CVSS plus exploitability, exposure, and asset criticality — frameworks like EPSS and SSVC help), remediate or mitigate, verify the fix, and report on trends and SLAs. The scan is the easy part; the discipline is prioritizing and closing the loop so risk actually goes down over time.

Mid-levelNetworkingCloud
The full answer
What is the difference between a forward proxy and a reverse proxy?

A forward proxy sits in front of clients and makes outbound requests on their behalf — used for egress control, filtering, caching, and anonymity. A reverse proxy sits in front of servers and receives inbound requests on their behalf — used for load balancing, TLS termination, caching, and as a security front for a WAF. The direction it faces, client-side or server-side, is the key distinction.

Mid-levelNetworkingWeb Security
The full answer
How does traceroute work, and what role does the TTL field play?

Traceroute discovers the routers between you and a destination by exploiting the TTL field. It sends packets with TTL=1, then 2, then 3, and so on. Each router decrements TTL; when TTL hits zero, that router drops the packet and returns an ICMP Time Exceeded message, revealing its address. By stepping the TTL up, traceroute maps each hop in order until the destination is reached.

Mid-levelNetworking
The full answer
What is NAT, and how does PAT differ from it?

NAT (Network Address Translation) rewrites the source and/or destination IP as packets cross a boundary, typically mapping private internal addresses to public ones. PAT (Port Address Translation, or NAT overload) extends this by also translating ports, letting many internal hosts share a single public IP — each flow distinguished by its port. PAT is what home and office routers use to put a whole LAN behind one address.

Mid-levelNetworking
The full answer
What is a VLAN, and what is its security value?

A VLAN (Virtual LAN) logically partitions a physical switch into separate Layer 2 broadcast domains, so devices on different VLANs can't reach each other directly even on the same hardware. It's labeled with an 802.1Q tag on trunk links. The security value is segmentation: isolating user, server, guest, and IoT traffic limits broadcast scope and lateral movement, with inter-VLAN traffic forced through a router or firewall where policy is applied.

Mid-levelNetworking
The full answer
What is a DMZ in network architecture, and why would you use one?

A DMZ (demilitarized zone) is a network segment that sits between the untrusted internet and the trusted internal network, hosting public-facing services like web, mail, and DNS servers. Firewall rules let the internet reach the DMZ but tightly restrict the DMZ's access to the internal network. The goal is containment: if a public server is compromised, the attacker is stuck in the buffer zone rather than landing inside the LAN.

Mid-levelNetworking
The full answer
You have a low-priv shell on a Linux box. How do you escalate?

Enumerate systematically: check sudo -l, SUID/SGID binaries, cron jobs, the kernel and OS version, writable files in privileged paths, capabilities, and stored credentials. Tools like LinPEAS automate the sweep, but you still verify each finding against GTFOBins or a known technique.

Mid-levelLinux Internals
The full answer
How do you find and safely use a public exploit against a target?

Map the exact service and version, search Exploit-DB or searchsploit for a matching PoC, then read the code line by line before running it — fix the target IP, port, and reverse-shell address, regenerate any shellcode, and understand what it does so it cannot backfire on you.

Mid-levelMalwareLinux Internals
The full answer
You've dumped some password hashes. How do you crack them?

First identify the hash format (hashid or context), then run hashcat or John with the correct mode against a wordlist like rockyou, applying rules to mutate candidates. Use the right format flag (NTLM, sha512crypt, NetNTLMv2, etc.) so the tool hashes guesses the same way the target did.

Mid-levelCryptography
The full answer
What do you check when you find SMB and SNMP open on a host?

For SMB, enumerate shares, check for anonymous/null-session access, list users, and identify the version for known CVEs. For SNMP, try default community strings like 'public' and walk the MIB to extract usernames, running processes, installed software, and network details.

Mid-levelWindows InternalsNetworking
The full answer
Show me how you'd combine common web bugs — say SQL injection and XSS — into impact beyond a single finding.

Individually, SQLi exposes or modifies data and can reach RCE; stored XSS hijacks sessions in victims' browsers. Chained, you can use SQLi to plant a stored XSS payload that fires in an admin's session, steal their session, and escalate to full application control.

Mid-levelWeb Security
The full answer
You have a low-privileged shell on a Linux box. Walk me through how you'd escalate to root.

Enumerate first: current privileges, sudo rights, SUID/SGID binaries, cron jobs, writable files in PATH, kernel version, and stored credentials. Then exploit the easiest reliable path — often a misconfigured sudo rule or a SUID GTFOBin — before reaching for a kernel exploit.

Mid-levelLinux InternalsNetworking
The full answer
You've landed a low-privileged shell on a Windows host. How do you escalate privileges?

Enumerate the account's privileges and the host's misconfigurations: token privileges like SeImpersonate, unquoted service paths, weak service permissions, AlwaysInstallElevated, and stored credentials. Then abuse the most reliable one — token impersonation (Potato attacks) is a common route to SYSTEM.

Mid-levelWindows InternalsIdentity & Access Management
The full answer
Explain reverse shells versus bind shells and when you'd choose each.

A bind shell opens a listening port on the target and waits for you to connect to it. A reverse shell makes the target connect outbound to a listener you control. Reverse shells usually win because outbound traffic bypasses inbound firewall rules and NAT.

Mid-levelNetworkingLinux Internals
The full answer
What is the principle of least privilege, and how would you enforce it in practice?

Least privilege means every user, process, or service gets only the minimum access required to do its job, and nothing more. It shrinks the blast radius of any compromise or mistake. You enforce it with role-based access, just-in-time elevation, regular access reviews, and removing standing admin rights.

Mid-levelIdentity & Access Management
The full answer
How should secrets like API keys and database passwords be managed in an application?

Never hardcode secrets in source or commit them to git. Store them in a dedicated secrets manager or vault, inject them at runtime, scope access with least privilege, rotate regularly, and prefer short-lived dynamic credentials over long-lived static ones. Audit every access.

Mid-levelIdentity & Access ManagementCloud
The full answer
How would you secure a public-facing REST API?

Enforce TLS everywhere, authenticate every request (e.g. OAuth2/OIDC tokens), and authorize per-object so users can only reach their own data. Add input validation, rate limiting and quotas, schema validation, and thorough logging. The most common API flaw is broken object-level authorization, so check ownership on every resource access.

Mid-levelWeb SecurityIdentity & Access Management
The full answer
What is a PKI, and walk me through how a client validates a server's certificate.

A PKI is the system of CAs, certificates, and policies that binds public keys to identities. To validate a server cert a client builds a chain to a trusted root, verifies each signature, checks validity dates and the hostname, confirms key usage, and checks revocation via CRL or OCSP.

Mid-levelCryptographyNetworking
The full answer
Both involve failed logins. How would you distinguish a brute-force attack from a password spray in your logs?

Brute force targets a single account with many password guesses, so you see many failures concentrated on one username. Password spray flips it: one or a few common passwords tried across many accounts, low and slow, so each account sees only a couple of failures. The detection signal is the ratio of accounts to failures and the timing, not raw failure counts.

Mid-levelIdentity & Access ManagementDFIR (Forensics & Incident Response)Windows Internals
The full answer
A rule is generating hundreds of false positives a day. How do you tune it down safely?

First understand why the rule is firing so much — find the common benign pattern behind the noise. Then write the narrowest possible exclusion (specific host, account, or behavior), document the rationale, and validate that a true positive would still fire. Avoid broad suppressions that quietly create blind spots.

Mid-levelDFIR (Forensics & Incident Response)Threat Intelligence
The full answer
How would you use the MITRE ATT&CK framework to improve your detection coverage?

ATT&CK is a knowledge base of real-world adversary tactics and techniques. In a SOC you map each detection rule to the techniques it covers, build a coverage map (often with the ATT&CK Navigator), then prioritize closing gaps based on which techniques are most relevant to your threat model and which you have no visibility into.

Mid-levelThreat IntelligenceDFIR (Forensics & Incident Response)
The full answer
What is CSRF and how do tokens and SameSite stop it?

CSRF tricks a logged-in user's browser into sending a state-changing request to a site where they are authenticated, abusing the fact that cookies are sent automatically. It is stopped with anti-CSRF tokens (a secret per-session value the attacker cannot read or guess) and the SameSite cookie attribute, which stops cookies from riding along on cross-site requests.

Mid-levelWeb Security
The full answer
How should you store user passwords?

Never store passwords in plaintext or reversibly encrypted, and never with fast general-purpose hashes like MD5 or SHA-256. Use a slow, memory-hard password hashing function — Argon2id (preferred) or bcrypt — with a unique random salt per password and a tuned work factor, so an attacker who steals the database cannot feasibly crack the hashes.

Mid-levelWeb SecurityCryptography
The full answer
How do prepared statements prevent SQL injection?

Prepared statements send the query template to the database first, with placeholders, so the structure is fixed before any user data arrives. Parameters are then bound as pure data and can never be parsed as SQL — so input like ' OR 1=1 is treated as a literal string, not code. This separation is the canonical, reliable fix for injection.

Mid-levelWeb Security
The full answer
How do you prevent XSS?

The primary defense is contextual output encoding — encode untrusted data for the exact place it lands (HTML body, attribute, JavaScript, URL). Pair that with safe DOM APIs (textContent over innerHTML), framework auto-escaping, input validation, and a Content-Security-Policy as a defense-in-depth backstop that limits what scripts can run.

Mid-levelWeb Security
The full answer
Explain the Same-Origin Policy and CORS.

The Same-Origin Policy is the browser rule that script from one origin (scheme + host + port) cannot read responses from a different origin, which protects authenticated sessions. CORS is a controlled relaxation: a server returns Access-Control-Allow-Origin headers to explicitly opt in to letting specific origins read its responses, so it loosens SOP rather than bypassing it.

Mid-levelWeb Security
The full answer
Which HTTP response headers improve security?

Key security headers include Strict-Transport-Security (forces HTTPS, blocks SSL stripping), Content-Security-Policy (limits script sources, mitigates XSS), X-Frame-Options or CSP frame-ancestors (blocks clickjacking), X-Content-Type-Options: nosniff (stops MIME sniffing), and Referrer-Policy (controls referrer leakage). Each addresses a specific attack class.

Mid-levelWeb Security
The full answer
What are the main types of SQL injection?

SQL injection lets attacker input alter a query. In-band techniques return data directly: union-based appends a UNION SELECT to pull extra columns, and error-based leaks data through database error messages. When no output is visible, attackers use blind SQLi — boolean-based infers data from true/false response differences, and time-based uses delays like SLEEP() to read data one bit at a time.

Mid-levelWeb Security
The full answer
Explain stored, reflected, and DOM-based XSS.

All XSS injects attacker-controlled script into a victim's browser. Stored XSS persists the payload on the server (e.g. a comment) and hits everyone who views it; reflected XSS bounces the payload off the server in a single response, usually via a crafted link; DOM-based XSS never reaches the server logic — vulnerable client-side JavaScript writes untrusted input into the page.

Mid-levelWeb Security
The full answer

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.