40 Cybersecurity Interview Questions: From SOC Analyst to Pen Tester

Cybersecurity interviews in 2026 are among the most demanding in tech. Employers need to verify that you can think like both a defender and an attacker, that you understand the fundamentals deeply enough to reason about novel threats, and that you can communicate technical concepts to non-technical stakeholders. Whether you are applying for your first SOC analyst position or stepping into a senior penetration testing role, the questions in this guide reflect what hiring managers actually ask.

The 40 questions below are organized into six categories spanning the breadth of cybersecurity knowledge. Each question includes the expected answer and guidance on the depth interviewers are looking for. Technical questions include specific tools, protocols, and frameworks. Scenario-based questions test your reasoning process under pressure.

Networking Fundamentals (Questions 1-8)

1. Explain the OSI model and why it matters in security.

The OSI (Open Systems Interconnection) model is a seven-layer framework that describes how data moves across a network. Each layer handles a specific function.

  1. Physical — Electrical signals, cables, hardware
  2. Data Link — MAC addresses, switches, ARP
  3. Network — IP addresses, routing, ICMP
  4. Transport — TCP/UDP, ports, flow control
  5. Session — Session management, authentication
  6. Presentation — Encryption/decryption, data formatting
  7. Application — HTTP, DNS, SMTP, FTP

It matters in security because attacks target specific layers, and your defensive strategy must address each one. ARP spoofing targets Layer 2. IP spoofing targets Layer 3. SYN floods target Layer 4. SQL injection targets Layer 7.

Expected depth: Name all seven layers, give a security-relevant example for at least three layers, and explain how the model helps you systematically analyze network traffic.

2. What is the difference between TCP and UDP?

TCP (Transmission Control Protocol) is connection-oriented. It establishes a three-way handshake (SYN, SYN-ACK, ACK), guarantees delivery, maintains order, and provides error checking. It is used for HTTP, SSH, FTP, and email.

UDP (User Datagram Protocol) is connectionless. It sends data without establishing a connection, does not guarantee delivery or order, and has lower overhead. It is used for DNS, DHCP, VoIP, video streaming, and online gaming.

Security implication: TCP's handshake can be exploited in SYN flood attacks. UDP's lack of connection state makes it useful for amplification attacks (DNS amplification, NTP amplification) where attackers spoof the source IP.

Expected depth: Explain the three-way handshake, describe at least one attack vector for each protocol, and discuss how firewalls handle stateful inspection for TCP versus UDP.

3. How does DNS work and what are common DNS attacks?

DNS (Domain Name System) translates human-readable domain names into IP addresses. The resolution process follows this sequence:

  1. Client checks its local cache
  2. Query goes to the recursive resolver (usually ISP or configured DNS server)
  3. Resolver queries root nameservers
  4. Root points to TLD nameservers (.com, .org)
  5. TLD points to authoritative nameservers for the domain
  6. Authoritative server returns the IP address

Common DNS attacks include:

  1. DNS Spoofing/Cache Poisoning — Injecting false records into a resolver's cache to redirect traffic
  2. DNS Tunneling — Encoding data in DNS queries to exfiltrate information or bypass firewalls
  3. DNS Amplification — Using open resolvers to flood a target with large DNS responses
  4. Domain Hijacking — Taking control of a domain's DNS records through registrar compromise

Expected depth: Walk through the resolution process, name at least three attack types, and discuss mitigation strategies such as DNSSEC, DNS-over-HTTPS, and DNS monitoring.

4. What is ARP and how does ARP spoofing work?

ARP (Address Resolution Protocol) maps IP addresses to MAC addresses on a local network. When a device needs to communicate with another device on the same subnet, it broadcasts an ARP request asking "Who has this IP?" The device with that IP responds with its MAC address.

ARP spoofing (also called ARP poisoning) sends fake ARP replies to associate the attacker's MAC address with a legitimate IP address. This allows the attacker to intercept traffic (man-in-the-middle), redirect it, or cause denial of service.

Mitigation:

  1. Static ARP entries for critical systems
  2. Dynamic ARP Inspection (DAI) on managed switches
  3. Network segmentation with VLANs
  4. Using encrypted protocols (HTTPS, SSH) to protect data even if intercepted

Expected depth: Explain the ARP process, describe the attack mechanism, and discuss at least two mitigation strategies.

5. What is the difference between a firewall, an IDS, and an IPS?

  1. Firewall — Controls traffic flow based on rules (source/destination IP, port, protocol). Can be stateless (checks each packet independently) or stateful (tracks connection state). Blocks or allows traffic.
  2. IDS (Intrusion Detection System) — Monitors traffic and generates alerts when suspicious activity is detected. It is passive and does not block traffic. Uses signature-based or anomaly-based detection.
  3. IPS (Intrusion Prevention System) — Sits inline in the traffic path and actively blocks detected threats. It combines detection with prevention. Can drop packets, reset connections, or block source IPs.

Expected depth: Explain where each sits in the network topology, distinguish between signature-based and anomaly-based detection, and discuss the tradeoffs (false positives vs. false negatives, latency impact of inline IPS).

6. Explain the TCP three-way handshake and how SYN flood attacks exploit it.

The three-way handshake establishes a TCP connection:

  1. SYN — Client sends a SYN packet to the server
  2. SYN-ACK — Server responds with SYN-ACK and allocates resources for the connection
  3. ACK — Client sends ACK to complete the handshake

A SYN flood attack exploits this by sending a massive number of SYN packets with spoofed source IPs. The server responds with SYN-ACKs to non-existent addresses, allocates resources for each half-open connection, and eventually exhausts its connection table, denying service to legitimate users.

Mitigation: SYN cookies, rate limiting, firewall rules, increasing the backlog queue, and using cloud-based DDoS protection services.

Expected depth: Diagram the handshake, explain why the server is vulnerable, and name at least three mitigation techniques.

7. What is VLAN and how does it improve security?

A VLAN (Virtual Local Area Network) logically segments a physical network into isolated broadcast domains. Devices on different VLANs cannot communicate directly without a Layer 3 device (router or Layer 3 switch).

Security benefits:

  1. Reduced attack surface — Compromising a device on one VLAN does not grant access to other VLANs
  2. Containment — Malware or lateral movement is restricted to the VLAN
  3. Access control — Different security policies per VLAN (guest network, IoT devices, servers)
  4. Regulatory compliance — PCI DSS requires segmentation of cardholder data environments

VLAN hopping is an attack technique where an attacker escapes their VLAN. It can be mitigated by disabling unused ports, using dedicated native VLANs, and disabling DTP (Dynamic Trunking Protocol).

Expected depth: Explain the concept, give practical segmentation examples, and discuss VLAN hopping.

8. What is a VPN and what protocols does it use?

A VPN (Virtual Private Network) creates an encrypted tunnel between two endpoints over an untrusted network (typically the internet).

Common VPN protocols:

  1. IPsec — Operates at the network layer. Uses IKE for key exchange. Can run in tunnel mode (entire packet encrypted) or transport mode (only payload encrypted).
  2. OpenVPN — Open-source, uses SSL/TLS. Highly configurable. Runs over TCP or UDP.
  3. WireGuard — Modern, lightweight protocol with minimal code surface. Uses state-of-the-art cryptography. Faster than IPsec and OpenVPN.
  4. SSL/TLS VPN — Browser-based, operates at the application layer. No client installation required.

Expected depth: Explain at least three protocols, discuss the difference between site-to-site and remote access VPNs, and mention split tunneling and its security implications.

Cryptography (Questions 9-14)

9. What is the difference between symmetric and asymmetric encryption?

Symmetric encryption uses a single key for both encryption and decryption. It is fast but requires secure key distribution. Examples: AES, ChaCha20, 3DES.

Asymmetric encryption uses a key pair (public key and private key). The public key encrypts; the private key decrypts. It solves the key distribution problem but is much slower. Examples: RSA, ECC, Ed25519.

In practice, both are used together. TLS uses asymmetric encryption to exchange a symmetric session key, then uses symmetric encryption for the actual data transfer. This is called a hybrid cryptosystem.

Expected depth: Explain both types, give real-world examples, describe how TLS combines them, and discuss key lengths (AES-256, RSA-2048/4096, ECC curves).

10. How does TLS/SSL work?

The TLS handshake (TLS 1.3) follows these steps:

  1. Client Hello — Client sends supported cipher suites, TLS version, and a random number
  2. Server Hello — Server selects cipher suite, sends its certificate and public key
  3. Key Exchange — Both parties derive shared session keys using Diffie-Hellman or ECDHE
  4. Finished — Both parties confirm the handshake with a MAC of all handshake messages

TLS 1.3 completed this in a single round trip (1-RTT), a significant improvement over TLS 1.2's two round trips.

Expected depth: Describe the handshake process, explain the difference between TLS 1.2 and 1.3, discuss certificate validation and the role of Certificate Authorities (CAs), and mention common vulnerabilities (expired certificates, weak cipher suites).

11. What is hashing and how does it differ from encryption?

Hashing is a one-way function that converts input into a fixed-size output (hash/digest). It cannot be reversed. Examples: SHA-256, SHA-3, bcrypt, Argon2.

Encryption is a two-way function where data can be decrypted back to its original form with the correct key.

Use cases for hashing:

  1. Password storage — Store the hash, not the password. Use bcrypt or Argon2 with salting.
  2. Data integrity — Verify that files have not been tampered with.
  3. Digital signatures — Hash the message, then encrypt the hash with a private key.

Expected depth: Explain one-way versus two-way, discuss why MD5 and SHA-1 are considered broken, explain salting and why it prevents rainbow table attacks, and name modern password hashing algorithms.

12. What is a digital certificate and how does PKI work?

A digital certificate binds a public key to an identity (domain name, organization). It is issued by a Certificate Authority (CA).

PKI (Public Key Infrastructure) is the framework of policies, hardware, and software that manages digital certificates. The chain of trust works as follows:

  1. Root CA — Self-signed, trusted by operating systems and browsers
  2. Intermediate CA — Signed by the Root CA, issues end-entity certificates
  3. End-entity certificate — The certificate on your web server, signed by an Intermediate CA

Expected depth: Explain the chain of trust, discuss certificate revocation (CRL and OCSP), and mention certificate pinning and its tradeoffs.

13. What is the difference between encoding, encryption, and hashing?

  1. Encoding — Transforms data into a different format for compatibility. Not security-related. Easily reversible. Examples: Base64, URL encoding, UTF-8.
  2. Encryption — Transforms data to protect confidentiality. Requires a key to reverse. Examples: AES, RSA.
  3. Hashing — One-way transformation for integrity verification. Cannot be reversed. Examples: SHA-256, bcrypt.

Expected depth: Interviewers specifically look for the understanding that encoding provides zero security. A surprising number of candidates confuse Base64 encoding with encryption.

14. Explain the concept of perfect forward secrecy.

Perfect Forward Secrecy (PFS) ensures that even if a server's long-term private key is compromised, past recorded sessions cannot be decrypted. This is achieved by using ephemeral key pairs for each session.

With PFS (using ECDHE), each TLS session generates unique temporary keys. Compromising the server's private key only allows an attacker to impersonate the server going forward, not decrypt previously captured traffic.

Without PFS (using static RSA key exchange), capturing the private key allows decryption of all past and future sessions.

Expected depth: Explain why PFS matters, describe how Diffie-Hellman ephemeral (DHE/ECDHE) achieves it, and discuss why TLS 1.3 mandates PFS.

Incident Response (Questions 15-20)

15. Walk through the incident response lifecycle.

The NIST incident response lifecycle has four phases:

  1. Preparation — Policies, tools, training, playbooks, communication plans
  2. Detection and Analysis — Monitor alerts, triage, determine scope and severity, document indicators of compromise (IOCs)
  3. Containment, Eradication, and Recovery — Isolate affected systems, remove the threat, restore operations, verify integrity
  4. Post-Incident Activity — Lessons learned, timeline documentation, process improvements

Expected depth: Describe each phase with concrete actions, discuss the importance of documentation throughout, and mention that incident response is iterative, not strictly linear.

16. How do you triage a security alert?

A systematic triage process:

  1. Verify the alert — Is it a true positive or a false positive? Check the source, affected systems, and IOCs.
  2. Assess severity — What systems are affected? Is data at risk? Is the threat active or historical?
  3. Check context — Is this related to known vulnerabilities, ongoing campaigns, or recent changes?
  4. Classify — Assign a priority level (Critical, High, Medium, Low) based on your organization's criteria.
  5. Escalate or close — Escalate to the appropriate team if action is needed, or document and close if it is a false positive.

Expected depth: Demonstrate a structured approach rather than ad hoc investigation. Mention specific tools (SIEM, threat intelligence feeds, EDR consoles) you would use at each step.

17. What is the difference between a vulnerability, a threat, and a risk?

  1. Vulnerability — A weakness in a system that could be exploited. Example: unpatched Apache server with a known CVE.
  2. Threat — An actor or event that could exploit a vulnerability. Example: a ransomware group actively targeting that CVE.
  3. Risk — The likelihood that a threat will exploit a vulnerability multiplied by the impact if it does. Example: a high-risk scenario where the unpatched server contains sensitive customer data and the ransomware group is known to target your industry.

Risk = Threat x Vulnerability x Impact

Expected depth: Define all three clearly, explain how they relate, and give a concrete example that ties them together. Mention risk frameworks (NIST, ISO 27001) if appropriate.

18. How do you handle a ransomware incident?

  1. Isolate immediately — Disconnect affected systems from the network to prevent lateral movement and further encryption
  2. Preserve evidence — Take disk images and memory dumps before making changes
  3. Identify the variant — Use IOCs, ransom notes, and encrypted file extensions to identify the ransomware family
  4. Assess scope — Determine which systems, data, and backups are affected
  5. Check for decryptors — Resources like No More Ransom (nomoreransom.org) may have free decryption tools
  6. Restore from backups — Use verified, clean backups. Test restored data integrity
  7. Investigate root cause — How did the ransomware get in? Phishing? Exposed RDP? Exploited vulnerability?
  8. Report — Notify relevant authorities, affected parties, and regulatory bodies as required

Expected depth: Cover all phases, explicitly discuss whether to pay the ransom (generally advised against), and mention the importance of testing backup restoration before an incident occurs.

19. What are indicators of compromise (IOCs) vs. indicators of attack (IOAs)?

IOCs are forensic evidence that a breach has occurred. They are reactive and historical. Examples:

  1. Known malicious IP addresses or domains
  2. File hashes of malware
  3. Unusual registry modifications
  4. Unauthorized user accounts

IOAs focus on attacker behavior patterns regardless of specific tools. They are proactive and behavioral. Examples:

  1. Code execution from unusual processes
  2. Lateral movement patterns
  3. Privilege escalation attempts
  4. Data staging before exfiltration

Expected depth: Explain why IOAs are more valuable for detecting novel attacks that do not match known IOC signatures.

20. Explain the concept of chain of custody in digital forensics.

Chain of custody is the documented, chronological history of evidence from the moment it is collected until it is presented in court or a formal review. It must record:

  1. Who collected, handled, and analyzed the evidence
  2. What was collected (device, hash values, serial numbers)
  3. When each transfer or access occurred
  4. Where the evidence was stored
  5. How it was protected from tampering

Breaking chain of custody can render evidence inadmissible. Use write blockers when imaging drives, calculate and verify hash values at every transfer, and store evidence in tamper-evident containers.

Expected depth: Explain why chain of custody matters legally, describe the process for imaging a hard drive, and mention hashing (SHA-256) for integrity verification.

Penetration Testing (Questions 21-28)

21. What are the phases of a penetration test?

  1. Scoping and Planning — Define targets, rules of engagement, authorized methods, and success criteria
  2. Reconnaissance — Gather information about the target (passive OSINT and active scanning)
  3. Scanning and Enumeration — Port scanning, service identification, vulnerability scanning
  4. Exploitation — Attempt to exploit discovered vulnerabilities to gain access
  5. Post-Exploitation — Privilege escalation, lateral movement, data exfiltration, persistence
  6. Reporting — Document findings, risk ratings, evidence, and remediation recommendations

Expected depth: Describe each phase with specific tools and techniques. Emphasize that the report is the most important deliverable.

22. What is the difference between black box, white box, and gray box testing?

  1. Black box — Tester has no prior knowledge of the target. Simulates an external attacker. Most realistic but most time-consuming.
  2. White box — Tester has full knowledge (source code, architecture, credentials). Most thorough. Used for code review and comprehensive testing.
  3. Gray box — Tester has partial knowledge (some credentials, network diagrams). Balances realism with efficiency. Most common for internal assessments.

Expected depth: Discuss when each approach is appropriate and the tradeoffs between realism, thoroughness, and cost.

23. How does Nmap work and what are the most important scan types?

Nmap is a network scanner used for host discovery, port scanning, service detection, and OS fingerprinting.

Key scan types:

  1. SYN scan (nmap -sS target) — Sends SYN packets, does not complete the handshake. Fast and stealthy. Default when running as root.
  2. TCP connect scan (nmap -sT target) — Completes the full TCP handshake. Used when SYN scan is not available.
  3. UDP scan (nmap -sU target) — Scans UDP ports. Slower due to UDP's connectionless nature.
  4. Service version detection (nmap -sV target) — Probes open ports to determine service and version.
  5. OS detection (nmap -O target) — Fingerprints the operating system.
  6. Aggressive scan (nmap -A target) — Combines OS detection, version detection, script scanning, and traceroute.

Expected depth: Know the flags, explain why SYN scanning is stealthier, and discuss how Nmap scripts (NSE) extend functionality.

24. Explain the OWASP Top 10.

The OWASP Top 10 (2021 version, still widely referenced in 2026) lists the most critical web application security risks:

  1. Broken Access Control — Users acting beyond their intended permissions
  2. Cryptographic Failures — Weak encryption, exposed sensitive data
  3. Injection — SQL injection, command injection, LDAP injection
  4. Insecure Design — Flawed architecture, missing threat modeling
  5. Security Misconfiguration — Default credentials, unnecessary features enabled
  6. Vulnerable and Outdated Components — Unpatched libraries and frameworks
  7. Identification and Authentication Failures — Weak authentication, credential stuffing
  8. Software and Data Integrity Failures — Insecure CI/CD pipelines, unsigned updates
  9. Security Logging and Monitoring Failures — Insufficient logging, no alerting
  10. Server-Side Request Forgery (SSRF) — Exploiting server to make unintended requests

Expected depth: Name all ten, explain at least five in detail with exploitation examples, and discuss remediation for each.

25. How does SQL injection work and how do you prevent it?

SQL injection occurs when user input is inserted directly into a SQL query without proper sanitization, allowing an attacker to manipulate the query.

Example of vulnerable code:

query = "SELECT * FROM users WHERE username = '" + user_input + "'"
# If user_input is: ' OR '1'='1' --
# Query becomes: SELECT * FROM users WHERE username = '' OR '1'='1' --'

Prevention methods:

  1. Parameterized queries / prepared statements — The most effective defense
  2. Input validation — Whitelist allowed characters
  3. Stored procedures — Encapsulate SQL logic on the database side
  4. Least privilege — Database accounts should have minimal permissions
  5. WAF (Web Application Firewall) — Additional layer of defense

Expected depth: Demonstrate the attack with an example, explain parameterized queries as the primary defense, and mention both in-band and blind SQL injection variants.

26. What is privilege escalation and what techniques do attackers use?

Privilege escalation is gaining higher-level permissions than originally granted.

Vertical escalation (user to admin):

  1. Exploiting kernel vulnerabilities
  2. Misconfigured SUID/SGID binaries (Linux)
  3. Unquoted service paths (Windows)
  4. DLL hijacking (Windows)
  5. Exploiting sudo misconfigurations

Horizontal escalation (user to another user):

  1. Session hijacking
  2. IDOR (Insecure Direct Object Reference)
  3. Credential reuse

Expected depth: Distinguish between horizontal and vertical escalation, name at least three techniques for each operating system, and mention tools like LinPEAS and WinPEAS.

27. What is the difference between a reverse shell and a bind shell?

  1. Bind shell — The target machine opens a port and listens for incoming connections. The attacker connects to the target. Blocked by most firewalls because it requires an open inbound port.
  2. Reverse shell — The target machine initiates an outbound connection back to the attacker's listening machine. More likely to succeed because most firewalls allow outbound connections.

Expected depth: Explain why reverse shells are preferred in modern engagements, discuss how firewalls and egress filtering affect each approach, and mention common payloads (Netcat, PowerShell, Python one-liners).

28. What is lateral movement and how do you detect it?

Lateral movement is the process of moving through a network after initial compromise, accessing additional systems and escalating privileges.

Common techniques:

  1. Pass-the-Hash / Pass-the-Ticket — Using stolen credentials without cracking them
  2. PsExec and WMI — Remote execution tools
  3. RDP — Remote Desktop Protocol
  4. SMB shares — Accessing shared drives with compromised credentials
  5. SSH pivoting — Using compromised Linux hosts as jump points

Detection methods:

  1. Monitor for unusual authentication patterns (same account, multiple systems, short timeframe)
  2. Track logon events (Windows Event ID 4624, 4625)
  3. Deploy honeypots and honeytokens
  4. Use EDR with behavioral analysis
  5. Monitor for unusual SMB and RDP traffic

Expected depth: Name specific techniques and tools, describe detection strategies, and discuss network segmentation as a preventive control.

Security Architecture (Questions 29-34)

29. What is the principle of least privilege?

The principle of least privilege states that every user, process, and system should have only the minimum permissions necessary to perform its function, nothing more.

Applying least privilege:

  1. User accounts — Regular users do not get admin rights
  2. Service accounts — Application services run with restricted permissions
  3. Network access — Systems only communicate with the systems they need
  4. Database access — Applications connect with read-only accounts when writes are not needed
  5. API permissions — OAuth scopes should be as narrow as possible

Expected depth: Give examples across multiple domains (users, services, network, API), discuss how to implement it organizationally, and mention the tradeoff between security and convenience.

30. Explain Zero Trust architecture.

Zero Trust is a security model that assumes no user or system should be trusted by default, regardless of whether they are inside or outside the network perimeter.

Core principles:

  1. Verify explicitly — Authenticate and authorize every access request based on all available data points (identity, location, device health, service)
  2. Least privilege access — Limit access to only what is needed, with just-in-time and just-enough-access
  3. Assume breach — Minimize the blast radius of a compromise through segmentation, encryption, and continuous monitoring

Key technologies: identity providers (Okta, Azure AD), micro-segmentation, continuous authentication, device posture assessment, and software-defined perimeters.

Expected depth: Explain the core principles, contrast with traditional perimeter-based security, and name specific technologies or frameworks (NIST SP 800-207).

31. What is defense in depth?

Defense in depth is a security strategy that layers multiple defensive mechanisms so that if one layer fails, others still protect the asset.

Layers typically include:

  1. Physical — Locks, badges, security cameras
  2. Network — Firewalls, IDS/IPS, network segmentation
  3. Host — Antivirus, EDR, host-based firewalls, patch management
  4. Application — Input validation, authentication, WAF
  5. Data — Encryption at rest and in transit, access controls, DLP
  6. Administrative — Policies, training, background checks, incident response plans

Expected depth: Name at least five layers with specific controls at each layer, and explain why no single control is sufficient.

32. How does multi-factor authentication work and what are the factor types?

MFA requires two or more independent authentication factors:

  1. Something you know — Password, PIN
  2. Something you have — Hardware token (YubiKey), authenticator app (TOTP), smart card
  3. Something you are — Fingerprint, face recognition, iris scan

Important distinctions:

  1. SMS-based MFA is better than no MFA but is vulnerable to SIM swapping and SS7 attacks
  2. TOTP (Google Authenticator, Authy) is more secure than SMS
  3. Hardware security keys (FIDO2/WebAuthn) provide the strongest protection against phishing
  4. Biometrics should be combined with another factor because they cannot be changed if compromised

Expected depth: Name all three factor types, rank common MFA methods by security level, and discuss attacks against MFA (SIM swapping, MFA fatigue, adversary-in-the-middle phishing).

33. What is SIEM and how is it used?

A SIEM (Security Information and Event Management) system aggregates, correlates, and analyzes log data from across the organization to detect security threats.

Core functions:

  1. Log aggregation — Collects logs from servers, firewalls, endpoints, applications
  2. Correlation — Matches events across sources to identify attack patterns
  3. Alerting — Triggers notifications based on detection rules
  4. Investigation — Provides search and visualization for threat hunting
  5. Compliance — Generates reports for regulatory requirements (PCI DSS, HIPAA, SOX)

Popular SIEM platforms include Splunk, Microsoft Sentinel, IBM QRadar, and Elastic Security.

Expected depth: Explain the core functions, discuss the difference between rule-based and behavioral detection, and mention the challenge of alert fatigue and how to manage it.

34. Explain the shared responsibility model in cloud security.

In cloud computing, security responsibilities are divided between the cloud provider and the customer. The division depends on the service model.

  1. IaaS (Infrastructure as a Service) — Provider secures the physical infrastructure and hypervisor. Customer secures the OS, applications, data, and network configuration. Example: AWS EC2.
  2. PaaS (Platform as a Service) — Provider additionally secures the OS and runtime. Customer secures applications and data. Example: AWS Elastic Beanstalk.
  3. SaaS (Software as a Service) — Provider secures almost everything. Customer is responsible for data, access management, and configuration. Example: Microsoft 365.

Expected depth: Describe the model for all three service types, give examples of misconfigurations at each level, and discuss common cloud security mistakes (open S3 buckets, excessive IAM permissions, disabled logging).

Scenario-Based Questions (Questions 35-40)

35. You receive an alert that a user account is making API calls at 3 AM from an unusual country. Walk through your response.

Structured response:

  1. Verify the alert — Check if the user has a legitimate reason (travel, VPN). Review recent travel requests or shift schedules.
  2. Check authentication logs — Was MFA used? Was the login preceded by failed attempts? What device was used?
  3. Assess scope — What API calls were made? What data was accessed? Are there similar anomalies for other accounts?
  4. Contain if suspicious — Temporarily disable the account or revoke session tokens. Reset credentials.
  5. Investigate — Check for credential compromise indicators: data breaches, phishing campaigns targeting the organization, malware on the user's device.
  6. Communicate — Contact the user through a verified channel (phone call, not email) to confirm whether the activity was legitimate.
  7. Document — Record the timeline, actions taken, and outcome regardless of whether it was a true positive.

Expected depth: Show a systematic, calm approach. Mention that you would not permanently lock the account without verification, and that you would check for lateral movement.

36. A developer tells you they accidentally committed API keys to a public GitHub repository. What do you do?

  1. Revoke the keys immediately — This is the first priority, before anything else
  2. Remove from the repository — Delete the commit, force push, and purge from Git history using git filter-branch or BFG Repo-Cleaner. Note that the keys are already compromised regardless of removal.
  3. Audit usage — Check the API provider's logs for unauthorized usage between the time of the commit and key revocation
  4. Generate new keys — Issue replacement keys and update all systems that depend on them
  5. Scan for broader exposure — Use tools like truffleHog or GitLeaks to check for other secrets in the repository
  6. Implement prevention — Set up pre-commit hooks that scan for secrets, use a secrets manager (HashiCorp Vault, AWS Secrets Manager), and add secret patterns to .gitignore

Expected depth: Emphasize that revocation must happen before cleanup, because the keys should be considered compromised the moment they were pushed.

37. Your organization's website is experiencing a DDoS attack. Walk through your response.

  1. Confirm it is a DDoS — Rule out legitimate traffic spikes, server misconfiguration, or upstream provider issues
  2. Activate DDoS mitigation — If you have a CDN/DDoS protection service (Cloudflare, AWS Shield, Akamai), ensure it is in active mitigation mode
  3. Analyze traffic patterns — Identify the attack type (volumetric, protocol, application layer) and source characteristics
  4. Implement traffic filtering — Block traffic from identified attack sources, rate-limit suspicious patterns, geo-block if the attack originates from specific regions
  5. Scale resources — If using cloud infrastructure, scale horizontally to absorb traffic while filtering is implemented
  6. Communicate — Notify stakeholders, update the status page, and coordinate with your ISP if needed
  7. Post-attack — Analyze logs, update runbooks, and consider adding always-on DDoS protection if you only had on-demand

Expected depth: Distinguish between attack types, name specific mitigation tools, and discuss communication strategies.

38. You discover that an employee has been exfiltrating company data to a personal cloud storage account. How do you handle it?

  1. Preserve evidence silently — Do not alert the employee. Begin collecting logs, screenshots, and forensic data.
  2. Involve the right teams — Notify legal, HR, and management. This is not solely a technical issue.
  3. Scope the damage — What data was exfiltrated? How sensitive is it? Over what time period? What are the regulatory implications?
  4. Document everything — Maintain chain of custody for all evidence.
  5. Contain — Work with legal and HR to determine the appropriate time and method to restrict the employee's access.
  6. Remediate — After the employee's access is revoked, change any credentials they had access to, review systems they could have tampered with.
  7. Report — Depending on the data type, you may have regulatory reporting obligations (GDPR, HIPAA).

Expected depth: Emphasize the importance of involving legal and HR before taking action, and the need for proper evidence handling.

39. You are asked to assess the security of a new third-party SaaS vendor. What do you evaluate?

  1. Compliance certifications — SOC 2 Type II, ISO 27001, GDPR compliance, industry-specific certifications (HIPAA, PCI DSS)
  2. Data handling — Where is data stored? Is it encrypted at rest and in transit? What are the retention and deletion policies?
  3. Access controls — Does it support SSO, MFA, and RBAC? Can you enforce your own password policies?
  4. Incident response — What is their breach notification timeline? Do they have an incident response plan?
  5. Business continuity — SLA terms, uptime history, disaster recovery capabilities, data backup practices
  6. Security testing — Do they conduct regular penetration tests? Do they have a bug bounty program?
  7. Subprocessors — What third parties do they share your data with?

Expected depth: Cover at least five evaluation categories and demonstrate awareness that vendor risk is an extension of your own organization's risk.

40. A zero-day vulnerability has been disclosed that affects software your organization uses. Walk through your response.

  1. Assess exposure — Identify all systems running the affected software, including version numbers
  2. Evaluate risk — Is there active exploitation in the wild? Is proof-of-concept code available? What is the CVSS score? What data or systems are at risk?
  3. Apply temporary mitigations — If a patch is not yet available, implement workarounds recommended by the vendor (disable affected features, adjust firewall rules, add WAF rules)
  4. Monitor for exploitation — Create detection rules in your SIEM based on known IOCs and exploitation patterns
  5. Patch when available — Test the patch in a staging environment, then deploy to production on an accelerated timeline
  6. Communicate — Keep stakeholders informed of the risk level and remediation progress
  7. Review — After patching, verify no exploitation occurred during the exposure window

Expected depth: Demonstrate a calm, prioritized approach. Mention CVSS scoring, vendor advisories, and the importance of not panicking but also not waiting for the normal patch cycle.

Preparation Strategy

Cybersecurity interviews test breadth and depth. Here is how to prepare effectively.

  1. Build a home lab. Practice with tools like Nmap, Wireshark, Burp Suite, and Metasploit in a controlled environment. Platforms like TryHackMe and HackTheBox provide guided, legal practice targets.
  2. Study frameworks. Know NIST CSF, MITRE ATT&CK, and the OWASP Top 10 at a conceptual level.
  3. Practice scenario-based answers. For every question, structure your response as a sequence of prioritized actions.
  4. Stay current. Follow threat intelligence feeds, read CVE disclosures, and understand recent high-profile breaches.
  5. Communicate clearly. The ability to explain a technical concept to a non-technical audience is one of the most valued skills in cybersecurity.

Prepare with our free Ethical Hacking textbook.