Security technical interviews vary significantly by role. A SOC analyst interview emphasizes incident detection, triage, and response. A penetration tester interview tests exploitation knowledge and methodology. A security engineer interview focuses on defensive architecture, secure coding, and tooling. This article covers the technical questions that appear across these roles, with the depth and framing that distinguishes serious candidates from those who studied surface definitions.
Foundational Security Concepts
CIA Triad and the Authentication/Authorization Distinction
"Explain the CIA triad. Give a real example of each component being violated."
The CIA triad is the foundational framework for information security:
- Confidentiality: Information is accessible only to those authorized. Violation: an unencrypted database backup uploaded to a public S3 bucket.
- Integrity: Information is accurate and has not been tampered with. Violation: an attacker modifies a financial transaction in transit.
- Availability: Systems and data are accessible when needed. Violation: a DDoS attack takes down a payment processing service.
Security decisions often involve trade-offs between these three properties. Encryption improves confidentiality but adds latency (availability impact). Aggressive rate limiting improves availability against DDoS but may block legitimate users.
"What is the difference between authentication and authorization?"
Authentication verifies identity: "Who are you?" Authorization determines what an authenticated identity is permitted to do: "What are you allowed to do?" A classic failure pattern: systems that authenticate users but do not enforce authorization checks on sensitive endpoints, allowing any authenticated user to access any resource.
Network Security Questions
TLS, Firewall Evasion, and MITM Attacks
"What is a man-in-the-middle attack? How does TLS prevent it?"
In a MITM attack, an attacker intercepts and potentially modifies communication between two parties, each of whom believes they are communicating directly with the other. ARP spoofing on a local network or a rogue Wi-Fi access point are common MITM setups.
TLS prevents MITM through certificate validation. During the TLS handshake, the server presents a certificate signed by a trusted Certificate Authority (CA). The client verifies the certificate chain, checks that the certificate is not expired or revoked (via CRL or OCSP), and confirms the Subject Alternative Name matches the hostname. An attacker cannot forge this certificate without compromising the CA's private key.
Certificate pinning extends this by embedding the expected certificate or public key directly in the client application, preventing attacks even if a CA is compromised.
"Explain common firewall evasion techniques."
This question appears in penetration testing interviews and is also asked in blue team contexts to understand what defenders need to watch for:
- Fragmentation: splitting a packet so the attack payload is divided across multiple fragments that are reassembled by the target
- IP spoofing: sending packets with a forged source IP to obscure the true origin
- Protocol tunneling: encapsulating attack traffic inside an allowed protocol (e.g., DNS tunneling, ICMP tunneling)
- Using allowed ports: communicating over ports 80/443 that are typically permitted through firewalls
Modern next-generation firewalls (NGFWs) perform deep packet inspection and application-layer filtering to counter many of these techniques.
SOC and Incident Response Questions
Malware Investigation, IDS/IPS, and SIEM Usage
"Incident response is not primarily a technical problem—it is a process problem. The teams that handle incidents well have documented runbooks, practiced their response before the incident, and have clear communication protocols. The ones that struggle are improvising under stress." — NIST Computer Security Incident Handling Guide (Special Publication 800-61 Rev. 2)
"Describe your process for investigating a potential malware infection on an endpoint."
A structured incident response approach:
- Isolate: disconnect the system from the network (logically or physically) to contain potential lateral movement
- Preserve: capture memory and disk image before any remediation that might destroy evidence
- Identify indicators: check running processes, network connections, startup items, scheduled tasks, and recently modified files
# Running processes with connections
netstat -anob # Windows
ss -tulnp # Linux
# Recently modified files
find /etc /bin /usr/bin -mtime -7 -type f 2>/dev/null
# Scheduled tasks (Linux)
crontab -l
ls /etc/cron.d/ /etc/cron.daily/
- Timeline: correlate endpoint events with SIEM logs to understand the infection vector and scope
- Remediate: rebuild from clean image rather than attempting to clean an infected system (for malware)
- Document: record the timeline, indicators of compromise (IoCs), and remediation steps
"What is the difference between an IDS and an IPS?"
An Intrusion Detection System (IDS) monitors traffic and generates alerts when it detects suspicious patterns but does not block traffic. An Intrusion Prevention System (IPS) is inline and can actively block or drop traffic matching attack signatures. IDS is passive; IPS is active. IPS deployment requires careful tuning because false positives result in blocked legitimate traffic.
"What are SIEM tools used for and what makes a good SIEM alert?"
Security Information and Event Management (SIEM) platforms aggregate and correlate logs from across the infrastructure—firewalls, endpoints, servers, cloud services—and surface alerts for security analysts. Examples: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM.
A high-quality SIEM alert has:
- Low false positive rate (alert fatigue destroys SOC effectiveness)
- Sufficient context to enable rapid triage without raw log hunting
- Clear severity based on actual risk
- Documented response runbook
Common alert types that appear in interviews: brute force against authentication systems, impossible travel (login from geographically distant locations in a short timeframe), beaconing behavior (regular outbound connections at fixed intervals suggesting C2 communication), and privilege escalation events.
Vulnerability and Attack Questions
SQL Injection, OWASP, and Application Security
"What is SQL injection? How do you prevent it?"
SQL injection occurs when user-supplied input is incorporated into a database query without proper sanitization, allowing an attacker to modify the query's logic. A classic example:
Input: ' OR '1'='1
Query: SELECT * FROM users WHERE username='' OR '1'='1' AND password=...
Prevention: use parameterized queries (prepared statements) rather than string concatenation. ORMs typically handle this. Input validation provides defense in depth but is not sufficient alone.
"What is the OWASP Top 10 and why is it useful?"
The OWASP Top 10 is a regularly updated list of the most critical web application security risks, published by the Open Web Application Security Project. It is widely used as a baseline for application security assessments, developer training, and security testing requirements. The current top items include Broken Access Control, Cryptographic Failures, Injection, Insecure Design, and Security Misconfiguration.
Knowing the list is table stakes. Being able to describe how each category manifests in real applications, give examples of vulnerable code patterns, and explain effective mitigations separates candidates with genuine application security knowledge.
Cryptography Questions
Encryption Schemes, Hash Functions, and TLS Key Exchange
"What is the difference between symmetric and asymmetric encryption? When is each used?"
Symmetric encryption uses the same key for encryption and decryption. It is fast and suitable for encrypting large volumes of data. Examples: AES-256. The key distribution problem—how to securely share the key with the other party—is its limitation.
Asymmetric encryption uses a public/private key pair. Data encrypted with the public key can only be decrypted with the private key. It solves the key distribution problem but is computationally expensive. Examples: RSA, ECC.
In practice, protocols like TLS use asymmetric cryptography to securely exchange a symmetric session key, then use the symmetric key for the bulk of the communication—combining the security properties of asymmetric key exchange with the performance of symmetric encryption.
"What is a hash function and what makes a hash function cryptographically secure?"
A hash function produces a fixed-length output (digest) from an input of arbitrary length. Cryptographic hash functions must be: one-way (computationally infeasible to reverse), collision-resistant (infeasible to find two inputs with the same output), and deterministic (same input always produces same output). SHA-256 and SHA-3 are current standard choices. MD5 and SHA-1 are considered cryptographically broken and should not be used for security purposes.
Common Security Tools
Tools by Category: From Packet Capture to SIEM
Interviewers for security roles often ask about tools you have used in practice:
| Tool | Category | Common Interview Context |
|---|---|---|
| Wireshark / tcpdump | Packet analysis | Describe what you look for in a capture |
| Nmap | Network scanning | Explain scan types (SYN, connect, UDP) |
| Burp Suite | Web app testing | Describe how to intercept and modify requests |
| Metasploit | Exploitation framework | Explain modules, payloads, listeners |
| Splunk / Sentinel | SIEM | Describe a detection rule you wrote |
| OpenVAS / Nessus | Vulnerability scanning | Explain how to prioritize findings |
See also: Cloud Technical Interview Prep: AWS and Azure Questions That Come Up
References
- Stuttard, D., & Pinto, M. (2011). The Web Application Hacker's Handbook (2nd ed.). Wiley. ISBN: 978-1118026472
- Engebretson, P. (2013). The Basics of Hacking and Penetration Testing (2nd ed.). Syngress. ISBN: 978-0124116443
- OWASP Foundation. (2021). "OWASP Top Ten 2021." https://owasp.org/www-project-top-ten/
- NIST. (2012). "Computer Security Incident Handling Guide (Special Publication 800-61 Revision 2)." https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
- Conklin, W. A., White, G., Williams, D., Davis, R., & Cothren, C. (2021). CompTIA Security+ All-in-One Exam Guide (6th ed., exam SY0-601). McGraw-Hill. ISBN: 978-1260464009
- Schneier, B. (2015). Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World. W. W. Norton. ISBN: 978-0393352177
- Mitnick, K., & Simon, W. L. (2005). The Art of Intrusion: The Real Stories Behind the Exploits of Hackers, Intruders and Deceivers. Wiley. ISBN: 978-0764569593
Frequently Asked Questions
What topics do SOC analyst interviews focus on?
SOC interviews focus on incident triage and response process, log analysis and SIEM usage, common attack patterns like phishing, malware, and lateral movement, understanding of network traffic analysis, and knowledge of detection frameworks like MITRE ATT&CK. Scenario-based questions asking how you would investigate a specific alert are very common.
What is the difference between an IDS and an IPS?
An IDS monitors traffic and generates alerts but does not block traffic—it is passive. An IPS is deployed inline and can actively block traffic matching attack signatures. IPS requires careful tuning because false positives result in blocked legitimate traffic, which can impact availability.
What makes a cryptographic hash function secure?
A cryptographic hash function must be one-way (computationally infeasible to reverse), collision-resistant (infeasible to find two different inputs producing the same hash), and deterministic. SHA-256 and SHA-3 meet these requirements. MD5 and SHA-1 are considered broken and should not be used for security purposes.
How do you prevent SQL injection?
The primary defense is parameterized queries (prepared statements), which separate SQL code from user-supplied data so input can never modify query logic. Input validation provides defense in depth. ORMs typically handle parameterization automatically. String concatenation to build queries from user input is always a vulnerability.
What is the OWASP Top 10?
The OWASP Top 10 is a regularly updated list of the most critical web application security risks published by the Open Web Application Security Project. Current top items include Broken Access Control, Cryptographic Failures, Injection, and Security Misconfiguration. It is a standard baseline for application security testing requirements and developer training.