Cyber Security Interview Questions for Penetration Testers, Red Team Engineers, SCO Analyst, Malware Researchers, Network Security Engineers and more. These are real questions faced by candidates in different domain interviews. These questions can help serious Job seekers and students alike who want to enter Cyber Security and clueless what might be asked in Interviews.
Different Cyber Security Job Roles - A look at different domains in Cyber Security, this is not perfect, but still can help to get some idea of different roles one might take in CYber Security Jobs
The Tweet above or the MindMap of different possible Cyber Security Job Roles will help me escape the Question - ” Why every question is not Offensive or Defensive only, I only want Pentesting Questions, or only SOC Analyst Questions.” Answer - ” Cyber Security is big domain and needs for different roles are different. ”
Orginal Repository - https://github.com/abhinavkakku/Cyber_Security_Interview_Questions
Note-1: We will keep updating this page (Last updated : 06 September, 2k23), just started so don’t expect this to become encyclopedia yet. I have removed the answers bit for now, might be updated in future.
Note-2: Some questions can fall under more than one Category, forgive me for that, I will try not to repeat. Yet some questions that have very broad scope of follow-up questions maybe repeated ( as it gives context).
Basic Cyber Security Questions
Some basic questions that are very fundamental in nature, are directly or sometimes in-directly related to Cyber Security. These help establish some baseline, and everytime when one of these questions are asked, try to align the answer to Cyber Security. Also, when answering these, try not to miss the basic points, often the interviewer might want to hear some particular keyword, so dont rush on hearing a easy question, gather yourself and the answer and answer it.
- What is Cyber Kill Chain.
- How can you classfy the roles in Cyber Security ? What is your understanding of different job roles and functions that are part of Cyber Security ?
- What is the CIA triangle?
- What’s the difference between symmetric and asymmetric (public-key) cryptography?
- What are Ports in Computers, how many ports a computer has ?
- Why is deleted data not truly gone when you delete it?
- What is Encryption, Encoding, Hashing ?
- What is Salting (in context of Hashing), and why it is used ?
- Would you Encrypt and Compress or Compress and Encrypt ? Why ?
- What’s the difference between deep web and dark web?
- What is MITRE ATT&CK?
- Explain/differentiate Vulnerability and Exploit
- Explain Vulnerability, Threat and Risk.
- What is difference in VA and PT ?
- What is Diffrence Between Events, Alerts & Incidents ?
- What is APT Groups ( in Cyber Security Context ) ?
- Any experience on working with any Ticketing tools ?
Network Security Interview Questions
Questions around Networks and devices are important as this is very intrinsic part of any security setup. I will again repeat this - while the questions are very very basic, be prepared for follow up questions. These questions are just initiators, the actual question will the follow up question on which you will be judged.
- What is traceroute and how do you use it ?
- What is SSH ? on What port does SSH works ?
- Can you do SSH from Windows ?
- Why is DNS Monitoring Important ? What information can it reveal ?
- DNS Communication Happens on which port ?
- What is VPN?
- What is Proxy
- What is Difference in VPN and Proxy ?
- What is Forward Proxy and Reverse Proxy?
- What is a Load Balancer?
- What is CDN ?
- Can you explain man-in-the middle attack?
- Does HTTPS/SSL protects from Man-in-the-Middle Attack ?
- What is difference in IPS and IDS ? 1 What are different OSI Layers in Networking
- How is TCP/IP Layer Different from OSI Layers in Networking?
- Do you prefer filtered ports or closed ports on your firewall?
- What is a firewall? What are different types of Firewall ?
- How can you bypass firewall? or IDS ?
- What is Fragmentation attack ?
- How can Fragmentation be used as DoS Attack ? How can this be avoided or handled ?
- Besides firewalls, what other devices are used to enforce network boundaries?
- What is a honeypot?
- What is the difference between an HIDS and a NIDS? Exmaples of both.
- What is worse in detection, a false negative or a false positive? And why?
- What is DDoS and DoS attack ?
- What do you understand by IP Subnetting ?
- Explain NAT (Network Address Translation) ?
- What is Port Forwarding ? and how/why it is used ?
- What is VLAN ?
- What Security Principle means a signed message came from the owner of key that signed it ? (non-repundiation, Integrity, authority, -non-verifiability)
- What is ARP Poisoning ?
Intermediate Level Questions
Now that you have answered some basic questions, lets level up a bit. These might not be very good, but keeping in mind to keep answer to the realm of Security, focus on security aspect when answering these.
- What is Three-way-Handshake ? Explain.
- How many packets are sent and received in 3-way handshake ?
- Explain BruteForce Attack . How do you detect it ?
- How can you prevent Brute Force attack ? Mention some methods.
- Have you heard of 2FA ? How 2FA protects users ? Is it possible to bypass 2FA with Phishing ?
- What is difference in SSL and TLS ?
- What is use of SSL ? How it protects ?
- How SSL Certificate Exchange happens ?
- What do you understand by DMZ and Non-DMZ ?
- What is Meta Data and how can you view it ? What Risk it causes ?
- Explain TCP and UDP . How they differ ?
- What is DNS ? How DNS Resolution happens ? Which Port is used for DNS ? is it over TCP or UDP ?
- What is DLP ? Heard of it ?
- What is Data Exfiltration ? Mention some methods of Data Exfiltration.
- How can you check for Data Exfiltration Activities ?
- Expect some questions on common ports and services, like SMB, DNS FTP, SSH, SMTP, HTTP, HTTPS, DHCP, questions based on some log analysis or directly can be asked, if you are observing too much traffic to/from on port 22, what steps you take ?
- How do you place a firewall, load balancer, proxy ? in what order and why ?
- What information can you get from MAC Address ?
- What port does PING works on ? ( I will change this Ping thing, too much resued now)
Red Teaming, Penetration Testing, Application Security Questions
When explaining any Vulnerability here, also try mentioning remidiation for the same, and more deep dive if follow up questions asked.
Note : Kindly dont pinpoint yet on hey this is patching or this is Application Security or This falls in Mobile PT or Red Teaming, the border lines between these bit blured, so questions cn fall in one or more categories.
Again, the questions here are not guessed, can be limitless, so just putting very basic ones. This does NOT pertains to like - Hey ! These are asked in Pentesting Interviews.
- How do you start about hacking a target ? What is Information Gathering, Enumeration ?
- What are phases of Network Penetration Testing ? (Cyber Kill Chain)
- What NMAP argument/flag in nmap tells about version ?
- What is difference in -v and -V in NMAP ?
- Can SQLi lead to RCE ?
- How do you erase tracks when hacked a machine ? consider it is linux.
- What is your opinion on Automated Pentesting ? vs Manual Pentesting ? Which one is better ?
- What is difference in Black-Box Pentesting vs White-Box Pentesting ?
- Any Purple Teaming Exercises done in past ? Explain.
- Have you done any Phishing assesments in past ?
- How can you bypass Antivirus Detection ? Explain.
- How does EDR works ? How to bypass EDR Detections ? Explain.
- What is Supply Chain Attack ?
- Compromising a local account is easier or an AD account ? (Windows Context)
- How would you do Data Exfiltration if you hacked a machine ?
- have you worked on Nessus / Qualys before ?
- Any open source alternative of Nessus or Qualys ?
- What do you prefer ? Vulnerbaility Assessment of a machine with Credentials or without Credentials ?
- What are things to consider before doing Pentesting or Vulnerability Assesment of a targt ?
- Would you place the machine (server example Nessus) within the same Network of machines which is being tested or seperate ?
- Why or Why not will you whitelist the Source machine of attack in Penetration Testing or Vulnerability Assesement ?
- How do you rate Vulnerability ? Eplain scoring system or frameworks.
- Name some tools you use in Network Pentesting.
- How do you report Vulnerability or Security Gaps after pentesting ? (Report Writing)
- Do you work often with patching teams to report and get patched the vulnrable software or fixing security gaps ?
- What are some HTTP Status codes you monitor during pentest ? Explain some interesting ones.
- What is a 0-Day (Zero-Day) attack ?
- What is Sub-Domain Takeover. Explain.
- How can you detect presence of a WAF ( Web Application Firewall),( and which one) ?
- What is C2 Server (Command and Control) ?
- Mention some SSL/TLS related Vulnerabilities.
- Have you come across any recent Data Breach, explain how it happened . (and IR Part : How we can protect against the same ?)
- How does NMAP determines the Operating System of the target ?
- What is difference in Pass-the-Hash and Pass-the-Ticket ?
- Heard of OWASP ? What is it ? name some Vulnerabilities from OWASP-T10.
- What is Vulnerability Assesment, Pentesting , and Red teaming. Differences ?
- How do you handle Brute Forcing on your application ?
- What is Authentication and Authorization ?
- What is Steteful and Steteless in HTTP context ?
- How does HTTP handles state ?
- What is Cross Site Scripting ?
- What is difference in stored , reflected, and DOM XSS ?
- Which of the XSS attacks are hard to detetct and why ?
- What is the defense against XSS ? Remidiation.
- Do you prefer black-listing approach or whitelisting approach ? and Why ?
- What is CSRF ? Impact ? and Remidiation ?
- When investigating CSRF Attack , wat are the things you will look for ?
- Can you perform CSRF attack if HTTP method is PUT considering there is no CSRF Prevention, Explain?
- How do you determine if the Website is hosted on IIS or Apache or Nginix or whatever server stack ?
- What is SQL Injection ?
- Name some Types of SQL Injection Vulnerability.
- Explain Union Based SQL Injection.
- Explain Time Based SQL Injection.
- Explain Blind SQL Injection.
- How do you protect against SQLi ?
- What is Prepared Statements and Paramatrized Query ? (in Context of SQLi)
- What is 2nd-Order-SQLi ?
- How do you store password for applications in database ?
- What is RCE ? How do you test for RCE ? How can this bug be remidiated ?
- Explain OS Command Injection .
- What is CORS ? and SOP ?
- Does CORS protect against CSRF Attack ?
- Explain XXE ? What causes this flaw ? How do you mitigate it ?
- What are some Security headers in HTTP Request? Name some.
- Mention some HTTP Response Headers for Security ? Explain.
- What are various HTTP methods ?
- What is difference in GET POST and PUT Request ?
- What is CSP (Content Security Policy) ?
- Explain Race Condition ? How can you test for it ?
- Explain Cookie Attributes/Flags ? and Explain.
- What is Threat Modeling ?
- When do you interact with developers for security testing ?
- Are you aware of the Software Development Life Cycle ?
- When in SDLC should you engage with Developers ?
- What is CI/CD Pipeline ? Explain the role of this with the context of Security.
- Classify some Web Vulnerabilities into Low, Medium , High and Critical category. Reason why !
- Known that MD5 is not the most secured hasing Algorithm, Why we dont use SHA256 or others always ?
- Internet facing NGINIX is being used in front of multiple applications (micro service architecture). These application are accessible to users via different sub-domains through NGINIX, What can go Wrong ?
- Can server SSL Certificate prevent SSL Injection against your system ? Explain.
- An Attacker is trying to extract session cookie using XSS Vulnerability, but a blank popup is shown. What could be the reason for this behaviour ?
- Web Application allows user to download their account statement in DF format. How can you securely implement this functionality ? Explain.
- What is Threat Model / Threat Modeling ?
- What is STRIDE ?
Mobile Application Pentesting
- What are some common Risks in Mobile Applications ?
- Describe Programatic ways to detect if iOS or Android device is jailbroken or rooted.
- Can SMS be used as a medium to perform SQL Injection on Android Application. Explain ?
- Which tool is (mostly*) used to hook into iOS application
- Which protection mechanism is used for distributing Apple iOS Application on iTunes store?
- What are different Obfuscators used to Protect Mobile Apps ?
- What are different ways for Mobile Application to store and Protect sensative data in Android and iOS. Recomend best practices.
- Brief about the Security improvements in Recent (last 2) Android Releases.
- Mention different steps you would perform doing reverse engineering on an iOS Application downloaded from iTunes Store.
- Consider that you have decompiled a Android Application, made changes to the code and apk design, Will you be able to install this repacked APK on a newly formatted Android device ? Why ? or Not ?
- Provide ADB command with example to fetch APK file from Android Device.
- Can Adnroid malware App Extract sqlite file of another app? How? Why?or Not ? Explain with any assumptions made .
- Explain different approaches of bypassing SSL Pinning in Android and iOS Applications.
Cloud Pentesting or Security
- What are common Misconfigurations around AWS S3 bucket ?
SOC Analyst | Incident Response | DFIR
SOC Analysts can be Clark Kent (superman) touching multiple parts of tech, having a grip over some and idea of many helps many times. Also the questions in a basic SOC job can start from any section above or below and land to this part of page. I will try to keep it concise to the topic.
Note : SOC Analysts work around many different tech, so questions expect to judge the knowledge around some system, which can make response (or handling) around some Incident/Attack better.
Note-2 : Questions in SOC Analyst Role and Incident Response are expected to be asnwered with scenarios and response action, so cover all possible paths you can think of.
- How can you break password of BIOS on a locked machine. How to do same on Laptop ( expected follow-up).
- Where is password Stored in Windows Machines ?
- How can you read SAM File in Windows ? How does it stores passwords ?
- Mention some methods you crack Windows Password.
- Lets talk about Linux system passwords , where is it stored ? which hash it uses ?
- How can you detect malicious activity around both SAM and passwd/shadow file respectively ? ( say things you should be monitoring and how ?)
- What is Incident Response ?
- What is LifeCycle of a Incident Response Process ?
- What is SLA ?
- I hope you understand the Idea of P0, P126.96.36.199 Incidents ? Which one will you handle with priority ?
- What is IOC (Indicators of Compromise) and IOA (Indicators of Attack) ?
- How can you say if an email is Phishing or not ?
- What will you do if user reports to have phishing email ?
- You discover user clicked links in phishing email, also shared credentials. What actions will be taken by you ?
- SPM DKIM DMARC records are related to ?
- How can you determine if the email spam ? what is the action taken to arrest the spread of same if you have to act ?
- make a playbook for case of BEC ( Business Email Compromise ).
- When a user reports their machine is hacked , what are the things yu look for ?
- What are some malware persistence Techniques ?
- What is Process Injection ? Name some (sub)methods.
- Which one is more acceptable Sypware or PUP ?
- What would you prefer on your system ? Rootkit or Backdoor ?
- Why Ransomware is a buzz word ?
- How can you detect/confirm that you (organisation) has been hit (affected) by ransomware ? What are the indicators ?
- How do you respond to a Ransomware attack ?
- Have you worked on any EDR Tools before ? What makes EDR different from Antivirus ?
- How/Why would you classify a website as malicious ?
- What is drive-by-downloads ?
- Can website with Green-Lock (SSL) be dangerous ?
- You discover your Infrastructure / Application is under DDoS attack ? What will be your resonse plan ?
- How would you advise backup policy of critical data in infrastructure ?
- What are some interesting logs you can collect in Windows Environment ?
- What are different DNS Records ? Explain.
- Explain DNS Exfiltration. How to detect DNS Exfiltration ?
- Browser, Application and OS are Vulnerable, which one will you priotize to fix and why ?
- How can you do Network Packet Analysis ? (Wireshark)
- Can you do do Network Packet Analysis with Wireshark ? What all information can you get from this analysis ?
- Can you do Network backet Analysis of HTTPS (SSL Enabled) traffic with Wireshark ?
- What are the logs from a Linux machine you would pick for SIEM ?
- What is SIEM ? Its Use ? ( More SIEM based questions in a small section later on same page)
- Describe some Incident that you faced, and how you handled it ?
- How do you Investigate a suspicious Login alert for a business user email?
- What is difference in Credential Stuffing ? and password Spraying ? How do you detect these ?
- Make a use-case of Password Spraying attack.
- What types of Malware Analysis are posible ?
- Explain Static Analysis and Dynamic Analysis of Malwares.
Compliance Audit GRC and more.
- What s GDPR ? How does this affects you/us ?
Hontesly I have no-clue of this branch, but questions on compliance standards , something around ISO PCI and other standards will be expected, and also updated here. Soon* .
Opinion based questions or Scenario…
These questions are to know your views, and there is usually no right or wrong answer here. It is more of a discussion to know your opinions , the way you see the problem or solve it, there is/are always more approaches to solve the problem.
- Do you prefer Open-Source projects or proprietary ones ? and Why ?
- Geo-Blocking IP ranges is a good Idea ? Why or Why not ?
- Can you explain some recent security breaches or well-known attacks .
- Our data is exfiltrated and encrypted in a Ransomware attack we suffered from. Should we pay to attacker to get the key or data back ?
More questions based on some experience coming here soon. As Cyber Sec Interviews are mostly for one of the roles, so follow up questions and scenarios are limited in scope. But will share some.
Programming Automation Tools.
- Are you good at coding ? How good are you with programming ?
- What is the choice of Language ? Which one are you comfotable with ?
- Write code to fetch IP Address from a json file.
- Write code to fetch valid email address from json file, email address can have ( . _ numbers )
- Have you worked with Python Web Requests ? possibly parsing the response in desired format.
- Write program to do the Network Packet Analysis , maybe fetch the .exe or .elf payload data from Network data captured in PCAP file.
More questions based on some projects and required coming here soon.
These are totally random questions, makes less sense to judge on ( personal Opinion* ), but just for the sake of interaction sometimes you can hear these. I hope people dont represent the Illuminati view here, and be moderate or balanced in answering.
- Security is fast moving field. How do you keep yourself updated.
- What is your understanding of Insider Threats ? how to detect ?
- Social Media websites such as Instagram and Linkedin are ok to use at workplace ? Why ? or not ?
- iOS is more secure compared to Android ?
- Are you a Linux user or Windows ? Which is more secure ? Why you think so ?
- What is Dark Web, and how is it different compared to Deep Web ?
I want this section to be short, but for this, I wont keep any questions with me.