Technical security questions

"Explain the OSI model and how it relates to network security." Layers 1-7: Physical, Data Link (MAC, ARP, VLANs), Network (IP, routing), Transport (TCP/UDP, ports), Session, Presentation (encryption), Application (HTTP, DNS, SMTP). Security by layer: Layer 2 — MAC spoofing, ARP poisoning; Layer 3 — IP spoofing; Layer 4 — port scanning, SYN flood; Layer 7 — SQL injection, XSS. Firewalls operate at Layers 3-4 or Layer 7 (WAF). "What is the difference between symmetric and asymmetric encryption?" Symmetric: same key encrypts and decrypts (AES-256) — fast but requires secure key distribution. Asymmetric: public key encrypts, private key decrypts (RSA, ECC) — solves key distribution but slower. TLS uses asymmetric to establish a session, then symmetric for bulk transfer (hybrid approach).

Incident response questions

"Walk me through your response to a suspected phishing email." PICERL: Preparation, Identification (verify — headers, URLs, attachments in sandbox; did the employee click?), Containment (isolate machine if malware executed, block malicious domains, reset credentials), Eradication (remove malware, patch), Recovery (restore clean state, verify no persistence), Lessons Learned (update email filters, run phishing training, update playbook). "What is a SIEM and how do you use it?" Aggregates, correlates, and alerts on log data across the environment. Common: Splunk, Microsoft Sentinel, IBM QRadar, Elastic SIEM. SOC use: alert triage, threat hunting (proactive queries), investigation (building event timelines), compliance reporting.

Threat landscape questions

"What are the most significant cyber threats in 2026?" Ransomware (still highest-impact — double extortion: encrypt and exfiltrate), AI-enabled phishing (generative AI dramatically improved targeting and quality), supply chain attacks (targeting software vendors to reach downstream targets), cloud misconfigurations (most common data exposure source for cloud-native organisations), identity-based attacks (credential theft, MFA bypass via adversary-in-the-middle). Follow: CISA advisories, NCSC guidance, Mandiant reports, vendor threat intel blogs. "What is the MITRE ATT&CK framework?" A knowledge base of adversary tactics, techniques, and procedures from real-world attacks. Use cases: threat modelling, detection engineering (SIEM rules for ATT&CK techniques), red/purple team exercises, SOC analyst training.

Behavioral questions

"Tell me about a time you identified a security vulnerability that others had missed." How you spotted it, investigated and confirmed it, escalated appropriately, and what the impact would have been left unaddressed. "How do you keep your security knowledge up to date?" Specific sources: SANS Internet Storm Center, Krebs on Security, Bleeping Computer, NIST NVD for CVEs, CISA advisories. Active learning: CTFs, TryHackMe, HackTheBox, conference talks (DEF CON, Black Hat, BSides). Certifications: CompTIA Security+, CySA+, GIAC GSEC or GCIH, CISSP for senior roles.

Get real-time help in your next interview
Live Interview Help listens to your interview and surfaces personalised answers in real time. Free 20-minute trial on Google Meet, Teams, and Zoom.
Install Free on Chrome

Frequently asked questions

What certifications are most valued for security analyst roles?
Entry level: CompTIA Security+, CySA+, Google Cybersecurity Certificate. Mid-level: CEH, GIAC GSEC, Microsoft SC-200 (for Sentinel/Defender-centric SOC roles). Senior: CISSP (gold standard for broad security knowledge), GIAC GCIA or GCIH. Hands-on platforms like TryHackMe, HackTheBox, or CyberDefenders are increasingly valued alongside certifications, particularly for SOC analyst roles.
What is the difference between a SOC analyst and a penetration tester?
SOC analysts work defensively: monitoring, alert triage, incident investigation and response in real time. Penetration testers work offensively: simulating attacker techniques to find vulnerabilities before real attackers do. Both require understanding attack techniques but from opposite sides. Many start in a SOC role and later specialise into penetration testing, red teaming, or purple teaming.