Security Engineer Interview Blueprint 2026: 40+ Critical Questions Craqly Teams Use

Tech interviews are hard. Security engineer interviews are harder, because the job itself spans such an enormous range: one security engineer might spend her week doing code review and threat modeling; another might own the SIEM and be on call for incidents. The questions you get reflect which of those two jobs you’re interviewing for, and most candidates don’t figure that out until they’re three questions in.

I’ve tried to organize these by domain rather than difficulty, because the hardest questions aren’t always the most important ones. Sometimes the question that sinks candidates is embarrassingly basic. More on that below.

The four areas interviewers consistently test

Before the specific questions: most security engineering interviews assess across four areas, weighted differently depending on the company. Application security teams care heavily about secure SDLC and code review. Infrastructure security teams care more about network defense, identity, and logging. Generalist security engineering roles at smaller companies test everything at shallower depth.

Knowing which type of role you’re interviewing for is worth 30 minutes of research before the call. It’s not just flattery to ask a recruiter “what does the team’s day-to-day actually look like?”; it’s information that changes how you prepare.

Security fundamentals questions

These appear in almost every interview. They feel like softballs. They’re not. Getting fuzzy on fundamentals in front of a senior engineer is the fastest way to undermine confidence built up elsewhere.

  • Explain the CIA triad. How does it apply to a healthcare data platform? Most people can define confidentiality, integrity, and availability. The interviewer wants to hear you apply them in context and talk about trade-offs: high availability and confidentiality can conflict.
  • What happens during a TLS 1.3 handshake? They want the sequence: client hello, server hello, key exchange, certificate validation, session key derivation. Many candidates fumble TLS 1.3 specifics (0-RTT, the removal of RSA key exchange) because they studied 1.2.
  • What is the difference between symmetric and asymmetric encryption? When would you use each? Symmetric for bulk data (fast). Asymmetric for key exchange and signatures (slower but solves the distribution problem). Real-world examples matter here.
  • How does RBAC differ from ABAC, and when would you choose one over the other? RBAC assigns permissions to roles; ABAC evaluates attributes at access time. ABAC is more flexible but more complex to implement and audit. Smaller orgs often choose RBAC for its simplicity.
  • What’s the difference between IDS and IPS? IDS detects and alerts; IPS actively blocks. The wrong answer is treating them as interchangeable.
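Added example, not from the article: a small Python policy evaluator contrasting the RBAC and ABAC answers above. The users, roles, records, and the healthcare-flavoured policy (own-department access, writes only in working hours) are all constructed assumptions.

```python
# Constructed users, roles and records for illustration (not from any real system).
ROLE_PERMISSIONS = {
    "doctor":  {"patient:read", "patient:write"},
    "billing": {"invoice:read"},
}
USERS = {
    "alice": {"roles": {"doctor"},  "department": "cardiology"},
    "bob":   {"roles": {"billing"}, "department": "finance"},
}
RECORDS = {
    "p1": {"type": "patient", "department": "cardiology"},
    "p2": {"type": "patient", "department": "oncology"},
}

def rbac_allows(user, action, record):
    """RBAC: granted if any of the user's roles carries '<type>:<action>'.
    Note what it cannot express: the decision ignores which record it is."""
    perm = f"{record['type']}:{action}"
    return any(perm in ROLE_PERMISSIONS.get(role, set()) for role in USERS[user]["roles"])

def abac_allows(user, action, record, now_hour):
    """ABAC: evaluate subject, resource and environment attributes at request time.
    Assumed policy: a doctor may read or write patient records only in their own
    department, and may write only between 08:00 and 18:00."""
    subject = USERS[user]
    if "doctor" not in subject["roles"] or record["type"] != "patient":
        return False
    if subject["department"] != record["department"]:
        return False
    if action == "write" and not 8 <= now_hour < 18:
        return False
    return True

def compare(user, action, record_id, now_hour):
    """Return (rbac_decision, abac_decision) so the difference is visible side by side."""
    record = RECORDS[record_id]
    return rbac_allows(user, action, record), abac_allows(user, action, record, now_hour)

if __name__ == "__main__":
    # RBAC lets alice write an oncology record at 03:00; ABAC denies on both attributes.
    print("alice write p2 @03:00 ->", compare("alice", "write", "p2", 3))
    print("alice write p1 @10:00 ->", compare("alice", "write", "p1", 10))
```

The cost the article mentions is visible here too: every ABAC rule is another branch that has to be tested and audited, whereas the RBAC table can be reviewed at a glance.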

Network security questions

These matter more than most candidates expect, even at application-focused companies. Network security is the substrate everything else runs on.

  • You notice unusual outbound traffic to an unfamiliar IP at 2 AM. Walk me through your response. Good answers involve: enriching the IP (threat intel, WHOIS, passive DNS), checking the process that generated the traffic, correlating with other hosts, considering containment vs. continued monitoring.
  • How would you segment a network that includes IoT devices, developer workstations, and a production database? They’re testing whether you think about VLANs, firewall rules, and least-privilege network access as a design problem, not just a list of controls.
  • What is a DDoS attack, and what are three mitigation strategies? Rate limiting, upstream filtering (Cloudflare, Akamai), traffic scrubbing, and over-provisioning are all reasonable answers. The question often comes with a follow-up about how you’d distinguish a DDoS from a legitimate traffic spike.
  • Explain DNS over HTTPS (DoH). What are the security implications? DoH encrypts DNS queries to prevent eavesdropping and manipulation, but it also complicates corporate monitoring and can bypass enterprise DNS controls. Both the security benefit and the visibility trade-off matter.

Incident response questions

In my experience, this is where good candidates separate from great ones. Technical knowledge is table stakes. The difference is whether someone has a systematic way of thinking under pressure.

  • Walk me through your incident response process for a ransomware event. The NIST SP 800-61 framework (Preparation, Detection, Containment, Eradication, Recovery, Post-Incident) is the skeleton. But the interviewer wants to hear judgment: when do you isolate vs. let the attacker run longer to gather intelligence? When do you call law enforcement?
  • How do you preserve evidence during an active incident without contaminating it? Chain of custody, memory dumps before shutdown, disk imaging, write blockers. Most candidates skip memory forensics and that’s a tell.
  • What’s a false positive in SIEM, and how do you tune to reduce them? Baselining normal behavior, adjusting thresholds, correlating events, and suppressing known-good patterns. They want to hear that you know tuning is ongoing work, not a one-time setup.
  • You get an alert that a privileged account logged in from two countries 90 minutes apart. What do you do? Classic impossible travel scenario. The answer involves verifying whether VPN or remote access explains it, reaching out to the user, checking other concurrent activity, and possibly disabling the account pending investigation.
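Added example, not from the article: detection logic for the impossible-travel scenario above, run over constructed sign-in events. It computes the speed a user would have needed between consecutive logins and, as the answer suggests, treats a known VPN egress as an explanation (suppressed but still reported). The events, IPs (documentation ranges), the VPN egress set, and the 1000 km/h ceiling are all assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real logs): user, UTC timestamp,
# source IP, and the geolocation that IP resolved to.
EVENTS = [
    {"user": "admin1", "ts": "2024-05-01T01:00:00", "ip": "198.51.100.4", "lat": 51.5074, "lon": -0.1278},   # London
    {"user": "admin1", "ts": "2024-05-01T02:30:00", "ip": "192.0.2.9",    "lat": 40.7128, "lon": -74.0060},  # New York
    {"user": "dev2",   "ts": "2024-05-01T03:00:00", "ip": "198.51.100.8", "lat": 48.8566, "lon": 2.3522},    # Paris
    {"user": "dev2",   "ts": "2024-05-01T09:00:00", "ip": "198.51.100.9", "lat": 52.5200, "lon": 13.4050},   # Berlin
    {"user": "ops3",   "ts": "2024-05-01T04:00:00", "ip": "198.51.100.2", "lat": 35.6762, "lon": 139.6503},  # Tokyo
    {"user": "ops3",   "ts": "2024-05-01T05:00:00", "ip": "203.0.113.7",  "lat": 51.5074, "lon": -0.1278},   # London, VPN
]
KNOWN_VPN_EGRESS = {"203.0.113.7"}  # assumed corporate VPN egress IP, treated as known-good
MAX_SPEED_KMH = 1000.0              # assumed ceiling: faster than a commercial flight is implausible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_speed_kmh=MAX_SPEED_KMH, vpn_egress=KNOWN_VPN_EGRESS):
    """Return (flagged, suppressed): consecutive sign-ins per user that would need
    travel faster than max_speed_kmh. Pairs touching a known VPN egress go to
    'suppressed' rather than being dropped, so the tuning decision stays auditable."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    flagged, suppressed = [], []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])).total_seconds() / 3600
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0 else 0.0)
            if speed <= max_speed_kmh:
                continue
            finding = {"user": user, "speed_kmh": round(speed), "from_ip": prev["ip"], "to_ip": cur["ip"]}
            (suppressed if prev["ip"] in vpn_egress or cur["ip"] in vpn_egress else flagged).append(finding)
    return flagged, suppressed

if __name__ == "__main__":
    flagged, suppressed = impossible_travel(EVENTS)
    for f in flagged:
        print(f"ALERT {f['user']}: ~{f['speed_kmh']} km/h between {f['from_ip']} and {f['to_ip']}")
    for f in suppressed:
        print(f"INFO  {f['user']}: suppressed, known VPN egress involved")
```

In production the geolocation would come from a GeoIP lookup on the source IP and the event stream from the identity provider; the speed threshold and the egress allowlist are exactly the kind of tuning the SIEM question above is asking about.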

Application and cloud security questions

Broken access control has been the number one vulnerability in the OWASP Top 10 since 2021. It comes up in interviews constantly, and not just as a definition question.

  • How would you perform a security review of a new internal API before it ships? Threat modeling, authentication/authorization checks, input validation, rate limiting, logging completeness. The answer should feel like a process, not a checklist.
  • What’s the shared responsibility model in AWS, and where does it create confusion? AWS secures the infrastructure; you secure everything you put on it. The confusion happens with managed services: who’s responsible for the OS on an EC2 vs. an RDS instance?
  • A developer requests admin access to a production database to debug an issue. How do you handle it? The right answer involves time-limited, audited access via a privileged access management solution, not a standing admin credential. It also involves understanding why the developer needs this in the first place, because the root issue might be a missing debugging tool.

The question that trips up the most candidates

It’s usually something like: “Tell me about a time a security control you implemented failed.” Or: “What’s the biggest mistake you’ve made in a security context?”

People freeze. They pivot to something generic. Or they describe someone else’s mistake.

Interviewers ask this to see self-awareness and how you handle failure, not to find dirt. A concise, honest answer about a real failure (what you learned, what you changed) lands much better than a polished non-answer.

Craqly’s AI interview copilot is useful for practicing exactly these kinds of behavioral security questions, particularly the ones where you need to articulate a response to a failure or edge case under time pressure. Worth using in your prep sessions before the real thing.

One more thing that’s genuinely underrated: after your answer on a technical question, ask the interviewer if they’d approach it differently. Security is opinionated. Good interviewers appreciate the question, and it often turns into the most interesting five minutes of the whole conversation.
