# Interview Questions

Domain-wise interview questions with collapsible answers. Click a question to reveal what a strong answer covers, then close it and try answering out loud before checking yourself. Use these to self-test after working through the matching Study Plan, not as a substitute for it.

## How to Use This Section
- Pick a domain you're interviewing for (or currently studying)
- Read the question, don't peek - try to answer it yourself first
- Expand to check - compare your answer against what's listed
- Note the gaps - anything you couldn't answer becomes your next study topic
- Go deeper - each page links back to the relevant guide on this site for the topics you're shaky on
## Available Domains
| Domain | Focus |
|---|---|
| Application Security | Secure coding, secure code review, threat modeling, SDLC, spot-the-bug code snippets |
| AWS Security | IAM policies, GuardDuty/CloudTrail, IMDSv2/SSRF, KMS, design scenarios |
| Common Security | Behavioral/scenario questions and cross-domain fundamentals that apply to any security role |
| AI Security | AI/ML attack taxonomy, prompt injection, model extraction, governance and risk (grounded in this site's AI Security section) |
| GRC | Governance vs. risk vs. compliance, ISO 27001, NIST CSF/RMF, privacy fundamentals (grounded in this site's GRC section) |
| API Security | BOLA/IDOR, broken auth, mass assignment, rate limiting, SSRF, shadow APIs, GraphQL risks |
| Container Security | Image hardening, image scanning, Kubernetes RBAC, network policies, Pod Security Standards, secrets |
| DevSecOps | Shift-left, SAST/SCA/DAST in a pipeline, gating merges, policy-as-code, vulnerability prioritization |
| Network Security | Defense in depth, segmentation, firewalls, IDS/IPS, zero trust vs. perimeter, ARP/DNS/MITM attacks |
| GCP Security | Shared responsibility, Cloud IAM, Security Command Center, Cloud KMS, VPC Service Controls, AWS comparison |
| Web Security | OWASP Top 10 2021 deep dives, CORS, cookie security flags, CSRF defenses, CSP |
| SOC | SIEM fundamentals, alert triage, incident response lifecycle, detection use cases |
All seven of these are grounded directly in this site's own docs (the upstream repo is empty or thin for them); see each page's intro for its source pages.

## More Domains, Coming Soon

The remaining gap is domains where neither this site nor the upstream repo has enough real content yet to ground good questions in. As either side fills in, they'll be added here in the same collapsible format; see jassics/security-interview-questions for the canonical, evolving source.

## Scenario-Based Deep Dives (GitHub Only)

These are long-form scenario interviews rather than simple Q&A, so they're linked directly rather than converted:
- Cloud Security Engineer Scenario Questions
- Security Architect Scenario Questions
- Senior AI Pentester Interview
## Stay current

This site mirrors a snapshot of security-interview-questions; the GitHub repo is the canonical, most up-to-date source and gets new questions first.