
Cyber Security Interview Questions — CIA, Crypto, IR & Cheat-Sheet

The complete cyber security interview guide — the foundations every SOC analyst, security analyst and fresher must own. Real questions with answers across the CIA triad, AAA and risk, threats and attacks, defenses and cryptography, and the incident-response lifecycle. Scenario-led, interactive, with a printable cheat-sheet — built so you walk in framing every answer the way interviewers reward.

📅 2026-06-11 · ⏱ 18 min · 1 live demo · 5 infographics · real console form · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Cyber security interview questions and answers (2026) for SOC and security-analyst roles — the CIA triad, AAA, defense in depth, Risk = Threat × Vulnerability × Impact, malware and attack types, IDS vs IPS, symmetric vs asymmetric encryption, hashing vs encryption, PKI/SSL-TLS, MFA, SIEM, EDR/XDR and the NIST incident-response lifecycle, with real SOC scenarios and a printable cheat-sheet.

🎯 Pick where you want to start

1. Fundamentals: CIA triad, AAA, risk, Zero Trust, least privilege.
2. Threats & attacks: malware, phishing, MITM, DDoS, SQLi/XSS, insider.
3. Defenses & crypto: IDS/IPS, symmetric vs asymmetric, hashing, PKI.
4. Practices & IR: NIST IR lifecycle, CSF 2.0, SOC triage scenarios.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What does the CIA triad stand for?

Answered in Fundamentals.

2. IDS vs IPS — the difference?

Answered in Defenses & crypto.

3. Should passwords be stored encrypted or hashed?

Answered in Defenses & crypto.

Most engineers think…

Most candidates answer "we have antivirus and a strong password policy, so we're secure" — and the interview quietly ends there.

That single sentence fails you. Security is layered and identity-centric, never one tool: antivirus misses phishing, stolen credentials, zero-days and insiders; a strong password is useless once it's phished. The right answer is always defense in depth — MFA + patching + least privilege + monitoring together — and you frame all of it around the CIA triad. This lesson trains exactly that instinct.

① Fundamentals — CIA triad, AAA, risk & the core models

Security interviews open on the big picture, and the single best habit is to frame everything around the CIA triad. Confidentiality keeps secrets secret (encryption, access control). Integrity keeps data un-tampered (hashing, signatures). Availability keeps systems up (redundancy, backups, DDoS protection). Every control you name should serve one of these three.

Figure 1 — Defense in depth wraps the CIA triad in layers
No single control protects an asset. Security is layered, each ring catching what the previous one missed, and every layer ultimately defends Confidentiality, Integrity and Availability. Threat → many layers → the data at the centre (CIA):
Perimeter (firewall / WAF) → Network (segmentation / IDS) → Endpoint (EDR / patching) → Identity (MFA / least privilege) → Application (input validation) → Data (encryption / DLP) → Monitoring (SIEM / SOC) → People & process (training) → CIA triad: Confidentiality · Integrity · Availability.
An attacker must defeat EVERY layer to reach the data; the defender only needs ONE layer to hold. That asymmetry is the whole argument for defense in depth, and it is the answer that beats 'we have antivirus'. The caveat a good interviewer will probe: the layers must fail independently. If MFA, EDR and the SIEM all hang off the same identity provider, or one phished session token walks through every ring, you have one layer wearing eight labels.

The security vocabulary every interview opens with

Know these four cold before anything else; they frame every other answer.

🔺 CIA Triad
Confidentiality, Integrity, Availability: the three goals every control serves. Keep secrets secret, keep data un-tampered, keep systems up. Frame answers here.

Threat vs Vuln vs Risk
Threat = the danger (a hacker). Vulnerability = the weakness (an unpatched server). Risk = Threat × Vulnerability × Impact, the chance it actually hurts you.

🧱 Defense in Depth
Layered security: many independent controls so one failure isn't fatal. The attacker must beat every layer; you only need one to hold.

🚫 Zero Trust
Never trust, always verify: no user or device is trusted by default, inside or outside the network. Verify identity + device posture on every request.

Two more frameworks every fresher must own. AAA: Authentication (who are you), Authorization (what are you allowed to do), Accounting (what did you do — the audit log). And the risk equation: Risk = Threat × Vulnerability × Impact — a vulnerability with no threat, or a threat with no impact, is low risk. The crisp interview line on the modern model: Zero Trust = never trust, always verify; Least privilege = minimum access needed, nothing more.

Quick check · Q1 of 10 · Remember

An attacker encrypts a hospital's patient records and demands payment — staff cannot open any files. Which part of the CIA triad is MOST directly attacked?

Correct: c. Ransomware locking files denies access to legitimate users — that is an Availability attack first and foremost. (Confidentiality is only hit if the data is also stolen/leaked.) Framing the attack against the CIA triad is exactly the instinct interviewers reward.
👉 So far: CIA triad = Confidentiality, Integrity, Availability — frame every answer here. AAA = Authentication, Authorization, Accounting. Risk = Threat × Vulnerability × Impact. Zero Trust = never trust, always verify; least privilege = minimum access.
Don't confuse security with compliance

Security is whether you're actually protected; compliance (ISO 27001, PCI-DSS, SOC 2) is proving it on paper against a standard. You can be compliant and still breached — compliance is a floor, not a ceiling. Saying 'we passed the audit so we're secure' is a classic junior mistake.

② Threats & attacks — the zoo you must name on demand

Interviewers fire rapid-fire "what is X" attack questions. Know the malware family cold: a virus attaches to a file and needs you to run it; a worm self-spreads across the network with no click; a trojan is disguised as something legit; ransomware encrypts your files for ransom; a rootkit hides deep in the OS for persistent access.

▶ A phishing-to-breach attack chain, and where each layer stops it

How one phishing email becomes a full breach, and how defense in depth breaks the chain (the lesson's live demo steps through the healthy path first, then the failure):

① Phishing email lands: the attacker emails 'IT Helpdesk: reset your password' to staff. The email gateway / training is the first layer.
② Victim enters credentials: an employee clicks and types their password into a fake portal. MFA is the layer that should now save them.
③ Attacker tries to log in: the stolen password is replayed. With MFA enforced, the second factor blocks the login; the chain breaks here.
④ If no MFA, lateral movement: without MFA the attacker is in. Least privilege + network segmentation + EDR/SIEM now decide how far they get.

The human attacks: phishing is mass bait; spear phishing targets one person with personal detail; whaling targets the CEO/CFO. The technical ones: MITM intercepts traffic; DDoS floods a service offline; SQL injection and XSS abuse unvalidated input; a zero-day has no patch yet; and the insider threat is the person who already has access.

Pause & Predict

A user clicks a phishing link and types their password into a fake login page. Has the company been breached yet? Type your guess.

Answer: Not necessarily. Phishing is the delivery, not the breach. If MFA is enforced, the stolen password alone is useless and the attacker is stopped at login. The breach only happens if a single control (a strong password) was the ONLY thing standing in the way. This is the entire case for layered defence: one stolen credential should never be game over. The caveat a senior interviewer will raise: SMS and push-based MFA can themselves be phished by a real-time relay (adversary-in-the-middle) page or worn down by prompt bombing, which is why phishing-resistant factors (FIDO2 security keys, passkeys) are the stronger answer.
Quick check · Q2 of 10 · Apply

Sneha at Flipkart's SOC sees a single host that started scanning and infecting other machines on the LAN overnight with no user logged in. Which malware type best fits?

Correct: b. Self-spreading across the network with no user action is the defining trait of a worm. A virus needs a user to run an infected file; a trojan needs the user to install it. The 'no user logged in, spreads on its own' detail is the giveaway.

Rahul at an Indian bank SOC faces this

A flood of failed logins hits a privileged Finance account from one external IP, then one login SUCCEEDS.

Likely cause

A brute-force attack (MITRE T1110: many password guesses against one account, as opposed to a password spray, which tries a few common passwords across many accounts to stay under lockout thresholds) that has likely succeeded: the single success after dozens of failures is the red flag.

Diagnosis

Check the SIEM alert detail: source IP reputation, the failed-then-success pattern, whether MFA challenged the success, and what the account did next.

SIEM ▸ Alerts ▸ Alert Detail (Severity, MITRE T1110, Source IP, Event Count)
Fix

Contain immediately: disable the account, force a password reset and revoke its active sessions and tokens (a reset alone does not log the attacker out); block the source IP; hunt for what the attacker accessed; then enforce MFA + lockout thresholds so it can't recur.

Verify

The account is disabled, no further activity from that IP, and the SIEM shows the brute-force rule now triggers a lockout before any success.

👉 So far: Malware: virus needs a host, worm self-spreads, trojan is disguised, ransomware encrypts, rootkit hides. Phishing→spear→whaling by targeting. MITM intercepts, DDoS floods, SQLi/XSS abuse input, zero-day has no patch, insider already has access.
'We have antivirus, so we're secure'

Antivirus catches known malware signatures — it does nothing for phishing, stolen credentials, zero-days, insiders or misconfigurations. Naming antivirus as your whole security posture is the fastest way to fail an interview. The correct answer is always layered: MFA + patching + least privilege + monitoring + training together.

③ Defenses & crypto — controls, encryption, hashing, PKI

Now the defensive toolbox. A firewall filters by rules. The classic pairing: IDS detects and alerts, while IPS sits inline and blocks. A VPN builds an encrypted tunnel; a WAF guards web apps against SQLi/XSS.

Figure 3 — Symmetric vs Asymmetric encryption
The single most-asked crypto question: one shared key (fast) versus a public/private key pair (solves key exchange). TLS uses BOTH.
Symmetric (AES): ONE shared secret key for both ends · very fast, bulk data encryption · the problem: how to share the key safely? · example: AES-256 for disk / session data.
Asymmetric (RSA / ECC): a key PAIR, public encrypts and private decrypts (and private signs, public verifies) · slower, used for small data, key exchange and signatures · solves key exchange and enables digital signatures · example: RSA / ECC in the TLS handshake and certificates.
The one-liner that wins: TLS uses asymmetric crypto to safely AGREE on a symmetric session key, then switches to fast symmetric AES for the actual data. Symmetric = speed, asymmetric = trust & key exchange. If the interviewer pushes further: in TLS 1.3 the agreement is an ephemeral (EC)DHE exchange and the certificate's key only SIGNS the handshake; encrypting the session key with the server's RSA public key was the TLS 1.2-and-earlier method and was removed because it has no forward secrecy. The bulk cipher is an AEAD such as AES-GCM or ChaCha20-Poly1305, which gives integrity as well as secrecy.

Crypto is the part freshers fumble. Don't. Symmetric encryption uses one shared key (AES: fast, bulk data). Asymmetric encryption uses a key pair (RSA/ECC: public encrypts, private decrypts; private signs, public verifies; solves key exchange). Crucially, hashing is NOT encryption. It is one-way (SHA-256), used for integrity; you can't 'decrypt' a hash. Password storage is a special case: bare SHA-256 is deliberately fast, which is exactly what an offline cracker wants, so passwords get a salted, slow password hash (bcrypt, scrypt, Argon2id). PKI and digital certificates bind a public key to an identity, which is what makes TLS trust work (SSL is the deprecated predecessor; the name survives only in 'SSL certificate').

Pause & Predict

A website stores user passwords. Should it ENCRYPT them or HASH them — and why does the difference matter? Type your guess.

Answer: HASH them, with a unique per-user salt, using a slow password hash (bcrypt or Argon2id). Encryption is reversible: if the key leaks, every password is exposed. Hashing is one-way: even the company can't read the password, and a breach of the database doesn't directly reveal plaintext passwords. The algorithm still matters: an unsalted fast hash such as bare SHA-256 lets an attacker crack every user's common password with one dictionary pass. 'We encrypt passwords' is a red flag in an interview; 'we salt-and-hash with bcrypt' is the right answer.
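The hash-vs-encrypt answer above, as working code. This is an added example, not code from the lesson or from any product: it uses only the Python standard library, so PBKDF2-HMAC-SHA256 stands in for the bcrypt/Argon2id the lesson recommends (same idea, per-user salt and a deliberate work factor). The users, passwords and the ITERATIONS value are constructed for the demo. The anti-pattern (a bare SHA-256, the thing people mean when they say "we hash passwords" without a salt) is shown next to it, together with the one-pass dictionary attack that works against a dump of such hashes.

```python
"""Hash vs encrypt for stored passwords, standard library only (added example)."""
import hashlib
import hmac
import secrets

# PBKDF2-HMAC-SHA256 is used because it ships with Python; in production use
# Argon2id or bcrypt as the lesson recommends. Tune ITERATIONS so one hash costs
# tens of milliseconds on your hardware (assumed value, not a benchmark).
ITERATIONS = 100_000


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    A fresh random salt per user means two users with the same password never
    share a hash, so a precomputed (rainbow) table is useless.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def naive_sha256(password: str) -> str:
    """The anti-pattern: a fast, unsalted hash. Identical passwords collide across
    users, and a GPU can try billions of SHA-256 guesses per second."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_naive(stolen_hashes: set, wordlist: list) -> dict:
    """Offline attack on a dump of unsalted hashes: hash each guess ONCE and
    match it against every user at the same time. Salting breaks this sharing."""
    found = {}
    for guess in wordlist:
        h = naive_sha256(guess)
        if h in stolen_hashes:
            found[h] = guess
    return found


def demo() -> dict:
    """Constructed sample: two users (alice, bob) who chose the same password."""
    alice = hash_password("Winter2026!")
    bob = hash_password("Winter2026!")
    dump = {naive_sha256("Winter2026!"), naive_sha256("correct horse battery")}
    return {
        "salted_hashes_differ": alice != bob,
        "alice_verifies": verify_password("Winter2026!", alice),
        "wrong_password_rejected": not verify_password("winter2026!", alice),
        "naive_hashes_collide": naive_sha256("Winter2026!") == naive_sha256("Winter2026!"),
        "naive_dump_cracked": crack_naive(dump, ["password", "Winter2026!"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The record format stores the algorithm and cost alongside the salt, so the work factor can be raised later and old records re-hashed on next login. `hmac.compare_digest` is used for the comparison so a timing difference does not leak how many leading bytes of the digest matched.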
Quick check · Q3 of 10 · Apply

Karthik needs to detect attacks for forensic analysis WITHOUT risk of accidentally blocking legitimate business traffic during a busy sale. IDS or IPS, and why?

Correct: b. An IDS is passive/out-of-band — it detects and alerts but won't drop legitimate packets, so there's zero risk of breaking the sale. An IPS is inline and CAN block, but a false positive would drop real customer traffic. For monitor-only, IDS; to actively block, IPS.

Priya at an Infosys client project faces this

After enabling HTTPS inspection on a new gateway, users get certificate-trust errors across many internal sites.

Likely cause

The gateway is doing TLS interception (a controlled MITM) with its own certificate, but the endpoints don't trust that inspection CA in their trust store.

Diagnosis

Open the browser certificate chain — issuer is the corporate inspection CA but shows 'untrusted'; confirm whether the CA was pushed to devices.

Browser ▸ Certificate ▸ Issuer + endpoint trust store (GPO/MDM)
Fix

Distribute the inspection root CA to all endpoints via GPO/MDM, and exempt certificate-pinned apps (banking/health apps) which break under any interception.

Verify

Reload the sites — no warning; the cert chain shows the trusted corporate CA; pinned apps are correctly bypassed.

👉 So far: Firewall filters by rule; IDS detects, IPS blocks. Symmetric=AES (one fast key), asymmetric=RSA/ECC (key pair, key exchange + signatures), hashing=one-way SHA-256 for integrity, with a salted slow hash (bcrypt/Argon2id) for passwords. PKI/certs bind a key to identity for TLS. WAF guards web apps.
The crypto one-liner that wins

'TLS uses asymmetric crypto to safely agree on a symmetric session key, then switches to fast symmetric AES for the actual data; hashing is separate: one-way, for integrity, not secrecy.' Say that and the interviewer knows you actually understand it, not just the acronyms. Be ready for the follow-up: in TLS 1.3 the agreement is ephemeral Diffie-Hellman and the certificate's key signs the handshake rather than encrypting the session key.

④ Practices & frameworks — IR lifecycle, NIST CSF & the scenarios

The senior-sounding answers come from process. The incident response lifecycle, as interviewers expect to hear it, runs: Prepare → Detect & Analyse → Contain → Eradicate → Recover → Lessons Learned. (NIST SP 800-61 groups the same steps into four phases, with containment, eradication and recovery as one phase; the six-step form is the one SANS teaches, and Rev. 3 of 800-61 re-maps the activities onto the CSF 2.0 functions.) You contain BEFORE you eradicate: stop the bleeding first. Modern security maps to NIST CSF 2.0, whose six functions are Govern, Identify, Protect, Detect, Respond, Recover (Govern was added in 2024). And vulnerability management (scan, prioritise, patch) is the unglamorous work that prevents most breaches.

Figure 4 — Is this alert a real incident? — SOC triage ladder
How a tier-1 analyst decides whether a SIEM alert is a true incident or noise: work top-down, escalate only what survives every gate.
Gate 1: Is the alert a known false positive? (check the tuning / allow-list) FAIL → known benign: close + document, tune the rule. PASS ↓
Gate 2: Is the activity actually malicious? (map to MITRE ATT&CK, check intent) FAIL → authorised/expected: close as benign, note context. PASS ↓
Gate 3: Did it succeed / is it ongoing? (check logon success, data movement) FAIL → blocked attempt only: log + monitor, raise threshold. PASS ↓
Gate 4: Is a crown-jewel asset / account hit? (check asset value & privilege) FAIL → low-value, contained: ticket at low severity. PASS → escalate as an incident.
Escalate only what passes all four gates: real, malicious, succeeding, and hitting something valuable. That is the judgement an interviewer is testing: not whether you can read an alert, but whether you know what deserves a 2 a.m. call.

🖥️ This is the screen a SOC analyst lives in — SIEM ▸ Alerts ▸ open the alert ▸ read the detail pane. Fields ①②③ decide whether you escalate. This alert at an Indian bank's SOC just fired on a flood of failed logins.

soc.bank.example.in · SIEM ▸ Alerts ▸ Alert Detail
Alert Name: Multiple Failed Logons — Possible Brute Force
Severity: High ①
MITRE Technique: T1110 — Brute Force ②
Tactic: Credential Access
Source IP: 203.0.113.45 (external)
Target User: priya.sharma (Finance, privileged)
Event Count: 48 failed in 90s, then 1 SUCCESS ③
Recommended Action: Investigate → Contain (disable + reset)

① Severity High + a privileged user = escalate now, do not just close. ② MITRE T1110 names the technique (Brute Force, Credential Access) so you know what to look for next. ③ The killer field: 48 fails then 1 SUCCESS means the brute force likely WORKED. This is a live incident; contain the account immediately.

Pause & Predict

During a ransomware outbreak spreading across the LAN, what is the very FIRST action — restore from backups, or isolate the infected machines? Type your guess.

Answer: Isolate (Contain) first. In the IR lifecycle you Contain before you Eradicate or Recover — disconnect/segment the infected hosts so the ransomware stops spreading. Restoring from backup while the malware is still live just re-infects the clean systems. Reaching for backups first is the classic wrong instinct under pressure.
Quick check · Q4 of 10 · Analyze

A SIEM alert shows 48 failed logins then 1 success on a privileged account, mapped to MITRE T1110. The host is a finance server. Why does this jump straight to High severity?

Correct: a. Severity = likelihood × impact. The failed-then-success pattern means the attack likely succeeded (high likelihood of compromise), and it's a privileged account on a high-value finance server (high impact). Real + succeeding + crown-jewel = escalate now, exactly the triage ladder.

Arjun at Wipro's security team faces this

A critical CVE is published for the company's public web server, with a known exploit circulating, but the patch needs a maintenance window two weeks away.

Likely cause

There's now an active threat (public exploit) against a known vulnerability on an exposed asset — risk is high and immediate; waiting two weeks is unacceptable.

Diagnosis

Score it with CVSS, then check real-world exploitability and exposure: is it in CISA's Known Exploited Vulnerabilities (KEV) catalogue, what is its EPSS score, is the asset internet-facing and in scope; check for a vendor workaround or virtual patch.

Vuln management ▸ CVE detail + CVSS + asset exposure
Fix

Apply a virtual patch at the WAF/IPS as a compensating control now, restrict exposure (ACL/geo-block), then schedule the real patch ASAP — don't wait the full two weeks for an actively-exploited, internet-facing CVE.

Verify

The WAF rule blocks the exploit pattern, scans show the attack vector mitigated, and the permanent patch is applied in the next emergency window.

Quick SOC triage commands an analyst actually runs
# How many failed logons from the suspect IP, and did any succeed?
# -F matches the address literally (otherwise the dots are regex wildcards).
# Debian/Ubuntu log to /var/log/auth.log; the RHEL family to /var/log/secure,
# or read the journal: journalctl -u ssh (Debian) / journalctl -u sshd (RHEL)
grep -F '203.0.113.45' /var/log/auth.log | grep -c 'Failed password'
grep -F '203.0.113.45' /var/log/auth.log | grep 'Accepted password'

# Is the host still talking to the attacker? (containment check; run as root
# so ss can show the owning process)
ss -tnp | grep -F '203.0.113.45'

# Verify the integrity of a downloaded patch before applying it. Compare against
# the hash the vendor publishes on a separate, trusted channel; a hash served next
# to the download over the same possibly-compromised path proves nothing.
sha256sum patch-CVE-2026-1234.bin
Expected output
48
Accepted password for priya.sharma from 203.0.113.45 port 51422 ssh2
ESTAB  0  0  10.20.4.11:22  203.0.113.45:51422  users:(("sshd",pid=4471))
9f2c... (matches the vendor-published hash → safe to apply)
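The Rahul scenario, the alert-detail pane and the triage ladder all describe one detection rule and one decision; the grep commands above are its manual form. Here it is as a small detector. This is an added example, not code from the lesson or from any SIEM: it runs over a constructed sshd-style auth.log excerpt (hosts, users and addresses are hypothetical; 10.20.9.9 is assumed to be an allow-listed vulnerability scanner and priya.sharma an assumed privileged account), flags a T1110 burst with a sliding 90-second window, notes whether an Accepted logon followed while the burst was still inside the window, and then applies the ladder's gates to produce the severity and action the pane shows.

```python
"""Brute-force (MITRE T1110) detection and the triage ladder (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sshd-style excerpt; hosts, users and addresses are hypothetical.
SAMPLE_LOG = """\
Jun 11 02:14:00 fin-srv-01 sshd[4471]: Failed password for priya.sharma from 203.0.113.45 port 51401 ssh2
Jun 11 02:14:15 fin-srv-01 sshd[4471]: Failed password for priya.sharma from 203.0.113.45 port 51402 ssh2
Jun 11 02:14:30 fin-srv-01 sshd[4471]: Failed password for priya.sharma from 203.0.113.45 port 51403 ssh2
Jun 11 02:14:45 fin-srv-01 sshd[4471]: Failed password for priya.sharma from 203.0.113.45 port 51404 ssh2
Jun 11 02:15:00 fin-srv-01 sshd[4471]: Failed password for priya.sharma from 203.0.113.45 port 51405 ssh2
Jun 11 02:15:10 fin-srv-01 sshd[4471]: Accepted password for priya.sharma from 203.0.113.45 port 51422 ssh2
Jun 11 02:20:00 fin-srv-01 sshd[4490]: Failed password for rahul.v from 10.20.4.77 port 40001 ssh2
Jun 11 02:20:05 fin-srv-01 sshd[4490]: Accepted password for rahul.v from 10.20.4.77 port 40002 ssh2
Jun 11 03:00:00 fin-srv-01 sshd[4510]: Failed password for svc-backup from 10.20.9.9 port 33001 ssh2
Jun 11 03:00:01 fin-srv-01 sshd[4510]: Failed password for svc-backup from 10.20.9.9 port 33002 ssh2
Jun 11 03:00:02 fin-srv-01 sshd[4510]: Failed password for svc-backup from 10.20.9.9 port 33003 ssh2
Jun 11 03:00:03 fin-srv-01 sshd[4510]: Failed password for svc-backup from 10.20.9.9 port 33004 ssh2
Jun 11 03:00:04 fin-srv-01 sshd[4510]: Failed password for svc-backup from 10.20.9.9 port 33005 ssh2
Jun 11 03:10:00 fin-srv-01 sshd[4520]: Failed password for invalid user admin from 198.51.100.7 port 5001 ssh2
Jun 11 03:10:02 fin-srv-01 sshd[4520]: Failed password for invalid user admin from 198.51.100.7 port 5002 ssh2
Jun 11 03:10:04 fin-srv-01 sshd[4520]: Failed password for invalid user admin from 198.51.100.7 port 5003 ssh2
Jun 11 03:10:06 fin-srv-01 sshd[4520]: Failed password for invalid user admin from 198.51.100.7 port 5004 ssh2
Jun 11 03:10:08 fin-srv-01 sshd[4520]: Failed password for invalid user admin from 198.51.100.7 port 5005 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
LOG_YEAR = "2026"                            # syslog lines carry no year; assumed
WINDOW = timedelta(seconds=90)               # same window as the alert pane
THRESHOLD = 5                                # failures inside WINDOW that count as T1110
KNOWN_BENIGN_IPS = {"10.20.9.9"}             # assumed allow-list: authorised scanner
PRIVILEGED_USERS = {"priya.sharma", "root"}  # assumed crown-jewel accounts


def parse(log_text: str) -> list:
    """Turn raw lines into events; lines that are not logon outcomes are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S"),
                "outcome": m["outcome"], "user": m["user"], "ip": m["ip"],
            })
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list) -> list:
    """Per (source IP, target user): sliding-window failure count. An Accepted
    logon while THRESHOLD failures are still inside the window = likely success."""
    by_key = {}
    for e in events:
        by_key.setdefault((e["ip"], e["user"]), []).append(e)
    alerts = []
    for (ip, user), evs in by_key.items():
        fails, peak, succeeded = [], 0, False
        for e in evs:
            fails = [t for t in fails if e["ts"] - t <= WINDOW]   # drop old failures
            if e["outcome"] == "Failed":
                fails.append(e["ts"])
                peak = max(peak, len(fails))
            elif len(fails) >= THRESHOLD:
                succeeded = True
        if peak >= THRESHOLD:
            alerts.append({"technique": "T1110", "tactic": "Credential Access",
                           "source_ip": ip, "target_user": user,
                           "event_count": peak, "succeeded": succeeded})
    return alerts


def triage(alert: dict) -> dict:
    """The triage ladder: known false positive? -> succeeded? -> crown jewel?
    (Gate 2, 'actually malicious', is the THRESHOLD already applied in detect().)"""
    if alert["source_ip"] in KNOWN_BENIGN_IPS:
        return {"severity": "Closed", "action": "known benign: document, tune the rule"}
    if not alert["succeeded"]:
        return {"severity": "Low", "action": "blocked attempt: log, monitor, block source IP"}
    if alert["target_user"] in PRIVILEGED_USERS:
        return {"severity": "High", "action": "escalate now: disable account, reset, "
                                              "revoke sessions, block IP, hunt"}
    return {"severity": "Medium", "action": "ticket: confirm what the account did next"}


def run(log_text: str) -> list:
    """Detection plus triage, returning records shaped like the alert pane."""
    return [dict(a, **triage(a)) for a in detect(parse(log_text))]


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(alert)
```

Two details matter for the interview. The window is pruned before every event, including the Accepted one, so a success an hour after the burst is not credited to it; and keying on (source IP, target user) means a password spray (few guesses, many users) would not trip this rule, which is exactly why a second rule keyed on source IP alone belongs next to it.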

Kavya at an HCL interview panel faces this

The interviewer asks: 'A user reports their machine is slow and pop-ups appear. Walk me through what you do.'

Likely cause

Likely malware (adware/trojan) — but the value isn't the guess, it's showing a structured response that maps to the IR lifecycle.

Diagnosis

Detect & Analyse: check running processes, recent installs, EDR alerts, and outbound connections; confirm it's malicious vs just slow.

IR lifecycle ▸ Detect → Contain → Eradicate → Recover → Lessons
Fix

Contain (isolate the host from the network), Eradicate (remove the malware via EDR / re-image), Recover (restore and patch), then Lessons Learned (how did it get in — phishing? patch gap?) and fix that root cause.

Verify

You named a structured, lifecycle-driven answer instead of 'I'd run a virus scan' — that's what earns the offer.

Figure 5 — Cyber security interview cheat-sheet
One card: the CIA triad, risk equation, attack zoo, the crypto pair, defence stack and the IR loop. Print this before your security interview.
🔺 CIA triad: Confidentiality (secrecy) · Integrity (no tampering) · Availability (it's up). Frame EVERY answer here.
Risk equation: Risk = Threat × Vulnerability × Impact. Threat = who, Vuln = the hole, Impact = the damage.
🦠 Attack zoo: Virus needs a host · Worm self-spreads · Trojan disguised · Ransomware encrypts · Phishing = bait.
🔑 Crypto pair: Symmetric = AES, one fast key · Asymmetric = RSA, key pair · Hash = one-way, integrity only.
🛡 Defence stack: Firewall · IDS detects / IPS blocks · MFA · SIEM correlates · EDR/XDR on endpoints · WAF for web.
🔄 IR loop: Prepare → Detect → Contain → Eradicate → Recover → Lessons. Contain BEFORE eradicate.
Train hands-on. Pass with proof. — Techclick
Prove it, don't assume — the SOC mindset

Never close a ticket on 'looks fine'. Check the logs (did the login actually succeed?), check containment (is the host still talking to the attacker?), verify integrity (does the file hash match?). Evidence over assumption is the difference between a junior who guesses and an analyst who's trusted with a P1.

👉 So far: IR lifecycle: Prepare → Detect → Contain → Eradicate → Recover → Lessons (contain before eradicate). NIST CSF 2.0 = Govern, Identify, Protect, Detect, Respond, Recover. Vuln management = scan, prioritise (CVSS), patch — and an actively-exploited internet-facing CVE gets a virtual patch NOW.


📝 Wrap-up assessment — six more


Q5 · Apply

An e-commerce site at Flipkart suffers a DDoS flood and goes offline during a sale. Which CIA pillar is hit, and which control category responds?

Correct: c. A DDoS denies legitimate users access — it's an Availability attack. The defences are availability controls: upstream DDoS scrubbing/CDN, rate-limiting, autoscaling and redundancy. Mapping the attack to the CIA pillar and then to the matching control is exactly the structure interviewers want.
Q6 · Analyze

Priya's team enforces MFA, yet an attacker still phished a password. Why is the breach contained, and what does this prove about single controls?

Correct: d. With MFA enforced, a stolen password is useless without the second factor — the attack is stopped at login. This is the core lesson of defense in depth: no single control is the whole story, and a strong password alone is never enough. That framing beats 'we have a password policy'.
Q7 · Analyze

A junior says 'we encrypt all stored passwords.' Why does a senior interviewer flinch, and what's the correct design?

Correct: b. Encryption is reversible — if the key leaks, every password is exposed. Passwords must be salted and hashed with bcrypt/argon2 (one-way), so even a full database breach doesn't directly reveal plaintext. 'We encrypt passwords' signals a real misunderstanding of hashing vs encryption.
Q8 · Analyze

During a worm outbreak spreading across the LAN, what is the correct FIRST step in the NIST IR lifecycle, and why not restore backups first?

Correct: a. The lifecycle is Prepare → Detect → Contain → Eradicate → Recover → Lessons. You Contain before you Eradicate/Recover — isolate the infected hosts so the worm stops spreading. Restoring backups while the malware is still live just re-infects clean systems. Containment-first is the instinct seniors test for.
Q9 · Evaluate

A company passes its ISO 27001 audit, then suffers a major breach. The best interview take is…

Correct: d. Compliance proves you met a standard at a moment in time; it doesn't mean you're actually secure against a live, adaptive attacker. Real security is continuous, layered and identity-centric. Articulating the security-vs-compliance gap — without dismissing frameworks — is a senior-level answer.
Q10 · Evaluate

Asked 'what's the single most important thing to improve a company's security posture?', the strongest answer is…

Correct: b. The trap is naming one silver bullet. Strong posture is layered — defense in depth. The honest senior answer: no single control suffices, but MFA (stops stolen-credential attacks) plus disciplined patching (closes the holes worms/exploits use) eliminate the largest share of real-world breaches. Single-tool answers fail.

🧠 In your own words

Type one line: why is defense in depth better than relying on antivirus? Then compare to the expert version.

Expert version: Because antivirus is one control catching one class of threat (known malware signatures). It does nothing for phishing, stolen credentials, zero-days, misconfigurations or insiders. Defense in depth layers many independent controls — MFA, patching, least privilege, network segmentation, EDR and SIEM monitoring — so that when one fails, the next catches the attack. The attacker must defeat every layer; the defender only needs one to hold. That asymmetry, plus framing it all around protecting the CIA triad, is the answer that gets you hired.


📖 Glossary

CIA Triad
Confidentiality (secrecy), Integrity (no tampering), Availability (it's up) — the three core goals of security.
AAA
Authentication (who you are), Authorization (what you may do), Accounting (what you did — the audit log).
Risk equation
Risk = Threat × Vulnerability × Impact — the chance a weakness is exploited and how badly it hurts.
Defense in depth
Layered, independent controls so one failure isn't fatal; the attacker must beat every layer.
Zero Trust / Least privilege
Never trust, always verify; grant only the minimum access each user/process needs.
Malware family
Virus (needs a host), worm (self-spreads), trojan (disguised), ransomware (encrypts), rootkit (hides).
IDS vs IPS
IDS detects and alerts (passive); IPS sits inline and actively blocks malicious traffic.
Symmetric vs Asymmetric
Symmetric = one shared key (AES, fast); asymmetric = a key pair (RSA/ECC, key exchange + signatures).
Hashing
A one-way function (SHA-256) for integrity; not reversible, not encryption. For password storage use a salted, slow variant (bcrypt, scrypt, Argon2id) rather than a bare fast hash.
IR lifecycle
NIST SP 800-61: Prepare → Detect → Contain → Eradicate → Recover → Lessons Learned.

📚 Sources

  1. NIST — SP 800-61 Rev. 3: Incident Response Recommendations and Considerations (2025). csrc.nist.gov
  2. NIST — Cybersecurity Framework (CSF) 2.0 — Govern, Identify, Protect, Detect, Respond, Recover. nist.gov/cyberframework
  3. MITRE ATT&CK — Brute Force (T1110), Credential Access tactic. attack.mitre.org
  4. OWASP — Top 10:2025 (Broken Access Control A01, Injection A05 — SQLi/XSS). owasp.org/Top10
  5. CIS — Critical Security Controls v8 (defense-in-depth control families). cisecurity.org
  6. (ISC)² & CompTIA — Security+ / CC exam objectives (CIA, crypto, IR). comptia.org & isc2.org

What's next?

Cleared the fundamentals round? Keep going — the interview-prep library covers Zscaler, Palo Alto, Fortinet, VPN, Checkpoint and more, all in the same hands-on style.