TTechclick ⚡ XP 0% All lessons
Cyber Security · Fundamentals · Interview PrepInteractive · L1 / L2 / L3

Cyber Security Interview Questions — CIA, Crypto, IR & Cheat-Sheet

The complete cyber security interview guide — the foundations every SOC analyst, security analyst and fresher must own. Real questions with answers across the CIA triad, AAA and risk, threats and attacks, defenses and cryptography, and the incident-response lifecycle. Scenario-led, interactive, with a printable cheat-sheet — built so you walk in framing every answer the way interviewers reward.

📅 2026-06-11 · ⏱ 18 min · 1 live demo · 5 infographics · real console form · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

Cyber security interview questions and answers (2026) for SOC and security-analyst roles — the CIA triad, AAA, defense in depth, Risk = Threat × Vulnerability × Impact, malware and attack types, IDS vs IPS, symmetric vs asymmetric encryption, hashing vs encryption, PKI/SSL-TLS, MFA, SIEM, EDR/XDR and the NIST incident-response lifecycle, with real SOC scenarios and a printable cheat-sheet.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Fundamentals

CIA triad, AAA, risk, Zero Trust, least privilege.

 2

Threats & attacks

Malware, phishing, MITM, DDoS, SQLi/XSS, insider.

 3

Defenses & crypto

IDS/IPS, symmetric vs asymmetric, hashing, PKI.

 4

Practices & IR

NIST IR lifecycle, CSF 2.0, SOC triage scenarios.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. What does the CIA triad stand for?

Answered in Fundamentals.

2. IDS vs IPS — the difference?

Answered in Defenses & crypto.

3. Should passwords be stored encrypted or hashed?

Answered in Threats & attacks.

Most engineers think…

Most candidates answer "we have antivirus and a strong password policy, so we're secure" — and the interview quietly ends there.

That single sentence fails you. Security is layered and identity-centric, never one tool: antivirus misses phishing, stolen credentials, zero-days and insiders; a strong password is useless once it's phished. The right answer is always defense in depth — MFA + patching + least privilege + monitoring together — and you frame all of it around the CIA triad. This lesson trains exactly that instinct.

① Fundamentals — CIA triad, AAA, risk & the core models

Security interviews open on the big picture, and the single best habit is to frame everything around the CIA triad. Confidentiality keeps secrets secret (encryption, access control). Integrity keeps data un-tampered (hashing, signatures). Availability keeps systems up (redundancy, backups, DDoS protection). Every control you name should serve one of these three.

Figure 1 — Defense in depth wraps the CIA triad in layers
No single control protects an asset. Security is layered — each ring catches what the previous one missed — and every layer ultimately defends Confidentiality, Integrity and Availability.Threat → many layers → the data at the centre (CIA)Perimeter (firewall / WAF)Network (segmentation / IDS)Endpoint (EDR / patching)Identity (MFA / least privilege)CIA TriadConfidentiality · Integrity · AvailabilityApplication (input validation)Data (encryption / DLP)Monitoring (SIEM / SOC)People & process (training)
An attacker must defeat EVERY layer to reach the data; the defender only needs ONE layer to hold. That asymmetry is the whole argument for defense in depth — and it is the answer that beats 'we have antivirus'.

The security vocabulary every interview opens with

Know these four cold before anything else — they frame every other answer. Tap each card.

🔺
CIA Triad
tap to flip

Confidentiality, Integrity, Availability — the three goals every control serves. Keep secrets secret, keep data un-tampered, keep systems up. Frame answers here.

Threat vs Vuln vs Risk
tap to flip

Threat = the danger (a hacker). Vulnerability = the weakness (an unpatched server). Risk = Threat × Vulnerability × Impact — the chance it actually hurts you.

🧱
Defense in Depth
tap to flip

Layered security — many independent controls so one failure isn't fatal. The attacker must beat every layer; you only need one to hold.

🚫
Zero Trust
tap to flip

Never trust, always verify — no user or device is trusted by default, inside or outside the network. Verify identity + device posture on every request.

Two more frameworks every fresher must own. AAA: Authentication (who are you), Authorization (what are you allowed to do), Accounting (what did you do — the audit log). And the risk equation: Risk = Threat × Vulnerability × Impact — a vulnerability with no threat, or a threat with no impact, is low risk. The crisp interview line on the modern model: Zero Trust = never trust, always verify; Least privilege = minimum access needed, nothing more.

Quick check · Q1 of 10 · Remember

An attacker encrypts a hospital's patient records and demands payment — staff cannot open any files. Which part of the CIA triad is MOST directly attacked?

Correct: c. Ransomware locking files denies access to legitimate users — that is an Availability attack first and foremost. (Confidentiality is only hit if the data is also stolen/leaked.) Framing the attack against the CIA triad is exactly the instinct interviewers reward.
👉 So far: CIA triad = Confidentiality, Integrity, Availability — frame every answer here. AAA = Authentication, Authorization, Accounting. Risk = Threat × Vulnerability × Impact. Zero Trust = never trust, always verify; least privilege = minimum access.
Don't confuse security with compliance

Security is whether you're actually protected; compliance (ISO 27001, PCI-DSS, SOC 2) is proving it on paper against a standard. You can be compliant and still breached — compliance is a floor, not a ceiling. Saying 'we passed the audit so we're secure' is a classic junior mistake.

② Threats & attacks — the zoo you must name on demand

Interviewers fire rapid-fire "what is X" attack questions. Know the malware family cold: a virus attaches to a file and needs you to run it; a worm self-spreads across the network with no click; a trojan is disguised as something legit; ransomware encrypts your files for ransom; a rootkit hides deep in the OS for persistent access.

▶ Watch a phishing-to-breach attack chain — and where each layer stops it

How one phishing email becomes a full breach, and how defense in depth breaks the chain. Press Play for the healthy path, then Break it to see the failure.

① Phishing email landsAttacker emails 'IT Helpdesk: reset your password' to staff. The email gateway / training is the first layer.
② Victim enters credentialsAn employee clicks and types their password into a fake portal. MFA is the layer that should now save them.
③ Attacker tries to log inStolen password is replayed. With MFA enforced, the second factor blocks the login — the chain breaks here.
④ If no MFA: lateral movementWithout MFA the attacker is in. Least privilege + network segmentation + EDR/SIEM now decide how far they get.
Press Play to step through the healthy path. Then press Break it.
COLOUR KEYattack / blocked / failtrusted / inspected controldecision / detection pointallowed / verified safe

The human attacks: phishing is mass bait; spear phishing targets one person with personal detail; whaling targets the CEO/CFO. The technical ones: MITM intercepts traffic; DDoS floods a service offline; SQL injection and XSS abuse unvalidated input; a zero-day has no patch yet; and the insider threat is the person who already has access.

Pause & Predict

A user clicks a phishing link and types their password into a fake login page. Has the company been breached yet? Type your guess.

Answer: Not necessarily — phishing is the delivery, not the breach. If MFA is enforced, the stolen password alone is useless and the attacker is stopped at login. The breach only happens if a single control (a strong password) was the ONLY thing standing in the way. This is the entire case for layered defence: one stolen credential should never be game over.
Quick check · Q2 of 10 · Apply

Sneha at Flipkart's SOC sees a single host that started scanning and infecting other machines on the LAN overnight with no user logged in. Which malware type best fits?

Correct: b. Self-spreading across the network with no user action is the defining trait of a worm. A virus needs a user to run an infected file; a trojan needs the user to install it. The 'no user logged in, spreads on its own' detail is the giveaway.

Rahul at an Indian bank SOC faces this

A flood of failed logins hits a privileged Finance account from one external IP, then one login SUCCEEDS.

Likely cause

A brute-force / password-spray attack (MITRE T1110) that has likely succeeded — the single success after dozens of failures is the red flag.

Diagnosis

Check the SIEM alert detail: source IP reputation, the failed-then-success pattern, whether MFA challenged the success, and what the account did next.

SIEM ▸ Alerts ▸ Alert Detail (Severity, MITRE T1110, Source IP, Event Count)
Fix

Contain immediately — disable the account and force a password reset; block the source IP; hunt for what the attacker accessed; then enforce MFA + lockout thresholds so it can't recur.

Verify

The account is disabled, no further activity from that IP, and the SIEM shows the brute-force rule now triggers a lockout before any success.

👉 So far: Malware: virus needs a host, worm self-spreads, trojan is disguised, ransomware encrypts, rootkit hides. Phishing→spear→whaling by targeting. MITM intercepts, DDoS floods, SQLi/XSS abuse input, zero-day has no patch, insider already has access.
'We have antivirus, so we're secure'

Antivirus catches known malware signatures — it does nothing for phishing, stolen credentials, zero-days, insiders or misconfigurations. Naming antivirus as your whole security posture is the fastest way to fail an interview. The correct answer is always layered: MFA + patching + least privilege + monitoring + training together.

③ Defenses & crypto — controls, encryption, hashing, PKI

Now the defensive toolbox. A firewall filters by rules. The classic pairing: IDS detects and alerts, while IPS sits inline and blocks. A VPN builds an encrypted tunnel; a WAF guards web apps against SQLi/XSS.

Figure 3 — Symmetric vs Asymmetric encryption
The single most-asked crypto question: one shared key (fast) versus a public/private key pair (solves key exchange). TLS uses BOTH.Symmetric vs Asymmetric encryptionSymmetric (AES)Asymmetric (RSA / ECC)ONE shared secret key for both endsA key PAIR: public encrypts, private decryptsVery fast — bulk data encryptionSlower — small data, key exchange, signaturesProblem: how to share the key safely?Solves key exchange; enables digital signaturesExample: AES-256 disk / session dataExample: RSA / ECC in the TLS handshake & certs
The one-liner that wins: TLS uses asymmetric crypto to safely AGREE on a symmetric session key, then switches to fast symmetric AES for the actual data. Symmetric = speed, asymmetric = trust & key exchange.

Crypto is the part freshers fumble — don't. Symmetric encryption uses one shared key (AES — fast, bulk data). Asymmetric encryption uses a key pair (RSA/ECC — public encrypts, private decrypts; solves key exchange). Crucially, hashing is NOT encryption — it is one-way (SHA-256), used for integrity and password storage; you can't 'decrypt' a hash. PKI and digital certificates bind a public key to an identity, powering SSL/TLS.

Pause & Predict

A website stores user passwords. Should it ENCRYPT them or HASH them — and why does the difference matter? Type your guess.

Answer: HASH them (with a unique salt, using bcrypt/argon2). Encryption is reversible — if the key leaks, every password is exposed. Hashing is one-way: even the company can't read the password, and a breach of the database doesn't directly reveal plaintext passwords. 'We encrypt passwords' is technically a red flag in an interview; 'we salt-and-hash with bcrypt' is the right answer.
Quick check · Q3 of 10 · Apply

Karthik needs to detect attacks for forensic analysis WITHOUT risk of accidentally blocking legitimate business traffic during a busy sale. IDS or IPS, and why?

Correct: b. An IDS is passive/out-of-band — it detects and alerts but won't drop legitimate packets, so there's zero risk of breaking the sale. An IPS is inline and CAN block, but a false positive would drop real customer traffic. For monitor-only, IDS; to actively block, IPS.

Priya at an Infosys client project faces this

After enabling HTTPS inspection on a new gateway, users get certificate-trust errors across many internal sites.

Likely cause

The gateway is doing TLS interception (a controlled MITM) with its own certificate, but the endpoints don't trust that inspection CA in their trust store.

Diagnosis

Open the browser certificate chain — issuer is the corporate inspection CA but shows 'untrusted'; confirm whether the CA was pushed to devices.

Browser ▸ Certificate ▸ Issuer + endpoint trust store (GPO/MDM)
Fix

Distribute the inspection root CA to all endpoints via GPO/MDM, and exempt certificate-pinned apps (banking/health apps) which break under any interception.

Verify

Reload the sites — no warning; the cert chain shows the trusted corporate CA; pinned apps are correctly bypassed.

👉 So far: Firewall filters by rule; IDS detects, IPS blocks. Symmetric=AES (one fast key), asymmetric=RSA (key pair, key exchange + signatures), hashing=one-way SHA-256 for integrity/passwords. PKI/certs bind a key to identity for SSL/TLS. WAF guards web apps.
The crypto one-liner that wins

'TLS uses asymmetric crypto to safely agree on a symmetric session key, then switches to fast symmetric AES for the actual data — and hashing is separate: one-way, for integrity, not secrecy.' Say that and the interviewer knows you actually understand it, not just the acronyms.

④ Practices & frameworks — IR lifecycle, NIST CSF & the scenarios

The senior-sounding answers come from process. The incident response lifecycle (NIST SP 800-61) runs: Prepare → Detect & Analyse → Contain → Eradicate → Recover → Lessons Learned. You contain BEFORE you eradicate — stop the bleeding first. Modern security maps to NIST CSF 2.0, whose six functions are Govern, Identify, Protect, Detect, Respond, Recover (Govern was added in 2024). And vulnerability management — scan, prioritise, patch — is the unglamorous work that prevents most breaches.

Figure 4 — Is this alert a real incident? — SOC triage ladder
How a tier-1 analyst decides whether a SIEM alert is a true incident or noise — work top-down, escalate only what survives every gate.Is this alert a real incident? — SOC triage ladderIs the alert a known false positive?check the tuning / allow-listFAILKnown benignclose + document, tune the rulePASS ↓Is the activity actually malicious?map to MITRE ATT&CK, check intentFAILAuthorised/expectedclose as benign, note contextPASS ↓Did it succeed / is it ongoing?check logon success, data movementFAILBlocked attempt onlylog + monitor, raise thresholdPASS ↓Is a crown-jewel asset / account hit?check asset value & privilegeFAILLow-value, containedticket at low severityAll pass → the layer is healthy; look one level up.
Escalate only what passes all four gates: real, malicious, succeeding, and hitting something valuable. That is the judgement an interviewer is testing — not whether you can read an alert, but whether you know what deserves a 2 a.m. call.

🖥️ This is the screen a SOC analyst lives in — SIEM ▸ Alerts ▸ open the alert ▸ read the detail pane. Fields ①②③ decide whether you escalate. This alert at an Indian bank's SOC just fired on a flood of failed logins.

soc.bank.example.in · SIEM ▸ Alerts ▸ Alert Detail
Alert Name *
Multiple Failed Logons — Possible Brute Force
Severity
High
1
MITRE Technique
T1110 — Brute Force
2
Tactic
Credential Access
Source IP
203.0.113.45 (Cidr: external)
Target User
priya.sharma (Finance, privileged)
Event Count
48 failed in 90s, then 1 SUCCESS
3
Recommended Action
Investigate → Contain (disable + reset)
Investigate   Contain

Severity High + a privileged user = escalate now, do not just close. ② MITRE T1110 names the technique (Brute Force, Credential Access) so you know what to look for next. ③ The killer field — 48 fails then 1 SUCCESS means the brute force likely WORKED: this is a live incident, contain the account immediately.

Pause & Predict

During a ransomware outbreak spreading across the LAN, what is the very FIRST action — restore from backups, or isolate the infected machines? Type your guess.

Answer: Isolate (Contain) first. In the IR lifecycle you Contain before you Eradicate or Recover — disconnect/segment the infected hosts so the ransomware stops spreading. Restoring from backup while the malware is still live just re-infects the clean systems. Reaching for backups first is the classic wrong instinct under pressure.
Quick check · Q4 of 10 · Analyze

A SIEM alert shows 48 failed logins then 1 success on a privileged account, mapped to MITRE T1110. The host is a finance server. Why does this jump straight to High severity?

Correct: a. Severity = likelihood × impact. The failed-then-success pattern means the attack likely succeeded (high likelihood of compromise), and it's a privileged account on a high-value finance server (high impact). Real + succeeding + crown-jewel = escalate now, exactly the triage ladder.

Arjun at Wipro's security team faces this

A critical CVE is published for the company's public web server, with a known exploit circulating, but the patch needs a maintenance window two weeks away.

Likely cause

There's now an active threat (public exploit) against a known vulnerability on an exposed asset — risk is high and immediate; waiting two weeks is unacceptable.

Diagnosis

Score it with CVSS + check exploitability and exposure; confirm the asset is internet-facing and in scope; check for a vendor workaround or virtual patch.

Vuln management ▸ CVE detail + CVSS + asset exposure
Fix

Apply a virtual patch at the WAF/IPS as a compensating control now, restrict exposure (ACL/geo-block), then schedule the real patch ASAP — don't wait the full two weeks for an actively-exploited, internet-facing CVE.

Verify

The WAF rule blocks the exploit pattern, scans show the attack vector mitigated, and the permanent patch is applied in the next emergency window.

Quick SOC triage commands an analyst actually runs
# How many failed logons from the suspect IP, and did any succeed?
grep '203.0.113.45' /var/log/auth.log | grep -c 'Failed password'
grep '203.0.113.45' /var/log/auth.log | grep 'Accepted password'

# Is the host still talking to the attacker? (containment check)
ss -tnp | grep '203.0.113.45'

# Verify the integrity of a downloaded patch before applying it
sha256sum patch-CVE-2026-1234.bin
Expected output
48
Accepted password for priya.sharma from 203.0.113.45 port 51422 ssh2
ESTAB  0  0  10.20.4.11:22  203.0.113.45:51422  users:(("sshd",pid=4471))
9f2c... (matches the vendor-published hash → safe to apply)

Kavya at an HCL interview panel faces this

The interviewer asks: 'A user reports their machine is slow and pop-ups appear. Walk me through what you do.'

Likely cause

Likely malware (adware/trojan) — but the value isn't the guess, it's showing a structured response that maps to the IR lifecycle.

Diagnosis

Detect & Analyse: check running processes, recent installs, EDR alerts, and outbound connections; confirm it's malicious vs just slow.

IR lifecycle ▸ Detect → Contain → Eradicate → Recover → Lessons
Fix

Contain (isolate the host from the network), Eradicate (remove the malware via EDR / re-image), Recover (restore and patch), then Lessons Learned (how did it get in — phishing? patch gap?) and fix that root cause.

Verify

You named a structured, lifecycle-driven answer instead of 'I'd run a virus scan' — that's what earns the offer.

Figure 5 — Cyber security interview cheat-sheet
One card: the CIA triad, risk equation, attack zoo, the crypto pair, defence stack and the IR loop.🖨 Print this before your security interview🔺CIA triadConfidentiality (secrecy) ·Integrity (no tampering) ·Availability (it's up). FrameEVERY answer here.Risk equationRisk = Threat × Vulnerability× Impact. Threat=who, Vuln=thehole, Impact=the damage.🦠Attack zooVirus needs a host · Wormself-spreads · Trojandisguised · Ransomwareencrypts · Phishing = bait.🔑Crypto pairSymmetric=AES, one fast key ·Asymmetric=RSA, key pair ·Hash=one-way, integrity only.🛡Defence stackFirewall · IDS detects/IPSblocks · MFA · SIEM correlates· EDR/XDR on endpoints · WAFfor web.🔄IR loopPrepare → Detect → Contain →Eradicate → Recover → Lessons.Contain BEFORE eradicate.Train hands-on. Pass with proof. — Techclick
Tap the Preview button at the top to save this one-page card before your interview.
Prove it, don't assume — the SOC mindset

Never close a ticket on 'looks fine'. Check the logs (did the login actually succeed?), check containment (is the host still talking to the attacker?), verify integrity (does the file hash match?). Evidence over assumption is the difference between a junior who guesses and an analyst who's trusted with a P1.

👉 So far: IR lifecycle: Prepare → Detect → Contain → Eradicate → Recover → Lessons (contain before eradicate). NIST CSF 2.0 = Govern, Identify, Protect, Detect, Respond, Recover. Vuln management = scan, prioritise (CVSS), patch — and an actively-exploited internet-facing CVE gets a virtual patch NOW.

⑤ Networking, web & identity — the rapid-fire round freshers miss

Most fresher interviews include a "name it fast" networking round. Know the OSI model's seven layers bottom-up — Physical, Data Link, Network, Transport, Session, Presentation, Application (mnemonic: Please Do Not Throw Sausage Pizza Away) — and be ready to map an attack to each: MAC flooding / ARP spoofing at Layer 2, IP spoofing & routing attacks at Layer 3, a SYN-flood DDoS at Layer 4 (Transport), TLS-stripping at the Presentation/Session boundary, and SQLi / XSS / a Layer-7 HTTP-flood at the Application layer. The one-liner that lands: "an attack exists at every layer, so defence has to live at every layer — that's defense in depth expressed through the stack."

TCP vs UDP, and the three-way handshake. TCP is connection-oriented and reliable — it guarantees delivery and order via the three-way handshake (client sends SYN → server replies SYN-ACK → client sends ACK, connection established). UDP is connectionless and fast with no guarantee — used where speed beats reliability (DNS, VoIP, video). The security hook: a SYN flood abuses the handshake by sending SYNs and never the final ACK, filling the server's half-open connection table — defended with SYN cookies and rate-limiting.

"Explain the TLS/SSL handshake step by step." This is the crypto question that separates memorisers from understanders. Walk it: (1) ClientHello — the browser offers its TLS versions and cipher suites; (2) ServerHello + certificate — the server picks a cipher and sends its X.509 certificate; (3) certificate validation — the client checks the cert chains to a trusted CA, isn't expired, and matches the hostname (this is where PKI earns its keep); (4) key exchange — using the server's public key (or, in TLS 1.3, ephemeral Diffie-Hellman for forward secrecy) both sides derive the same session key; (5) switch to symmetric — all further data is encrypted with fast symmetric AES. The winning summary: "asymmetric crypto is used once to safely agree a symmetric key, then symmetric AES does the heavy lifting — and TLS 1.3 dropped the slow round-trips and weak ciphers."

"What happens, end to end, when you type a URL and press Enter?" A favourite because it touches the whole stack: (1) DNS resolves the domain to an IP (UDP query to a resolver, cached along the way); (2) TCP three-way handshake opens the connection to that IP on port 443; (3) TLS handshake negotiates encryption and validates the certificate; (4) HTTP request (GET /) goes out over the encrypted channel; (5) the server responds, the browser renders the page. Security touchpoints to name: DNS can be poisoned or hijacked (use DNSSEC / DoH), the TLS cert must validate (else MITM), and HSTS forces HTTPS so an attacker can't downgrade you to plaintext.

🔄
Encoding vs Hashing vs Encryption
tap to flip

Encoding = reversible, NO key, not security (Base64 for transport). Hashing = one-way, no key (SHA-256 for integrity / passwords). Encryption = two-way, needs a key (AES/RSA for secrecy). "Base64 is not encryption" is a classic trap.

🎫
OAuth vs SAML vs OIDC
tap to flip

OAuth 2.0 = authorization (delegated access via tokens). OIDC = authentication built on top of OAuth (the ID token / "who are you"). SAML = older XML-based SSO, common in enterprise. AuthN = who you are; AuthZ = what you may do.

🪪
CSRF vs XSS
tap to flip

XSS injects script into a page to run in the victim's browser (steal cookies). CSRF tricks the browser into sending an authenticated request the user didn't intend. Stop CSRF with anti-CSRF tokens + SameSite cookies; stop XSS with output encoding + CSP.

☁️
Cloud shared responsibility
tap to flip

Provider secures the cloud (hardware, hypervisor, managed services); you secure what's in the cloud (data, IAM, config, OS patching). Most cloud breaches are your side: public S3 buckets, over-broad IAM, exposed secrets.

CSRF — the missing member of the web-attack trio. Everyone names SQLi and XSS; mentioning CSRF shows depth. CSRF abuses the fact that the browser auto-sends cookies: an attacker's page silently fires a request (e.g. "transfer money") to a site where you're logged in, and the site can't tell it wasn't you. Defences: an unpredictable anti-CSRF token the attacker can't guess, SameSite cookies so the cookie isn't sent cross-site, and re-authentication for sensitive actions. The clean contrast: XSS abuses trust the user has in the site (runs script in their browser); CSRF abuses trust the site has in the user's browser (rides their session).

Identity & access beyond MFA. Be ready to separate authentication ("who are you") from authorization ("what may you do"), and to compare OAuth 2.0 (delegated authorization via tokens), OIDC (authentication on top of OAuth) and SAML (XML-based enterprise SSO). Add the access-model contrast: RBAC grants by role, ABAC grants by attributes/context (department, device, time) — and a stateless JWT is verified by signature without a server session, which is why short expiry + a revocation list matter.

Aditya at a fintech cloud-security interview faces this

The interviewer asks: "Our customer data leaked from an AWS S3 bucket — whose fault is it under the shared-responsibility model, and what would you check first?"

Likely cause

A misconfigured bucket policy left the data publicly readable. Under shared responsibility AWS secures the infrastructure, but bucket access configuration is the customer's responsibility — so this is on us, not the provider.

Diagnosis

Check the bucket ACL / policy and Block Public Access settings, review CloudTrail for who changed it and who accessed the data, and scan for other public buckets and over-permissive IAM roles.

Fix

Enable Block Public Access org-wide, apply least-privilege IAM, turn on default encryption, and add an automated config-drift check (AWS Config / CSPM) so a public bucket alerts immediately.

Verify

Re-scan: bucket returns 403 to anonymous requests, CSPM shows zero public buckets, and the IR ticket records scope, root cause and the data actually exposed.

👉 So far: OSI = Physical→Application (an attack per layer). TCP = reliable + 3-way handshake (SYN/SYN-ACK/ACK); UDP = fast, no guarantee. TLS = ClientHello → cert validation → key exchange → symmetric. URL→Enter = DNS→TCP→TLS→HTTP→render. Encoding≠hashing≠encryption. CSRF = ride the session (tokens + SameSite); XSS = inject script (encode + CSP). Cloud = provider secures the cloud, you secure what's in it.

⑥ The 2026 AI/GenAI threat wave — what every interviewer is now asking

This is the round that didn't exist two years ago and now dominates 2026 panels. GenAI has changed the attack surface on both sides — attackers use it to scale, and defenders bolt LLMs into the SOC. Frame your answer around the OWASP Top 10 for LLMs and you instantly sound current.

"How do GenAI/LLM threats change the attack surface?" Three angles to cover. (1) Prompt injection is the #1 LLM risk for the second OWASP edition running — a user (direct) or a poisoned document/web page/email the model reads (indirect) smuggles in instructions that override the system prompt, leak data, or trigger actions. (2) LLM data leakage — staff paste source code or customer PII into a public chatbot, or a RAG model surfaces data the user shouldn't see; sensitive output disclosure is its own OWASP category. (3) Excessive agency — an agentic AI wired to tools/APIs can be tricked (via prompt injection) into taking real actions: deleting records, sending mail, moving money.

"How do attackers weaponise AI, and how do you defend?" The 2026 reality: AI lets attackers operate at scale and with frightening realism. Deepfake voice-clone CEO fraud is the headline — a voice can be cloned from about three seconds of public audio, deepfake-enabled vishing surged over 1,600% in early 2025, and US deepfake-fraud losses hit roughly $1.1 billion in 2025 (about triple the prior year). AI also mass-produces flawless, typo-free, personalised phishing — the old "spot the bad grammar" advice is dead. Defence: out-of-band verification / call-back on a known number for any money or credential request (process beats detection), MFA and payment dual-approval that a cloned voice can't bypass, deepfake-aware user training, and email tools that score behavioural/contextual signals rather than spelling. The interview line: "AI didn't invent these attacks — it removed the friction, so we lean harder on verification, MFA and zero trust, not on humans spotting fakes."

'AI is just a productivity tool, not a security concern'

This answer dates you instantly. By 2026 the LLM is attack surface: prompt injection (OWASP LLM01), data leakage from staff pasting secrets into chatbots, training-data poisoning, and agentic AI with excessive permissions. Treat AI systems like any other untrusted input — validate, sandbox tool access, apply least privilege to the agent, and never let an LLM's output trigger a sensitive action without a human or policy gate.

Pause & Predict

A finance employee gets a video call from the "CFO" — face and voice match — urgently authorising a wire transfer. MFA is on the employee's accounts. Does MFA stop this fraud? Type your guess.

Answer: No — MFA protects login, but this attack bypasses systems entirely and targets the human decision. A deepfake call-clone needs a process control: out-of-band verification (call the CFO back on a known number), payment dual-approval, and a policy that no transfer is authorised by voice/video alone. This is exactly why 2026 interviewers want "verify the request through a second trusted channel," not "we have MFA."

"How do you stay current — and tell me about a time you handled an incident?" (behavioural). For staying current, name concrete habits, not vibes: follow CISA / vendor advisories and the NIST NVD, read MITRE ATT&CK and ATLAS (the ATT&CK equivalent for AI systems), run a home lab / TryHackMe, and track OWASP. For the incident story, use STAR (Situation, Task, Action, Result) mapped onto the IR lifecycle: what alerted you, how you triaged true-vs-false-positive, how you contained before eradicating, how you recovered, and the one process change you drove in Lessons Learned. Interviewers reward calm structure and a measurable result over heroics.

👉 So far: The 2026 AI round: prompt injection = OWASP LLM01 (direct + indirect); LLM data leakage from pasted secrets/RAG; excessive agency in agentic AI. AI scales phishing and deepfake CEO/voice fraud — defend with out-of-band verification, MFA, dual-approval and zero trust, not "spot the fake." Stay current via CISA/MITRE ATT&CK + ATLAS/OWASP; tell incident stories in STAR mapped to the IR lifecycle (contain before eradicate).

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from Cyber Security docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Apply

An e-commerce site at Flipkart suffers a DDoS flood and goes offline during a sale. Which CIA pillar is hit, and which control category responds?

Correct: c. A DDoS denies legitimate users access — it's an Availability attack. The defences are availability controls: upstream DDoS scrubbing/CDN, rate-limiting, autoscaling and redundancy. Mapping the attack to the CIA pillar and then to the matching control is exactly the structure interviewers want.
Q6 · Analyze

Priya's team enforces MFA, yet an attacker still phished a password. Why is the breach contained, and what does this prove about single controls?

Correct: d. With MFA enforced, a stolen password is useless without the second factor — the attack is stopped at login. This is the core lesson of defense in depth: no single control is the whole story, and a strong password alone is never enough. That framing beats 'we have a password policy'.
Q7 · Analyze

A junior says 'we encrypt all stored passwords.' Why does a senior interviewer flinch, and what's the correct design?

Correct: b. Encryption is reversible — if the key leaks, every password is exposed. Passwords must be salted and hashed with bcrypt/argon2 (one-way), so even a full database breach doesn't directly reveal plaintext. 'We encrypt passwords' signals a real misunderstanding of hashing vs encryption.
Q8 · Analyze

During a worm outbreak spreading across the LAN, what is the correct FIRST step in the NIST IR lifecycle, and why not restore backups first?

Correct: a. The lifecycle is Prepare → Detect → Contain → Eradicate → Recover → Lessons. You Contain before you Eradicate/Recover — isolate the infected hosts so the worm stops spreading. Restoring backups while the malware is still live just re-infects clean systems. Containment-first is the instinct seniors test for.
Q9 · Evaluate

A company passes its ISO 27001 audit, then suffers a major breach. The best interview take is…

Correct: d. Compliance proves you met a standard at a moment in time; it doesn't mean you're actually secure against a live, adaptive attacker. Real security is continuous, layered and identity-centric. Articulating the security-vs-compliance gap — without dismissing frameworks — is a senior-level answer.
Q10 · Evaluate

Asked 'what's the single most important thing to improve a company's security posture?', the strongest answer is…

Correct: b. The trap is naming one silver bullet. Strong posture is layered — defense in depth. The honest senior answer: no single control suffices, but MFA (stops stolen-credential attacks) plus disciplined patching (closes the holes worms/exploits use) eliminate the largest share of real-world breaches. Single-tool answers fail.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why is defense in depth better than relying on antivirus? Then compare to the expert version.

Expert version: Because antivirus is one control catching one class of threat (known malware signatures). It does nothing for phishing, stolen credentials, zero-days, misconfigurations or insiders. Defense in depth layers many independent controls — MFA, patching, least privilege, network segmentation, EDR and SIEM monitoring — so that when one fails, the next catches the attack. The attacker must defeat every layer; the defender only needs one to hold. That asymmetry, plus framing it all around protecting the CIA triad, is the answer that gets you hired.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

CIA Triad
Confidentiality (secrecy), Integrity (no tampering), Availability (it's up) — the three core goals of security.
AAA
Authentication (who you are), Authorization (what you may do), Accounting (what you did — the audit log).
Risk equation
Risk = Threat × Vulnerability × Impact — the chance a weakness is exploited and how badly it hurts.
Defense in depth
Layered, independent controls so one failure isn't fatal; the attacker must beat every layer.
Zero Trust / Least privilege
Never trust, always verify; grant only the minimum access each user/process needs.
Malware family
Virus (needs a host), worm (self-spreads), trojan (disguised), ransomware (encrypts), rootkit (hides).
IDS vs IPS
IDS detects and alerts (passive); IPS sits inline and actively blocks malicious traffic.
Symmetric vs Asymmetric
Symmetric = one shared key (AES, fast); asymmetric = a key pair (RSA/ECC, key exchange + signatures).
Hashing
A one-way function (SHA-256) for integrity and password storage — not reversible, not encryption.
IR lifecycle
NIST SP 800-61: Prepare → Detect → Contain → Eradicate → Recover → Lessons Learned.

📚 Sources

  1. NIST — SP 800-61 Rev. 3: Incident Response Recommendations and Considerations (2025). csrc.nist.gov
  2. NIST — Cybersecurity Framework (CSF) 2.0 — Govern, Identify, Protect, Detect, Respond, Recover. nist.gov/cyberframework
  3. MITRE ATT&CK — Brute Force (T1110), Credential Access tactic. attack.mitre.org
  4. OWASP — Top 10:2025 (Broken Access Control A01, Injection A05 — SQLi/XSS). owasp.org/Top10
  5. CIS — Critical Security Controls v8 (defense-in-depth control families). cisecurity.org
  6. (ISC)² & CompTIA — Security+ / CC exam objectives (CIA, crypto, IR). comptia.org & isc2.org

What's next?

Cleared the fundamentals round? Keep going — the interview-prep library covers Zscaler, Palo Alto, Fortinet, VPN, Checkpoint and more, all in the same hands-on style.

Next · All interview lessons → Practice on exam.techclick.in →