Cyber Security, DFIR & SOC Interview Questions [Update 2020]

Cyber Security is an exciting field, and every other person wants to explore this domain and make a career in it. The problem is that they have no idea how to get in and, even if they do, they don’t have any idea what type of questions they might face in an interview.

A few years back, @Miss_Malware asked for everyone’s favourite security analyst and DFIR interview questions. That gave me an idea to compile a list of questions which are asked in every interview one way or another. What follows is a list of questions which you may face in an interview.

All these questions have been compiled with the help of @Miss_Malware's Twitter thread, contributions from friends and very intelligent internet searches :P. All the relevant sources (read: those I remember) are mentioned at the end of the post.


  • What is DNS and at what port does it run?
  • Differentiate between TCP & UDP?
  • How does HTTP handle state?
  • Does TLS use symmetric or asymmetric encryption?
  • What is a three-way handshake?
  • What is “Risk”? What is “Risk Management”?
  • Which leg of the CIA triad is the most important?
  • What do you understand by Risk, Vulnerability & Threat in a network?
  • What is the difference between policies, processes and guidelines?
  • As a Pen-tester, is being a 1337 hax0r or doing a good job more important to you?
  • Describe the SHA-1 hash.
  • How would you explain to a business user why we are not giving them local admin to their machine?
  • What is MD5 checksum?
  • Answer true or false and explain your answer: “Two-factor authentication protects against session hijacking.”
  • Walk me through how, if you were a threat actor, you would compromise an organisation in all three domains (Physical, Digital, and Human).
  • Name 3 Internet protocols which use TCP, name three which use UDP, and name 2 which use neither, and what port they run on.
  • If I am on my laptop, here inside my company, and I have just plugged in my network cable. How many packets must leave my NIC to complete a traceroute to
  • What’s the difference between encoding, encryption, and hashing?
  • Can you describe rainbow tables?
  • If you had to both encrypt and compress data during transmission, which would you do first, and why?
  • In public-key cryptography, you have a public and a private key, and you often perform both encryption and signing functions. Which key is used for which purpose?
  • What are the advantages offered by bug bounty programs over regular testing practices?
  • Who’s more dangerous to an organisation, insiders or outsiders?
  • Who do you look up to within the field of Information Security? Why?
  • You just stepped on to the elevator with your CEO. They ask you how secure we are? What do you say?
  • You have an unlimited budget and resources. Please draw the most secure corporate network for my organisation. It must have specific components including but not limited to: the Internet, one user subnet, at least one Active Directory server, one web server (with backend database) on the Internet, one Human Resources server, WiFi for your users, a VPN, etc.


  • What is Cross-Site Request Forgery?
  • In what category does XXE fall?
  • How can SQL Injection lead to remote code execution?
  • What is the most significant security issue with microservices and APIs?
  • What is the difference between VA (Vulnerability Assessment) and PT (Penetration Testing)?
  • What is the difference between HIDS and NIDS?
  • I have a /24 subnet of hosts on the Internet that I would like you to pen-test. Take me through, in detail, all the steps that you will go through in this assessment.
  • On assessment, you have just compromised a Mac OS X laptop inside a corporate user subnet. Your goal is to infiltrate Active Directory hashes from the AD servers. How do you accomplish this?
  • What kind of attack is ARP Spoofing considered, and how could you leverage it on a penetration test?
  • What are some common ways that TLS is attacked, and what are some ways it’s been attacked in the past?
  • During the penetration test, you find an instance of Outlook Web Access belonging to the client. Describe how you would attack this?
  • You are performing an onsite penetration test. You do not want to perform any active scanning. How would you gather credentials?
  • How would you target a database that you know lies behind a jump server with an unknown IP address?
  • Describe the last program or script that you wrote. What problem did it solve?
  • What kind of attacks are you vulnerable to when you are using weak ciphers?
  • Which department in an organisation is more likely to get attacked first?
  • What is some of the low-hanging fruit you go after as a pen-tester?
  • Describe three of the most common ways an external attacker today might attempt to gain access to a network.
  • On what port does ping run?
  • What are the common vulnerabilities in an enterprise WiFi network?
  • How would you bypass a network IDS?
  • What are some parts of the HTTP header and why is this important as a security analyst?
  • Suppose you have physical access to a machine on a corporate domain that you are testing. It is connected to their You do not have credentials for the domain or local computer. You also have your laptop. How would you begin testing?
  • What is the purpose of the same-origin policy in relation to the document object model?
  • You are launching a Metasploit reverse https meterpreter payload against a host that is vulnerable to your attack, but once you type “exploit” nothing happens after it launches the attack, how would you debug this (or what would you change to get your meterpreter session?)

Digital Forensics and Incident Response

  • What is the primary reason to not upload targeted malware to VT?
  • What DFIR evidence do you gather first, and why?
  • Why is DNS monitoring essential?
  • Assume a user forwards you a suspected phishing email. How do you respond and handle it?
  • Excluding atomic IoCs, provide three examples of how you would detect evil in the network.
  • What percentage of malware in the wild do you think AV can detect?
  • Explain to me why you need to consider scope in the “identification” stage of IR.
  • What is the primary problem with bash history as a forensic artefact, and name one way to partially recreate this data during an investigation.
  • How will you identify a malicious file without executing it?
  • How will you unpack malware? Moreover, in how many ways?
  • How will malware try to evade analysis? What are the ways?
  • Given a binary, how would you say it has been packed, and how would you figure out which packer was used?
  • Name at least three different vulnerability scanners and patterns to identify them.
  • How would you validate a false positive?
  • How would you validate a false negative?
  • How would you design and execute an incident response plan?
  • What are the differences between FAT32 and NTFS?
  • Describe how the TCP handshake works.
  • What’s the difference between an IDS and an IPS? Give examples of each.
  • Name four types of DNS records and what they signify.
  • What sorts of anomalies would you look for to identify a compromised system?
  • You get a report that your company’s LAMP website may be being DDoSed. How do you investigate?
  • What are the different ways to find out the actual date of file creation from a disk image, and how can you be sure that the date is correct?
  • Explain the difference between local and network authentication and walk me through the authentication process.
  • What will be your primary data sources for detecting botnet activity?
  • What is a disadvantage of signature-based malware detection?
  • An incident has been reported that an enterprise host was identified communicating with a known malicious external host. The incident responders have already blocked the communication and have requested the disk for forensic investigation. You are the forensic analyst on duty when the disk arrives. How will you begin the investigation?

Malware Analysis, Exploit Writing and Cryptography

  • How would you bypass ASLR?
  • How would you bypass SafeSEH?
  • Explain the behaviour and your analysis methodology of any new APT.
  • What is DEP? How can it be bypassed?
  • Explain a PE file.
  • How does keylogging work?
  • What is code injection?
  • What are the APIs used by malware to connect to the server?
  • How can you unpack malware, and in how many ways?
  • In what ways does malware try to evade analysis?
  • Explain the Anti-Debugging techniques employed by macro malware.
  • What are the different types of breakpoints, what is their use and when would you use them?
  • Describe what a buffer overflow is and how you would test for it.
  • Describe what SEH is and how you exploit it.
  • Describe how debugger modules and plugins can speed up initial exploit development.
  • How do interrupts work in a debugger? What are the opcodes for that?
  • What are salted hashes?
  • How do UAF exploits work?
  • Differentiate between symmetric and asymmetric encryption?
  • In public-key cryptography, which key is used for what function (think the public/private & encryption/signing)?
  • Which of these algorithms is better than the others and why – AES-128, AES-196 and AES-256?
  • What is the difference between CBC mode and ECB mode of encryption?
  • What is a Windows Portable Executable?
  • What is the ESP register used for in the Intel x86–32 architecture?
  • During the execution of a piece of malware in a segregated virtual lab environment, the sample was observed making an HTTP GET request for a text file. Because the lab is separated from the Internet, the sample did not receive the text file. What would you do to move the investigation forward?

Security Operation Center (SOC) and Blue Team  

  • What is the Blue Team, and what purpose does it serve?
  • Let's say we ask you to implement a new SIEM. What will be your approach?
  • What are the essential components of a Security Operation Center?
  • Given an HTTP traffic log between a machine on your network and a 3rd party website (e.g. Google), what would the source and destination ports look like?
  • What are the fundamentals of SOC?
  • What is SIEM, and what does it do?
  • SOC analysts are required to collect information from multiple sources. How can you determine which information is relevant?
  • What is the difference between Cyber Threat and Cyber Attack?
  • What are IOC and IOA, and what is the difference between them?
  • Define the concepts of handling alerts, analysing alerts and triaging alerts.
  • What is the need for Threat Intelligence in a Security Operation Center?
  • Does setting up SIEM solutions alone complete the SOC?
  • What are measures to evaluate SOC maturity?
  • Describe the importance of Playbooks and Workflows in SOC.
  • How often should you perform Patch management?
  • Why is DNS monitoring necessary?
  • What sorts of anomalies would you look for to identify a compromised system?
  • What are the security risks associated with a BYOD environment?
  • How can you detect SQL injection? What is the most common SQL injection tool?
  • How would you identify a CSRF Attack?

Feel free to contact me if you have any comments on the questions, or if you have ideas for additions.

Sources: @MissMalware, Himanshu Khokhar, Ravi Kiran, Daniel Miessler
