Security is everyone’s job but few reason about it well. These questions check whether a candidate understands threats, defenses and secure engineering.
Hiring a Cybersecurity developer is easy. Telling a real one from a convincing résumé is the hard part — and it’s most of what we do. These are grouped by level, because the same question that stretches a junior is a warm-up for a senior.
Junior Cybersecurity interview questions (0–2 years)
Focus: fundamentals.
Q: What is the CIA triad?
Answer: Confidentiality, Integrity and Availability — the three core goals security aims to protect.
Red flag: Cannot name the pillars.

Q: What is the difference between authentication and authorization?
Answer: Authentication proves identity; authorization determines permitted actions.
Red flag: Conflates the two.

Q: What is the difference between encryption and hashing?
Answer: Encryption is reversible with a key; hashing is a one-way function used for integrity and (with a salt) password storage.
Red flag: Thinks hashing is reversible or stores passwords in plaintext.

Q: What is a firewall?
Answer: A control that filters network traffic by rules to permit or block connections.
Red flag: No idea how traffic is controlled.

Q: What is phishing and social engineering?
Answer: Manipulating people into revealing information or access, often a bigger risk than technical exploits.
Red flag: Thinks security is purely technical.

Q: Why should passwords be hashed and salted?
Answer: So a breach doesn’t expose plaintext passwords; salting defeats precomputed (rainbow table) attacks.
Red flag: Stores or “encrypts” passwords reversibly.
Q: What is the principle of least privilege?
Answer: Granting only the minimum access needed, limiting damage from compromise or mistakes.
Red flag: Grants broad admin access by default.

Q: What is HTTPS and why does it matter?
Answer: HTTP over TLS, encrypting traffic and authenticating the server to prevent eavesdropping and tampering.
Red flag: Sends sensitive data over plain HTTP.
Mid-level Cybersecurity interview questions (2–5 years)
Focus: vulnerabilities and defense.
Q: What is SQL injection and how do you prevent it?
Answer: Injecting SQL via unsanitised input; prevented with parameterised queries/ORMs, never string concatenation.
Red flag: Concatenates user input into SQL.
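The SQL injection answer above, as an added example that is not part of the original page: the same lookup written with string concatenation and with a parameterised query, run against a constructed in-memory SQLite table so the difference in behaviour is visible.

```python
# Added example (not from the page): concatenated vs parameterised SQL against a
# constructed in-memory SQLite database.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")]
    )
    return conn


def find_user_concat(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the input becomes part of the SQL text, so it can change the
    query's structure (and any legitimate quote in the data is a syntax error)."""
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_param(conn: sqlite3.Connection, name: str) -> list:
    """Safe: the driver binds the value; it is only ever compared as a literal."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "x' OR '1'='1"  # textbook injection input
    print(find_user_concat(conn, tautology))  # both rows: WHERE clause was rewritten
    print(find_user_param(conn, tautology))   # []: no user literally named that
    print(find_user_param(conn, "O'Brien"))   # []: a quote in data is harmless here
```

The parameterised form is also the correct fix for the functional bug, since a real name containing an apostrophe breaks the concatenated query outright.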
Q: What is XSS and how do you prevent it?
Answer: Injecting scripts that run in victims’ browsers; prevented by output encoding, a Content Security Policy and not trusting input.
Red flag: Renders user input into HTML unescaped.

Q: What is CSRF and how do you mitigate it?
Answer: Tricking an authenticated user’s browser into making unwanted requests; mitigated with anti-CSRF tokens and SameSite cookies.
Red flag: Disables CSRF protection to fix a bug.

Q: What is the difference between symmetric and asymmetric encryption?
Answer: Symmetric uses one shared key (fast); asymmetric uses a public/private key pair (key exchange, signatures). TLS uses both.
Red flag: Confuses which key is shared.

Q: What are common authentication weaknesses?
Answer: Weak password policies, no MFA, session fixation, and insecure token storage; defense in depth addresses them.
Red flag: Relies on passwords alone with no MFA.

Q: What is defense in depth?
Answer: Layered controls so no single failure is catastrophic — network, application, data and monitoring together.
Red flag: Relies on one control (e.g. a firewall).

Q: How do you handle secrets securely?
Answer: Store them in a secrets manager, rotate them, never commit them, and inject them at runtime.
Red flag: Commits API keys to the repo.

Q: What is the OWASP Top 10 and why does it matter?
Answer: A widely used list of the most critical web application security risks; a baseline checklist for secure development.
Red flag: Has never heard of it.
Senior Cybersecurity interview questions (5+ years)
Focus: architecture and response.
Q: How do you build security into the development lifecycle?
Answer: Threat modelling, secure coding standards, dependency and code scanning in CI, code review, and security testing.
Red flag: Treats security as a final audit step.

Q: What is a zero-trust approach?
Answer: Trust nothing by default; authenticate and authorise every request regardless of network location, with least privilege.
Red flag: Assumes the internal network is safe.

Q: How do you approach incident response?
Answer: A plan covering detection, containment, eradication, recovery and post-mortem, practised before a real incident.
Red flag: Improvises during an incident with no plan.

Q: How do you secure a modern cloud environment?
Answer: Least-privilege IAM, encryption in transit and at rest, network segmentation, logging/monitoring, and guardrails/policy as code.
Red flag: Over-permissive roles and public data stores.

Q: How do you manage third-party and supply-chain risk?
Answer: Vet dependencies, pin and scan them, monitor for CVEs, and verify artifact integrity.
Red flag: Pulls unpinned dependencies with no scanning.

Q: How do you balance security with usability and delivery?
Answer: Risk-based controls proportionate to the threat, automation to reduce friction, and secure defaults rather than blocking everything.
Red flag: Adds so much friction that people bypass controls.

Q: How do you handle logging and monitoring for security?
Answer: Centralised, tamper-resistant logs, alerting on anomalies, and retention that supports investigation — without logging secrets.
Red flag: Logs sensitive data or has no security monitoring.

Q: How do you think about data protection and compliance?
Answer: Data classification, minimisation, encryption, access controls, and meeting relevant regulations by design.
Red flag: Treats compliance as an afterthought.