Did Lilly's virtual onsite for a senior security engineer role in Q1 2026. Four rounds, all over Teams, all in one day. Here's exactly how it went.
Round 1: Coding (45 min). Two problems. Both medium. One string manipulation, one involved a graph. The interviewer watched me code in a shared editor. Quiet mostly, watched how I talked through my thinking. Didn't help when I got stuck briefly but wasn't cold about it either.
Round 2: System design (60 min). The prompt was around building a secure audit logging system for internal access to sensitive clinical data. Very relevant to my function. I went deep on threat modeling which they seemed to like. We talked about tamper evidence, write-once log storage, how you'd handle insider threat scenarios. This felt like a real conversation, not a performance.
Round 3: Behavioral (45 min). Four questions, STAR format. The interviewer was from a different team than the role. Questions: tell me about a time you identified a security risk that others missed, tell me about a time you disagreed with a senior stakeholder, describe a project where you had to learn something quickly, give an example of cross-functional collaboration. Classic but they probed hard. Expect follow-ups.
Round 4: Hiring manager conversation (30 min). Less formal. They explained the team, the roadmap, asked if I had questions. I asked about their AppSec maturity, toolchain, incident response cadence. They answered honestly including acknowledging gaps. That was a good sign.
Debrief call from recruiter came 8 days later. Offer followed 2 days after that.
Overall: more thorough than I expected from pharma. Less brutal than FAANG. The domain specificity in the design round was legitimately good. I took the offer.