Been through four security engineering loops this year across a cloud provider, a large fintech, a defense-adjacent contractor, and a late-stage startup. Different role types, different depths. Sharing what actually came up because security interview prep resources are way sparser than SWE.
Cloud provider (mid-senior security engineer):
They started with threat modeling. I was given a simple microservices architecture diagram and asked to identify the top five threats and how I'd mitigate them. No tricks. They wanted to see if I used a structured methodology (STRIDE came up naturally) or just free-associated vulnerabilities.
Then a question on detection vs. prevention tradeoffs: given limited budget, how do you prioritize controls across an attack surface. This was conversational but they pushed back on everything to see if I had real opinions vs. textbook answers.
No CTF-style technical challenge in the loop itself but there was a 45-minute take-home before it.
Fintech (AppSec, senior level):
Heavy on OWASP top 10 in practice, not just naming them. They described an API that a developer built and asked me to walk through the top three security issues I'd look for in a code review. SQL injection and auth bypass came up. They wanted to see that I could explain the risk to a non-security developer in one sentence.
One interesting behavioral: tell me about a time you found something serious in a security review and had to deliver bad news to an engineering team that was about to ship.
Common across all four: Every single loop had some version of 'how do you work with developers who see security as a blocker.' This is a people problem, not a technical problem, and they know it.
Comp at the cloud provider was around $180k base plus RSUs, mid-senior title. The fintech came in at $190k base with smaller equity.
Happy to go deeper on any of the rounds.