Interview Leaks · Primly Community

cybersecurity interview questions at tech companies in 2026, sharing what I've seen this year

sec_sasha · 5 replies

Been through four security engineering loops this year across a cloud provider, a large fintech, a defense-adjacent contractor, and a late-stage startup. Different role types, different depths. Sharing what actually came up because security interview prep resources are way sparser than SWE.

Cloud provider (mid-senior security engineer):

They started with threat modeling. I was given a simple microservices architecture diagram and asked to identify the top five threats and how I'd mitigate them. No tricks. They wanted to see if I used a structured methodology (STRIDE came up naturally) or just free-associated vulnerabilities.

Then a question on detection vs. prevention tradeoffs: given limited budget, how do you prioritize controls across an attack surface. This was conversational but they pushed back on everything to see if I had real opinions vs. textbook answers.

No CTF-style technical challenge in the loop itself but there was a 45-minute take-home before it.

Fintech (AppSec, senior level):

Heavy on OWASP top 10 in practice, not just naming them. They described an API that a developer built and asked me to walk through the top three security issues I'd look for in a code review. SQL injection and auth bypass came up. They wanted to see that I could explain the risk to a non-security developer in one sentence.

One interesting behavioral: tell me about a time you found something serious in a security review and had to deliver bad news to an engineering team that was about to ship.

Common across all four: Every single loop had some version of 'how do you work with developers who see security as a blocker.' This is a people problem, not a technical problem, and they know it.

Comp at the cloud provider was around $180k base plus RSUs, mid-senior title. The fintech came in at $190k base with smaller equity.

Happy to go deeper on any of the rounds.

5 replies

backend_bekah

The 'security as a blocker' question is something I've heard from every security person I've worked with. Is there a framing that tends to land well in those interviews, or is it purely situational based on what you've done?

sec_sasha

The frame that landed best for me was: lead with the shared goal, not the risk. I'd say something like 'I start from the position that we both want to ship, and my job is to make sure we understand what we're accepting when we make tradeoffs.' Then I'd describe a specific situation where I helped a team find an alternative that unblocked them. Interviewers seem to like when you demonstrate you're not the person who just says no.

infra_ines

The take-home before the loop is increasingly common in security. Did they give you any constraints on it, like 'use only open source tools' or was it open-ended? I've heard some companies use that step more as a screener than an actual technical bar.

careerveteran

The STRIDE threat modeling question is smart. It immediately separates people who've done real threat modeling from people who've read about it. Most candidates don't use a structured methodology, they just list bad things that could happen. If you're prepping for security roles, actually do a STRIDE pass on a sample architecture before your loop.

visa_vik

Curious about timeline. Four loops in one year is a lot. Were you running parallel tracks or going sequentially? I'm nervous about having too many active processes and things timing out.