Interview Leaks · Primly Community

security engineer interview questions at big tech in 2026: patterns across 4 companies

sec_sasha · 4 replies

Did loops at 4 companies between February and May 2026. AppSec / security engineering roles, senior IC level. Sharing patterns because the security interview space is way under-documented compared to SWE.

What you'll get asked everywhere: OWASP Top 10. Not recite-the-list style, but scenario style. "A junior dev on your team ships this code, what do you catch." Threat modeling. Specifically: how do you approach it, what framework (STRIDE comes up a lot), how do you prioritize findings. Incident response scenario. "You get paged at 2am, suspicious egress traffic. Walk me through your first 30 minutes." Secure design review. They give you an architecture diagram and ask you to find the weaknesses. This is where people who memorized CVEs but can't think structurally fall apart.

What varied by company: One company (I'll say mid-size fintech, not FAANG) had a dedicated cryptography round. Symmetric vs asymmetric, key management, TLS handshake from memory. Not common but worth knowing if you're applying to finance or infra-adjacent roles.

One company had zero coding. All design and behavioral. Another had two coding rounds (standard LC-style, not security-specific). Be ready for either.

What got me the offer: Being concrete about tradeoffs. "This control would catch X but adds Y latency and would require Z team to change their deployment process." Saying "we'd add authentication" is not an answer. Saying "we'd add JWT validation at the API gateway with a 15-minute expiry, here's why that works for this threat model" is.

What didn't work: Trying to show breadth instead of depth. I had one loop where I tried to demonstrate I knew 12 security domains. They wanted me to go deep on 2. I didn't get that offer.

Happy to go deeper on any specific company type or role scope if people have questions.

4 replies

careerveteran

The tradeoffs point is dead-on and it generalizes beyond security. Every strong candidate in any technical role can articulate why they chose option A over option B. Most candidates just describe A.

backend_bekah

The cryptography round sounds rough. Did you get any heads up that it was coming or just walked into it?

sec_sasha

Zero heads up. The recruiter said 'technical design and security fundamentals.' Cryptography is technically a security fundamental so I guess that's fair. Lesson learned: ask the recruiter to break down each round explicitly.

ml_mike

Curious how the behavioral rounds went for security roles. Is it the same STAR format or are they asking more situational/ethical scenarios?