Did loops at 4 companies between February and May 2026. AppSec / security engineering roles, senior IC level. Sharing patterns because the security interview space is way under-documented compared to SWE.
What you'll get asked everywhere: OWASP Top 10. Not recite-the-list style, but scenario style. "A junior dev on your team ships this code, what do you catch." Threat modeling. Specifically: how do you approach it, what framework (STRIDE comes up a lot), how do you prioritize findings. Incident response scenario. "You get paged at 2am, suspicious egress traffic. Walk me through your first 30 minutes." Secure design review. They give you an architecture diagram and ask you to find the weaknesses. This is where people who memorized CVEs but can't think structurally fall apart.
What varied by company: One company (I'll say mid-size fintech, not FAANG) had a dedicated cryptography round. Symmetric vs asymmetric, key management, TLS handshake from memory. Not common but worth knowing if you're applying to finance or infra-adjacent roles.
One company had zero coding. All design and behavioral. Another had two coding rounds (standard LC-style, not security-specific). Be ready for either.
What got me the offer: Being concrete about tradeoffs. "This control would catch X but adds Y latency and would require Z team to change their deployment process." Saying "we'd add authentication" is not an answer. Saying "we'd add JWT validation at the API gateway with a 15-minute expiry, here's why that works for this threat model" is.
What didn't work: Trying to show breadth instead of depth. I had one loop where I tried to demonstrate I knew 12 security domains. They wanted me to go deep on 2. I didn't get that offer.
Happy to go deeper on any specific company type or role scope if people have questions.