Meta · Primly Community

Meta security engineer interview: what to actually prepare for

sec_sasha · 5 replies

went through the Meta security engineer interview process in early 2026. targeting a senior AppSec / product security role. posting this because the information online is pretty thin and what's there is mostly from 2021-2022 loops that don't fully match current.

the loop structure for security eng: mine had 5 rounds on the onsite: 2 coding rounds (yes, standard LC-style, medium difficulty, no security-specific problems here, just general algo) 1 security design round 1 domain-specific security round 1 behavioral (jedi)

no CTF, no exploit writing, no binary RE in my loop. if you're coming from a pure red team background expecting those, adjust expectations. Meta's product security interviews lean toward the engineering side of security, not the researcher side.

the security design round: this was the most interesting. i was given a system design problem but with a security lens. something like: 'you're designing an API that third-party apps use to access user data. walk me through how you'd secure it end to end.' they wanted to hear: auth model (OAuth, token scope, expiry) rate limiting and abuse detection how you'd log and alert on anomalous access data classification and what gets encrypted at rest vs in transit how you'd handle a key compromise

you don't have to have every answer. they're watching how you reason through threat models, not whether you hit every checkbox.

the domain round: covered real topics: XSS, SSRF, SQL injection, but not in a 'can you define this' way. more like 'here's a code snippet, what's the vulnerability, what's the impact, how do you fix it.' one question was on secure deserialization. another was about dependency supply chain security. the level of depth expected scales with your seniority.

coding: prep like you would for any FAANG coding screen. trees, graphs, hash maps. nothing security-specific. medium LC difficulty. two problems in 45 minutes, one per round.

what i'd do differently: practice the security design out loud. i was too heads-down writing on the whiteboard and the interviewer had to pull me back to discuss tradeoffs. they want a conversation, not a monologue.

feel free to ask specifics.

5 replies

infra_ines

the 'security design as a system design variant' format tracks. i had something adjacent in my infra loop where they asked about secrets management at scale. it's less 'do you know the CVEs' and more 'do you know how to build systems that minimize blast radius when something goes wrong.' solid framing.

remote_swe_42

curious: did they ask about specific Meta products during the design round or was it all hypothetical systems? i'm trying to gauge how much company-specific context matters for security interviews.

sec_sasha

mostly hypothetical, framed around 'a social platform at scale' without being Meta-specific. but knowing Meta's actual scale helped me size my answers. like when i said 'rate limit to X req/sec per token' i calibrated it to be realistic for high-traffic APIs rather than a toy number. that kind of implicit knowledge helps but you don't need to have worked there.

bootcamp_bri

this is super helpful. i'm earlier in my career and looking at associate security eng roles. do you know if the loop is meaningfully different for more junior levels? or is it the same structure just graded differently?

pivot_pat

the coding rounds being standard LC is both reassuring and slightly annoying. reassuring because i've been grinding that anyway. annoying because i spent a week reviewing OWASP top 10 when i should have just done another 20 mediums.