went through the Meta security engineer interview process in early 2026. targeting a senior AppSec / product security role. posting this because the information online is pretty thin and what's there is mostly from 2021-2022 loops that don't fully match current.
the loop structure for security eng: mine had 5 rounds on the onsite: 2 coding rounds (yes, standard LC-style, medium difficulty, no security-specific problems here, just general algo) 1 security design round 1 domain-specific security round 1 behavioral (jedi)
no CTF, no exploit writing, no binary RE in my loop. if you're coming from a pure red team background expecting those, adjust expectations. Meta's product security interviews lean toward the engineering side of security, not the researcher side.
the security design round: this was the most interesting. i was given a system design problem but with a security lens. something like: 'you're designing an API that third-party apps use to access user data. walk me through how you'd secure it end to end.' they wanted to hear: auth model (OAuth, token scope, expiry) rate limiting and abuse detection how you'd log and alert on anomalous access data classification and what gets encrypted at rest vs in transit how you'd handle a key compromise
you don't have to have every answer. they're watching how you reason through threat models, not whether you hit every checkbox.
the domain round: covered real topics: XSS, SSRF, SQL injection, but not in a 'can you define this' way. more like 'here's a code snippet, what's the vulnerability, what's the impact, how do you fix it.' one question was on secure deserialization. another was about dependency supply chain security. the level of depth expected scales with your seniority.
coding: prep like you would for any FAANG coding screen. trees, graphs, hash maps. nothing security-specific. medium LC difficulty. two problems in 45 minutes, one per round.
what i'd do differently: practice the security design out loud. i was too heads-down writing on the whiteboard and the interviewer had to pull me back to discuss tradeoffs. they want a conversation, not a monologue.
feel free to ask specifics.