Finished my PANW DS loop last month, senior-level role on the Cortex security analytics team. Posting the breakdown because I couldn't find much specific info when I was prepping.
Total rounds: recruiter screen, take-home, then a 4-hour onsite split into four 1:1s.
Take-home (3 days) Given a dataset of network events (simulated logs, CSV). Asked to: clean it, identify anomalies, build a simple classifier, and write up findings. Nothing exotic but the security context was new to me. They want you to narrate decisions, not just produce output. I added a short doc explaining every choice.
Onsite Round 1: SQL + data exploration Two questions, medium difficulty. One was a running aggregation with PARTITION BY. The other involved a self-join to identify repeated failed login attempts within a 5-minute window. The security-domain flavor shows up: they care if you understand event sequences, not just group-bys.
Onsite Round 2: Stats / probability Expected value, A/B testing power/sample size, then a question about anomaly detection: given a baseline false positive rate, how do you tune a threshold? Nothing tricky if you know your stuff, but they went deeper than I expected.
Onsite Round 3: Case / product sense How would you measure whether a new threat detection feature is actually working? They're not testing PM skills, they want to see if you think about proxy metrics, ground truth labeling, class imbalance. Security DS is mostly anomaly detection and classification problems so this came up naturally.
Onsite Round 4: Behavioral Standard stuff. Biggest disagreement with a stakeholder, a time you communicated a model's limitations to a non-technical audience. PANW culture is collaborative but direct.
Total timeline from first screen to offer: 5 weeks. Leveled at DS2 (roughly L5 equivalent). Bay Area offer landed around $215k total comp, base was $155k. Stock vest schedule is 4-year with 1-year cliff. Happy to answer specific questions.