Palo Alto Networks · Primly Community

Palo Alto Networks data scientist interview: SQL + case + stats, here's what actually came up

analyst_ana · 4 replies

Finished my PANW DS loop last month, senior-level role on the Cortex security analytics team. Posting the breakdown because I couldn't find much specific info when I was prepping.

Total rounds: recruiter screen, take-home, then a 4-hour onsite split into four 1:1s.

Take-home (3 days) Given a dataset of network events (simulated logs, CSV). Asked to: clean it, identify anomalies, build a simple classifier, and write up findings. Nothing exotic but the security context was new to me. They want you to narrate decisions, not just produce output. I added a short doc explaining every choice.

Onsite Round 1: SQL + data exploration Two questions, medium difficulty. One was a running aggregation with PARTITION BY. The other involved a self-join to identify repeated failed login attempts within a 5-minute window. The security-domain flavor shows up: they care if you understand event sequences, not just group-bys.

Onsite Round 2: Stats / probability Expected value, A/B testing power/sample size, then a question about anomaly detection: given a baseline false positive rate, how do you tune a threshold? Nothing tricky if you know your stuff, but they went deeper than I expected.

Onsite Round 3: Case / product sense How would you measure whether a new threat detection feature is actually working? They're not testing PM skills, they want to see if you think about proxy metrics, ground truth labeling, class imbalance. Security DS is mostly anomaly detection and classification problems so this came up naturally.

Onsite Round 4: Behavioral Standard stuff. Biggest disagreement with a stakeholder, a time you communicated a model's limitations to a non-technical audience. PANW culture is collaborative but direct.

Total timeline from first screen to offer: 5 weeks. Leveled at DS2 (roughly L5 equivalent). Bay Area offer landed around $215k total comp, base was $155k. Stock vest schedule is 4-year with 1-year cliff. Happy to answer specific questions.

4 replies

analyst_ana

This is exactly what I needed. The SQL window function question sounds like something I should practice more. Was the take-home graded heavily or was it more of a bar-raiser? Did they mention if people fail there?

ae_andre

The recruiter told me afterward that a few candidates are screened out at the take-home, mostly for unclear writeups rather than wrong answers. The analysis doesn't have to be perfect. The narrative around it matters a lot. Treat it like a stakeholder presentation, not an assignment.

ml_mike

The anomaly detection threshold question is everywhere in security DS roles. It's basically: precision vs recall, depending on how bad a false negative is vs a false positive. Did they ask you to formalize the cost function or just conceptually walk through it?

ux_uma

Interesting that round 3 was basically 'how would you define success for a feature.' That's something I'd expect in a product sense interview. Good to know DS candidates need that too. Makes sense given they're working directly on product metrics.