Robinhood · Primly Community

Robinhood security engineer interview: what they actually tested across the loop

sec_sasha · 5 replies

Did their security engineering loop recently for an AppSec role. This one is a bit different from a standard SWE loop so worth a dedicated post.

Robinhood's security function has grown a lot since some of their public incidents a few years back. They have AppSec, cloud security, and a detection/response team, and the interview process varies somewhat by track. My experience was AppSec, so that's what I'll speak to.

Structure: Recruiter screen (30 min, mostly culture and role expectations) Technical phone screen with a security engineer (45 min) Virtual onsite: 4 rounds

Phone screen was a mix. They started with threat modeling: I was given a short description of a fintech feature (something like a P2P payment flow) and asked to walk through threats. Not a whiteboard, just talking through it. They also asked about common web vulns, OWASP top 10 type stuff, but not in a checkbox way. More "describe a time you found an injection vuln in production and what the blast radius was."

Onsite rounds: Secure code review: They gave me a code snippet (Python, realistic fintech business logic, not a toy example) and asked me to identify vulns. I found an insecure deserialization issue and a race condition in the payment handling. Missed a subtle SSRF. They weren't grading for gotchas, they wanted to see how I reasoned. System design with a security lens: Design a secrets management system for a company at Robinhood's scale. Not just infrastructure design, they wanted threat modeling baked in. What fails, how does it fail, who's your attacker. Behavioral / leadership: Standard STAR format. They really pushed on cross-functional influence: how do you get a product team to actually fix a vuln they've deprioritized. That's a real problem in AppSec and they know it. Craft interview with a senior eng: A deeper dive on one past project I'd done in AppSec. Brought my own material, walked them through a pen test engagement. Questions got pretty specific.

What mattered: Depth over breadth. They can tell immediately if you're pattern-matching on "I know OWASP" without having shipped anything. The secure code review will find you out.

Comp: I didn't accept but the offer was $190k base for senior AppSec, NYC, with RSU on a 4-year vest. That's fair for the role but not top of market for security in fintech.

Happy to answer questions on the loop.

5 replies

infra_ines

The secrets management design question is interesting. Did they care more about the architecture or the threat model? I've seen that question asked in different ways where one interviewer wants HashiCorp Vault and another wants you to invent your own rotation strategy.

sec_sasha

Definitely more threat model than specific tooling. They actually pushed back a little when I jumped to Vault early, not because it's wrong but because they wanted to hear me reason about what properties matter before naming a tool. Key rotation, audit logging, least-privilege access patterns. The tooling came after.

mobile_mara

The "how do you get a product team to fix a deprioritized vuln" question is genuinely hard to answer well. Interested what approach you took.

sec_sasha

Happy to elaborate. Basically: I talked through building a risk case in terms the PM cares about, attaching it to a regulatory or compliance hook when possible (fintech has plenty of those), and framing urgency as business risk rather than "bad things could happen." I also mentioned making it easy for the engineering team to fix, not just easy for me to report. They seemed to like that.

director_dee

The behavioral emphasis you're describing makes sense for an AppSec role at a company like this. The technical bar matters but they've probably learned that pure security nerds who can't communicate across functions are a liability. The influencing-without-authority thing is real in security more than almost any other role.