
Threat Modeling and Risk Assessment Questions

Systematic identification and evaluation of threats, vulnerabilities, assets, and attack surfaces to determine likelihood and business impact and to drive prioritized security controls. This topic covers threat modeling techniques and structured methodologies such as STRIDE, PASTA, and attack trees; enumeration of threat actors and attack vectors; scenario-based attack simulation; and attack surface analysis. Candidates should be able to quantify risk using likelihood and impact, risk matrices, and concepts such as risk velocity, and explain how to integrate threat intelligence into probability assessments. The topic includes translating threat models into prioritized mitigations, detection and monitoring requirements, and security architecture or design trade-offs that balance security with business objectives and operational constraints. At larger scale it covers enterprise risk assessment practices, alignment with risk management frameworks such as NIST and ISO 31000, integration with vulnerability assessment and vulnerability management programs, risk quantification, and effective communication of risk and remediation priorities to technical teams and executive stakeholders.

Medium | Technical | 78 practiced
Given an AWS-hosted SaaS architecture with public S3 buckets, Lambda functions running with IAM roles, RDS in a private subnet, and a CI/CD pipeline that uses deploy keys, enumerate the top threats, likely attack paths an adversary might take, and propose 3–5 prioritized mitigations. Justify the prioritization using likelihood and business impact.
Medium | Technical | 76 practiced
An API gateway exposes several hundred endpoints. Propose a set of attack-surface reduction techniques (both design-time and runtime) you would apply to the gateway and describe how you would measure and quantify the reduction in risk or attack surface.
Easy | Technical | 74 practiced
Describe what threat modeling is and why an organization should invest in threat modeling as part of its security architecture program. Include the main objectives, common outputs (for example: threat lists, attack trees, data-flow diagrams, misuse cases), typical stakeholders to involve, and at least two concrete ways threat modeling influences design decisions and enterprise risk management.
Hard | System Design | 72 practiced
Design an enterprise threat modeling program for a global company with 10,000 employees and 500 applications. Define governance (roles and responsibilities), end-to-end process workflows, tooling (including automation and integration points), KPIs to measure program health, onboarding for new teams, and how to scale peer reviews while keeping models current.
Easy | Behavioral | 64 practiced
Tell me about a time you led a cross-functional threat modeling workshop. Use the STAR framework: set the Situation, describe the Tasks and Actions you took (methods like STRIDE/PASTA, facilitation approach), explain the Results, and describe any follow-up actions or lessons learned.