InterviewStack.io

Security Engineering & Operations Topics

Operational security practices, secure systems implementation, threat modeling, penetration testing, vulnerability assessment, and security operations at production scale. Covers network security, endpoint security, secure architecture implementation, incident response mechanics, and security automation. Distinct from Security & Compliance (which addresses governance, compliance frameworks, and policy) and from Security Research & Innovation (which addresses novel techniques and research contributions).

Container and Kubernetes Security

Security for containerized applications and Kubernetes platforms across the full lifecycle: secure image creation and supply chain, image scanning and vulnerability management, secure base images, image signing, runtime protection and intrusion detection, container isolation and least privilege at the container level, secrets management, pod security policies and admission controllers, network policies and microsegmentation, role based access control for cluster access, cluster hardening and configuration management, secure cluster bootstrapping and upgrades, and compliance considerations and audit logging for container environments. Candidates should be able to discuss tooling, threat models specific to cloud native workloads, and operational practices for preventing and responding to container and orchestration security incidents.

45 questions

Security Incident Response and Operations

Covers the practices, processes, and tooling for responding to security incidents and operating a security capability. Topics include the security incident lifecycle of preparation, detection, analysis, containment, eradication, recovery, and post incident review; development and execution of playbooks and runbooks tailored to threat types; severity classification and decision criteria for escalation; evidence preservation and forensic analysis and chain of custody; crisis communication to stakeholders and regulators; notification and regulatory compliance considerations; and coordination with legal, privacy, communications, and executive leadership. Also includes operational aspects of building and staffing a security operations center, on call schedules and escalation, ticketing and case management, leadership and coordination during major incidents, running blameless post incident reviews to identify systemic improvements, and integration of security incident learnings into engineering and operations.

40 questions

Incident Response Fundamentals

Comprehensive understanding of standard incident response methodology and the analyst role across all phases. Candidates should know the primary phases at a practical level: detection including common detection sources and how incidents are identified; containment strategies to limit blast radius and isolate affected systems; eradication techniques to remove malware or malicious access and to close exploited vulnerabilities; recovery practices such as restoring from clean backups and validating system integrity; and post incident review to capture lessons learned and improve controls. The topic also covers initial triage thinking and operational decision making: how to prioritize alerts by impact, scope, and confidence; what contextual information to collect such as logs, timestamps, affected assets and user activity; how to distinguish true incidents from false positives; and how to classify incidents and assign severity levels. Candidates should be familiar with evidence preservation and chain of custody basics, use of playbooks and runbooks, communication and escalation paths with stakeholders, and common metrics used to evaluate response effectiveness.

36 questions

TLS Protocol Security

Deep understanding of transport layer security protocols and their secure deployment. Topics include TLS handshake mechanics, cipher suite negotiation, certificate validation and management, session resumption and key exchange algorithms, forward secrecy, common vulnerabilities and mitigations such as downgrade and padding oracle attacks, practical configuration for servers and clients, certificate revocation and lifecycle management, and compatibility considerations across protocol versions.

37 questions

Secure Coding and Application Security

Covers the principles and practices for building and maintaining secure software throughout the secure software development lifecycle. Topics include secure coding patterns, common vulnerabilities and mitigations such as injection, cross site scripting, insecure deserialization, broken authentication and authorization, improper error handling, and insecure configuration. Includes threat modeling, secrets management, dependency and supply chain hygiene, vulnerability and patch management, and principles of least privilege and defense in depth. Covers code level controls such as input validation and output encoding, use of vetted libraries, avoiding dangerous custom cryptography, and guarding against side channel and timing attacks. Also covers security activities and tools including code review best practices, static application security testing, dynamic application security testing, interactive application security testing, dependency scanning, and how to integrate security testing and gates into continuous integration and continuous delivery pipelines to improve application security maturity.

40 questions

Incident Investigation and Remediation

Focuses on systematic investigation methodology and the distinction between immediate mitigation and long term prevention. Topics include collecting and preserving evidence, establishing a reliable timeline, identifying affected systems, performing root cause analysis, containment versus remediation, and documenting findings. Covers basic digital forensics principles and chain of custody, techniques for reducing blast radius and restoring service as a short term response, and planning permanent fixes to prevent recurrence. Also addresses privacy incident investigation practices such as interviewing stakeholders, assessing regulatory and compliance implications, timeliness and documentation requirements, remediation planning, and using post incident analysis to improve processes and controls.

40 questions

Infrastructure Security and Compliance

Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing, dependency scanning, and provenance, policy as code and automated security gates in continuous integration and continuous delivery pipelines, automated testing and validation of controls, and the trade offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), Service Organization Controls 2 (SOC 2), the Payment Card Industry Data Security Standard (PCI DSS), and ISO 27001, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.

42 questions

Threat Modeling and Secure System Design

Applying threat modeling and structured problem solving to secure system design. Candidates should be able to decompose complex security challenges by identifying business context, critical assets, threat actors, attack surfaces, and compliance requirements. Topics include threat modeling methodologies, attacker capability and motivation analysis, risk assessment and prioritization, selection of mitigations and compensating controls, and evaluation of trade offs among security, usability, cost, and performance. Candidates should also be able to produce implementation and monitoring plans that address scalability and maintainability and to clearly explain and justify design choices and residual risk to stakeholders.

40 questions

Logging and Log Analysis

Covers operating system and application logging architecture, log collection, parsing, analysis, and security monitoring workflows. Topics include where logs are stored on Linux systems, system logging daemons and their configuration such as rsyslog, using the systemd journal and journalctl, and log rotation and retention strategies. Skills include parsing and inspecting logs with command line tools and regular expressions, extracting key fields such as timestamps, user identifiers, internet protocol addresses, actions performed, and error codes, and working with structured log formats such as JavaScript Object Notation. Also includes forwarding logs to centralized systems and agents, transport protocols and collectors, and upstream processing pipelines. For security and monitoring, this covers log aggregation, normalization, event correlation, alerting and thresholding, building searches and dashboards, and deriving forensic and operational insights for incident response and troubleshooting. Candidates may be evaluated on practical configuration tasks, example queries, interpreting log entries, designing log pipelines for reliability and scale, and applying best practices for retention, privacy, and performance.

40 questions