
Security Incident Response and Operations Questions

Covers the practices, processes, and tooling for responding to security incidents and operating a security capability. Topics include the security incident lifecycle of preparation, detection, analysis, containment, eradication, recovery, and post-incident review; development and execution of playbooks and runbooks tailored to threat types; severity classification and decision criteria for escalation; evidence preservation, forensic analysis, and chain of custody; crisis communication to stakeholders and regulators; notification and regulatory compliance considerations; and coordination with legal, privacy, communications, and executive leadership. Also includes operational aspects of building and staffing a security operations center, on-call schedules and escalation, ticketing and case management, leadership and coordination during major incidents, running blameless post-incident reviews to identify systemic improvements, and integration of security incident learnings into engineering and operations.

Medium / Technical
A Windows host shows a suspicious child process that executes a long base64 PowerShell command. As the first responder, outline the containment steps, artifacts you would collect (including registry, scheduled tasks, prefetch, event logs), how to collect memory without destroying forensic evidence, and how to eradicate and recover the host.
Hard / Technical
Implement a function in Python or Go that computes a deterministic fingerprint for JSON log events that is insensitive to key ordering and ignores fields listed as volatile (timestamp, request_id). The fingerprint should allow deduplication of semantically identical logs. Provide algorithm, edge cases, and complexity analysis.
Hard / Technical
Explain the regulatory notification requirements common in data breach law (for example GDPR 72-hour reporting, HIPAA breach notification, and state laws like CCPA) that software engineers should understand during incident response. How do these regulations influence technical choices like detection, logging retention, and timeliness of notification?
Medium / Technical
Write a Python streaming algorithm that consumes HTTP access logs and maintains an online baseline per IP using an exponentially weighted moving average (EWMA). Flag IPs that exceed the baseline by a configurable multiplier. The implementation should use O(1) time per request and bounded memory via a TTL for inactive IPs.
Medium / System Design
Design a lightweight playbook authoring and execution system for engineers: YAML-based playbook format supporting manual and automated steps, preconditions, artifact collection, and rollback actions. Describe components for authoring, version control, a sandboxed runner, and RBAC for playbook execution.
