Many recent posts highlight FAANG & other tech interviews require LC for non-SWE Security Engineering jobs, such as DFIR, red team, threat intel, vuln management, etc. My recent interview experiences were all over the map. Most require a rudimentary coding test, but it is difficult to prepare due to the inconsistency across companies. Fellow Security Engineers: have you found success grinding LC or similar coding challenge sites? If yes, which question sets?
My approach so far:
- Studied security concepts from the Google Security Engineering GitHub resource: https://github.com/gracenolan/Notes/blob/master/interview-study-notes-for-security-engineering.md
- HackerRank Python & RegEx tracks
- LC easy regex & shell questions
Offers:
- Amazon - one light scripting exercise
- Reddit - no coding
Failed at phone screen due to lack of preparation:
- Google - no coding, system design
- Meta - easy coding
What has worked for you? #cybersecurity #interview #security
TC: $400k (not listed employer)
YOE: 10+
Google has 3 rounds of coding but mostly scripting/more useful stuff, nothing like LC. One during the technical phone screen and then 2 during the on-site loop.
Thanks for weighing in! Glad to hear Google is in touch with reality. My Google recruiter said phone screen is a scripting exercise, so I practiced Python for a few weeks. Instead, the interviewer asked me to design a large scale malware identification system. In their defense the interviewer asked which domain I prefer and I chose malware analysis. Lesson learned: choose wisely!
@OP any other questions they asked around Malware Analysis? I've had a few scenario-based questions before around IR and malware campaign. Nothing around development of Malware environment.
I’m new to AppSec but my interviews consisted of mostly explaining OWASP Top 10 vulnerabilities and threat modeling. I agree the coding portions are a little trickier than standard LC because every company expects you to be able to code different things, so I have yet to figure out how to prepare for that except getting better at coding overall.
Yes! OWASP is invaluable for AppSec. I cram OWASP and OWASP API top 10 before any loops where I suspect it will be relevant. Agree completely: getting better at coding is the best one can do to prepare. It’s tricky when your day job isn’t conducive to practicing, as I expect is true for many of us.
Any specific resources you use to study?
@op, based on your interview experience, what are your focus areas now? Where did you fail despite having 10 yoe? Just asking because it could help many others here who are clueless about these interview processes.
Great question. I’m currently a SOC engineer who spends more time on program management than writing code. My biggest failure and strength concurrently are too much breadth, insufficient depth. I have worn all the blue/purple team hats and dabbled in everything except AppSec and DevSecOps. Being multi-disciplined can be a disadvantage. I was down leveled in both offers I noted in my post. One recruiter told me the team loved me but didn’t think I was technical enough for $level—that hurts when I push myself to take on new domains year after year! I turned down the offers and I’m about to submit another round of applications, tbh that’s the impetus for this post. I still don’t know what I want to be when I grow up, so the best advice I can muster:
- Figure out what security domain excites you and go deep.
- Ensure you continue learning. If you’re not learning, leave.
- If you love security but your job is boring, figure out why and try to fix that.
- Know your worth: ALWAYS negotiate. It can feel scary to ask for more when you’re very excited about a company giving the offer. It feels much worse to get the dream job and learn you’re horrendously underpaid with no leverage or opportunity to make more.
- Titles are often, though not always, negotiable. Why be a Security Analyst when you can be a Cloud Security Incident Responder or a Detection Engineer or an Offensive Security Practitioner?
How is the Reddit interview, and what are the Amazon and Reddit TC and level?
DM and I can elaborate if you have specific questions. They were very different companies and teams, so the process was different. I am comfortable saying I interviewed at Staff/L6 and was given a down leveled offer by both. Also, both offers were $50-70k less than my current TC after a few rounds of negotiation, so I walked. Having a decent job while interviewing is a huge asset: take only an offer worth accepting. :) Who knows if I’ll get an offer worth jumping ship at this point, but you have to play to win.
Practice has worked somewhat for me. Always ask what to expect in the upcoming rounds. So far I have experienced problem-solving type questions, Q/A trivia (what is XSS, etc.), hands-on practicals like CTFs, and code review style questions. Have not had LeetCode style yet but know that exists for security engineers. Thanks for sharing details on how you prepped, OP.
These are great additions! Are you red team? I have yet to see an interview CTF, sounds like fun. Closest I’ve gotten was when a certain auto tech company gave a take home exercise where I analyzed a PCAP and reconstructed the kill chain exclusively from the traffic and OSINT. Interesting anecdote: I’ve seen fewer security trivia Qs this year compared to interviews last year. For example, in 2020 three interviewers at a FAANG company asked me to explain the OSI model. I didn’t get that question at all in 2021 interviews at the same company or elsewhere. For me, the new interview question I keep seeing is “Explain how the internet works.”
First of all, thank you OP for sharing this. This honestly is the most useful thread I've come across here for myself as a security professional. It is definitely hard to get back into coding after a long time. I couldn't even do easy LC questions without help/hints!! But it felt so useless when I was practicing LC. Do you have any resources where we can practice scripting type of questions? I.e. Python scripting, bash, PowerShell. I feel like scripting is way more useful for us than developing.
@Twilio, yes good one! I’ll add on that you can break down complex shell scripts with https://explainshell.com. It’s basically a UI for opening the command man pages and grepping the flags. @JPM, I am so happy to hear this is helpful. I decided to start blogging these topics so more to come once I host some content. There’s clearly an imbalance in the supply vs demand for this info. Re: scripting, I agree shell is absolutely more useful for security engineers than most other languages. I primarily pursued Python for my interview prep: it has so much flexibility and community support via third-party modules—especially for security uses. If you’re starting from scratch (or close enough), I highly recommend Automate the Boring Stuff With Python by Al Sweigart. I read the book and did many of the challenges before my most recent round of interviews, it helped immensely! I then applied the knowledge to several scripting exercises from the Google Security Engineering Interview resource in my original post. Try to use regex to reliably extract indicators from a log file. Once that works, modify your script to run recursively on a whole directory tree, or perhaps download log files from a server then extract IOCs. Try to work on scripting at least once a week. If your current job is conducive to scripting, that’s even better and lucky you!
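The exercise suggested in the comment above (regex extraction of indicators from a log file, then recursion over a directory tree), as an added example that is not part of the original thread. The function names, the file-extension skip list and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from pathlib import Path

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")
HASH = re.compile(r"\b(?:[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I)
DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,24}\b", re.I)
HASH_KIND = {32: "md5", 40: "sha1", 64: "sha256"}
FILE_EXTS = {"exe", "dll", "log", "txt", "php", "zip", "json"}  # assumed skip list

def extract_iocs(text):
    """Return {kind: set of indicators} found in one blob of log text."""
    text = text.replace("[.]", ".")  # refang defanged indicators first
    found = {k: set() for k in ("ipv4", "domain", "md5", "sha1", "sha256")}
    for m in IPV4.finditer(text):
        try:  # the regex only finds candidates; this rejects e.g. 999.1.1.1
            found["ipv4"].add(str(ipaddress.IPv4Address(m.group())))
        except ValueError:
            pass
    for m in HASH.finditer(text):  # hash type is inferred from hex length
        found[HASH_KIND[len(m.group())]].add(m.group().lower())
    for m in DOMAIN.finditer(text):
        name = m.group().lower()
        if name.rsplit(".", 1)[1] not in FILE_EXTS:  # skip update.exe, access.log
            found["domain"].add(name)
    return found

def scan_tree(root, pattern="*.log"):
    """Walk root recursively; map (kind, indicator) to the files containing it."""
    hits = {}
    for path in sorted(p for p in Path(root).rglob(pattern) if p.is_file()):
        text = path.read_text(encoding="utf-8", errors="replace")
        for kind, values in extract_iocs(text).items():
            for value in sorted(values):
                hits.setdefault((kind, value), []).append(str(path.relative_to(root)))
    return hits

# Constructed sample: documentation IP ranges, reserved TLD, made-up hash.
FAKE_SHA256 = "ab12" * 16
SAMPLE = (
    "2021-11-02T10:14:07Z deny src=203.0.113.7 dst=198.51.100.20 "
    "url=hxxp://files.bad-cdn[.]example/update.exe\n"
    f"2021-11-02T10:14:09Z av hit sha256={FAKE_SHA256} file=update.exe\n"
    "2021-11-02T10:15:00Z agent version 999.1.1.1 wrote access.log\n"
)

if __name__ == "__main__":
    print(extract_iocs(SAMPLE))
```

Mapping each indicator back to its source files is what turns the output into something usable for triage across a whole log directory.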
Top tech companies expect coding. I've seen good coding rounds, like scraping the data from a file which has JSON and extracting a few elements, similar to jq. But a few organizations asked things like palindrome, substring index, Caesar cipher. Mostly used Python3 for coding. Optimization didn’t work well for me. But still that was the deciding factor to proceed further. Failed a lot of big tech companies.
In one of the FAANG, they asked pretty detailed questions on AWS security configuration, like prehash or pre signed hash and IAM role types and usages. I am into AppSec, not heavily into AWS or Azure. Thought, why so much depth in AWS? That may be their requirement. So we can’t prepare well for security interviews. We never know what that guy's expertise is. Even in one interview they went deep into XML, like developer level. Explained XXE etc. but went deep in terminologies.
Can you say which FAANG? Meta and Google are on private cloud. Amazon dogfoods AWS from what I heard, and Netflix is all in on AWS. Those two make sense IMO.
When interviewing for any job in the security domain (Red Team, WebAppSec, Blue Team, NetSec, IAM, etc.), basic coding fundamentals are almost a requirement anywhere you go, even if they don't say it. Basic coding fundamentals are defined by having a little knowledge of: loops (for, while), functions, I/O operations, web requests, parsing, and regexp; anything outside of that is a plus. Many of those fundamentals can be found via your language of choice at https://www.w3schools.com/. I will say that typically Python3 is preferred but not required. When interviewing people with respect to coding, I don't care if they can tell me how much water some container can hold. I want to see if they understand the code, what it is doing, and why it is doing it. This is important because a lot of the time you will need to spoon-feed developers who don't understand a particular vulnerability. It will also let me know if you are bsing or not.
I don’t have any advice but following the thread. I had a question for you though. What type of roles did you get at Reddit and AMZ? I am currently working for an MSSP and trying to move into larger tech and specialized roles in security.
AMZ offer is red team; DM me if you’d like specifics. Re: MSSP, been there. Luckily I did highly specialized work in the MSSP world, it made the exit much easier. Some advice:
- If you’re currently in a SOC or similar role, take projects outside normal scope.
- Volunteer for work that will bolster your domain expertise, put it on your resume.
- Hire a resume writer who specializes in ATS optimization. Tailor your resume to highlight duties and accomplishments that align with your desired role.
- Get referrals. Ask former coworkers or even ask people on Blind!
- Ask for a title that aligns with your preferred domain, like “Hunt Team Analyst” instead of “Security Analyst”. Despite working for a relatively well-known and arguably prestigious startup, I am getting fewer callbacks with a generalist title as my most recent resume item, so titles matter.