Interview Questions

Practicing responses to common interview questions helps build confidence, enabling you to respond effectively even in high-pressure situations. This preparation ensures that you can articulate your thoughts clearly, providing evidence of your abilities and making a strong case for why you are the ideal candidate for the job.

General questions

Can you talk a bit about yourself?

The goal of this question is to see if you are a good fit for the role and company. Do not tell your whole life story, recite your resume, or talk in detail about your hobbies. Say how you can solve the company’s problems and why you are a good fit.

Why do you want to work here?

Always do your research about the company before the interview. NEVER ask what the company does…

Why do you want to leave your current job?

Do not talk badly about your current employer, as the interviewer will assume you would say the same about them when you leave. Stay positive, saying you are ready for new challenges.

Tell me about one of your greatest achievements or a time you were proud of yourself?

What is something about yourself you need to improve / work on?

Salary expectations

Companies determine wage ranges based on the local market for similar types of roles (from wage survey data for industry groups), the cost of living in the area, and internal equity (what they are currently paying employees in this role). Understand whether the company is a pay lagger (low end of the market, lots of turnover) or a pay leader (wants the best talent). Salary bands have a low, a mid, and a high point. Usually companies target getting people in the middle of the band. It varies by industry and company (e.g. non-profit organizations pay less, and large and small companies pay differently).

Know what the market is paying – go on Salary.com, Glassdoor, Payscale, and Comparably to look at base compensation (look for “Penetration Tester” or “Ethical Hacker”). LinkedIn and Indeed are often way off.

💡 If you do not get that question: the interviewer may not think you are a good fit for the company or just forgot. It is appropriate to bring it up only at the end if it was not addressed.

Technical questions

What tools do you use during a penetration test?

How would you approach a penetration test on a web application? What tests would you do?

Enumerate the technologies in use, discover content on the website using gobuster, and check critical functionality such as file upload, login, and e-commerce flows.

Difference between CSRF and XSS.

CSRF is a server-side attack, while XSS happens on the client side.

Can an XSS be found in a GET or POST request?

Both GET and POST can be used. POST would be used to store the XSS (stored XSS).

How can you detect a SQLi if there is no feedback or errors?

Use a time-based technique: inject a sleep/delay command and check whether the response takes measurably longer.
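As an added defensive illustration (this is not code from the original page): the same delay primitives an interviewer expects you to name for time-based blind SQLi are what a blue team hunts for in web access logs. The log lines, the trailing millisecond response-time field, and the function name are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format plus a trailing
# response time in milliseconds); they are not taken from the original page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:01:02 +0000] "GET /product?id=42 HTTP/1.1" 200 512 37
203.0.113.7 - - [10/Mar/2024:10:01:09 +0000] "GET /product?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512 5041
203.0.113.7 - - [10/Mar/2024:10:01:15 +0000] "GET /product?id=42';WAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1" 200 512 5007
198.51.100.9 - - [10/Mar/2024:10:02:00 +0000] "GET /search?q=sleeping+bag HTTP/1.1" 200 2048 41
203.0.113.7 - - [10/Mar/2024:10:02:30 +0000] "GET /product?id=42)%20and%20pg_sleep(0.1)-- HTTP/1.1" 200 512 143
"""

# Delay primitives commonly seen in time-based blind SQLi probes. Function names
# must be followed by "(" so that ordinary words such as "sleeping" do not match.
DELAY_PATTERNS = {
    "mysql_sleep": re.compile(r"\bsleep\s*\(", re.I),
    "mysql_benchmark": re.compile(r"\bbenchmark\s*\(", re.I),
    "mssql_waitfor": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "postgres_pg_sleep": re.compile(r"\bpg_sleep\s*\(", re.I),
}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+ (?P<ms>\d+)$"
)

def find_time_based_sqli(log_text, slow_ms=4000):
    """Return (ip, primitive, confidence, decoded_target) for each request
    whose decoded URL contains a delay primitive. Confidence is 'high' when
    the server also took at least slow_ms to answer, i.e. the delay ran."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        decoded = unquote_plus(m["target"])  # %20 and + both become spaces
        for name, pattern in DELAY_PATTERNS.items():
            if pattern.search(decoded):
                confidence = "high" if int(m["ms"]) >= slow_ms else "suspicious"
                findings.append((m["ip"], name, confidence, decoded))
                break  # one finding per request is enough
    return findings

if __name__ == "__main__":
    for finding in find_time_based_sqli(SAMPLE_LOG):
        print(*finding)
```

The response-time field is what turns a keyword hit into a high-confidence finding: a delay keyword that did not actually slow the server down is only suspicious, while a keyword plus a multi-second response means the injected SQL executed.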

Given an infrastructure diagram, how would you move laterally or elevate privileges?

It depends on the open ports and the infrastructure diagram given. Examples: Juicy Potato, evil-winrm (port 5985), SCF files, etc.

Are you familiar with the OWASP Top 10?

From 2021: Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Security Logging and Monitoring Failures, Server-Side Request Forgery (SSRF)

Following up after the interview

If the interviewer said he/she would get back to you by a certain date and did not, it is fine to follow up one day after that date. If you still do not get a response, wait one week and follow up again.

Title: Follow Up on Penetration Tester interview

Hi <name>,

Last week we spoke on the role of Penetration Tester. I am following up on the status of my interview. Have any decisions been made? I’d like to reiterate my interest in the role and feel I could add value to your team!

Best Regards,

<your name>