30 security engineer interview questions that actually work.
Pulled from the Neuroworx item bank: nine years of calibration against twelve-month performance outcomes on 14,083 security engineers. Sorted by stage (screen, assessment, on-site) and level (IC1 to IC5). Each question comes with what to listen for, what to ignore, and the failure mode it is designed to catch.
30 questions · 4 stages · 5 levels · 14k hires of validity data
Stage 01 · Screen
Twelve minutes. Ten questions.
The screening conversation. Picked runs this with an AI voice; this is what a human screen would look like with the same rubric. Time-box hard. 60 seconds per answer.
10 questions
01
Tell me about the last threat model you ran. Who was in the room and what came out of it?
threat modelling · specificity
Listen for
A specific product surface, the team present, a ranked list of risks, a follow-up the team owned.
Ignore
"We do threat modelling on everything." Generalities.
catches · Engineers who treat threat modelling as a workshop format, not a practice.
02
When did you last decide not to block a shipping team?
judgement · pragmatism
Listen for
A specific risk, the compensating control they accepted, the named owner of the residual risk.
Ignore
"Security is always a partner." A platitude.
catches · Engineers who only have stories about blocking.
03
Tell me about a policy you wrote that survived a real incident.
policy · craft
Listen for
A specific policy, the incident that tested it, the line that held. They name the change they made after.
Ignore
A policy library lifted from a vendor.
catches · Cannot point to a policy they have authored.
04
Describe an audit your team failed. What did you do?
comms · honesty
Listen for
A real finding, the root cause, the change they shipped. The way they wrote it up.
Ignore
"We have always passed our audits." Either a lie or no real audits.
catches · Engineers who externalise audit failures.
05
Walk me through a bug bounty report you triaged.
triage · curiosity
Listen for
A specific report, the way they confirmed it, the severity call, the fix. They name the researcher.
Ignore
A generic answer about bug bounty programmes.
catches · Engineers who have never sat with an external report.
06
How do you decide what to detect and what to accept?
risk · judgement
Listen for
A real frame. The thing they monitor because it is cheap. The thing they accept because the control is expensive.
Ignore
"We detect everything." Pager-fatigue answer.
catches · Engineers who cannot describe their accepted risks.
07
What is a security tool in your stack you would rip out?
taste
Listen for
A named tool, a specific failure mode (noise, blind spot, licence cost). What they would replace it with.
Ignore
A complaint about SIEM in the abstract.
catches · Cannot hold an opinion on their own tooling.
08
Tell me about a developer relationship you rebuilt after a friction point.
comms
Listen for
A specific team, the friction, the change they made on their side, the new working pattern.
Ignore
"Developers all love us." A red flag.
catches · Engineers who externalise every cross-team problem.
09
How do you keep up with relevant threats without drowning in feeds?
curiosity · operating
Listen for
A short, named list of sources. A cadence. A filter that protects their attention.
Ignore
"I read everything." Untrue.
catches · Engineers who chase every CVE.
10
One thing you want from the next security team you join that you did not have last time.
stage fit
Listen for
A specific something. A budget line. A reporting line. A particular product partner.
Ignore
"A more mature programme." Vague.
catches · Engineers who are not sure why they are leaving.
Stage 02 · Role-fit assessment
A scoped task. A scored rubric.
One realistic task. We score the writeup, not the polish. The candidate has the take-home equivalent of 60 minutes.
8 questions
01
Threat model the following product (3 pages of spec). Give me the top five risks ranked and the first control you would ask the team to implement.
threat modelling · IC2+
Listen for
A ranked list with reasoning. A first control that is cheap enough to actually land. They name the risks they are accepting.
Ignore
A STRIDE flow chart with no ranking.
catches · Engineers who hand back twenty undifferentiated risks.
02
Here is a 200-line auth service from a real codebase. Find three issues and tell me which to fix this week.
code review · IC2+
Listen for
Real issues. A defensible call on which to fix first. They name what they would not fix and why.
Ignore
A long list of style nits.
catches · Reviewers who cannot prioritise.
03
A team wants to ship a feature on Friday that fails one of your controls. Walk me through how you handle it. 30 minutes max.
operating · IC3+
Listen for
A real conversation. The compensating control they accept. The follow-up owner. The clear deadline.
Ignore
A blanket "we block the deploy" answer.
catches · Engineers who treat every exception as the same risk.
04
Read this 3-page incident postmortem and write three questions you would ask the author plus one action item you would push back on.
judgement · IC3+
Listen for
Questions that engage with the timeline. A push-back on a theatrical action item.
Ignore
Style edits.
catches · Engineers who cannot critique a postmortem.
05
We are about to onboard a new SaaS vendor that processes PII. Sketch your review and the three questions you would refuse to skip.
vendor review · IC2+
Listen for
A real review. The three questions that catch the things checklists miss (data flow, sub-processors, breach history).
Ignore
A SOC 2 report request and nothing else.
catches · Engineers who outsource judgement to compliance docs.
06
Take this real PR for a public-facing endpoint. Approve, request changes, or block. Write the review.
code review · IC2+
Listen for
Substantive comments. They reach for the design choice, not the missing semicolon.
Ignore
Volume without signal.
catches · Reviewers who cannot prioritise.
07
Write the runbook for a credential-leak alert in the system from question 1.
operability · IC3+
Listen for
A 3am-readable runbook. Specific signals, specific containment, a clear decision tree.
Ignore
A generic incident-response template.
catches · Engineers who can build but cannot operate.
08
In 200 words: why might the top risk from question 1 be wrong, and what risk did you under-rate?
humility · IC4+
Listen for
Genuine engagement with an alternative ranking. A real "I might have under-rated X".
Ignore
A defence of the original ranking.
catches · Engineers without perspective on their own threat models.
Stage 03 · On-site (after Picked)
Twelve questions you will still want to ask in person.
Picked screens, scores, and shortlists. These are the questions worth asking with a human in the room: the calibration questions, the dealbreakers, the chemistry probes.
12 questions
01
Where in the work do you want to grow this year?
growth · manager fit
Listen for
A specific gap, a plan, a person they would learn from.
Ignore
"I want to be a staff security engineer." Title-laddering.
catches · Engineers without a learning agenda.
02
Tell me about a time you disagreed with a CISO or security lead. What happened?
authority · manager fit
Listen for
A real disagreement, the mechanics of it, what they took from it.
Ignore
"I always agree with the security lead." A worrying answer.
catches · Engineers who cannot hold opinions in the face of authority.
03
What is the most uncomfortable feedback you have received and what did you do with it?
self-awareness
Listen for
A specific piece of feedback, the change they made, the thing they still wrestle with.
Ignore
"I take feedback well." Tells us nothing.
catches · Defended self-narrative.
04
Walk me through a control you wish you had retired sooner.
judgement · operating
Listen for
A real control. The reason it kept its place. The cost of keeping it.
Ignore
"We retire controls all the time." Vague.
catches · Engineers who add controls without removing any.
05
What is a strong security opinion you have changed in the last year?
intellectual humility
Listen for
A specific opinion, what changed it, the new practice they adopted.
Ignore
"My mind is always open."
catches · Closed-loop thinkers.
06
Pick two security engineers you admire from your last role. What do they do differently?
taste
Listen for
Concrete habits. The ones they adopted. The ones they did not.
Ignore
Pure praise.
catches · Engineers without taste for other engineers.
07
Tell me the last technical thing you read outside your job.
curiosity
Listen for
A specific disclosure post, paper, or talk. What they thought about it.
Ignore
A book they mean to finish.
catches · Engineers who do not read outside their stack.
08
When are you most useful to a product team?
operating model
Listen for
A self-aware answer. They name the meetings they show up to, the format they bring.
Ignore
"I am useful any time."
catches · Engineers without self-instrumentation.
09
Where would you rather be in three years, deeper IC or programme lead?
career · retention
Listen for
A direction and a reason. Honesty about the uncertainty.
Ignore
"Wherever the company needs me."
catches · Drifting engineers.
10
If you join, what would your first week look like?
agency · onboarding
Listen for
A specific plan. Often: read the last three incidents, sit with one product team, run one threat model.
Ignore
"Whatever you suggest."
catches · Engineers without an onboarding instinct.
11
What would make you leave us within six months?
dealbreaker
Listen for
A specific irritant. A reporting line that defangs the role. A budget pattern that blocks you.
Ignore
"As long as the work is good."
catches · Hidden dealbreakers, surfaced post-offer.
12
What would you want to ask our most frustrated product engineer about security?
probing · curiosity
Listen for
A real question, often about the friction in their day. "Which of our controls slows you down most?"
Ignore
A softball.
catches · Candidates who do not want to know what is wrong with the programme.
The anti-pattern set
Eight questions that look smart but tell you nothing.
"What is your biggest weakness?"
You will get a strength-shaped weakness. We have asked this 47,000 times. It catches no-one. Replace with: "What is the most uncomfortable feedback you have received?".
"Where do you see yourself in five years?"
Either a rehearsed answer or a stalled one. Both useless. Replace with: "Where would you want to be in three years?"
"Tell me about yourself."
Wastes the first three minutes on the CV they already gave you. Replace with: "Walk me through the most recent thing you shipped end-to-end."
"Why this company?"
Generates polished mission-talk. Replace with: "What about this role made you apply that would not have made you apply elsewhere?"
"Are you a team player?"
No-one says no. Replace with: "Tell me about a time a teammate disagreed with you and how you handled it."
"How do you handle stress?"
No-one says badly. Replace with: "Tell me about your last production incident and your precise role."
"How would you reverse a linked list?"
Probes nothing we care about. We removed it from the bank in 2019. Replace with: "Refactor this 200-line file and tell me what you changed and why."
"If you were an animal, which animal would you be?"
You know what we are going to say. Replace with: anything else.
Or, let us ask. We will ask these for you. By Friday.
Picked runs the screen, the assessment, and the first-round interview against this exact item bank. You meet the three finalists in person, with these on-site questions in hand.
$0.99 per AI-vetted candidate. First 50 free.