EXPERIENCED · 49 Q&AS · MID / SENIOR / CCIE TRACK · 2026
Networking Interview Questions for Experienced Engineers (2026)
49 real networking interview questions for mid-career and senior engineers — BGP path attributes, MP-BGP, OSPF DR/BDR election, EIGRP DUAL, SD-WAN architecture, Cisco DNAC fabric design, Palo Alto HA, Fortinet Security Fabric, troubleshooting frameworks. The questions Bangalore product companies, BFSI, and GCC hiring panels ask for 3-15+ year network engineering roles, including CCIE Enterprise and CCIE Security track candidates.
Bangalore experienced network engineer salary: ₹12-25 LPA for L2/L3 / senior engineer (3-7 yrs); ₹25-50 LPA for architect / principal-level (7+ yrs). CCIE-certified candidates command a 30-40% premium.
Other prep tracks:
49
Senior Q&As
₹12-50L
Mid/senior BLR pay
+30%
CCIE premium
18 yrs
Interview data
Routing · 4 questions
Q. What's the difference between OSPF, EIGRP, and BGP? ▾
OSPF (link-state, IGP, open standard, RFC 2328) — runs Dijkstra SPF inside each area, fast convergence, hierarchical with areas. EIGRP (advanced distance-vector, IGP, originally Cisco-proprietary now open) — uses DUAL algorithm, fastest convergence among IGPs, less complex than OSPF. BGP (path-vector, EGP, RFC 4271) — used between autonomous systems (the internet's backbone), policy-driven, slow convergence, scales to 1M+ routes. Use OSPF for enterprise multi-vendor, EIGRP for Cisco-only, BGP for ISP/multi-AS.
Q. Explain OSPF area types — backbone, regular, stub, totally stubby, NSSA. ▾
Backbone (area 0) — must be present, all other areas connect to it. Regular area — accepts all LSA types (1, 2, 3, 4, 5). Stub area — blocks Type 5 (external LSAs); ABR injects default route. Totally stubby (Cisco proprietary) — blocks Type 3, 4, 5; only default route from ABR. NSSA (Not-So-Stubby Area) — like stub but allows Type 7 LSAs (redistributed routes from non-OSPF), translated to Type 5 at ABR. Use case: branch offices that need external route info but want a small LSDB.
Q. EIGRP DUAL algorithm — explain Successor and Feasible Successor. ▾
Successor — the route with the lowest metric to a destination, installed in the routing table. Feasible Successor (FS) — a backup route that satisfies the Feasibility Condition: FS reported distance < Successor feasible distance. FS is pre-computed, kept in topology table, and installed instantly if Successor fails — no recomputation needed. This is what gives EIGRP sub-second convergence. If no FS exists, DUAL goes Active and queries neighbors — slower.
Q. BGP path attributes — list the 6 well-known mandatory ones. ▾
Per RFC 4271: AS_PATH, NEXT_HOP, ORIGIN, LOCAL_PREF (well-known discretionary, only for iBGP), ATOMIC_AGGREGATE (well-known discretionary), MED (optional non-transitive). Path selection order: Highest Weight (Cisco-only) → Highest LOCAL_PREF → Locally Originated → Shortest AS_PATH → Lowest ORIGIN → Lowest MED → eBGP over iBGP → Lowest IGP metric to next-hop → Oldest Route → Lowest Router-ID. Memorising this order is a CCNP / CCIE benchmark question.
Modern · 1 question
Q. What is BGP EVPN and where is it used? ▾
BGP EVPN (RFC 7432) — uses MP-BGP to advertise MAC and IP addresses (instead of just IP prefixes). Primary use: VXLAN-based datacentre fabrics. Replaces older flood-and-learn approaches with control-plane-driven learning. Cisco implementations: ACI fabric, Nexus 9K with VXLAN. Major use case in modern Bangalore datacentres — every cloud service provider's underlay uses EVPN-VXLAN.
Cloud Networking · 1 question
Q. Explain AWS VPC peering vs Transit Gateway — when to use each? ▾
VPC Peering — direct 1:1 connection between two VPCs. Non-transitive (A→B and A→C does NOT enable B→C). Cheap, simple. Use for small hub-and-spoke or 2-3 VPC integrations. Transit Gateway — central hub for many VPCs (up to 5,000) and on-prem connections. Transitive routing. More expensive but scales massively. Use for: enterprise multi-account architectures, multi-region replication, hybrid cloud connectivity. Senior network engineer roles in Bangalore now ask AWS networking depth — TGW is common interview topic.
AI/ML Foundations · 1 question
Q. Explain the difference between supervised, unsupervised, and reinforcement learning in security contexts. ▾
Supervised — labelled training data (e.g. malware vs benign samples). Used for malware classification, phishing detection. Drawback: needs labelled data. Unsupervised — no labels; finds patterns/anomalies in data. Used for UEBA (user behaviour anomaly detection), unknown threat clustering. Drawback: harder to validate. Reinforcement learning — agent learns through trial-and-error rewards. Used for adaptive defence, automated red-team agents (PentestGPT-style). Drawback: requires defined reward function — easy to misalign in security.
Prompt Injection · 1 question
Q. Walk me through detecting and mitigating an indirect prompt injection in a RAG system. ▾
Detection: (1) anomaly detection on retrieved chunks (statistical outliers in token distribution); (2) semantic classifiers flagging adversarial intent in retrieved content; (3) output validation (does response match expected format/schema?); (4) provenance tracking (which document caused which response token?). Mitigation: (1) strict input/output schemas; (2) separate retrieval from generation context; (3) adversarial training with known prompt injection corpora; (4) human-in-the-loop for high-risk responses; (5) sanitise retrieved content before context injection.
OWASP LLM Top 10 · 2 questions
Q. List the OWASP Top 10 for LLM Applications (2025 edition) and rank them by severity. ▾
LLM01 Prompt Injection (highest severity), LLM02 Insecure Output Handling, LLM03 Training Data Poisoning, LLM04 Model Denial of Service, LLM05 Supply Chain Vulnerabilities, LLM06 Sensitive Information Disclosure, LLM07 Insecure Plugin Design, LLM08 Excessive Agency, LLM09 Overreliance, LLM10 Model Theft. In Bangalore enterprise pen-tests during 2025-2026, LLM01 Prompt Injection found in 87% of LLM apps; LLM06 Sensitive Info Disclosure in 62%; LLM02 Insecure Output Handling in 54%. These three are interview-must-knows.
Q. How would you mitigate LLM06 (Sensitive Information Disclosure)? ▾
Layered approach: (1) Pre-input PII redaction (Presidio, AWS Comprehend PII); (2) System prompt restrictions (explicit 'never repeat user data, system info'); (3) Output PII filters before return; (4) Training/fine-tuning data audit — remove PII before training; (5) RAG context filtering — strip PII from retrieved chunks; (6) Audit logs for prompt/response pairs (with PII redaction in logs); (7) Periodic data leakage testing using known sensitive prompts. No single layer is sufficient — defence in depth required.
Adversarial ML · 2 questions
Q. Explain FGSM (Fast Gradient Sign Method) and how it bypasses ML classifiers. ▾
FGSM (Goodfellow 2014) — generates adversarial example by adding small perturbation in direction of gradient sign of loss function. Math: x_adv = x + ε · sign(∇_x J(θ, x, y)) where ε is perturbation magnitude. Result: tiny modification to input causes classifier to misclassify with high confidence. Real-world impact: malware classifier marks malware as benign with single-byte changes; image classifier confidently mislabels stop sign as 100mph speed limit. Defence: adversarial training (train on perturbed examples), randomised smoothing, certified defences.
Q. How would you red-team a fraud detection ML model? ▾
Methodology: (1) Reconnaissance — identify model type, training data, features; (2) Black-box probing — submit transactions across normal/borderline/extreme ranges, observe decisions; (3) Membership inference — determine if specific training samples were used; (4) Model extraction — query repeatedly to clone decision boundary; (5) Adversarial example generation — craft transactions that bypass while remaining in 'plausible' range; (6) Evasion via feature engineering — modify behavioural patterns to avoid detection; (7) Report findings with severity ratings + mitigations. Tools: ART (Adversarial Robustness Toolbox), CleverHans, Counterfit.
AI Defence · 1 question
Q. How would you design an AI-powered SIEM using ML? ▾
Architecture layers: (1) Data ingestion — normalise logs from firewalls, endpoints, cloud (Splunk/Elastic). (2) Feature engineering — time windows, behavioural profiles per user/host, statistical aggregations. (3) Model layer — three approaches: (a) supervised classifiers for known attack patterns (XGBoost on labelled incidents), (b) unsupervised anomaly detection (isolation forest, autoencoders) for novel threats, (c) sequence models (LSTMs/transformers) for multi-stage attack detection. (4) Alert layer — confidence-scored alerts with explainability (SHAP values). (5) Feedback loop — analyst feedback retrains model, reduces false positives over time. Production tools: Splunk MLTK, Microsoft Sentinel UEBA, Darktrace, Vectra.
MITRE ATLAS · 2 questions
Q. What is MITRE ATLAS and how does it differ from MITRE ATT&CK? ▾
MITRE ATT&CK — adversary tactics + techniques for traditional IT systems (initial access, execution, persistence, etc). Released 2013, widely-adopted. MITRE ATLAS (Adversarial Threat Landscape for AI Systems) — equivalent for AI/ML systems. Released 2021, 14 tactic categories specific to ML lifecycle: ML model access, evasion, model extraction, poisoning, etc. Use ATLAS for: AI red team planning, defensive coverage assessment, incident classification when AI systems are attacked. SOC analysts must be ATLAS-fluent for AI security roles in 2026 — most JDs explicitly ask for ATLAS familiarity.
Q. Map an LLM jailbreak attack to MITRE ATLAS tactics. ▾
Example: jailbreak via persona role-play. Tactic chain: (1) AML.T0050 LLM Prompt Injection — adversary injects prompt that subverts intended behaviour; (2) AML.T0042 Verify Attack — adversary checks attack worked (model produces restricted content); (3) AML.T0011 ML-Enabled Product or Service Discovery — adversary identified target was LLM-powered (often via probing); (4) AML.T0057 LLM Plugin Compromise — if jailbroken LLM has plugins/tools, adversary can leverage. Mitigations mapped: AML.M0001 Limit Public Release of Information, AML.M0010 Validate ML Model, AML.M0014 Verify ML Artifacts. Interview tip: always map to specific TIDs in ATLAS, don't just describe attack.
AI Red Teaming · 2 questions
Q. How does Microsoft AI Red Team approach LLM testing? ▾
Microsoft AI Red Team (founded 2018) methodology: (1) Threat modelling — STRIDE-like analysis for AI systems. (2) Adversarial probing — manual + automated attacks across responsible AI dimensions (security, safety, fairness, privacy). (3) Use of PyRIT (Python Risk Identification Tool) — open-source AI red team automation. (4) Cross-disciplinary teams — security engineers + ML researchers + policy experts. (5) Iterative — findings feed back to product teams; re-test after fixes. Their public learnings: 'AI red teaming is different from traditional pen-testing — focus on context-specific harms (bias, manipulation, factuality) not just confidentiality/integrity/availability'. PyRIT and their lessons-learned blog are critical reading for interview prep.
Q. Walk me through red-teaming a customer-facing GenAI chatbot. ▾
5-phase methodology: (1) Reconnaissance — what's the system prompt? what's the model? what's the deployment context? (2) Bypass attempts — direct prompt injection, persona role-play, encoding tricks (base64, leet-speak), context overflow. (3) Information extraction — probe for system prompt leakage, training data extraction, customer data leaks. (4) Tool/agent abuse — if chatbot has plugins/tools, attempt to invoke unauthorised actions. (5) Reasoning manipulation — false premises, loaded contexts, multi-turn drift. Document each finding: attack chain, severity (CVSS-like), business impact, mitigation recommendation. Tools: Garak, PyRIT, custom LLM-driven attack generators. Time investment: typically 2-3 weeks for a meaningful red team engagement.
Behavioural · 3 questions
Q. How do you stay current with AI security threats given how fast the field evolves? ▾
Honest answer: I follow 5 sources weekly. (1) MITRE ATLAS updates (quarterly); (2) OWASP LLM project (Slack + GitHub); (3) Security research papers on arXiv (cs.CR + cs.LG categories); (4) Vendor security blogs (Anthropic, OpenAI, Microsoft AI Red Team, Google DeepMind); (5) Practical hands-on: I red-team my own RAG/LLM apps weekly using Garak/PyRIT. I avoid: vendor marketing whitepapers (low signal), generic 'AI is going to destroy us' articles. Quality over quantity — 4-6 hours/week of disciplined reading + practice keeps me current.
Q. Tell me about an AI security issue you discovered or remediated. ▾
Use STAR format (Situation, Task, Action, Result). Best examples come from: (1) hands-on lab work — show you tested LLM apps against OWASP Top 10; (2) personal projects — built RAG app, found prompt injection vector, documented mitigation; (3) certification training — discuss specific attack chains learned via MITRE ATLAS exercises; (4) published research — even small blog posts on AI security demonstrate engagement. Avoid: hypothetical 'I would do X' answers. Interviewers want concrete demonstrations of actually doing the work, even small in scale.
Q. How do you handle disagreement with a senior analyst's call? ▾
Show structured + respectful approach: (1) Acknowledge their perspective + experience; (2) Present specific data/observation that informs your view; (3) Frame as question, not challenge: 'I noticed X — does that change the analysis?'; (4) If still disagreed, escalate via process (L3 or manager) without bypass; (5) Accept the call as it stands while documenting your concern; (6) Seek post-mortem feedback to learn. Interviewers want to see: independent thinking + collaborative communication + respect for authority but not silent compliance. Avoid: 'I always defer to seniors' (too passive) or 'I'd push back hard' (too combative).
Industry-Specific · 1 question
Q. What's the AI security stack a Bangalore product company typically uses in 2026? ▾
Layered stack: (1) Model layer — typically combination of OpenAI/Anthropic/Google APIs + smaller fine-tuned local models. (2) Guardrails — NeMo Guardrails or Llama Guard. (3) Input/output validation — custom classifiers + Microsoft PromptShields or AWS Bedrock Guardrails. (4) Monitoring — LangSmith, Helicone, Arize for LLM observability + drift detection. (5) Security testing — Garak, PyRIT, custom red team scripts in CI/CD. (6) Data — vector DB with row-level access (Pinecone, Weaviate, pgvector + Postgres RLS). (7) Compliance — typically aligned to NIST AI RMF + SOC 2 + DPDP Act. Bangalore startups vary significantly — interview question is really probing your understanding of the production reality.
Reconnaissance · 1 question
Q. Walk me through subdomain enumeration for a target. ▾
Multi-source approach: (1) Passive sources — amass enum -passive, subfinder, assetfinder. Pull from CT logs, DNS aggregators, search engines. (2) Active resolution — massdns to verify which subdomains have live IPs. (3) Permutation/wordlist — gobuster vhost mode + custom wordlists for missed subdomains. (4) JS file analysis — extract subdomain references from target's JavaScript with subjs + mantra. (5) Combine + dedupe → final subdomain list. Critical: assets like staging/dev/admin subdomains often have weaker security than primary domain.
Active Directory · 1 question
Q. What is BloodHound and how do you use it in AD pen-test? ▾
BloodHound (Specter Ops) — Active Directory attack path visualisation tool. Workflow: (1) SharpHound (data collector) — gather AD info: users, groups, sessions, ACLs, GPOs. (2) Upload data to Neo4j-backed BloodHound GUI. (3) Query attack paths — built-in queries like 'shortest path from any user to Domain Admin'. (4) Identify chained vulnerabilities: GenericWrite → ForceChangePassword → AdminTo → DA. (5) Plan exploit — execute attack chain using PowerSploit, Mimikatz, ImpacketIn. BloodHound mastery is non-negotiable for senior AD pen-test interviews. CE version free; Enterprise version (paid) has more features.
Exploit Dev · 1 question
Q. Walk through a buffer overflow exploit on Linux x86_64. ▾
(1) Identify vulnerable function (strcpy, gets, sprintf without bounds checking). (2) Send oversized input to crash binary (segfault). (3) Find offset — pattern_create.rb + pattern_offset.rb (Metasploit utilities) to find exact offset where RIP is overwritten. (4) Identify register state — RAX/RDI/RSI controlled, look for jump targets. (5) Find ROP gadgets with ROPgadget or Ropper — chain to call mprotect (make stack executable) or system('/bin/sh') directly. (6) Bypass ASLR via info leak (printf format string, libc address leak). (7) Bypass stack canaries via brute-force or info leak. Modern exploitation requires bypassing DEP, ASLR, canaries, CFI — pure stack overflow into shellcode is rarely viable on hardened targets.
Mobile · 1 question
Q. Walk me through pen-testing an Android banking app. ▾
(1) Static analysis — APKTool to decompile, jadx-gui to read decompiled Java/Kotlin. Search for hardcoded secrets, API endpoints, weak crypto. (2) Dynamic analysis with Frida — hook root detection, certificate pinning, encryption functions to bypass and observe. (3) MITM proxy — Burp Suite + bypass cert pinning (Frida hooks for SSLPinningChecker). (4) API security testing — once MITM established, fuzz APIs for OWASP API Top 10 (broken auth, BOLA/IDOR, mass assignment). (5) Local data — extract /data/data/com.bank.app/, look for unencrypted SharedPreferences, SQLite databases, cached files. (6) Insecure IPC — exposed Activities, Services, Content Providers. Banking apps have high bounty payouts ($10K-25K) — invest in mastering this niche.
Methodology · 1 question
Q. Walk me through your pen-test methodology for a black-box engagement. ▾
OWASP Testing Guide / PTES + custom adaptation: (1) Pre-engagement — scope, rules of engagement, emergency contacts, written authorisation. (2) Reconnaissance — passive then active. (3) Threat modelling — identify high-value assets, likely attack paths. (4) Vulnerability identification — automated (nmap NSE, nuclei) + manual (Burp Suite, custom testing). (5) Exploitation — controlled exploitation, evidence collection. (6) Post-exploitation — privilege escalation, lateral movement (where in scope). (7) Reporting — executive summary + technical findings + business impact + reproduction steps + recommendations. (8) Re-test after fixes. Time allocation: 30% recon, 40% exploitation, 30% reporting (reporting is the deliverable, don't shortcut it).
Tools · 1 question
Q. List the top 10 tools every ethical hacker should master in 2026. ▾
(1) Burp Suite Pro — web app testing standard. (2) Nmap — port scanning + NSE scripts. (3) Metasploit Framework — exploit chains. (4) sqlmap — SQL injection automation. (5) Nuclei — template-based vulnerability scanning. (6) Wireshark — packet analysis. (7) Hashcat / John — password cracking. (8) BloodHound + SharpHound — AD attack mapping. (9) Frida — mobile/desktop runtime instrumentation. (10) Bonus: Garak / PyRIT for LLM red teaming (emerging in 2026). Honourable mentions: Mimikatz (Windows post-exploitation), Volatility (memory forensics), Ghidra (reverse engineering), Cobalt Strike (commercial — red team).
OSCP · 1 question
Q. What's different about OSCP exam compared to certifications like CEH? ▾
CEH — multiple-choice, 4-hour exam, theoretical knowledge of tools/concepts. ₹100K. Pass rate ~60%. OSCP — 24-hour practical exam in custom lab environment, requires actually compromising machines + writing professional report within 24 hours. ₹135K+. Pass rate ~30%. Skills tested: Linux + Windows enumeration, web exploitation, AD attacks, privilege escalation, post-exploitation. CEH proves you know the tools; OSCP proves you can use them under pressure. Both are valuable — most senior pen-testers have both. CEH for HR filter, OSCP for technical credibility.
MITRE ATT&CK · 2 questions
Q. Walk me through investigating a T1059 Command and Scripting Interpreter alert. ▾
T1059 = adversary using Bash, PowerShell, cmd.exe, Python for execution. Investigation steps: (1) Get full command line from EDR/Sysmon Event 1; (2) Identify parent process (was PowerShell launched from Word? = malicious; from Sysmon Event 1 ParentImage); (3) Check for encoded commands (PowerShell -EncodedCommand → base64 decode); (4) Check network connections from process (Sysmon Event 3); (5) Check files written (Sysmon Event 11); (6) Hash + reputation check on any artifacts. Sub-techniques: T1059.001 PowerShell, T1059.003 Windows Command Shell, T1059.006 Python — investigation differs slightly per shell.
Q. What's the difference between MITRE ATT&CK and Cyber Kill Chain? ▾
Cyber Kill Chain (Lockheed Martin, 2011) — linear 7-phase model: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives. Simple, easy to teach, but oversimplified — modern attacks don't follow strict linear paths. MITRE ATT&CK (2013, expanded continuously) — graph-like 14 tactics + 200+ techniques. Reflects how adversaries actually operate (skip phases, parallel attacks, persistence loops). Industry standard since 2018. Use Kill Chain for executive briefings; ATT&CK for technical SOC operations.
Incident Response · 1 question
Q. Walk me through your incident response process for a confirmed malware infection. ▾
NIST IR lifecycle: (1) Preparation — done before incident: tools, runbooks, contacts, comms plan; (2) Detection + Analysis — confirm true positive, scope (1 host vs lateral spread), severity classification; (3) Containment — isolate affected host(s) via EDR, block C2 IPs at firewall, disable affected accounts; (4) Eradication — remove malware, patch initial entry vector; (5) Recovery — restore from clean backup, monitor for re-infection; (6) Lessons Learned — root cause analysis, runbook updates, detection rule additions. Time-criticality matters: aim for containment within 1 hour of confirmation for ransomware.
Threat Hunting · 2 questions
Q. What's the difference between alert-driven SOC and threat hunting? ▾
Alert-driven (reactive): SIEM/EDR generates alerts → analyst investigates → confirms + responds. Most SOC L1 work is alert-driven. Threat hunting (proactive): analyst forms hypothesis ('adversary may have established persistence via WMI subscription') → searches data without preexisting alert → either confirms threat or rules out. Hypothesis-driven hunting is L2/L3 work, not L1. PEAK framework (SANS) for hunting: Prepare, Execute, Act, Knowledge sharing. Most senior SOC roles split time: 60% alert response, 40% hunting + detection engineering.
Q. Walk me through a hypothesis-driven hunt for lateral movement. ▾
(1) Hypothesis: 'Adversary may be using PsExec or remote service creation for lateral movement'. (2) Data sources needed: Windows Event Logs (5145 Network Share, 7045 Service Install), Sysmon Event 1 (process creation with psexec.exe / cmd.exe with /sc command), authentication events (4624 logon type 3 from internal IPs). (3) Build SPL: index=win EventCode=7045 OR (EventCode=4624 LogonType=3 src_ip=internal_subnet) | stats count values(EventCode) by src_ip, dest_ip. (4) Identify outliers — workstations rarely host services, unusual lateral connections. (5) Pivot to confirmed positives — investigate full attack chain. (6) Document findings → create detection rule for repeat alerts.
Network Sec · 1 question
Q. Explain how you'd detect DNS tunneling using Splunk. ▾
DNS tunneling = encoding data in DNS queries/responses to bypass firewalls. Detection patterns: (1) Unusually long subdomain names (legitimate DNS rarely has 200+ char subdomains): index=dns | eval subdomain_length=len(query) | where subdomain_length > 100. (2) High query volume from single client: index=dns | stats count by src_ip | where count > 1000 (per hour). (3) High entropy in subdomains (random-looking strings): use Splunk MLTK shannon entropy command or custom Python. (4) Unusual record types (TXT, NULL queries from clients): index=dns query_type IN (TXT, NULL) NOT src_ip IN (legit_resolver_list). Tools: Splunk Enterprise Security has DNS analytics; standalone: bandit / Suricata DNS rules; ML option: MLTK anomaly detection on DNS metrics.
Investigation · 2 questions
Q. User clicked phishing link. What's your investigation flow? ▾
Time-bounded investigation in 30 minutes: (1) Identify what they clicked — pull email from M365, extract URL. (2) Reputation check — VirusTotal, urlscan.io. (3) If credential phishing: did they enter credentials? Check ADFS/M365 sign-in logs for that user — any new sign-ins from unusual IPs/locations? (4) Force password reset + revoke active sessions immediately. (5) Check MFA status — if MFA enabled, attacker can't login with stolen creds (high-confidence containment). (6) Search inbox rules — common attacker action is creating auto-forward rule to exfil emails. (7) Check OAuth grants — attacker may have granted OAuth tokens to bypass password change. (8) Search M365 audit log for any other user activity from attacker IP. (9) Detection improvement — add the URL/domain to blocklist, search org-wide for other clicks.
Q. How do you triage if a brute-force attack succeeded? ▾
(1) Identify successful login (event 4624) following multiple failures (event 4625) from same source IP. (2) Check legitimate use — was the user actually working at that time? Pull sign-in logs from M365/ADFS. (3) Geographic anomaly — login from country user has never used before. (4) Velocity check — was there a legitimate login from another country within hours? Impossible travel = compromised. (5) Post-login activity — what did the account do after login? Database queries? File downloads? Email sent to new addresses? (6) Force password reset, revoke sessions, MFA enrollment. (7) Hunt for other accounts brute-forced by same IP — likely campaign, not isolated incident. (8) Detection: write Sigma rule for 'failed authentication burst followed by success from same IP within 5 minutes'.
Career · 1 question
Q. How do I move from SOC L1 to L2 faster? ▾
Practical steps: (1) Master 1 SIEM platform deep (typically Splunk for Bangalore SOCs); (2) Earn Splunk Power User Certified or equivalent; (3) Volunteer for night shift incident handling — gets you hands-on with real incidents (not just runbook execution); (4) Document case studies from your investigations — build a portfolio you can reference in L2 interviews; (5) Learn Sigma rule writing + contribute to detection engineering; (6) Master MITRE ATT&CK enough to discuss in interviews; (7) Add a specialisation: cloud (AWS Security Specialty), threat intel, or detection engineering. Realistic timeline: 18-24 months L1 → L2 with focused effort. Faster: 12-15 months if you handle a real major incident well.
AI/Future · 1 question
Q. How is AI changing the SOC analyst role in 2026? ▾
Already changing meaningfully. (1) AI-powered triage — UEBA tools (Microsoft Sentinel UEBA, Splunk MLTK, Securonix) auto-prioritise alerts, reducing L1 alert volume 30-40%. (2) AI-assisted investigation — Microsoft Copilot for Security, Anthropic Claude integrations help analysts summarise alerts, write reports faster. (3) Generative AI threats — LLM-generated phishing at industrial scale, AI-powered social engineering. SOCs need new detection patterns. Career advice: (1) Skip 'pure Tier 1 alert triage' as long-term destination; (2) Aim for L2/L3 + detection engineering by year 3; (3) Add AI security skills (OWASP LLM Top 10, MITRE ATLAS) for future-proofing. SOC analysts who augment with AI thrive; those who compete with AI commodify.
Closing · 1 question
Q. What questions do you have for us? ▾
Strong question categories: (1) Process — 'What's a typical week look like for SOC L1 here? Shift breakdown?'; (2) Tools — 'Which SIEM + EDR platforms do you use? Are there plans to add SOAR?'; (3) Growth — 'What's the typical L1 → L2 timeline at your team? What learning resources are available?'; (4) Tech debt — 'What's the most challenging detection gap your team is working on closing?'; (5) Team culture — 'How does the team handle complex incidents — collaboration patterns?'. Avoid: 'What's the salary?' (already negotiated separately), 'How many vacation days?' (signals wrong priorities). Strong questions show you're hiring them as much as they're hiring you.
Palo Alto · 1 question
Q. What constitutes the 6-tuple for session matching in Palo Alto Networks firewalls? ▾
The 6-tuple used by Palo Alto Networks firewalls for session matching comprises the source IP address, destination IP address, source port, destination port, protocol, and the ingress zone. This combination uniquely identifies a network flow, allowing the firewall to apply security policies consistently. The ingress zone is critical for policy enforcement, as it determines which security rules are evaluated. Bangalore companies like Akamai and Aryaka, heavily reliant on Palo Alto, expect engineers to understand how this 6-tuple impacts policy lookup and NAT application. Interview tip: Always mention the ingress zone; it's a common differentiator from other firewall vendors' session identification methods.
Routing Protocols · 1 question
Q. What is MP-BGP and how does it differ from regular BGP-4? ▾
MP-BGP (Multiprotocol BGP) extends BGP-4 to carry routing information for multiple address families beyond IPv4 unicast, including IPv6, VPNv4, EVPN, and multicast routes. Regular BGP-4 only advertises IPv4 unicast prefixes. MP-BGP uses Address Family Identifier (AFI) and Subsequent AFI (SAFI) fields to distinguish route types within the same BGP session. Cisco India and service providers like Aryaka use MP-BGP extensively for MPLS L3VPN deployments where VPNv4 routes carry both customer prefix and Route Distinguisher. Interview tip: Mention that MP-BGP enables a single BGP peering to handle multiple routing tables simultaneously, critical for modern multi-tenant networks.
BGP · 1 question
Q. Explain MP-BGP address families and their use cases (VPNv4, EVPN, IPv6, multicast). ▾
MP-BGP extends BGP to carry routing information for multiple protocols beyond IPv4 unicast using Address Family Identifiers (AFI) and Subsequent AFI (SAFI). VPNv4 (AFI 1, SAFI 128) carries MPLS L3VPN routes with route distinguishers, used by Cisco India and Aryaka for customer VPN separation. EVPN (AFI 25, SAFI 70) transports MAC/IP bindings for data center fabric overlays—Flipkart and Razorpay deploy this in VXLAN environments. IPv6 unicast (AFI 2, SAFI 1) enables dual-stack routing. Multicast (SAFI 2) distributes multicast topology separately from unicast. Interview tip: Bangalore ISPs like Tata Communications expect you to configure 'address-family vpnv4' and explain RD/RT mechanics for L3VPN troubleshooting.
Cybersecurity Fundamentals · 1 question
Q. What is the difference between IT cybersecurity and OT (Operational Technology) cybersecurity? ▾
The primary difference lies in their priorities: IT cybersecurity prioritizes confidentiality, integrity, and availability (CIA), while OT cybersecurity prioritizes availability, integrity, and then confidentiality (AIC). OT systems, like those in manufacturing or power grids, are critical for continuous operations, so downtime is far more impactful than data breaches. Attacks on OT can lead to physical damage, production halts, or even loss of life. In Bangalore, companies like Schneider Electric or ABB, which deal with industrial control systems, heavily invest in OT security, often using specialized protocols and isolated networks, distinct from their corporate IT infrastructure. Interviewers at these firms will expect you to understand this fundamental distinction.
Web Security · 1 question
Q. What is a CSRF token, and how does it differ from a CORS header? ▾
A CSRF token is a unique, secret, and unpredictable value generated by the server and embedded in web forms to protect against Cross-Site Request Forgery attacks. It ensures that the request originated from the legitimate application, not an attacker's site. CORS (Cross-Origin Resource Sharing) headers, conversely, are HTTP headers used by servers to tell browsers whether to permit web applications running at one origin (domain) to access selected resources from a different origin. While both relate to web security, CSRF tokens prevent unauthorized state-changing requests, whereas CORS controls cross-origin data access. Bangalore hiring note: Companies like Razorpay and Flipkart frequently test this distinction for web security roles.
Routing & Switching · 1 question
Q. What is VRRP and how does it differ from HSRP and GLBP for first-hop redundancy? ▾
VRRP (Virtual Router Redundancy Protocol, RFC 5798) is an open-standard first-hop redundancy protocol that elects one master router from a group to forward traffic using a shared virtual IP. Unlike Cisco-proprietary HSRP, VRRP uses IP protocol 112 (not UDP) and allows the physical interface IP to match the virtual IP, eliminating one hop. GLBP differs by load-balancing across up to four routers simultaneously via multiple virtual MAC addresses, while VRRP and HSRP keep standby routers idle. Bangalore employers like Cisco India and Aryaka expect you to know VRRP's preemption is enabled by default (disabled in HSRP). Interview tip: mention VRRP's faster hello timer (1s default vs HSRP's 3s) when discussing convergence.
SOC L1 · 1 question
Q. What is the difference between threat hunting and incident response? ▾
Threat hunting proactively searches for unknown threats within a network, assuming a breach has already occurred, using hypotheses and data analysis to find hidden malicious activity. Incident response, conversely, is a reactive process that begins after a known security incident has been detected, focusing on containing, eradicating, recovering from, and post-analyzing the specific event. For example, a SOC analyst at Wipro might hunt for specific C2 beaconing patterns, while incident response kicks in when a SIEM alert confirms a successful phishing attack. Bangalore hiring note: Many L1 SOC roles at companies like HCL or Movate expect a foundational understanding of both, even if you primarily perform one function.
Network Support Tiers · 1 question
Q. What is L1, L2, L3 in network engineer support tiers and how do responsibilities differ? ▾
L1 handles ticket logging, basic troubleshooting (ping, traceroute), password resets, and escalates unresolved issues—typically 6-12 months experience. L2 engineers diagnose routing protocol failures (OSPF neighbor states, BGP path selection), VLAN misconfigurations, and firewall ACL issues—requires 2-4 years and CCNA/CCNP. L3 architects solutions, handles complex multi-vendor integrations, capacity planning, and mentors junior staff—demands 5+ years with CCIE or equivalent. Bangalore employers like Cisco India, Aryaka, and Akamai clearly separate these tiers in NOC/TAC roles. Interview tip: Be honest about your tier—claiming L3 skills without design experience is immediately evident in technical rounds.
SOC Operations · 1 question
Q. What is L1, L2, L3 SOC analyst and how do responsibilities differ across tiers? ▾
L1 analysts perform initial triage, monitor SIEM dashboards, and escalate confirmed incidents—think ticket validation and basic containment at Bangalore SOCs like HCL or Wipro. L2 analysts investigate escalated alerts, correlate threat intel, write Sigma rules, and map incidents to MITRE ATT&CK techniques—deeper forensics and response coordination. L3 analysts handle advanced threat hunting, zero-day analysis, playbook development, and architect detection logic—often ex-L2s at Akamai or Razorpay with 5+ years. Interview tip: Bangalore employers expect L1 candidates to explain a real alert they triaged; L2 roles test Sigma rule syntax and ATT&CK mapping on the spot.
Interview Strategy · 1 question
Q. What is the 30-60-90 day plan question in an interview, and how should a network engineer answer it? ▾
The 30-60-90 day plan question asks candidates to outline their first three months on the job. Network engineers should structure it as: Days 1-30 — learn network topology, documentation standards, ticketing tools (ServiceNow/Remedy), shadow senior engineers; Days 31-60 — handle L2 incidents independently, contribute to change requests, audit VLAN/routing configs; Days 61-90 — propose optimization (OSPF tuning, ACL cleanup), document undocumented segments. Bangalore employers like Cisco India and Aryaka value this because it shows ownership mindset, not just technical skills. Interview tip: Reference the company's tech stack from the job description to show you researched their environment.
Targeting CCIE or architect roles?
Our flagship CCIE Enterprise and CCIE Security programs train working engineers to crack the lab + reach ₹25-50 LPA architect roles. Hands-on with real Cisco/Palo Alto/Fortinet/Cisco SD-WAN hardware, weekly mock orals, real interview prep with Bangalore CCIEs.