
Cybersecurity Analyst interview questions & answers — India 2026

The most commonly asked cybersecurity analyst interview questions in India, with detailed model answers. Covers technical, behavioural, and situational questions asked by Indian recruiters.

01

Explain the OWASP Top 10 and walk me through how you would test for SQL injection.

Technical

Model answer

OWASP Top 10 (2021): A01 Broken Access Control, A02 Cryptographic Failures, A03 Injection, A04 Insecure Design, A05 Security Misconfiguration, A06 Vulnerable Components, A07 Auth Failures, A08 Data Integrity Failures, A09 Logging Failures, A10 SSRF. SQL Injection testing methodology: (1) Identify input fields: URL params, form inputs, headers, cookies; (2) Basic tests: add a single quote ' and observe errors; (3) Boolean-based: input' AND 1=1-- vs input' AND 1=2-- and observe response differences; (4) Time-based: '; WAITFOR DELAY '0:0:5'-- for blind SQLi; (5) Tools: SQLmap for automated detection, Burp Suite for manual interception and fuzzing; (6) Verify in a controlled environment only — never test production without written authorisation. Always include false positive verification and document every finding with CVSS score, reproduction steps, and remediation recommendation.
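To make steps (2) and (3) of that methodology concrete from the developer's side, here is an added example (not code from the original page): a string-concatenated lookup next to its parameterised fix, plus the two probes an AppSec engineer would add as a regression test. The table, user names and payload strings are constructed; it uses only Python's built-in sqlite3.

```python
import sqlite3


# Constructed in-memory table so the example runs offline; the names are invented.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The input is pasted into the SQL text, so quotes and comment markers
    # supplied by the user rewrite the statement. This is the defect.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, username):
    # Placeholder binding: the value travels separately from the statement,
    # so no input can change the query's structure.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def quote_probe(lookup, conn, base="alice"):
    """Step (2) of the page: a lone single quote. A database error here is the
    first sign that user input is being parsed as SQL."""
    try:
        lookup(conn, base + "'")
        return False
    except sqlite3.OperationalError:
        return True


def boolean_differential(lookup, conn, base="alice"):
    """Step (3) of the page: send a TRUE and a FALSE condition and compare the
    responses. A difference means the condition was evaluated by the database."""
    true_case = lookup(conn, f"{base}' AND 1=1--")
    false_case = lookup(conn, f"{base}' AND 1=2--")
    return true_case != false_case


if __name__ == "__main__":
    db = build_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("parameterised", lookup_parameterised)):
        print(f"{name}: quote error={quote_probe(fn, db)}, boolean diff={boolean_differential(fn, db)}")
```

Running it shows the concatenated version erroring on the quote and returning different rows for the TRUE/FALSE pair, while the parameterised version treats both payloads as an ordinary (non-existent) username and returns nothing either way. The same two probes, pointed at the fixed code in CI, are the "false positive verification" the answer asks for: a finding is only closed when both probes come back negative.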

02

You are a SOC analyst and receive an alert for a large data exfiltration event at 2 AM. Walk me through your incident response.

Technical

Model answer

Follow the IR lifecycle: (1) Identification — validate the alert in the SIEM (Splunk/QRadar): confirm data volume, source IP, destination IP, the user account involved and the time range; correlate with other alerts in the same window; (2) Containment — isolate the affected endpoint (network quarantine), disable the user account, block the destination IP at the firewall; do not shut down the system if forensic preservation is needed; (3) Eradication — identify the attack vector (malware? credential theft? insider?), remove malware, rotate credentials, patch the vulnerability; (4) Recovery — restore from a clean backup if the system was compromised, and monitor for re-infection; (5) Post-incident — document the timeline, write the IR report, conduct root cause analysis, update runbooks. Communication: notify the CISO and relevant BU stakeholders per IR policy. For Indian companies, note the CERT-IN reporting obligation (within 6 hours for incidents impacting critical infrastructure, under the CERT-IN directions of 2022).
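The identification step above (confirm volume, source, destination, account and time range, then correlate) is what a SOC analyst does with SIEM searches; as an added illustration that is not part of the original page, the following Python reproduces that triage over constructed flow and authentication records. The log format, hosts, users and IP addresses are all invented (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the 500 MiB threshold is an assumed alert threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simple key=value format (not from any real SIEM).
FLOW_LOGS = [
    "2026-01-14T01:52:10Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=52428800 user=r.sharma",
    "2026-01-14T01:55:41Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=734003200 user=r.sharma",
    "2026-01-14T01:58:02Z src=10.20.5.17 dst=203.0.113.45 dport=443 bytes_out=629145600 user=r.sharma",
    "2026-01-14T01:59:30Z src=10.20.5.22 dst=198.51.100.9 dport=443 bytes_out=20480 user=p.iyer",
]
AUTH_LOGS = [
    "2026-01-14T01:30:00Z event=login user=p.iyer src=10.20.5.22 result=success mfa=true",
    # Same account as the bulk transfer, logging in from outside the endpoint's subnet without MFA.
    "2026-01-14T01:48:55Z event=login user=r.sharma src=198.51.100.77 result=success mfa=false",
]
ALERT_TIME = datetime(2026, 1, 14, 2, 0, 0)  # the 2 AM alert from the question


def parse_record(line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def validate_exfil_alert(flow_logs, auth_logs, alert_time,
                         window_minutes=15, threshold_bytes=500 * 1024 * 1024):
    """Identification step: aggregate outbound bytes per (src, dst, user) inside
    the alert window, keep the tuples over threshold, pull the matching auth
    events for those users, and derive the containment actions."""
    start = alert_time - timedelta(minutes=window_minutes)

    def in_window(rec):
        return start <= rec["ts"] <= alert_time

    totals = defaultdict(int)
    for rec in filter(in_window, map(parse_record, flow_logs)):
        totals[(rec["src"], rec["dst"], rec["user"])] += int(rec["bytes_out"])

    offenders = {key: total for key, total in totals.items() if total >= threshold_bytes}
    suspect_users = {user for (_, _, user) in offenders}
    related_auth = [rec for rec in filter(in_window, map(parse_record, auth_logs))
                    if rec["user"] in suspect_users]

    containment = []
    for src, dst, user in offenders:
        containment += [f"quarantine endpoint {src}",
                        f"disable account {user}",
                        f"block destination {dst} at perimeter"]
    return {
        "confirmed": bool(offenders),
        "offenders": dict(offenders),
        "related_auth": related_auth,
        "containment": containment,
    }


def demo():
    return validate_exfil_alert(FLOW_LOGS, AUTH_LOGS, ALERT_TIME)


if __name__ == "__main__":
    result = demo()
    print("confirmed:", result["confirmed"])
    for key, total in result["offenders"].items():
        print("offender:", key, f"{total / 2**20:.0f} MiB")
    for rec in result["related_auth"]:
        print("related login:", rec["ts"], rec["user"], "from", rec["src"], "mfa=" + rec["mfa"])
    print("containment:", result["containment"])
```

The correlation is the point: the same account that moved roughly 1.3 GiB to one external host also logged in from an address outside the endpoint's subnet without MFA a few minutes earlier, which shifts the eradication hypothesis from "malware" towards "credential theft" before anyone touches the machine. The quarantine action is deliberately a network isolation, not a shutdown, matching the forensic-preservation caveat in the answer.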

03

What is the difference between a vulnerability scan and a penetration test?

Technical

Model answer

Vulnerability scan: automated, uses tools (Nessus, Qualys, OpenVAS) to identify known vulnerabilities by comparing system configurations and versions against CVE databases. Fast, broad, low risk. Does not attempt exploitation — only identifies potential weaknesses. Output: a list of CVEs with CVSS scores. Penetration test: a manual and tool-assisted attempt to actively exploit vulnerabilities to understand real-world impact. Requires a scoping document and rules of engagement. Tests for both known and unknown vulnerabilities, business logic flaws, and chained attacks. Output: proof-of-concept exploits, impact assessment, and a remediation roadmap. In India, most organisations conduct annual pen tests (required for PCI-DSS and ISO 27001) and continuous vulnerability scanning. A common follow-up question: explain the difference between white-box (full system knowledge provided), grey-box (partial knowledge), and black-box (no prior knowledge) penetration testing.

04

Describe a time you discovered a critical security vulnerability. What did you do?

Behavioural

Model answer

Use STAR format. Include: how you discovered it (routine scan, code review, alert, bug bounty research), what the vulnerability was (SQL injection, exposed credentials, misconfigured S3 bucket — be specific), what the potential business impact was (data at risk, compliance violation, regulatory penalty), your responsible disclosure process (who you notified, timeline, escalation path), how it was remediated, and what you did to prevent recurrence. If you have a bug bounty finding or a CVE submission, this is the ideal answer. If describing internal discovery, emphasise the professional handling and the speed of escalation.

05

How does a man-in-the-middle attack work and how do you defend against it?

Technical

Model answer

MITM attack: attacker positions themselves between two communicating parties (client and server) to intercept, read, or modify traffic without either party knowing. Common methods: ARP spoofing (on local network), DNS spoofing, SSL stripping (downgrade HTTPS to HTTP), rogue Wi-Fi hotspot. Defences: (1) TLS/HTTPS with HSTS (HTTP Strict Transport Security) prevents SSL stripping; (2) Certificate pinning in mobile apps; (3) DNSSEC to prevent DNS spoofing; (4) VPN for all remote access; (5) Dynamic ARP Inspection (DAI) on switches to prevent ARP spoofing; (6) Network monitoring with Wireshark or IDS to detect anomalous ARP patterns. In practical terms for Indian corporate environments: enforce HTTPS everywhere, implement HSTS with preloading, deploy a corporate VPN, and use certificate management tools to prevent expired/self-signed certificates.

06

Your organisation's CEO receives a very convincing spear-phishing email that appears to come from the CFO requesting an urgent ₹50L wire transfer. How do you respond?

Situational

Model answer

This is a Business Email Compromise (BEC) scenario. Immediate response: (1) Do NOT process the transfer; (2) Contact the real CFO by phone (an out-of-band channel; do not reply to the email) to verify the request; (3) Preserve the phishing email as evidence (headers and content); (4) Analyse the email headers: spoofed domain vs legitimate domain, SPF/DKIM/DMARC failures; (5) Report to the IR team and escalate to the CISO; (6) If any transfer was attempted, immediately contact the bank to reverse it. Preventive measures: DMARC enforcement (p=reject) on company domains, a dual-approval policy for wire transfers above a threshold, and executive training on BEC patterns. In India, file a cybercrime complaint on cybercrime.gov.in and notify CERT-IN for significant financial fraud attempts.
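Step (4), the header analysis, is easy to show end to end, so the following is an added example (not from the original page) that triages a constructed BEC message with Python's standard email parser: it reads the Authentication-Results header for SPF/DKIM/DMARC outcomes, compares the sender domain against the organisation's own domains with an edit-distance lookalike check, flags a Reply-To that points elsewhere, and looks for pressure language. Every name, domain and address in the sample is invented, and the lookalike threshold and urgency word list are assumptions to tune for your environment.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed phishing sample. acrnecorp.in is a lookalike of the (invented)
# legitimate domain acmecorp.in; the rn/m swap is a classic visual trick.
RAW_EMAIL = """\
From: "Priya Nair, CFO" <cfo@acrnecorp.in>
Reply-To: priya.nair.cfo@example.net
To: ceo@acmecorp.in
Subject: URGENT: wire transfer needed before noon
Date: Wed, 14 Jan 2026 09:12:00 +0530
Authentication-Results: mx.acmecorp.in; spf=fail smtp.mailfrom=acrnecorp.in; dkim=none; dmarc=fail header.from=acrnecorp.in

In a board meeting and cannot talk. Please wire INR 50,00,000 to the vendor
account below immediately and keep this confidential until I confirm.
"""

TRUSTED_DOMAINS = ("acmecorp.in",)  # assumed: the organisation's own sending domains
URGENCY_TERMS = ("urgent", "immediately", "confidential", "cannot talk", "before noon")


def domain_of(address_header):
    """Domain part of an address header such as From or Reply-To."""
    _, addr = parseaddr(address_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(header):
    """Extract method=result pairs from an Authentication-Results header."""
    return {method: outcome.lower()
            for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "")}


def levenshtein(a, b):
    """Standard edit distance, used to spot typo-squatted domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted, max_distance=2):
    """Return the trusted domain this one imitates, comparing the first label only."""
    for t in trusted:
        if domain != t and levenshtein(domain.split(".")[0], t.split(".")[0]) <= max_distance:
            return t
    return None


def triage(raw, trusted=TRUSTED_DOMAINS):
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])

    auth = parse_auth_results(msg["Authentication-Results"])
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "missing") != "pass":
            findings.append(f"{method}_not_pass:{auth.get(method, 'missing')}")

    if from_domain not in trusted:
        target = lookalike_of(from_domain, trusted)
        findings.append(f"lookalike_domain:{from_domain}~{target}" if target
                        else f"external_domain:{from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply_to_mismatch:{reply_domain}")

    text = (msg["Subject"] + " " + msg.get_payload()).lower()
    hits = [term for term in URGENCY_TERMS if term in text]
    if hits:
        findings.append("urgency_language:" + ",".join(hits))

    identity_issue = any(f.startswith(("lookalike_domain", "reply_to_mismatch")) for f in findings)
    verdict = "suspected_bec" if identity_issue and hits else "review"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    result = triage(RAW_EMAIL)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" -", finding)
```

Note what the verdict rule does not rely on: authentication failures alone. A lookalike domain with its own correctly configured SPF and DKIM will pass all three checks, which is why the sender-identity and Reply-To findings carry the decision and the auth results are supporting evidence. That is also the argument for the preventive control in the answer: p=reject DMARC on your own domain stops exact spoofing, while lookalikes still need the out-of-band verification in step (2).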

Interview tips for Cybersecurity Analyst roles in India

  • Know the OWASP Top 10 in detail — it comes up in almost every cybersecurity interview in India
  • Be able to demo or describe Burp Suite, Metasploit, and Nmap workflows — tool-based questions are common in pen test roles
  • For SOC roles, understand MITRE ATT&CK framework — many Indian SOC teams use it for threat categorisation
  • BFSI and fintech security roles often ask about RBI Cybersecurity Framework (2016, updated 2023) and CERT-IN reporting obligations
  • Have 2-3 real incident response stories prepared using the PICERL model (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned)

Got the interview? Now get your CV ready.

Use CV Prime to build an ATS-optimised Cybersecurity Analyst CV tailored to the exact job description — so you pass the automated screen before the interview even happens.

CV Prime is a free CV maker and free AI CV builder for India. No credit card required.
