Each question is designed to test critical thinking, tool choice, kill-chain mapping, detection logic, and remediation design — not just memorization.


🔴 Red Team Scenarios (Offensive / Adversarial Thinking)

1. Initial Access & Recon

  1. You’re targeting a web app behind Cloudflare. How do you identify its real origin IP?
  2. During reconnaissance, you find an exposed .git directory. What’s your approach to exploiting it safely?
  3. A company uses a login portal with a CAPTCHA. How would you attempt password brute-forcing or bypassing CAPTCHA protection?
  4. You discover a forgotten subdomain running an old CMS version. Describe how you’d perform fingerprinting and exploit development.
  5. You found an S3 bucket with public read access. What are the next steps?

2. Exploitation & Payload Delivery

  1. You have RCE on a web server with www-data privileges. What are your first three post-exploitation steps?
  2. You compromise a developer’s workstation. How would you move laterally into the CI/CD environment?
  3. Explain how you’d bypass antivirus and EDR using process injection or LOLBins.
  4. You upload a PHP web shell, but it gets deleted after 10 seconds. What countermeasures could be removing it, and how do you persist?
  5. You have access to a Kubernetes worker node. How do you attempt to escalate privileges to cluster admin?

3. Privilege Escalation & Lateral Movement

  1. You gain a low-privileged Windows user shell. How would you enumerate for privilege escalation paths?
  2. You find cached credentials in a Jenkins node. How do you extract and reuse them securely?
  3. A Linux target runs Docker with the --privileged flag. Explain how you could escape to the host.
  4. You compromise a Windows box but find LSASS is protected. How else can you dump credentials?
  5. The target network blocks SMB traffic. How else could you exfiltrate data stealthily?

4. Persistence & Evasion

  1. You need to maintain persistence on a Linux web server without cron or rc.local. What other persistence mechanisms could you use?
  2. Your reverse shell traffic is being blocked. How would you bypass egress filtering or use DNS tunneling?
  3. What techniques could you use to evade a behavioral EDR system monitoring PowerShell?
  4. You’re asked to simulate an APT group using fileless persistence. Describe your approach.
  5. You need to persist in a Kubernetes cluster after pod restarts — how?

5. Exfiltration & Post-Exploitation

  1. How would you exfiltrate 500MB of data without triggering DLP or SIEM alerts?
  2. You find AWS CLI credentials on a compromised host. How do you escalate within AWS using those credentials?
  3. You’re on a segmented network. How do you set up a covert C2 channel?
  4. Describe a real scenario where you could chain SSRF → metadata API → AWS takeover.
  5. What’s your strategy to remain stealthy while performing domain enumeration in Active Directory?

🔵 Blue Team Scenarios (Defensive / Detection & Response)

6. Threat Detection & Response

  1. You receive an alert for multiple failed SSH logins from one IP. What steps would you take before blocking it?
  2. How do you detect data exfiltration via DNS tunneling in network logs?
  3. A user reports slow performance. How do you determine whether malware or cryptomining is running?
  4. How do you triage a suspected phishing email with an attachment?
  5. You see rundll32.exe spawning PowerShell. What’s your investigation flow?

7. Log & SIEM Analysis

  1. What specific log patterns distinguish a brute-force attack from a credential-stuffing attack?
  2. In your SIEM, you see traffic to 169.254.169.254. Why is this important?
  3. What key events would you monitor in Windows Event Logs for lateral movement detection?
  4. How would you detect an attacker using certutil or bitsadmin to download files?
  5. What data sources would you correlate to confirm exfiltration activity?

8. Incident Response

  1. You discover ransomware on one host — what are your immediate containment steps?
  2. How would you preserve volatile memory for forensic analysis in Linux and Windows?
  3. How do you ensure log integrity and chain of custody during incident handling?
  4. What’s your method for scoping an incident across multiple endpoints?
  5. After containment, how do you verify that persistence mechanisms are removed?

9. Threat Hunting

  1. Describe how you would hunt for credential theft in Active Directory without waiting for alerts.
  2. How do you use Sysmon data to identify process injection?
  3. What are common indicators of PowerShell abuse in EDR telemetry?
  4. How do you detect living-off-the-land (LOLBins) activity in your environment?
  5. Explain how you would hunt for lateral movement via WinRM or WMI.

10. Cloud & Container Defense

  1. How do you detect container breakout attempts in Kubernetes?
  2. What are indicators of compromise in AWS CloudTrail logs?
  3. How do you prevent IAM credential leakage from EC2 metadata services?
  4. How do you detect cryptojacking in Kubernetes workloads?
  5. A compromised Lambda function is making external requests — how do you investigate and mitigate?

⚙️ Bonus: Deep-Dive Follow-Ups (used in advanced interviews)

  • Map MITRE ATT&CK techniques for any of the above scenarios.
  • Write detection logic (KQL, Sigma, or Splunk SPL) for a given TTP.
  • Build an end-to-end kill chain diagram showing how the attacker entered, moved laterally, and exfiltrated data.
  • Simulate detections using tools like Atomic Red Team, CALDERA, or PurpleSharp.