HeyKB Note

Cyber Security Interview Guide

Cyber security interview preparation and technical revision notes

Cyber Security Interviews Networking SIEM XDR

Cyber Security Interview Guide

Master Cyber Security Interview Guide

Modern Attack Techniques & Security Mitigations

Built specifically around the requirements in the role description.

This guide only includes:

  • Need-to-know concepts
  • Simple explanations
  • Interview-relevant terminology
  • Core security understanding

XDR

What is XDR?

XDR stands for:

Extended Detection and Response

It is an advanced security platform that combines multiple security tools into one system.

Instead of security tools working separately:

  • email security
  • endpoint security
  • firewall logs
  • cloud logs

XDR connects them together.


Why is XDR useful?

Attackers rarely attack only one system.

Example:

  1. User receives phishing email
  2. Malicious file runs on laptop
  3. Credentials are stolen
  4. Attacker accesses cloud services

XDR links all those events together so security teams can detect attacks faster.


EDR

What is EDR?

EDR stands for:

Endpoint Detection and Response

It protects devices such as:

  • laptops
  • desktops
  • servers

It monitors behaviour on devices looking for suspicious activity.


Difference Between Antivirus and EDR

AntivirusEDR
Looks for known malwareLooks for suspicious behaviour
Signature-basedBehaviour-based
Basic protectionAdvanced detection and investigation

SIEM

What is SIEM?

SIEM stands for:

Security Information and Event Management

A SIEM collects logs from multiple systems into one platform.


SOAR

What is SOAR?

SOAR stands for:

Security Orchestration, Automation and Response

It automates security tasks.


MFA

What is MFA?

MFA means:

Multi-Factor Authentication

Users must provide more than one form of authentication.

Usually:

  • password
  • mobile app approval/code

Zero Trust

What is Zero Trust?

Zero Trust assumes:

nobody should be automatically trusted.

Users and devices must continuously verify identity and security posture.


Conditional Access

What is Conditional Access?

Conditional Access controls WHEN users are allowed access.

Access depends on conditions such as:

  • MFA passed
  • Device compliant
  • User location approved
  • Risk level acceptable

Least Privilege

What does Least Privilege mean?

Users should only have the minimum access required for their job.


Lateral Movement

What is Lateral Movement?

After attackers compromise one machine, they try moving through the network to reach more valuable systems.


Network Segmentation

What is Network Segmentation?

Separating networks into smaller sections to limit attacker movement.


Defence in Depth

What does Defence in Depth mean?

Using multiple security layers because no single security control is perfect.


Ransomware

What is Ransomware?

Malware that encrypts files or systems and demands payment.

Modern ransomware groups often:

  • steal data first
  • then encrypt systems

This is called Double Extortion.


Phishing

What is Phishing?

Attackers trick users into:

  • clicking malicious links
  • downloading malware
  • entering passwords

Usually through fake emails or websites.


Threat Hunting

What is Threat Hunting?

Proactively searching for threats that may not have triggered alerts.


IAM

What is IAM?

IAM stands for:

Identity and Access Management

It controls:

  • who can access systems
  • what they can do
  • what permissions they have

AWS Security Groups

What are Security Groups?

Virtual firewall rules in AWS.

They control:

  • inbound traffic
  • outbound traffic

Terraform

What is Terraform?

Terraform is:

Infrastructure as Code (IaC)

Infrastructure is deployed using code instead of manual clicking.


KQL

What is KQL?

KQL stands for:

Kusto Query Language

Used to search and analyse logs in Microsoft tools like Sentinel.

Example:

SecurityEvent
| where EventID == 4625

NIST

What is NIST?

NIST is a cyber security framework that helps organisations manage security risk.


5 Core Functions

FunctionMeaning
IdentifyUnderstand assets and risks
ProtectImplement security controls
DetectDetect threats
RespondHandle incidents
RecoverRestore services

Mnemonic for NIST

“Identify Problems, Detect Risks Rapidly”

  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

CIA Triad

What is the CIA Triad?

The 3 core principles of security:

TermMeaning
ConfidentialityOnly authorised people access data
IntegrityData is not altered improperly
AvailabilitySystems/data remain accessible

Common Ports To Know

ServicePortPurpose
HTTP80Web traffic
HTTPS443Secure web traffic
SSH22Secure remote access
Telnet23Insecure remote access
FTP21File transfer
SFTP22Secure file transfer
TFTP69Lightweight file transfer
DNS53Name resolution
DHCP67/68Automatic IP addressing
SMTP25Email sending
POP3110Email retrieval
IMAP143Email retrieval/sync
LDAP389Directory services
LDAPS636Secure LDAP
RDP3389Remote desktop
SNMP161Network monitoring
SNMP Trap162SNMP alerts
NTP123Time synchronisation
SMB445Windows file sharing
NetBIOS137-139Legacy Windows networking
Syslog514Logging
SQL Server1433Microsoft SQL
MySQL3306MySQL database
PostgreSQL5432PostgreSQL database
Oracle DB1521Oracle database
SIP5060VoIP signalling
SIP TLS5061Secure VoIP signalling
Kerberos88Authentication
BGP179Routing protocol
LDAP Global Catalog3268Active Directory searches
WinRM5985/5986Windows remote management
VNC5900Remote desktop sharing

Most Important Interview Mindset

Good interview answers explain:

  1. What the threat is
  2. Why it matters
  3. How to reduce the risk

That is what strong cyber security engineers do.

© 2026 Carlyle AKA Chets
HeyChets.com — Network, Cybersecurity, WAN, & Cloud Portfolio