Threat Intelligence · Incident Response · Cloud

Mandiant (Google Cloud) Cybersecurity Interview Pack

Mandiant (now part of Google Cloud) runs one of the most technical IR + threat-intel interview loops in the industry. Expect adversary-tradecraft depth and Google's hiring-committee rigour.

// hiring focus
- Incident Response (M-Trends, FLARE) - Managed Defense - Threat Intelligence (advanced persistent threat tracking) - Consulting (proactive services, red team) - Detection engineering
Since the 2022 Google acquisition, Mandiant operates as a brand within Google Cloud Security but retains its IR + intel culture. Interviews preserve the Mandiant identity (deep adversary fluency, M-Trends-flavoured questions) layered with Google's hiring-committee structure. The IR + Managed Defense teams hire technical operators; the consulting teams hire client-facing pen-testers and tabletop facilitators.
// hiring loop
- Recruiter screen - Technical screen (45-60m) - Loop: 4-5 rounds × 45m: IR / forensics depth, threat-intel reasoning, detection-engineering, behavioural, hiring-committee crossfit - Google hiring committee review - Team match + offer
// interviewer style + signals
Adversary-first. Expect to be asked to recall named threat clusters (APT28, FIN7, UNC4990) and their TTPs. Strong on evidence — every assertion needs a forensic artefact or intel source behind it. Don't fabricate; saying 'I don't recall the exact CVE' is fine.
// recent themes & hot topics
Cloud-native intrusion sets (Storm-0558 lessons, Snowflake campaign), Volt / Salt / Flax Typhoon CNI targeting, generative-AI assisted social engineering, supply-chain (3CX, MOVEit, XZ-utils), ransomware ecosystem evolution (Scattered Spider, BlackCat aftermath).

Sample interview questions

  1. 01

    Walk me through your first 24 hours arriving onsite for a ransomware engagement.

    Show strong-answer outline

    Scope + stakeholder triage, deploy collection (Velociraptor / KAPE), preserve, identify variant + initial vector hypothesis, contain (disable accounts, segment, kill C2 IPs), parallel-track recovery planning, brief executive bridge, set 12-hour cadence.

  2. 02

    How do you attribute an intrusion to a named threat cluster?

    Show strong-answer outline

    Diamond Model + cluster behaviour: TTP overlap, infrastructure reuse, malware family lineage, victimology. Apply Admiralty grading. Be honest about uncertainty — 'consistent with' vs 'attributed to'.

  3. 03

    A customer SOC says the alert is a false positive. You disagree. How do you escalate?

    Show strong-answer outline

    Pull artefacts (process tree, network telemetry, registry evidence), show the kill chain, reference similar UNC clustering, brief the IR lead, agree containment posture before debate is resolved.

  4. 04

    Explain how you'd hunt for Volt Typhoon LOTL activity in a customer environment.

    Show strong-answer outline

    Hypothesis: LOTL via wmic, ntdsutil, netsh on internet-edge devices + SOHO router pivots. Hunt: process command-line telemetry, anomalous netsh portproxy, ntds.dit access outside DC admin sessions, archive-then-exfil patterns.

  5. 05

    Why Mandiant?

    Show strong-answer outline

    Adversary depth, M-Trends contribution, Google-scale telemetry, customer mission impact.

Frequently asked questions

Is Mandiant still separate from Google?

It's a brand within Google Cloud Security. The IR practice operates as a distinct unit with its own intake.

Do I need GIAC certs?

GCFA / GREM / GNFA are common at consultant level but not mandatory. Operational experience > certs.

Run the Mandiant (Google Cloud) loop as a graded mock

Premium members get the full round structure, signals, and AI-graded practice.

Start free