Mandiant (now part of Google Cloud) runs one of the most technical IR + threat-intel interview loops in the industry. Expect adversary-tradecraft depth and Google's hiring-committee rigour.
Walk me through your first 24 hours arriving onsite for a ransomware engagement.
Scope + stakeholder triage, deploy collection (Velociraptor / KAPE), preserve, identify variant + initial vector hypothesis, contain (disable accounts, segment, kill C2 IPs), parallel-track recovery planning, brief executive bridge, set 12-hour cadence.
How do you attribute an intrusion to a named threat cluster?
Diamond Model + cluster behaviour: TTP overlap, infrastructure reuse, malware family lineage, victimology. Apply Admiralty grading. Be honest about uncertainty — 'consistent with' vs 'attributed to'.
A customer SOC says the alert is a false positive. You disagree. How do you escalate?
Pull artefacts (process tree, network telemetry, registry evidence), show the kill chain, reference similar UNC clustering, brief the IR lead, agree containment posture before debate is resolved.
Explain how you'd hunt for Volt Typhoon LOTL activity in a customer environment.
Hypothesis: LOTL via wmic, ntdsutil, netsh on internet-edge devices + SOHO router pivots. Hunt: process command-line telemetry, anomalous netsh portproxy, ntds.dit access outside DC admin sessions, archive-then-exfil patterns.
Why Mandiant?
Adversary depth, M-Trends contribution, Google-scale telemetry, customer mission impact.
It's a brand within Google Cloud Security. The IR practice operates as a distinct unit with its own intake.
GCFA / GREM / GNFA are common at consultant level but not mandatory. Operational experience > certs.
Premium members get the full round structure, signals, and AI-graded practice.