NCC Group is one of the UK's deepest offensive-security and assurance houses. Interviews are technically intense — expect live exploitation, code review and cryptography rounds.
You have a black-box web app. Walk me through your first 60 minutes.
Recon (subdomains, JS endpoints, tech stack via Wappalyzer), auth surface mapping, parameter discovery (ffuf), Burp passive findings triage, business-logic hypothesis, prioritise high-value flows (auth, payment, file upload, IDOR-prone IDs). Document as you go.
Find the bug: [given a 30-line C snippet with an integer-overflow into a heap allocation].
Trace the allocation size: `n * sizeof(struct)` can overflow when n is attacker-controlled, allocating too small a buffer. Subsequent writes are OOB → heap corruption. Fix: use `calloc`-style checked multiplication or limit n.
Explain a TLS 1.3 handshake at the byte level.
ClientHello (key_share for X25519 / Kyber, supported_versions, ALPN), ServerHello + EncryptedExtensions + Certificate + CertificateVerify + Finished, Client Finished. Key schedule via HKDF, 0-RTT optional and replay-prone.
How would you red-team an AWS environment given only an IAM access key with no policies attached?
Enumerate via `iam:Get*` / `sts:GetCallerIdentity`, look for resource-policy paths (S3, KMS, Lambda), pivot via assumed roles, enumerate via Pacu, hunt for IMDSv1 in EC2 metadata SSRF chains.
Tell me about your most interesting bug.
Pick something with novelty + impact. Bonus for a CVE or public write-up.
For pen-test roles, OSCP or equivalent is table stakes. CRT / CCT for senior UK roles. OSEP / OSED for red-team.
Yes for most consulting roles, with travel to client sites. Hardware lab work is on-site (Cheltenham / Manchester).
Broader service catalogue, larger UK presence, stronger cryptography + hardware practices, Fox-IT IR capability.
Premium members get the full round structure, signals, and AI-graded practice.