Cybersecurity Consulting · Offensive Security · Assurance

NCC Group Cybersecurity Interview Pack

NCC Group is one of the UK's deepest offensive-security and assurance houses. Interviews are technically intense — expect live exploitation, code review and cryptography rounds.

// hiring focus
- Penetration Testing (Web, Mobile, Infra, Cloud) - Red Team / Adversary Simulation - Hardware + Embedded Security - Cryptography Services - Detection & Response (Fox-IT heritage)
NCC Group's heritage is technical depth — the firm is built on Matasano, iSEC Partners, Cryptography Services and Fox-IT. Interviews at consultant level are deeply hands-on: live boxes, code review under time pressure, and a cryptography round for relevant teams. Behavioural and consulting craft matter at Senior Consultant+ but never substitute for technical signal at junior levels.
// hiring loop
- Recruiter screen - Technical screen (45m, often a CTF-style challenge) - Practical assessment: live pen-test box, code-review exercise, or hardware lab depending on team (2-4 hours) - Final round: technical deep-dive + behavioural + Q&A - Offer
// interviewer style + signals
Direct, technical, peer-respect culture. Interviewers are practitioners — they will know if you don't. Expect questions like 'walk me through CVE-2024-XXXX', 'find the bug in this 30-line snippet', 'how does Kyber differ from Dilithium?'. Bluffing is fatal.
// recent themes & hot topics
Post-quantum migration (NIST PQC standards), AI / LLM red-teaming, hardware fault injection (post-Starlink, post-Tesla), cloud red-team (AWS / Azure abuse paths), supply-chain attacks (npm / PyPI / GitHub Actions), web3 / smart-contract audits.

Sample interview questions

  1. 01

    You have a black-box web app. Walk me through your first 60 minutes.

    Show strong-answer outline

    Recon (subdomains, JS endpoints, tech stack via Wappalyzer), auth surface mapping, parameter discovery (ffuf), Burp passive findings triage, business-logic hypothesis, prioritise high-value flows (auth, payment, file upload, IDOR-prone IDs). Document as you go.

  2. 02

    Find the bug: [given a 30-line C snippet with an integer-overflow into a heap allocation].

    Show strong-answer outline

    Trace the allocation size: `n * sizeof(struct)` can overflow when n is attacker-controlled, allocating too small a buffer. Subsequent writes are OOB → heap corruption. Fix: use `calloc`-style checked multiplication or limit n.

  3. 03

    Explain a TLS 1.3 handshake at the byte level.

    Show strong-answer outline

    ClientHello (key_share for X25519 / Kyber, supported_versions, ALPN), ServerHello + EncryptedExtensions + Certificate + CertificateVerify + Finished, Client Finished. Key schedule via HKDF, 0-RTT optional and replay-prone.

  4. 04

    How would you red-team an AWS environment given only an IAM access key with no policies attached?

    Show strong-answer outline

    Enumerate via `iam:Get*` / `sts:GetCallerIdentity`, look for resource-policy paths (S3, KMS, Lambda), pivot via assumed roles, enumerate via Pacu, hunt for IMDSv1 in EC2 metadata SSRF chains.

  5. 05

    Tell me about your most interesting bug.

    Show strong-answer outline

    Pick something with novelty + impact. Bonus for a CVE or public write-up.

Frequently asked questions

Do I need OSCP?

For pen-test roles, OSCP or equivalent is table stakes. CRT / CCT for senior UK roles. OSEP / OSED for red-team.

Is there remote work?

Yes for most consulting roles, with travel to client sites. Hardware lab work is on-site (Cheltenham / Manchester).

How is it different from Bishop Fox / IOActive?

Broader service catalogue, larger UK presence, stronger cryptography + hardware practices, Fox-IT IR capability.

Run the NCC Group loop as a graded mock

Premium members get the full round structure, signals, and AI-graded practice.

Start free