topic

Incident Response Interview Questions Interview Questions

Incident Response (DFIR) interview questions — lifecycle, host forensics, ransomware playbooks, exec briefing under pressure.

IR interview loops drill into methodology, tooling, and crisis judgement. Consultancy interviews emphasise client communication and engagement velocity; in-house emphasise stakeholder management and post-incident learning. ## Interview questions and strong-answer skeletons Each question below is drawn from recent UK and US interview loops for the role or framework. Use the answer skeletons as scaffolding — adapt to your specific experience.

Questions

  1. 01

    Walk me through the IR lifecycle and where teams most often fail.

    Show strong-answer outline

    NIST 800-61r2: Preparation, Detection & Analysis, Containment Eradication & Recovery, Post-Incident. Most fail at Preparation (playbooks untested, RACI unclear) and Post-Incident (no actual lesson learned).

  2. 02

    First 60 minutes of a ransomware incident — what do you do?

    Show strong-answer outline

    Establish facts (scope, impact, encryption family), activate IR plan, isolate impacted segments (not power off — lose memory), engage IR retainer + legal + comms, preserve evidence, identify last good backup, exec brief at the 1-hour mark.

  3. 03

    How do you decide whether to pay a ransomware demand?

    Show strong-answer outline

    Default: do not pay. Decision drivers: backup recoverability, downtime cost, customer impact, sanctions exposure (OFAC / OFSI / NCA sanctioned actors), regulator posture. Decision sits with CEO + GC, not IR lead. Always engage law enforcement (NCA, FBI).

  4. 04

    Memory forensics: what artefacts do you extract first?

    Show strong-answer outline

    Process list + DLL list (suspicious PIDs, parent-child anomalies), network connections, command history, injected code regions, kernel modules. Volatility 3 with pslist, netstat, malfind, dlllist. Pull strings from suspicious processes.

  5. 05

    How do you investigate AWS CloudTrail for a suspected compromise?

    Show strong-answer outline

    Pull last 30 days via Athena (Lake if enabled). Filter unusual principals, source IPs, API call patterns. Look for IAM mutations (CreateUser, AttachPolicy, AssumeRole anomalies), data movement (GetObject volume spikes, CreateExportTask), and persistence (Lambda, EventBridge rules).

  6. 06

    Walk me through a Business Email Compromise investigation.

    Show strong-answer outline

    Pull mailbox audit log (Unified Audit Log if M365), identify suspicious sign-ins (impossible travel, MFA bypass, OAuth app consent), check for inbox rules (auto-forward, delete), enumerate sent items for invoice / payment requests, check delegate permissions, identify exposed data, contain (kill sessions, revoke OAuth tokens, reset password, re-enable MFA), notify affected counterparties.

  7. 07

    What is the difference between IOCs and TTPs and which is more valuable for detection?

    Show strong-answer outline

    IOCs (hashes, IPs, domains) — point-in-time, easily rotated by adversary. TTPs (tactics, techniques, procedures from MITRE ATT&CK) — behavioural, harder to rotate. TTPs > IOCs for durable detection.

  8. 08

    How do you communicate with executives during a live incident?

    Show strong-answer outline

    Cadence (e.g. every 60 minutes for first 4 hours, then 4-hourly), structure (Situation, Impact, Actions, Decisions needed, Next update). Avoid technical jargon; quantify business impact; flag decisions you need from them explicitly.

  9. 09

    Describe how you'd preserve evidence in a way that survives legal scrutiny.

    Show strong-answer outline

    Chain of custody log (who, what, when, where, why), write-blockers for disk imaging, cryptographic hashes (SHA-256) before/after, store evidence in restricted-access location, document everything contemporaneously. Even cloud evidence (CloudTrail exports) needs hash + custody log.

  10. 10

    What is the role of cyber insurance in IR?

    Show strong-answer outline

    Insurer often dictates IR firm choice, breach counsel, and negotiates ransom (if any). Engage carrier within hours — typically required by policy. They cover IR cost, business interruption, data restoration, third-party claims.

  11. 11

    Tell me about an incident where you got something wrong.

    Show strong-answer outline

    Behavioural. Real owned mistake, root cause, what you'd do differently. Bonus: how you institutionalised the lesson (playbook update, training).

  12. 12

    How do you measure IR programme maturity?

    Show strong-answer outline

    MTTD, MTTR, % incidents detected vs externally reported, playbook coverage of top-10 scenarios, tabletop exercise cadence, post-incident lesson closure rate, retainer relationship health.

Frequently asked questions

Do IR interviews include live forensics labs?

Often yes for consultancy roles — KAPE collection on a sample image, Volatility memory analysis, or a SIEM hunt exercise.

How important is cloud IR vs on-prem?

Cloud IR is the fastest-growing IR specialism. Most loops in 2026 will probe both.

What scripting languages should I know?

Python is the lingua franca; PowerShell for Windows IR; KQL / SPL for SIEM hunting.

Do I need GIAC certs (GCFA, GCIH, GREM) to interview for IR?

Strong differentiator for consultancy; not strict requirement. Hands-on experience + a clear methodology beats certs alone.

Rehearse Incident Response Interview Questions questions live

Run AI-graded mock interviews with panel personas and structured feedback.

Start free
// related