Incident Response (DFIR) interview questions — lifecycle, host forensics, ransomware playbooks, exec briefing under pressure.
Walk me through the IR lifecycle and where teams most often fail.
NIST 800-61r2: Preparation, Detection & Analysis, Containment Eradication & Recovery, Post-Incident. Most fail at Preparation (playbooks untested, RACI unclear) and Post-Incident (no actual lesson learned).
First 60 minutes of a ransomware incident — what do you do?
Establish facts (scope, impact, encryption family), activate IR plan, isolate impacted segments (not power off — lose memory), engage IR retainer + legal + comms, preserve evidence, identify last good backup, exec brief at the 1-hour mark.
How do you decide whether to pay a ransomware demand?
Default: do not pay. Decision drivers: backup recoverability, downtime cost, customer impact, sanctions exposure (OFAC / OFSI / NCA sanctioned actors), regulator posture. Decision sits with CEO + GC, not IR lead. Always engage law enforcement (NCA, FBI).
Memory forensics: what artefacts do you extract first?
Process list + DLL list (suspicious PIDs, parent-child anomalies), network connections, command history, injected code regions, kernel modules. Volatility 3 with pslist, netstat, malfind, dlllist. Pull strings from suspicious processes.
How do you investigate AWS CloudTrail for a suspected compromise?
Pull last 30 days via Athena (Lake if enabled). Filter unusual principals, source IPs, API call patterns. Look for IAM mutations (CreateUser, AttachPolicy, AssumeRole anomalies), data movement (GetObject volume spikes, CreateExportTask), and persistence (Lambda, EventBridge rules).
Walk me through a Business Email Compromise investigation.
Pull mailbox audit log (Unified Audit Log if M365), identify suspicious sign-ins (impossible travel, MFA bypass, OAuth app consent), check for inbox rules (auto-forward, delete), enumerate sent items for invoice / payment requests, check delegate permissions, identify exposed data, contain (kill sessions, revoke OAuth tokens, reset password, re-enable MFA), notify affected counterparties.
What is the difference between IOCs and TTPs and which is more valuable for detection?
IOCs (hashes, IPs, domains) — point-in-time, easily rotated by adversary. TTPs (tactics, techniques, procedures from MITRE ATT&CK) — behavioural, harder to rotate. TTPs > IOCs for durable detection.
How do you communicate with executives during a live incident?
Cadence (e.g. every 60 minutes for first 4 hours, then 4-hourly), structure (Situation, Impact, Actions, Decisions needed, Next update). Avoid technical jargon; quantify business impact; flag decisions you need from them explicitly.
Describe how you'd preserve evidence in a way that survives legal scrutiny.
Chain of custody log (who, what, when, where, why), write-blockers for disk imaging, cryptographic hashes (SHA-256) before/after, store evidence in restricted-access location, document everything contemporaneously. Even cloud evidence (CloudTrail exports) needs hash + custody log.
What is the role of cyber insurance in IR?
Insurer often dictates IR firm choice, breach counsel, and negotiates ransom (if any). Engage carrier within hours — typically required by policy. They cover IR cost, business interruption, data restoration, third-party claims.
Tell me about an incident where you got something wrong.
Behavioural. Real owned mistake, root cause, what you'd do differently. Bonus: how you institutionalised the lesson (playbook update, training).
How do you measure IR programme maturity?
MTTD, MTTR, % incidents detected vs externally reported, playbook coverage of top-10 scenarios, tabletop exercise cadence, post-incident lesson closure rate, retainer relationship health.
Often yes for consultancy roles — KAPE collection on a sample image, Volatility memory analysis, or a SIEM hunt exercise.
Cloud IR is the fastest-growing IR specialism. Most loops in 2026 will probe both.
Python is the lingua franca; PowerShell for Windows IR; KQL / SPL for SIEM hunting.
Strong differentiator for consultancy; not strict requirement. Hands-on experience + a clear methodology beats certs alone.
Run AI-graded mock interviews with panel personas and structured feedback.