Security Architect interview questions — threat modelling, reference architectures, zero trust, cryptography, ARB facilitation.
Walk me through threat modelling using STRIDE.
Decompose system (DFDs with trust boundaries), enumerate threats per element via STRIDE (Spoofing, Tampering, Repudiation, InfoDisclosure, DoS, Elevation), rank with DREAD or risk × likelihood, propose mitigations, validate in code review. Capture in ADR.
Design a zero-trust architecture for a financial-services tenant.
Identity-centric: strong identity (FIDO2 / passkeys + Entra ID Protection), device posture (MDM / EDR signal), continuous authorisation per request (PEP/PDP), micro-segmentation (Cilium / Network Policies), encrypted everywhere (mTLS), continuous detection feeding PDP. Reference NIST 800-207 + UK NCSC zero-trust principles.
Cryptography: how do you store passwords correctly in 2026?
Argon2id (preferred) or scrypt; bcrypt acceptable for legacy. Per-user salt (≥16 bytes), memory cost ≥64MB, parallelism factor calibrated. Never raw SHA / MD5. Plan for post-quantum migration plan for transport (TLS 1.3 hybrid KEMs).
Explain mTLS vs JWT bearer tokens for service-to-service auth.
mTLS: cryptographic identity bound to cert; no replay risk if private key safe; rotation via SPIFFE/SVID. JWT bearer: simpler but replayable, requires short TTL + audience check + signature validation; vulnerable if token leaked. Prefer mTLS for service-mesh; JWT for cross-org / federated identity.
How would you secure a multi-tenant SaaS platform?
Tenant isolation: data (per-tenant schema or row-level + always-included tenant_id filter), compute (per-tenant queues/workers), identity (SCIM provisioning + per-tenant SSO), encryption (per-tenant CMK), audit (per-tenant log stream). Threat model tenant escape explicitly.
What is BeyondCorp and what does it replace?
Google's zero-trust model replacing VPN with identity + device + per-request authorisation via Access Proxy + Access Control Engine. Replaces 'trusted internal network' with 'no network is trusted'. Reference for any modern zero-trust design.
Walk me through a secure CI/CD pipeline design.
Source: signed commits, branch protection. Build: hermetic builds, SBOM generation, supply-chain scanning (Snyk / Dependabot), SAST (Semgrep / CodeQL). Sign: Sigstore / Cosign. Deploy: OIDC federation to cloud (no long-lived secrets), policy-as-code (Conftest / OPA) admission. Runtime: signed image verification, runtime detection.
Defend your choice of API authentication for a new public API.
OAuth 2.1 (incl. PKCE for public clients) + OIDC for user identity + JWTs short-lived + refresh tokens rotated. Mutual TLS for high-value B2B endpoints. Rate limit + WAF in front. Never API keys for end-user-impersonating endpoints.
How do you approach an Architecture Review Board?
Prep: 1-page ADR + reference pattern + risk treatment matrix. In room: lead with business problem, present 2–3 alternatives, recommend with trade-offs explicit, invite challenge, capture decision + dissents in ADR. Avoid surprise asks.
Quantum-resistant cryptography — what should I be doing now?
Inventory current cryptography (algorithm, library, location). Adopt crypto-agility wherever possible. Track NIST PQC standardisation (ML-KEM, ML-DSA, SLH-DSA). For TLS, plan hybrid KEMs (X25519+ML-KEM) for HSTS-critical sites. Plan 5-year migration roadmap.
How do you balance security architecture against engineering velocity?
Paved roads (secure-by-default libraries + templates) remove choice from common cases. Threat modelling required only above defined risk threshold. Security champions embedded. ADRs for deviations with explicit risk acceptance.
Tell me about an architectural decision you got wrong.
Behavioural. Concrete decision, what you learned, how it shaped your subsequent practice.
Always. Practise drawing identity + data flow + trust boundaries fluently on a blank canvas in 20 minutes.
Conceptual depth on common pitfalls (IV reuse, weak KDFs, raw RSA), not implementation-level. You must be able to defend algorithm choice.
Often — a 30-min secure code review or PR critique is common at senior+. Pick languages relevant to the firm's stack.
Required for UK enterprise (banks, insurers, public sector); optional for scale-ups / product companies.
Run AI-graded mock interviews with panel personas and structured feedback.