Penetration Tester Interview Questions: Junior, Mid, and Senior Answers Anchored to Real CVEs and Named Breaches

[Image: home-office workspace, laptop showing a Burp Suite Pro request to /OWA/, sticky note reading CVE-2021-26855 / ProxyLogon]



Senior interviewers at NCC Group, Mandiant, and Bishop Fox open with “walk me through ProxyLogon” and expect you to distinguish CVE-2021-26855 from CVE-2021-27065 before naming the chain. This guide is for security analysts, SOC analysts, junior security engineers, and red team aspirants targeting penetration tester or offensive security engineer roles at Big 4 firms (KPMG, EY, Deloitte, PwC), boutique pen test firms (NCC Group, Mandiant, Bishop Fox, Trustwave, GuidePoint, Coalfire), or in-house Fortune 500 red teams. If you are new to offensive security, start with OffSec PEN-200 / OSCP before working through this material.

Penetration tester interview questions in 2026 test four domains: methodology fluency (NIST SP 800-115 phases, OWASP Top 10 2021, MITRE ATT&CK technique IDs), tooling depth (Burp Suite Pro, BloodHound, CrackMapExec, Mimikatz — when to reach for each, not just that they exist), named-CVE breach postmortems (ProxyLogon CVE-2021-26855 chain, MOVEit CVE-2023-34362, Capital One IMDSv1 SSRF, Citrix Bleed CVE-2023-4966 CVSS 9.4), and modern attack surfaces (cloud IAM exfiltration, AD post-exploitation chains, API authorization testing). Candidates who anchor answers to exact CVE numbers and MITRE technique IDs consistently outperform candidates with only tool familiarity.

  1. Vulnerability assessment vs. penetration test?
  2. Phases of a penetration test (NIST SP 800-115)
  3. Black-box, white-box, and gray-box engagements
  4. OWASP Top 10 2021 — which to test first?
  5. SQL injection — manual testing walk-through
  6. Reflected, stored, and DOM-based XSS
  7. CSRF — when isn’t it exploitable?
  8. Burp Suite Pro for a typical web app test
  9. Nmap scan on a /24 internal network
  10. Full web app attack chain
  11. AD enumeration from a domain-user foothold
  12. REST API authorization testing
  13. Pen test report for a non-technical executive
  14. Scoping a “test our website” engagement
  15. ProxyLogon chain walk-through
  16. MOVEit-style SQLi zero-day discovery
  17. SSRF to AWS IAM credential exfiltration
  18. Domain Admin without public exploits
  19. Validating full Citrix Bleed remediation
  20. SolarWinds-style supply-chain red team

Penetration Testing Hiring in 2026: What Actually Changed

The pen testing interview shifted from “can you name ten vulnerabilities” to “can you walk me through a real breach chain” — and candidates who haven’t done that work yet will fail technical screens at serious firms. Four structural shifts since 2023 drove this change.

  • Cloud-first attack surfaces are now a core technical topic. AWS/Azure/GCP attack paths — IMDSv2 enforcement, IAM role assumption chains, Lambda environment variable extraction — appear at almost every senior screen. The Capital One 2019 breach remains the canonical teaching case. Cloud pen testing is no longer a specialization; it’s a baseline.
  • OWASP API Security Top 10 2023 is the new baseline for web app work. Mid-to-senior candidates who cite only the web app OWASP Top 10 without knowing API1 (BOLA) and API2 (Broken Auth) as distinct categories are signaling outdated prep. API authorization testing — not just injection — is what interviewers probe.
  • Supply-chain emphasis after SolarWinds. Since SUNBURST (the trojanized SolarWinds Orion DLL disclosed in December 2020; SolarWinds estimated that up to 18,000 customers installed the backdoored update), red team leads at enterprise organizations expect candidates to model software supply-chain attack surfaces, not just network perimeters.
  • CISA and MITRE ATT&CK alignment for federal-contractor roles. CISA's published red team assessments (AA23-059A, AA24-193A, AA24-326A) map each engagement step to ATT&CK and repeatedly show known, unpatched weaknesses and weak segmentation going undetected for months. Federal-contractor pen test work now expects findings anchored in MITRE ATT&CK technique IDs, not just CVSS scores.

Aggregated job-market data (figures vary with geography and demand) puts mid-to-senior pen testers in roughly the $130K–$220K total-comp range, with OSCP-certified candidates reporting 15–25% premiums over uncertified peers. One r/oscp commenter: “I don’t see how it’s humanly possible to get a pen test position without the OSCP or the SANS or any pentest-related cert.”

What Penetration Tester Interviews Actually Test in 2026

Senior interviewers cycle through four question types; Stefano Lanaro’s Steflan Security cheat sheet (2021) catalogs many of the underlying questions:

  • Framework knowledge: OWASP WSTG domains, NIST SP 800-115 phases, and MITRE ATT&CK Enterprise technique IDs — the structured vocabulary interviewers use to evaluate depth.
  • Tool fluency: not listing tools — knowing when Collaborator beats Repeater, or when sqlmap loses to a manual payload.
  • Named-CVE postmortem walk-throughs: chain ProxyLogon (CVE-2021-26855 + CVE-2021-27065) without confusing it with ProxyShell; name LEMURLOOT’s webshell path; explain Citrix Bleed’s out-of-bounds memory read.
  • Engagement scoping and report writing: translate a technical RCE into board-readable business risk — per practitioners, 80% of real pen test value lives in the report.

What’s the difference between a vulnerability assessment and a penetration test?

Concept: methodology scope | Difficulty: junior | Stage: recruiter/technical

Direct answer: A vulnerability assessment enumerates vulnerabilities — scanner-driven (Nessus, OpenVAS) — without exploiting them to prove impact. A penetration test exploits confirmed vulnerabilities to demonstrate a viable breach path. A pattern documented in r/netsec post-mortems: firms delivering raw Nessus output — 127.0.0.1 flagged as a “remote connection risk” — billed as a penetration test. That conflation is what this question probes.

What they’re really probing: Whether you understand the mandate difference. Blurring it signals scanner experience, not genuine engagement delivery.

An assessor delivers a CVSS-scored list; a penetration tester delivers an attack narrative from initial access to exfiltration.

Walk me through the phases of a penetration test.

Concept: methodology framework | Difficulty: junior | Stage: technical

Direct answer: NIST SP 800-115 defines four phases: Planning (scope, rules of engagement, legal authorization), Discovery (port scanning, service enumeration, vulnerability identification), Attack (exploitation, privilege escalation, lateral movement), and Reporting (findings, risk ratings, remediation guidance, executive summary). The PTES extends this to seven phases, adding pre-engagement interactions and post-exploitation as distinct steps.

What they’re really probing: Whether you think in structured phases. Structured thinkers are less likely to skip reporting or clean-up steps that create client liability.

Naming NIST SP 800-115 by number distinguishes you immediately from candidates who say only “reconnaissance, scanning, exploitation, reporting.”

What’s the difference between black-box, white-box, and gray-box engagements?

Concept: engagement knowledge tier | Difficulty: junior | Stage: technical

Direct answer: Per Stefano Lanaro’s Steflan Security cheat sheet (2021): black-box — no prior knowledge, simulates an external attacker. White-box — full access (source code, credentials, diagrams); maximizes coverage per engagement hour. Gray-box — partial knowledge (domain user account, no source code); most common enterprise type. Each tier tests a different threat model: black-box tests detective controls; white-box tests code quality; gray-box tests insider escalation.

What they’re really probing: Whether scope shapes your threat model, not just your starting information set.

Most enterprise engagements run gray-box or assumed-breach: the months of black-box reconnaissance a real attacker invests consume client budget without proportionate additional coverage.

Walk me through the OWASP Top 10 2021 — which one would you test first on a new engagement?

Concept: web application risk taxonomy | Difficulty: junior/mid | Stage: technical

Direct answer: OWASP Top 10 2021: A01 Broken Access Control · A02 Cryptographic Failures · A03 Injection · A04 Insecure Design · A05 Security Misconfiguration · A06 Vulnerable/Outdated Components · A07 Auth Failures · A08 Software Integrity Failures · A09 Logging Failures · A10 SSRF. Start with A01 — authorization bypass is widespread, high-impact, and invisible to scanners. Scanners find missing headers; they won’t catch IDOR.

What they’re really probing: Whether you distinguish the OWASP Top 10 (risk awareness list) from the OWASP WSTG v4.2 (testing methodology). Conflating them is the junior tell.

Framework Triad Reference: OWASP, MITRE ATT&CK, NIST

Senior interviewers expect you to anchor every answer in at least one named framework. The table covers eight frameworks most commonly probed, sourced from MITRE ATT&CK Enterprise, OWASP Top 10 2021, OWASP WSTG v4.2, and NIST SP 800-115. Junior candidates name tools; senior candidates name techniques and frameworks.

Framework | What It Covers | Most Cited Section in Interviews | Common Interviewer Probe
OWASP Top 10 2021 | 10 most critical web application risk categories (A01–A10) | A01 Broken Access Control (moved up from #5 in the 2017 edition) | “Which would you test first on a new engagement and why?”
OWASP API Security Top 10 2023 | API-specific risks: API1 BOLA, API2 Broken Authentication, API3 Broken Object Property Level Authorization | API1 BOLA, distinct from the web-app IDOR framing | “How is BOLA different from IDOR? Which OWASP list covers it?”
OWASP WSTG v4.2 | 12-domain practitioner testing methodology (identifiers such as WSTG-ATHN, WSTG-SESS, WSTG-INPV) | WSTG-ATHN (authentication), WSTG-SESS (session management), WSTG-INPV (input validation) | “What’s the difference between the OWASP Top 10 and the WSTG?”
MITRE ATT&CK Credential Access (TA0006) | 17 credential-access techniques, e.g. T1003 OS Credential Dumping, T1558 Steal or Forge Kerberos Tickets | T1558.003 Kerberoasting, T1558.004 AS-REP Roasting, T1003.006 DCSync | “Map your AD post-exploitation steps to ATT&CK technique IDs”
MITRE ATT&CK Lateral Movement (TA0008) | 9 techniques, e.g. T1550.002 Pass the Hash, T1021.002 SMB/Windows Admin Shares | T1550.002 Pass the Hash, T1550.003 Pass the Ticket | “You’ve got NTLM hashes but can’t crack them; what’s your move?”
NIST SP 800-115 | Federal technical guide; 4 phases: planning, discovery, attack, reporting | Phase definitions and deliverables | “What’s the federal methodology standard for penetration testing?”
PTES (2011) | 7-phase alternative: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting | Pre-engagement and post-exploitation as distinct phases | “How does PTES differ from NIST SP 800-115?”
CISA AA23-059A (red team assessment findings) | CISA red team TTPs: initial access, living off the land, scheduled-task persistence | Living-off-the-land lateral movement without triggering detection | “What does ‘living off the land’ mean in an AD context?”

Pen Tester Tooling Reference (2026)

The interview probe pattern: “When would you reach for X instead of Y?” — not “name a tool.” Sources: Stefano Lanaro’s Steflan Security cheat sheet (2021), HackTricks, SpecterOps AD Attack Paths research.

Tool | Phase | Common Use | Senior Probe Pattern
Burp Suite Pro | Exploitation | Web app proxy; Repeater (manual manipulation), Intruder (fuzzing), Collaborator (out-of-band detection) | “When do you use Collaborator vs. Repeater for SSRF detection?”
Nmap | Discovery | Port scan, service version (-sV), NSE scripts (--script vuln) | “Difference between -sS and -sT; when does it matter?”
Metasploit | Exploitation | Framework for known CVEs; MSFvenom for payload generation | “When would you write a custom exploit instead of using Metasploit?”
Nessus / OpenVAS | Discovery | Vulnerability scanning; identifies patch gaps | “What does a scanner miss that a manual tester catches?”
BloodHound + SharpHound | AD Enumeration | Graph-based AD attack-path analysis; identifies paths to Domain Admin via ACL/delegation misconfigurations | “What does BloodHound reveal that manual enumeration misses?”
CrackMapExec (continued as NetExec) | Lateral Movement | Multi-protocol auth testing (SMB, WinRM, LDAP); credential validation at scale across a subnet | “CME to validate credential reuse across a /24?”
Mimikatz | Credential Access | LSASS memory dump (T1003.001), Kerberos ticket extraction, Golden/Silver Ticket | “What stops Mimikatz from dumping LSASS?”
Hashcat / John | Credential Cracking | Offline NTLM hash cracking; ruleset-based attacks (rockyou + best64) | “Wordlist and ruleset for Kerberoasting ticket cracking?”
sqlmap | Exploitation | Automated SQLi; blind, union, and out-of-band extraction | “When to prefer manual SQLi over sqlmap?”
gobuster / ffuf | Discovery | Directory and endpoint brute-forcing; wordlist-driven content discovery | “Default wordlist on a web app engagement; why?”
Wireshark / tcpdump | Network Analysis | Packet capture and protocol analysis; encrypted traffic limits | “What can you learn from TLS traffic without decrypting it?”
Responder / Inveigh | Credential Access | LLMNR/NBT-NS poisoning (T1557.001); NTLMv2 hash capture for offline cracking | “What stops Responder from working?”

Junior-Tier Questions: Definitions, Tools, and Methodology (0–2 Years)

Junior screens test whether you’ve moved beyond tutorial knowledge to command-level understanding. Expect definition questions with follow-up probes that expose whether you’ve run the tool or just read the man page.

What is SQL injection? Walk me through how you’d test for it manually.

Concept: injection testing methodology | Difficulty: junior | Stage: technical

Direct answer: SQL injection manipulates backend queries via unsanitized user input. Per PortSwigger SQLi reference, three categories: in-band (result returned via same channel — most common), blind (boolean-based or time-based — behavior inferred), and out-of-band (DNS/HTTP callbacks via OAST). Manual testing: inject a single quote (') and observe for database errors or behavior change; follow with 1 AND 1=1-- vs. 1 AND 1=2-- for boolean confirmation. Primary defense: parameterized queries; secondary: allow-list input validation.

What they’re really probing: Whether you can test for SQLi without sqlmap — understanding error messages and boolean-response differences, not just running automation.

Name second-order SQLi specifically: input stored safely, later retrieved without sanitization. Automated tools miss this class because the vulnerable execution is temporally separated from the input point.
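The three manual checks described above, as an added example that is not from the original article: a SQLite-backed lookup written both ways, the single-quote error probe, the 1=1 / 1=2 boolean oracle, and a UNION extraction against the vulnerable version. The users table and its secrets are constructed for the demonstration; because nothing follows the injected value in this query, no trailing comment is needed.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the application's database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "s3cr3t-a"), (2, "bob", "s3cr3t-b")])
    return con


def lookup_vulnerable(con, user_id: str) -> list:
    # String concatenation: the input becomes part of the SQL text.
    return [r[0] for r in con.execute("SELECT name FROM users WHERE id = " + user_id)]


def lookup_fixed(con, user_id: str) -> list:
    # Bound parameter: the input is data to the query, never SQL.
    return [r[0] for r in con.execute("SELECT name FROM users WHERE id = ?", (user_id,))]


def error_probe(lookup, con, base: str) -> bool:
    """Step 1 of the manual method: append a single quote and watch for a DB error."""
    try:
        lookup(con, base + "'")
    except sqlite3.Error:
        return True
    return False


def boolean_oracle(lookup, con, base: str) -> bool:
    """Step 2: a true and a false condition yield different responses only when
    the database is actually evaluating the condition."""
    try:
        return lookup(con, f"{base} AND 1=1") != lookup(con, f"{base} AND 1=2")
    except sqlite3.Error:
        return False


def union_extract(con) -> list:
    """In-band extraction through the vulnerable lookup: a UNION selects a
    column the endpoint was never meant to return."""
    return sorted(lookup_vulnerable(con, "0 UNION SELECT secret FROM users"))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", error_probe(lookup_vulnerable, db, "1"),
          boolean_oracle(lookup_vulnerable, db, "1"), union_extract(db))
    print("fixed:", error_probe(lookup_fixed, db, "1"),
          boolean_oracle(lookup_fixed, db, "1"), lookup_fixed(db, "1"))
```

The fixed lookup is not just "escaped better": the bound value never reaches the SQL parser, so neither probe can produce a signal, which is exactly what a tester should see on a remediated endpoint.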

Explain the difference between reflected, stored, and DOM-based XSS.

Concept: XSS taxonomy | Difficulty: junior | Stage: technical

Direct answer: Per PortSwigger XSS reference: Reflected — script in the current HTTP request; requires victim to click a crafted URL; no server storage. Stored/Persistent — script written to the database, executes for all users who view the infected page; no crafted URL needed. DOM-based — client-side JavaScript writes attacker-controlled data (e.g., location.hash) to the DOM without server involvement; payload never hits the server logs. Prevention: four layers — input filtering, contextual output encoding (HTML/URL/JS/CSS), response headers, and Content Security Policy (CSP).

What they’re really probing: DOM-based XSS trips candidates who only think server-side — the server never sees the payload, so server-side filters and WAF rules are blind to it.

DOM XSS requires source-to-sink JavaScript analysis (e.g., document.write(location.hash)). Server-side scanners miss it entirely — manual or DOM-analysis tooling is required.
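An added example, not from the original article, of why the encoder must match the output context named in the prevention layers above: Python's html.escape is correct for a text node and a quoted attribute but not for an unquoted attribute, a script string, or a URL. The rendered markup is fed to the standard-library HTMLParser to show what the browser's parser would see; the payloads are constructed.

```python
import html
import json
from html.parser import HTMLParser
from urllib.parse import urlparse


class TagCollector(HTMLParser):
    """Parses rendered markup the way a browser would and records tags and attributes."""

    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def parse(markup: str):
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs


# Constructed payloads for the two contexts.
ATTR_PAYLOAD = "x onfocus=alert(1) autofocus"
SCRIPT_PAYLOAD = "</script><script>alert(1)</script>"


def attr_unquoted(value: str) -> str:
    # WRONG: html.escape does not encode spaces, so the value spills into new attributes.
    return f"<input value={html.escape(value)}>"


def attr_quoted(value: str) -> str:
    # RIGHT: quoted attribute plus html.escape (quote=True also encodes the closing quote).
    return f'<input value="{html.escape(value)}">'


def js_json_only(value: str) -> str:
    # WRONG: json.dumps is a JS-string encoder, but it leaves "</script>" intact and
    # the HTML parser closes the script element before the JS engine sees anything.
    return f"<script>var user = {json.dumps(value)};</script>"


def js_json_escaped(value: str) -> str:
    # RIGHT: additionally encode <, > and & as \u sequences so no tag can appear.
    encoded = (json.dumps(value).replace("<", "\\u003c")
               .replace(">", "\\u003e").replace("&", "\\u0026"))
    return f"<script>var user = {encoded};</script>"


def href_allowed(url: str) -> bool:
    # URL context: no encoding stops a javascript: URL; allow-list the scheme instead.
    return urlparse(url).scheme in ("http", "https")


if __name__ == "__main__":
    print(parse(attr_unquoted(ATTR_PAYLOAD))[1])
    print(parse(attr_quoted(ATTR_PAYLOAD))[1])
    print(parse(js_json_only(SCRIPT_PAYLOAD))[0], parse(js_json_escaped(SCRIPT_PAYLOAD))[0])
```

The script case is the one that trips candidates: the payload contains no quote characters, so a quote-focused filter passes it, and the damage is done by the HTML tokenizer, not by JavaScript.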

What is CSRF, and when isn’t it exploitable?

Concept: session-based forgery | Difficulty: junior/mid | Stage: technical

Direct answer: CSRF induces an authenticated victim’s browser to issue a forged state-changing request, relying on the browser attaching session cookies automatically. Per Stefano Lanaro’s Steflan Security cheat sheet (2021), CSRF differs from XSS: XSS runs attacker script in other users’ browsers; CSRF forges requests from the victim’s own authenticated session. Not exploitable when: unpredictable, session-bound CSRF tokens are validated on every state-changing action; the session cookie carries SameSite=Strict (or Lax, for non-GET requests); the endpoint demands re-authentication; or the API accepts only a JSON body with a non-form Content-Type (an HTML form cannot send one, and a cross-origin fetch that does triggers a CORS preflight the server should refuse).

What they’re really probing: “When isn’t it exploitable” is the trap — most candidates explain what CSRF is but skip its failure conditions.

The modern answer pairs SameSite=Strict with CSRF tokens. Candidates who name only tokens are describing a 2015-era mitigation stack, not a 2026 one.
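An added example, not from the original article, that encodes the failure conditions above as a checklist: a minimal model of when a browser attaches a cookie to a cross-site request under each SameSite value, and when a forged request still succeeds. The scenarios are constructed, and the model omits browser-specific details such as the temporary POST exception some browsers apply to cookies that carry no SameSite attribute at all.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool              # initiated from an attacker-controlled origin?
    top_level_navigation: bool    # link click / form submit vs. fetch(), <img>, XHR
    has_valid_csrf_token: bool = False
    content_type: str = "application/x-www-form-urlencoded"


# The only Content-Types an HTML form (and therefore a no-preflight request) can send.
FORM_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def cookie_sent(samesite: str, req: Request) -> bool:
    """Would the browser attach a cookie with this SameSite value to the request?"""
    if not req.cross_site:
        return True
    if samesite == "Strict":
        return False
    if samesite == "Lax":
        # Lax cookies ride along only on top-level navigations that use a safe method.
        return req.top_level_navigation and req.method == "GET"
    if samesite == "None":
        return True  # only valid together with the Secure attribute
    raise ValueError(f"unknown SameSite value: {samesite}")


def csrf_exploitable(samesite: str, req: Request, token_checked: bool) -> bool:
    """A forged state-changing request succeeds only if every defence is absent."""
    if not cookie_sent(samesite, req):
        return False                        # no session, no forgery
    if token_checked and not req.has_valid_csrf_token:
        return False                        # token validated on this action
    if req.content_type not in FORM_CONTENT_TYPES:
        return False                        # needs a preflight the attacker cannot pass
    return True


if __name__ == "__main__":
    post = Request("POST", cross_site=True, top_level_navigation=True)
    for mode in ("Strict", "Lax", "None"):
        print(mode, cookie_sent(mode, post), csrf_exploitable(mode, post, token_checked=False))
```

Note the Lax loophole the model exposes: a state-changing GET reached by top-level navigation still carries a Lax cookie, which is why "Lax is enough" holds only when no GET mutates state.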

Walk me through how you’d use Burp Suite Pro for a typical web app test.

Concept: web app proxy workflow | Difficulty: junior/mid | Stage: technical

Direct answer: Proxy — intercept and map traffic while browsing manually; understand the parameter surface before testing. Repeater — manual request manipulation: modify parameters, headers, cookies, methods. Intruder — wordlist or numeric fuzzing on parameter values (rate-unrestricted in Pro). Collaborator — out-of-band detection for SSRF and blind XXE, where the payload triggers a DNS or HTTP callback to Burp infrastructure; this is the capability that separates Pro from Community for blind injection classes. Scanner (Pro) — passive and active scanning; reliable on parameter injection, blind to authorization logic flaws. Decoder/Comparer — token analysis and session parameter comparison.

What they’re really probing: When Collaborator is necessary — blind injection classes with no in-band confirmation.

Naming Turbo Intruder signals real engagement depth: it replaces the built-in Intruder’s HTTP stack with a scripted, far faster engine, which matters for very large wordlists and for race-condition testing where request timing has to be controlled.

Show me the Nmap scan you’d run as your first step on a /24 internal network.

Concept: network discovery methodology | Difficulty: junior | Stage: technical

Direct answer: Host discovery first, no port scan: nmap -sn 192.168.1.0/24 (ping sweep; identifies live hosts). Then: nmap -sS -sV -O -p- --min-rate 5000 <targets> -oA internal. That is a SYN scan (-sS, requires root; the handshake is never completed, so the target’s application logs record nothing, although firewalls and IDS still see it), service versions (-sV), OS detection (-O), all 65535 ports (-p-), and all three output formats (-oA). Follow with NSE scripts on interesting ports: nmap --script vuln,safe -p 80,443,445,3389 <targets>. Include UDP: nmap -sU -p 161 <targets>, because SNMP on UDP/161 is frequently misconfigured and information-rich.

What they’re really probing: Whether you know that -sS (SYN, stealth) differs from -sT (full TCP connect, logged by target), and why host discovery precedes port scanning.

Citing -oA signals professional practice — reproducible scan data is a report-quality requirement, not optional.
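An added example, not from the original article: a parser for the greppable .gnmap file that -oA writes, turning the first scan into the target lists for the NSE follow-up and for the later CrackMapExec credential checks. The scan output embedded below is constructed, not a real capture.

```python
from collections import defaultdict

# Constructed sample of the greppable (.gnmap) output that "-oA internal" writes.
SAMPLE_GNMAP = "\n".join([
    "# Nmap 7.94 scan initiated as: nmap -sS -sV -O -p- -oA internal 192.168.1.0/24",
    "Host: 192.168.1.10 ()\tStatus: Up",
    "Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, "
    "445/open/tcp//microsoft-ds//, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/"
    "\tIgnored State: closed (65532)",
    "Host: 192.168.1.20 ()\tStatus: Up",
    "Host: 192.168.1.20 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.57/, "
    "443/open/tcp//ssl|https//Apache httpd/, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (65532)",
    "# Nmap done: 256 IP addresses (2 hosts up) scanned",
])


def parse_gnmap(text: str) -> dict:
    """Return {ip: [(port, proto, service, version), ...]} for open ports only.

    Each port record has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version.
    """
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        ip = line.split()[1]
        ports_field = line.split("\tPorts:", 1)[1].split("\tIgnored State", 1)[0]
        for record in ports_field.split(","):
            fields = record.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                hosts[ip].append((int(port), proto, service, version))
    return dict(hosts)


def followup_scans(hosts: dict, interesting=(80, 443, 445, 3389)) -> list:
    """One NSE command per host, restricted to the open ports worth scripting against."""
    cmds = []
    for ip, ports in sorted(hosts.items()):
        chosen = sorted(p for p, _, _, _ in ports if p in interesting)
        if chosen:
            cmds.append(f"nmap --script vuln,safe -p {','.join(map(str, chosen))} {ip}")
    return cmds


def smb_hosts(hosts: dict) -> list:
    """Hosts exposing 445/tcp: the candidate list for later credential-reuse checks."""
    return sorted(ip for ip, ports in hosts.items() if any(p == 445 for p, *_ in ports))


if __name__ == "__main__":
    found = parse_gnmap(SAMPLE_GNMAP)
    print(found)
    print("\n".join(followup_scans(found)))
    print("SMB:", smb_hosts(found))
```

Filtered ports are dropped deliberately; scripting against them wastes time and produces nothing for the report, whereas the open-port list is reproducible evidence.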

Mid-Tier Questions: Attack Chains and Methodology (2–5 Years)

Mid-tier screens probe whether you chain techniques into a coherent engagement narrative, scope work professionally, and write findings clients understand. Expect scenario-based questions with follow-up probes that expose whether your methodology is real or theoretical.

Walk me through a full web app attack chain — initial access through data exfiltration.

Concept: end-to-end attack chain | Difficulty: mid | Stage: technical/system-design

Direct answer: Starting black-box from zero: Reconnaissance — passive (Google dorking, Shodan, certificate transparency, subdomain enumeration) then active (gobuster/ffuf content discovery, Nmap service mapping). Attack surface mapping — enumerate auth endpoints, file upload functions, search/filter parameters, API routes. Test A03 Injection on parameter-heavy endpoints — manual single-quote first, sqlmap second. Test A01 Broken Access Control on any user-specific object reference (IDOR: increment numeric ID, swap user B’s token into user A’s request). Exploitation — on a SQLi hit: extract credentials via union-based or blind time-based queries; test OS command execution if the DB user has xp_cmdshell or FILE privileges. If authentication fails: exploit token predictability or the JWT none algorithm. Privilege escalation — test vertical authorization failures on admin API routes (still A01; a missing check on an admin route is broken access control, not misconfiguration). Data exfiltration — map high-value stores, enumerate S3 buckets if cloud-hosted. Timestamp and capture raw request/response throughout.

What they’re really probing: Whether you think in chains, not isolated vulnerabilities — and whether you document as you go rather than only at the end.

Anchor each phase to an OWASP Top 10 2021 category. Stating what you’re probing for before finding it is the methodology signal interviewers verify.
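The JWT none-algorithm step in the chain above, as an added example that is not from the original article: a naive verifier that lets the untrusted header select the algorithm, beside a verifier that pins it. RS256-to-HS256 key confusion has the same root cause (the header deciding which key material is used) but needs an RSA library, so only the alg-none case is shown. The secret and claims are constructed; only the standard library is used.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-secret"   # constructed; a real key lives in a KMS or vault


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _encode(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue a legitimate HS256 token."""
    header, payload = _encode({"alg": "HS256", "typ": "JWT"}), _encode(claims)
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def forge_alg_none(claims: dict) -> str:
    """What the attacker submits: alg=none, arbitrary claims, empty signature."""
    return f'{_encode({"alg": "none", "typ": "JWT"})}.{_encode(claims)}.'


def verify_naive(token: str, key: bytes):
    """WRONG: honours whatever algorithm the (unauthenticated) header names."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))          # no signature check at all
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_strict(token: str, key: bytes):
    """RIGHT: the verifier decides the algorithm; the header may only agree with it."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


if __name__ == "__main__":
    forged = forge_alg_none({"sub": "alice", "role": "admin"})
    print("naive :", verify_naive(forged, SECRET))
    print("strict:", verify_strict(forged, SECRET))
```

During testing, the observable difference is a 200 with elevated access on the forged token versus a 401; the same two-token comparison applies to an expired-token check (API2).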

You’ve got initial domain-user access on an internal network. What’s your AD enumeration approach?

Concept: AD attack-path enumeration | Difficulty: mid | Stage: technical

Direct answer: From a domain-user shell, start with BloodHound + SharpHound — run SharpHound collector (Invoke-BloodHound -CollectionMethod All) to enumerate users, groups, GPOs, ACLs, and trust relationships, then ingest into BloodHound for graph-based attack-path analysis. Per SpecterOps AD Attack Paths research, many enterprise environments have non-privileged-user paths to Domain Admin via group-membership or ACL misconfigurations — no exploitation required to map them. Identify Kerberoastable accounts (SPNs registered to domain accounts) and accounts with pre-auth disabled for AS-REP Roasting candidates — BloodHound surfaces both categories without executing any attack. Check for misconfigured delegation, AdminSDHolder anomalies, and ADCS certificate template misconfigurations that BloodHound now surfaces. Use CrackMapExec to validate credential scope across the /24.

What they’re really probing: Whether you start with BloodHound (graph-first, path identification) rather than manual enumeration — and whether you can distinguish what enumeration reveals from how the attack chain executes (covered in the senior tier).

The mid-tier signal is mapping what attack-path classes exist; execution details for Kerberoasting and AS-REP Roasting belong in the senior post-exploitation chain question.

How do you approach testing a REST API for authorization vulnerabilities?

Concept: API authorization methodology | Difficulty: mid | Stage: technical

Direct answer: Use OWASP API Security Top 10 2023 as the testing checklist. Start with API1 (BOLA) — Broken Object Level Authorization: APIs that expose object IDs without per-request authz checks. Testing: capture tokens for two accounts (A and B); send A’s requests with B’s object IDs — a valid response confirms BOLA. Test API2 (Broken Auth): JWT algorithm confusion (none algorithm, RS256→HS256 key confusion), expired token acceptance. Test API3 (Property-Level Authz): inject extra properties in POST/PUT bodies ("role":"admin"). Fuzz undocumented endpoints first — they often lack the authz middleware applied to documented routes.

What they’re really probing: Whether you know OWASP API Security Top 10 2023 specifically and test with two simultaneous user contexts — BOLA can’t be confirmed with a single account.

Citing only the web app OWASP Top 10 signals web testing prep, not API testing — the distinction is what interviewers probe.

Walk me through how you’d structure a pen test report for a non-technical executive.

Concept: finding communication and risk translation | Difficulty: mid | Stage: technical/behavioral

Direct answer: Two audiences, two content layers. Executive summary (1–2 pages): overall risk posture (Critical/High/Medium/Low count), two or three highest-impact findings in plain language (“an attacker with internet access can read any customer’s financial records”), prioritized remediation roadmap with effort estimates. Technical findings: per-finding documentation — title, severity (CVSS score plus business context), affected asset, evidence (screenshots, raw request/response), remediation steps, and verification criteria. A pattern documented across r/netsec post-mortems: when turnaround is under three days, the pentester almost certainly didn’t write the report — scanner output delivered as a pen test report is the industry’s most cited quality failure.

What they’re really probing: Whether you understand that the report is the deliverable — and whether you can translate a technical RCE into board-readable business risk.

A CVSS 9.8 on an internal-only system unreachable from the internet requires explicit business-context framing. Scores alone cause panic without calibration.

A client says “test our website.” What scoping questions do you ask?

Concept: engagement scoping and rules of engagement | Difficulty: mid | Stage: technical/behavioral

Direct answer: Six categories before accepting scope: (1) Exact scope — which domains, subdomains, IP ranges? Third-party SaaS included? (2) Knowledge tier — black-box, gray-box, or white-box? (3) Test window — dates, times, production vs. staging (determines safe exploit attempts). (4) Explicit exclusions — payment processors, healthcare records, active-user PII out of scope? (5) Written authorization — signed rules of engagement (ROE), emergency contacts who can extend scope. (6) Notification chain — who gets paged if something breaks; who can halt the engagement. An r/cybersecurity thread documented a physical tester soft-arrested because they lacked their ROE letter. These questions prevent criminal liability.

What they’re really probing: Whether you understand that an unscoped engagement is a legal liability, not just a planning gap.

The follow-up: “You find a critical finding that’s out of scope — what do you do?” Document immediately, escalate to the authorization contact, take no further action without written amendment.

Senior-Tier Questions: Named-CVE Chains and Modern Attack Surfaces (5+ Years)

Senior screens at NCC Group, Mandiant, and Bishop Fox probe named-CVE postmortems explicitly — not as trivia, but because walking through a real breach chain reveals whether you have the mental model to discover novel vulnerabilities. Expect follow-up on CVE numbers, exact mechanism classes, and defender-perspective mitigations.

Walk me through the Microsoft Exchange ProxyLogon chain. Why was it different from a typical web vuln?

Concept: pre-auth SSRF + file-write chain | Difficulty: senior | Stage: technical

Direct answer: ProxyLogon (March 2021) chained two CVEs into unauthenticated RCE on Exchange over port 443. CVE-2021-26855 is a pre-auth SSRF in the Exchange frontend (Client Access Service): its proxy handlers took the backend target from attacker-supplied cookies (X-BEResource for the ECP resource handler, X-AnonResource-Backend for the OWA resource proxy) before any authentication, and the frontend then forwarded the request to the backend under the Exchange server’s own machine-account identity, so the attacker reached backend endpoints such as ECP as a privileged user. CVE-2021-27065 is a post-auth arbitrary file write: the ECP DDIService’s WriteFileActivity accepted an attacker-controlled output path, so an OAB virtual directory reset could write a webshell into the Exchange webroot. Chained, the SSRF supplied the authentication the file write required, producing unauthenticated RCE. Per Orange Tsai’s DEVCORE ProxyLogon part-1 write-up: “all vulnerabilities we unveiled here are logic bugs, which means they could be reproduced and exploited more easily than any memory corruption bugs.” Over 400,000 internet-facing Exchange servers were reportedly exposed.

What they’re really probing: Whether you distinguish ProxyLogon from ProxyShell (August 2021: CVE-2021-34473 pre-auth path confusion, CVE-2021-34523 privilege elevation on the PowerShell backend, CVE-2021-31207 post-auth file write; CVE-2021-34473 is CVSS 9.8 on NVD), a separate chain from the same researcher disclosed five months later, and whether you can explain why a logic bug is easier to exploit reliably than memory corruption.

Mitigation: apply the March 2021 security update (KB5000871) and confirm the installed build; review Exchange HttpProxy and IIS logs for unauthenticated or anomalous /owa/ and /ecp/ requests against Microsoft’s published indicators; scan the known webshell drop paths (FrontEnd\HttpProxy\owa\auth and inetpub\wwwroot\aspnet_client among them) for recently written .aspx files.

How would you discover a MOVEit-style SQLi zero-day in a managed file transfer product?

Concept: SQLi zero-day discovery methodology | Difficulty: senior | Stage: technical

Direct answer: MOVEit CVE-2023-34362 (May 2023) was a SQL injection zero-day in Progress Software’s MOVEit Transfer web application. Per NVD and CISA AA23-158A (the MOVEit / CL0P advisory), CL0P exploited it to install the LEMURLOOT webshell as human2.aspx, which authenticated incoming requests with a hard-coded password carried in the X-siLock-Comment header. For zero-day discovery on similar products: (1) Map every database-backed parameter; file transfer products process metadata fields (filename, description, recipient, folder path) that commonly feed unsanitized SQL queries. (2) Fuzz those parameters with SQL metacharacters, focusing on fields outside the primary UI flows (background sync APIs, notification parameters, header values). (3) Use OAST-based blind payloads (DNS callbacks via Burp Collaborator) where no boolean difference is visible. Persistence note: accounts and database rows that CL0P created through the application survive a web-server rebuild; if the MOVEit database is not audited and reset, persistence remains.

What they’re really probing: Whether you understand blind SQLi discovery methodology, and whether you know the CL0P persistence mechanism that makes “just rebuild the server” an insufficient remediation.

TA505/CL0P ran the same zero-day-in-a-managed-file-transfer-product-to-mass-exfiltration playbook before MOVEit: Accellion FTA (SQL injection, CVE-2021-27101, 2020–21) and GoAnywhere MFT (pre-auth deserialization in the license servlet, CVE-2023-0669, January 2023). Only the Accellion case was SQLi; the repeatable part of the playbook is the target class, not the bug class.

Walk me through how you’d discover and exploit an SSRF that leads to AWS IAM credential exfiltration.

Concept: cloud SSRF to IAM credential theft | Difficulty: senior | Stage: technical

Direct answer: The Capital One 2019 breach (as covered by Krebs on Security) established the canonical SSRF-to-IMDSv1 chain: through an SSRF in a misconfigured ModSecurity WAF running on EC2, the attacker requested http://169.254.169.254/latest/meta-data/iam/security-credentials/ (which lists the instance role name and then, with the name appended, returns temporary keys for it), obtained temporary IAM credentials for an over-permissive role, and used them to pull 100M+ customer records from S3. Discovery: feed the metadata endpoint to every URL-accepting parameter (webhooks, import-from-URL, link previews, PDF generators); a metadata response confirms reachable IMDSv1. IMDSv2 requires a PUT to /latest/api/token (with the X-aws-ec2-metadata-token-ttl-seconds header) before any GET, and a bare GET is answered with 401, which most SSRF primitives cannot get past. Evan Johnson (Cloudflare): “SSRF has become the most serious vulnerability facing organizations that use public clouds.” Confirm enforcement by verifying that a bare GET to 169.254.169.254 is rejected, or by checking that the instance’s MetadataOptions report HttpTokens as required in the EC2 API.

What they’re really probing: The IMDSv1 vs. IMDSv2 distinction and the specific URL path that leaked credentials in Capital One — not just “SSRF is dangerous in cloud environments.”

Remediation: enforce IMDSv2 (hop limit = 1, HTTP tokens = required); IAM least-privilege on EC2 instance roles; WAF SSRF rules (absent from ModSecurity defaults in 2019).
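An added example, not from the original article or from AWS: a local stand-in for the instance metadata service run in two modes, showing why a GET-only SSRF primitive reaches IMDSv1 but fails against IMDSv2, together with the remediation check from the text. Only the URL paths and header names are the real ones; the server, role name and credential blob are constructed, and the hop-limit control is not modelled.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ROLE = "demo-ec2-role"                                     # constructed
TOKEN = "constructed-session-token"                        # constructed
FAKE_CREDS = {"AccessKeyId": "ASIA-CONSTRUCTED",           # constructed, not real keys
              "SecretAccessKey": "constructed", "Token": "constructed"}
CREDS_PATH = "/latest/meta-data/iam/security-credentials/"


def make_handler(require_token: bool):
    class FakeIMDS(BaseHTTPRequestHandler):
        def log_message(self, *args):          # keep the demo quiet
            pass

        def do_PUT(self):                      # IMDSv2 session bootstrap
            ok = self.path == "/latest/api/token" and "X-aws-ec2-metadata-token-ttl-seconds" in self.headers
            self._reply(200 if ok else 400, TOKEN if ok else "")

        def do_GET(self):
            if require_token and self.headers.get("X-aws-ec2-metadata-token") != TOKEN:
                self._reply(401, "")           # IMDSv2 with HttpTokens=required
            elif self.path == CREDS_PATH:
                self._reply(200, ROLE)         # lists the role name
            elif self.path == CREDS_PATH + ROLE:
                self._reply(200, json.dumps(FAKE_CREDS))
            else:
                self._reply(404, "")

        def _reply(self, code, body):
            data = body.encode()
            self.send_response(code)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
    return FakeIMDS


def start_fake_imds(require_token: bool):
    srv = HTTPServer(("127.0.0.1", 0), make_handler(require_token))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars


def fetch(url, method="GET", headers=None):
    try:
        with _opener.open(urllib.request.Request(url, method=method, headers=headers or {}), timeout=5) as r:
            return r.status, r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, ""


def ssrf_get_only(base: str):
    """What a typical SSRF primitive can do: attacker-chosen GETs, no custom headers."""
    status, role = fetch(base + CREDS_PATH)
    if status != 200:
        return None
    status, body = fetch(base + CREDS_PATH + role)
    return json.loads(body) if status == 200 else None


def imdsv2_client(base: str):
    """The legitimate IMDSv2 flow: PUT for a token, then GET with the token header."""
    _, token = fetch(base + "/latest/api/token", "PUT", {"X-aws-ec2-metadata-token-ttl-seconds": "21600"})
    status, body = fetch(base + CREDS_PATH + ROLE, headers={"X-aws-ec2-metadata-token": token})
    return json.loads(body) if status == 200 else None


def imdsv2_enforced(base: str) -> bool:
    """Remediation check from the text: a bare GET must be refused with 401."""
    return fetch(base + CREDS_PATH)[0] == 401


if __name__ == "__main__":
    for mode in (False, True):
        srv, base = start_fake_imds(require_token=mode)
        print("tokens required" if mode else "IMDSv1", ssrf_get_only(base), imdsv2_enforced(base))
        srv.shutdown()
```

The asymmetry is the whole point: the legitimate client can issue a PUT with a custom header, an SSRF in a URL-fetching feature usually cannot, so requiring the token removes the Capital One path without touching the application bug itself.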

You’ve got a domain-user shell. Walk me through getting to Domain Admin without using public exploits.

Concept: AD post-exploitation chain | Difficulty: senior | Stage: technical

Direct answer: Six steps, each anchored to MITRE ATT&CK Credential Access (TA0006) and MITRE ATT&CK Lateral Movement (TA0008):

  1. BloodHound + SharpHound: collect all AD relationships and graph-analyze paths to DA, including ACL misconfigurations that require no exploitation, per SpecterOps AD Attack Paths research.
  2. AS-REP Roasting (T1558.004): query accounts with DONT_REQ_PREAUTH set; request AS-REP messages for them without authenticating; crack offline with Hashcat. No valid TGT required.
  3. Kerberoasting (T1558.003): request TGS tickets for SPN-registered service accounts using your own TGT; the ticket is encrypted with the service account’s key (RC4/NTLM or AES), so it cracks offline with Hashcat. Target high-privilege service accounts (SQL, backup agents).
  4. Pass-the-Hash (T1550.002): authenticate with NTLM hashes directly over SMB/WMI without a cleartext password. CrackMapExec validates hash acceptance across the subnet.
  5. DCSync (T1003.006): once you hold the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object (via any compromised account, not necessarily a DA), abuse MS-DRSR to pull all domain hashes with Impacket secretsdump; no local DC access needed.
  6. Golden Ticket (T1558.001): forge TGTs with the krbtgt key; they survive individual account password resets. Only a krbtgt double reset invalidates them.

What they’re really probing: AS-REP Roasting (T1558.004) distinct from Kerberoasting (T1558.003), and DCSync (T1003.006) requiring a specific ACL — not DA membership itself.

Defender signals: monitor for MS-DRSR replication requests from non-DC sources; enable Credential Guard; audit pre-auth-disabled accounts and high-privilege SPNs via SpecterOps ADCS Attack Paths.
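The defender signals above (replication requests from non-DC principals, pre-auth-disabled accounts, privileged SPN accounts) as an added Python example; it is not from the original article or from SpecterOps. The account export and the event 4662 records are constructed, and 4662's `Properties` text is modelled as a list of GUIDs for simplicity. The `userAccountControl` bit and the two DS-Replication extended-right GUIDs are the real values.

```python
"""Defender-side checks for the AD chain above (added example, constructed data)."""
from __future__ import annotations

# userAccountControl flag that makes an account AS-REP roastable.
UF_DONT_REQUIRE_PREAUTH = 0x400000

# Extended rights a DCSync caller needs; both GUIDs appear in event 4662 Properties.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

HIGH_PRIV_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
DC_COMPUTER_ACCOUNTS = {"DC01$", "DC02$"}  # constructed; source from the Domain Controllers OU

# Constructed LDAP-style export (0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD).
USERS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x10200,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.example:1433"], "memberOf": ["Domain Admins"]},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": [], "memberOf": []},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200,
     "servicePrincipalName": ["backup/bk01.corp.example"], "memberOf": ["Backup Operators"]},
    {"sAMAccountName": "jdoe", "userAccountControl": 0x10200,
     "servicePrincipalName": [], "memberOf": []},
]

# Constructed Security event 4662 records (Properties modelled as a GUID list).
EVENTS_4662 = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},          # normal DC-to-DC replication
    {"EventID": 4662, "SubjectUserName": "svc_backup", "ObjectType": "domainDNS",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},          # non-DC asking to replicate
    {"EventID": 4662, "SubjectUserName": "jdoe", "ObjectType": "user",
     "Properties": ["placeholder-unrelated-property-guid"]},           # ordinary attribute access
]


def asrep_roastable(users: list[dict]) -> list[str]:
    """Accounts with DONT_REQ_PREAUTH set: fix the flag or accept the offline-cracking exposure."""
    return [u["sAMAccountName"] for u in users if u["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH]


def privileged_spn_accounts(users: list[dict], high_priv: set[str] = HIGH_PRIV_GROUPS) -> list[str]:
    """SPN-bearing accounts in high-privilege groups: the Kerberoasting targets worth a gMSA or long password."""
    return [u["sAMAccountName"] for u in users
            if u["servicePrincipalName"] and set(u["memberOf"]) & high_priv]


def suspicious_replication(events: list[dict], dc_accounts: set[str] = DC_COMPUTER_ACCOUNTS) -> list[str]:
    """Non-DC principals that requested replication rights on the naming context (DCSync signal)."""
    hits = []
    for e in events:
        if e.get("EventID") != 4662:
            continue
        if not REPLICATION_RIGHTS & set(e.get("Properties", [])):
            continue
        if e["SubjectUserName"] in dc_accounts:
            continue
        hits.append(e["SubjectUserName"])
    return hits


if __name__ == "__main__":
    print("AS-REP roastable:", asrep_roastable(USERS))
    print("privileged SPN accounts:", privileged_spn_accounts(USERS))
    print("replication from non-DC:", suspicious_replication(EVENTS_4662))
```

Auditing for object-access events requires a SACL on the domain naming context for the replication rights; without it, 4662 is never written and the third check has nothing to read.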

Citrix Bleed (CVE-2023-4966) exposed session tokens via memory disclosure. How would you validate full remediation?

Concept: memory-disclosure remediation validation | Difficulty: senior | Stage: technical

Direct answer: NVD CVE-2023-4966 (Citrix Bleed) (CVSS 9.4, not 9.8 — that score belongs to ProxyShell) is an out-of-bounds memory read — not a buffer overflow — in Citrix NetScaler ADC and NetScaler Gateway. The mechanism: unauthenticated requests caused the appliance to leak memory containing valid authenticated session tokens, enabling session hijacking and MFA bypass without credentials. Per CISA AA23-325A (Citrix Bleed), both LockBit ransomware affiliates and Storm-0501 exploited it widely in Q4 2023. Remediation validation requires three steps, not one: (1) Patch the binary — confirm the patched NetScaler build is installed; (2) Invalidate all in-memory sessions — kill all authenticated sessions established before the patch (sessions established during the vulnerable window remain valid post-patch until they expire); (3) Rotate all tokens issued before the patch window — session tokens that were disclosed during the vulnerable period remain usable until explicitly rotated. Patching alone is insufficient if active hijacked sessions persist.

What they’re really probing: Whether you know that patching a memory-disclosure vulnerability doesn’t invalidate already-disclosed tokens — a critical gap in many real-world remediation responses.

Storm-0501 used Impacket’s SecretsDump for lateral movement post-exploitation, confirming the Citrix Bleed initial-access chain connected to full AD credential compromise.
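The three-step validation above as an added Python example; it is not from the original article, from Citrix or from CISA. The patch time, the session records and the `FIXED_BUILD` value are constructed placeholders: in a real check the fixed build comes from the vendor advisory and the session list from the appliance.

```python
"""Remediation check for a memory-disclosure bug: patch, invalidate, rotate (added example)."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

PATCH_TIME = datetime(2023, 10, 20, 12, 0, tzinfo=timezone.utc)   # constructed
FIXED_BUILD = (14, 1, 8, 50)   # PLACEHOLDER: take the real fixed build from the vendor advisory


def parse_build(s: str) -> tuple[int, ...]:
    """'14.1-8.50' -> (14, 1, 8, 50) so builds compare numerically rather than as strings."""
    return tuple(int(p) for p in s.replace("-", ".").split("."))


def build_patched(installed: str, fixed: tuple[int, ...] = FIXED_BUILD) -> bool:
    """Step 1. Only compare within the same major.minor train; another train is not 'fixed'."""
    inst = parse_build(installed)
    return inst[:2] == fixed[:2] and inst >= fixed


# Constructed session table: token id, when issued, when last presented, still live?
SESSIONS = [
    {"id": "sess-A", "issued": PATCH_TIME - timedelta(hours=5),
     "last_seen": PATCH_TIME + timedelta(hours=2), "active": True},
    {"id": "sess-B", "issued": PATCH_TIME - timedelta(days=2),
     "last_seen": PATCH_TIME - timedelta(days=1), "active": False},
    {"id": "sess-C", "issued": PATCH_TIME + timedelta(minutes=30),
     "last_seen": PATCH_TIME + timedelta(hours=1), "active": True},
]


def sessions_to_invalidate(sessions: list[dict], patch_time: datetime = PATCH_TIME) -> list[str]:
    """Step 2: every still-active session established before the patch."""
    return [s["id"] for s in sessions if s["active"] and s["issued"] < patch_time]


def tokens_to_rotate(sessions: list[dict], vulnerable_from: datetime,
                     patch_time: datetime = PATCH_TIME) -> list[str]:
    """Step 3: every token issued inside the vulnerable window, active or not,
    because its value may already be in an attacker's capture."""
    return [s["id"] for s in sessions if vulnerable_from <= s["issued"] < patch_time]


def pre_patch_tokens_used_after_patch(sessions: list[dict], patch_time: datetime = PATCH_TIME) -> list[str]:
    """Hunting signal: a pre-patch token presented after patching is what a hijacked
    session looks like; correlate with source IP and user-agent changes."""
    return [s["id"] for s in sessions if s["issued"] < patch_time and s["last_seen"] > patch_time]


def remediation_status(installed_build: str, sessions: list[dict], vulnerable_from: datetime,
                       patch_time: datetime = PATCH_TIME) -> dict[str, bool]:
    """All three must be True before the finding is closed."""
    return {
        "patched": build_patched(installed_build),
        "sessions_invalidated": not sessions_to_invalidate(sessions, patch_time),
        "tokens_rotated": not tokens_to_rotate(sessions, vulnerable_from, patch_time),
    }


if __name__ == "__main__":
    window_start = PATCH_TIME - timedelta(days=30)
    print(remediation_status("14.1-8.50", SESSIONS, window_start))
    print("hijack candidates:", pre_patch_tokens_used_after_patch(SESSIONS))
```

With the sample data the build check passes but the other two fail, which is exactly the "patched, not remediated" state the question is designed to surface.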

How would you red-team for a SolarWinds-style software supply-chain attack?

Concept: supply-chain attack surface modeling | Difficulty: senior | Stage: technical/system-design

Direct answer: SolarWinds SUNBURST (December 2020, 18,000+ organizations) involved a trojanized DLL inserted into the Orion build pipeline — signed with a legitimate code-signing certificate and beaconing via DNS. Supply-chain red team scope covers four surfaces: (1) Build-system access — test whether CI/CD (Jenkins, GitHub Actions, Azure DevOps) is reachable via a compromised developer credential; verify build artifacts are signed and signing keys aren’t accessible from build agents. (2) Dependency-graph audit — enumerate third-party libraries; test whether a compromised upstream package bypasses code review. (3) Code-signing gate — can a developer push a build that gets signed without a separate signing-authority approval? (4) Beaconing baseline — does network monitoring detect low-and-slow DNS C2 mimicking legitimate software telemetry? Per Google Project Zero Root Cause Analyses, supply-chain attacks exploit trust assumptions in build and distribution pipelines.

What they’re really probing: Whether build-pipeline trust is in your attack surface model. SUNBURST succeeded because no integrity check existed between source and signed artifact.

Concrete test: push a test DLL with a modified checksum — does any control gate detect it before the artifact is signed and distributed?
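The control that the concrete test above probes, an integrity gate between build output and signing, as an added Python example that is not SolarWinds', any vendor's, or the article's pipeline. The toy compiler, the artifact name `product.dll`, the manifest and the in-process key are constructed; HMAC stands in for the HSM-backed code-signing operation.

```python
"""Digest gate in front of code signing (added example, constructed pipeline)."""
from __future__ import annotations

import hashlib
import hmac
import secrets


def build_artifact(source: bytes) -> bytes:
    """Toy deterministic 'compiler': the artifact is a function of the source alone,
    so an independent rebuild of the same commit yields the same bytes."""
    return b"HDR" + hashlib.sha256(source).digest() + source


def manifest_for(source: bytes) -> dict[str, str]:
    """Digest manifest from a second, independent builder, delivered to the signing
    step out-of-band from the primary build agent (constructed)."""
    return {"product.dll": hashlib.sha256(build_artifact(source)).hexdigest()}


class SigningAuthority:
    """Holds the signing key; the build agent never sees it. sign() is gated on the manifest."""

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)   # stand-in for an HSM-held code-signing key

    def sign(self, name: str, artifact: bytes, manifest: dict[str, str]) -> str:
        digest = hashlib.sha256(artifact).hexdigest()
        expected = manifest.get(name)
        if expected is None or not hmac.compare_digest(digest, expected):
            raise PermissionError(f"refusing to sign {name}: digest does not match manifest")
        return hmac.new(self._key, artifact, hashlib.sha256).hexdigest()

    def verify(self, artifact: bytes, signature: str) -> bool:
        return hmac.compare_digest(hmac.new(self._key, artifact, hashlib.sha256).hexdigest(), signature)


def gate_result(source: bytes, post_build_change: bytes = b"") -> str:
    """Run the concrete test: build, optionally alter the artifact after the build
    (as a build-host implant would), then ask the authority to sign it."""
    manifest = manifest_for(source)
    artifact = build_artifact(source) + post_build_change
    authority = SigningAuthority()
    try:
        signature = authority.sign("product.dll", artifact, manifest)
    except PermissionError:
        return "blocked"
    return "signed" if authority.verify(artifact, signature) else "bad-signature"


if __name__ == "__main__":
    print("clean build:   ", gate_result(b"int main(void){return 0;}"))
    print("altered build: ", gate_result(b"int main(void){return 0;}", b"\x90"))
```

The gate is only as strong as the independence of the manifest: if the same build agent that produced the artifact also writes the digest, a compromise of that agent defeats both, which is the separation point the question is really about.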

Blockchain protocol attack surfaces are an emerging offensive security domain that senior pen testers at crypto-native firms, Big 4 FS practices, and smart contract auditing shops are increasingly expected to cover. The Solidity audit-track interview prep covers reentrancy exploits (DAO hack), delegatecall privilege escalation (Parity wallet), and cross-chain bridge attack chains — the same postmortem-driven format that senior offensive security interviews use for named CVE walk-throughs.

Named-CVE Quick Reference for Interview Recall

Full chain walk-throughs are in the senior-tier H3s above. Cross-reference for quick-scan recall; sources: NVD CVE-2023-4966 (Citrix Bleed), NVD CVE-2023-34362 (MOVEit), NVD CVE-2017-5638 (Equifax), NVD CVE-2021-34473 (ProxyShell).

| CVE / Incident | Date | Vulnerability Class | Probe | Mitigation Skeleton |
|---|---|---|---|---|
| CVE-2021-26855 + CVE-2021-27065 (ProxyLogon) | March 2021 | Pre-auth SSRF + file write; logic bugs | “What made ProxyLogon different from a buffer overflow?” | Patch KB5000871; IIS log review for X-AnonResource-Backend artifacts; scan for webshell indicators. |
| CVE-2021-34473/34523/31207 (ProxyShell) | August 2021 | Path confusion + privilege escalation; CVSS 9.8 (CVE-2021-34473) | “Separate ProxyShell from ProxyLogon — same researcher, different chain.” | Apply August 2021 Exchange patches; distinct from March 2021 chain despite shared researcher. |
| CVE-2023-34362 (MOVEit) | May 2023 | SQLi zero-day; LEMURLOOT at human2.aspx | “Server rebuilt — does CL0P persistence remain?” | Patch + audit DB for CL0P admin accounts; DB reset mandatory — web rebuild alone is insufficient. |
| CVE-2023-4966 (Citrix Bleed) | Oct 2023 | Out-of-bounds memory read; session token disclosure; CVSS 9.4 | “Patch deployed — fully remediated?” | Patch + invalidate all pre-patch sessions + rotate disclosed tokens. |
| CVE-2017-5638 (Apache Struts / Equifax) | 2017 | OGNL evaluation via Content-Type header | “What does Equifax teach about n-day patch cadence?” | Immediate patching on disclosure; WAF OGNL rules; complete asset inventory. |
| SolarWinds SUNBURST (no CVE) | Dec 2020 | Supply-chain trojanized DLL; 18,000+ orgs | “How do you red-team for supply-chain compromise?” | Build-pipeline integrity audit; code-signing gate separation; DNS C2 baselining. |
| Capital One 2019 (no CVE) | 2019 | SSRF + AWS IMDSv1 IAM exfiltration | “Walk me through SSRF to IAM credential theft on AWS.” | Enforce IMDSv2; IAM least-privilege on EC2 roles; WAF SSRF rules. |
| Colonial Pipeline (no CVE) | May 2021 | Leaked VPN credential + no MFA → DarkSide ransomware | “What external pen test would have caught Colonial Pipeline?” | MFA-required on all remote access; credential-leak monitoring; inactive account decommission. |

Red-Flag Answers (And What They Signal)

Experienced interviewers at reputable firms stop interviews — sometimes immediately — when they hear specific answer patterns. These six flags appear consistently in post-interview debrief notes from practitioners.

  • “I’d just run Nessus.” Signal: tool-only methodology; no understanding that scanners miss business logic flaws, authorization chains, and second-order injection. Disqualifies candidates for any role above junior.
  • “I use Metasploit for everything.” Signal: script-kiddie depth; no exploit-development understanding, no ability to adapt when a public module fails or doesn’t exist for a target version.
  • “I’d hack into their system and…” Signal: ethics red flag; instant disqualification at any reputable firm. Authorized-scope language is mandatory — the engagement letter defines what is permitted, and any action outside scope is a criminal liability.
  • “I don’t write reports — that’s the team lead’s job.” Signal: unable to translate technical findings into business risk; 80% of real pen test value is in the report. No reputable firm hires testers who can’t write.
  • “OWASP Top 10 covers all web app testing.” Signal: conflates the risk-awareness taxonomy (Top 10) with the practitioner testing methodology (WSTG); suggests surface-level knowledge that hasn’t been applied in real engagements.
  • Naming a single tool for every “how would you…” question. Signal: inflexible thinking; no real engagement experience where tools fail, change, or require substitution. The answer interviewers want is a decision process, not a tool name.

Questions to Ask Your Interviewer (2026-Aware)

Asking nothing signals you’d take any role. Strong reverse questions show you understand operational differences between employer types — and that you’re evaluating them as much as they’re evaluating you.

For Big 4 advisory pen test practices (KPMG, EY, Deloitte, PwC):

  • “What’s the ratio of compliance-driven assessments (PCI-DSS, SOC 2) to true adversarial engagements?”
  • “How does the firm balance billable-hour targets with time for proper manual testing versus scanner-plus-report work?”
  • “Does this team run MITRE ATT&CK-based adversary simulations, or is the work primarily external engagement delivery?”

For boutique offensive security firms (NCC Group, Mandiant, Bishop Fox, Trustwave):

  • “What was the most technically novel engagement in the last 12 months — what attack surface was new to the team?”
  • “Do testers have dedicated AWS/Azure lab environments for IMDSv2-bypass and IAM-chain practice?”
  • “What’s the path from web app delivery to red team campaign planning within the firm?”

For in-house red teams at Fortune 500:

  • “Continuous adversary simulation or point-in-time assessments — who owns the purple team process?”
  • “Is cloud pen testing in scope for this role, or separate from the cloud security team’s mandate?”
  • “Are findings mapped to MITRE ATT&CK technique IDs in the deliverable today, or is that a future-state goal?”

8-Week Penetration Tester Interview Prep Roadmap

This roadmap assumes ten hours per week of focused practice — achievable alongside a full-time role. Per an OSCP first-attempt passer on r/oscp: “enumerate properly, enumerate deeply, enumerate consistently.” Structure matters more than volume.

Weeks 1–2: Foundations. Work through OWASP Top 10 2021 and OWASP WSTG v4.2 testing domains; read NIST SP 800-115 phases and TrustedSec PTES; set up Burp Suite Pro; practice Nmap host discovery and NSE scripting on a lab network. Fluency on methodology frameworks before touching tools.

Weeks 3–4: Web app depth. Complete PortSwigger Web Security Academy SQLi, XSS, CSRF, and SSRF labs. Work through BOLA and API authorization testing via the OWASP API Security Top 10 2023 guide. Practice manual testing on SQLi labs until you can identify boolean-blind injection without sqlmap.

Weeks 5–6: Active Directory and lateral movement. Set up a home lab AD environment (two DCs, three workstations). Run SharpHound, ingest into BloodHound, trace attack paths manually. Practice Kerberoasting (T1558.003) and AS-REP Roasting (T1558.004) with Impacket and Rubeus. Work through HTB Active, Forest, and Resolute for the full BloodHound-to-Domain-Admin chain. Read SpecterOps ADCS Attack Paths.

Weeks 7–8: Named-CVE postmortems and mock interviews. Read the Orange Tsai DEVCORE ProxyLogon part-1 write-up and CISA AA23-158A (MOVEit / CL0P) in full. Study Krebs on Capital One 2019 and CISA AA23-325A (Citrix Bleed). Run three mock interviews focused on ProxyLogon vs. ProxyShell distinction, Citrix Bleed CVSS 9.4 / out-of-bounds memory read, and the Capital One IMDSv1 URL path. Check PayloadsAllTheThings and HackTricks for command-level detail.

What 2026 Pen Test Hiring Actually Rewards

Senior interviewers at NCC Group, Mandiant, and Bishop Fox open with named-CVE chain questions specifically because they surface candidates who study original research, not just course material. Candidates who distinguish ProxyLogon (CVE-2021-26855 + CVE-2021-27065, logic bugs, March 2021) from ProxyShell (CVE-2021-34473, CVSS 9.8, August 2021) in their first answer reveal that depth immediately. Cloud and API attack surfaces aren’t specializations anymore — they’re baseline expectations at mid-tier and above. Ground your answers in CVE numbers, ATT&CK technique IDs, and named breach chains, and you’ll compete in the top tier regardless of certification status.
