InterviewStack.io

Security Engineering & Operations Topics

Operational security practices, secure systems implementation, threat modeling, penetration testing, vulnerability assessment, and security operations at production scale. Covers network security, endpoint security, secure architecture implementation, incident response mechanics, and security automation. Distinct from Security & Compliance (which addresses governance, compliance frameworks, and policy) and from Security Research & Innovation (which addresses novel techniques and research contributions).

Incident Response Forensics and Crisis Management

Covers the full spectrum of preparing for, detecting, investigating, containing, and recovering from security and operational incidents, plus managing their business and regulatory impact. Candidates should understand the incident response lifecycle, including detection and monitoring, triage and prioritization, containment, eradication, recovery, and post-incident review. This includes forensic evidence preservation and analysis practices such as secure collection of logs and artifacts, tamper-proofing, chain of custody, immutable storage, timeline building, memory and disk examination fundamentals, and legal and regulatory considerations for evidence. It also covers designing infrastructure and tooling to enable rapid response at scale: logging and telemetry architecture, data retention policies, secure evidence storage, automated collection and alerting, integration with runbooks and response workflows, and readiness of teams and playbooks. Finally, it addresses crisis and stakeholder management skills: incident command and coordination across engineering, security, product, legal, customer support and executive stakeholders; internal and external communications and status updates; customer and regulator notification procedures; postmortem and lessons-learned processes; tabletop exercises and drills; and leadership and decision making under pressure.

0 questions

Security Architect Role Understanding

Evaluates the candidate's understanding of the security architect function. Topics include designing security frameworks and standards, conducting risk assessments and threat modeling, selecting and evaluating security technologies, defining security requirements and controls, collaborating with engineering and business teams, and distinguishing security architecture from security engineering and security operations. Candidates should explain how security architecture informs design decisions and governance.

0 questions

Investigation and Information Gathering

Skills and methods for systematically collecting, validating, and organizing information during investigations and when clarifying ambiguous situations. Covers technical evidence collection such as gathering relevant logs from security information and event management (SIEM) systems, firewalls, endpoints, applications and other telemetry; correlating data across sources; building timelines of events; identifying affected systems and users; and preserving evidence and chain of custody where required. Also covers threat context and enrichment, for example determining whether an external internet address or indicator is known to be malicious and whether observed patterns match known threat actors. Includes the communication and clarification side of information gathering: asking targeted clarifying questions to stakeholders, understanding what factual details matter for legal or business analysis, prioritizing missing information, working effectively with incomplete data, and obtaining necessary inputs from business owners in a time-efficient manner. Emphasizes judgment about evidence versus circumstantial information, efficient triage and prioritization of collection steps, and balancing technical, legal, and business concerns when assembling a coherent investigation narrative.

0 questions