InterviewStack.io LogoInterviewStack.io

Reconnaissance and Information Gathering Questions

Covers the preparatory information collection stage used in security assessments and offensive engagements, including both passive and active reconnaissance. Passive techniques include open source intelligence gathering from public records, domain registration and domain name system enumeration, certificate transparency monitoring, public repository and source code review, social media and corporate disclosure analysis, and review of job postings and public disclosures. Active techniques include network scanning and mapping, port and service enumeration, banner analysis, content discovery on web endpoints, application programming interface identification, technology fingerprinting, targeted probing, and vulnerability fingerprinting. Candidates should be able to describe tools and end to end workflows, how to select and tune scanning profiles, and the tradeoffs between coverage, speed, stealth and safety. The topic also covers building an attack surface map, identifying high value assets and likely entry points, prioritizing and validating findings to reduce false positives, operational security and evidence handling practices, ethical and legal considerations, reporting and documentation practices, and how reconnaissance findings inform further security testing and risk assessment.

HardTechnical
87 practiced
Create a reporting schema that maps reconnaissance findings to risk levels and remediation guidance suitable for both technical teams and executives. Define required fields for each finding (summary, technical details, evidence, reproduction steps, confidence, impact, remediation), provide example templates for severity labels and remediation steps, and describe how you would present aggregated risk trends over time to different stakeholders.
MediumTechnical
80 practiced
Describe how you would combine passive DNS data, Shodan/Censys lookups, and certificate transparency results to enrich a list of discovered hosts. Explain deduplication strategies, metadata to populate (open ports, geolocation, ASN), how to surface anomalous/high-risk hosts, and how to avoid relying on stale or spoofed data.
HardTechnical
62 practiced
Design a scoring model to prioritize assets discovered during reconnaissance for further testing. Define attributes to use (exposure, sensitivity, criticality, exploitability, business impact), propose weightings and normalization, describe how to compute a final score, and explain how manual triage feedback is incorporated to refine the model over time.
MediumTechnical
84 practiced
Explain how you would perform service and vulnerability fingerprinting by combining banner analysis, nmap NSE scripts, Shodan/Censys data, and active probes. Describe methods to validate tentative version detections and reduce false positives, and give an example where an apparent banner version was misleading.
MediumTechnical
80 practiced
You discover an API that requires a bearer token provided after SPA login and you have a set of test credentials. Describe safe methods to map the API surface and parameter behaviors: using Burp Repeater, intercepting devtools traffic, creating authenticated crawlers, rate-limiting considerations, and ways to avoid exposing sensitive test data while performing thorough discovery.

Unlock Full Question Bank

Get access to hundreds of Reconnaissance and Information Gathering interview questions and detailed answers.

Sign in to Continue

Join thousands of developers preparing for their dream job.