Security Engineering & Operations Topics
Operational security practices, secure systems implementation, threat modeling, penetration testing, vulnerability assessment, and security operations at production scale. Covers network security, endpoint security, secure architecture implementation, incident response mechanics, and security automation. Distinct from Security & Compliance (which addresses governance, compliance frameworks, and policy) and from Security Research & Innovation (which addresses novel techniques and research contributions).
Container and Kubernetes Security
Security for containerized applications and Kubernetes platforms across the full lifecycle: secure image creation and supply chain, image scanning and vulnerability management, secure base images, image signing, runtime protection and intrusion detection, container isolation and least privilege at the container level, secrets management, pod security policies and admission controllers, network policies and microsegmentation, role-based access control for cluster access, cluster hardening and configuration management, secure cluster bootstrapping and upgrades, and compliance considerations and audit logging for container environments. Candidates should be able to discuss tooling, threat models specific to cloud-native workloads, and operational practices for preventing and responding to container and orchestration security incidents.
Incident Investigation and Remediation
Focuses on systematic investigation methodology and the distinction between immediate mitigation and long-term prevention. Topics include collecting and preserving evidence, establishing a reliable timeline, identifying affected systems, performing root cause analysis, containment versus remediation, and documenting findings. Covers basic digital forensics principles and chain of custody, techniques for reducing blast radius and restoring service as a short-term response, and planning permanent fixes to prevent recurrence. Also addresses privacy incident investigation practices such as interviewing stakeholders, assessing regulatory and compliance implications, timeliness and documentation requirements, remediation planning, and using post-incident analysis to improve processes and controls.
Infrastructure Security and Compliance
Designing, implementing, and operating security and compliance controls for infrastructure and delivery pipelines at scale. Topics include identity and access management, authentication and authorization patterns, role-based access control and least privilege, secrets management and rotation, encryption for data at rest and in transit, network segmentation and microsegmentation, zero-trust architecture, audit logging and retention, vulnerability scanning and patch and remediation workflows, endpoint protection, threat detection and monitoring, threat modeling and risk assessment, incident detection and response planning and runbooks, software supply chain security including artifact signing, dependency scanning, and provenance, policy as code and automated security gates in continuous integration and continuous delivery (CI/CD) pipelines, automated testing and validation of controls, and the trade-offs between security controls and developer velocity. Also covers embedding and operationalizing compliance requirements from common regulatory frameworks and standards such as the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), Service Organization Controls 2 (SOC 2), the Payment Card Industry Data Security Standard (PCI DSS), and ISO/IEC 27001, and how those requirements influence architecture, controls, automation, monitoring, and auditability as systems scale globally.
Security Incident Response and Operations
Covers the practices, processes, and tooling for responding to security incidents and operating a security capability. Topics include the security incident lifecycle of preparation, detection, analysis, containment, eradication, recovery, and post-incident review; development and execution of playbooks and runbooks tailored to threat types; severity classification and decision criteria for escalation; evidence preservation, forensic analysis, and chain of custody; crisis communication to stakeholders and regulators; notification and regulatory compliance considerations; and coordination with legal, privacy, communications, and executive leadership. Also includes operational aspects of building and staffing a security operations center, on-call schedules and escalation, ticketing and case management, leadership and coordination during major incidents, running blameless post-incident reviews to identify systemic improvements, and integration of security incident learnings into engineering and operations.
Threat Modeling and Secure System Design
Applying threat modeling and structured problem solving to secure system design. Candidates should be able to decompose complex security challenges by identifying business context, critical assets, threat actors, attack surfaces, and compliance requirements. Topics include threat modeling methodologies, attacker capability and motivation analysis, risk assessment and prioritization, selection of mitigations and compensating controls, and evaluation of trade-offs among security, usability, cost, and performance. Candidates should also be able to produce implementation and monitoring plans that address scalability and maintainability, and to clearly explain and justify design choices and residual risk to stakeholders.
Logging and Log Analysis
Covers operating system and application logging architecture, log collection, parsing, analysis, and security monitoring workflows. Topics include where logs are stored on Linux systems, system logging daemons such as rsyslog and their configuration, using the systemd journal and journalctl, and log rotation and retention strategies. Skills include parsing and inspecting logs with command-line tools and regular expressions, extracting key fields such as timestamps, user identifiers, IP addresses, actions performed, and error codes, and working with structured log formats such as JSON. Also includes forwarding logs to centralized systems and agents, transport protocols and collectors, and upstream processing pipelines. For security and monitoring, this covers log aggregation, normalization, event correlation, alerting and thresholding, building searches and dashboards, and deriving forensic and operational insights for incident response and troubleshooting. Candidates may be evaluated on practical configuration tasks, example queries, interpreting log entries, designing log pipelines for reliability and scale, and applying best practices for retention, privacy, and performance.
Incident Response Fundamentals
Comprehensive understanding of standard incident response methodology and the analyst role across all phases. Candidates should know the primary phases at a practical level: detection, including common detection sources and how incidents are identified; containment strategies to limit blast radius and isolate affected systems; eradication techniques to remove malware or malicious access and to close exploited vulnerabilities; recovery practices such as restoring from clean backups and validating system integrity; and post-incident review to capture lessons learned and improve controls. The topic also covers initial triage thinking and operational decision making: how to prioritize alerts by impact, scope, and confidence; what contextual information to collect, such as logs, timestamps, affected assets, and user activity; how to distinguish true incidents from false positives; and how to classify incidents and assign severity levels. Candidates should be familiar with evidence preservation and chain of custody basics, use of playbooks and runbooks, communication and escalation paths with stakeholders, and common metrics used to evaluate response effectiveness.
Incident Containment and Remediation
Focuses on the practical judgment, processes, and technical actions used to respond to active security incidents, contain attacker activity, eradicate threats, remediate affected systems, preserve evidentiary integrity, and restore services with minimal business impact. Coverage includes containment strategies ranging from immediate short-term isolation and network segmentation to longer-term monitored observation and selective blocking of attacker infrastructure; trade-offs between rapid containment that reduces blast radius and slower approaches that preserve forensic visibility to determine attacker objectives and scope; and prioritization of remediation steps such as removing attacker access, eradicating malware, applying patches, closing exploited vulnerabilities, resetting compromised credentials, rebuilding or hardening systems, and validating fixes through testing and monitoring. Also includes recovery procedures such as phased restoration, rollback to known-good images, and integration with business continuity plans. Operational topics include defining decision boundaries and escalation paths for analyst actions versus management or change control approvals, assessing business impact and continuity trade-offs, coordinating with system administrators, database teams, application owners, and legal and business stakeholders, preserving evidence and maintaining chain of custody for forensic analysis, communicating status to stakeholders, and conducting post-incident activities including root cause analysis, lessons learned, and updates to runbooks and controls.
TLS Protocol Security
Deep understanding of Transport Layer Security (TLS) protocols and their secure deployment. Topics include TLS handshake mechanics, cipher suite negotiation, certificate validation and management, session resumption, key exchange algorithms, forward secrecy, common vulnerabilities such as downgrade and padding oracle attacks and their mitigations, practical configuration for servers and clients, certificate revocation and lifecycle management, and compatibility considerations across protocol versions.