⚡ Expert Edge — Points 1101–1200
Format: Point & Concept → Interview Answer → Example / Tool
Each row gives you a clean definition you can say in an interview, plus a real-world example or tool.
🏗️ Architecture, Engineering & Operations (1101–1150)
| Point & Concept | Interview Answer | Example / Tool |
|---|---|---|
| 1101. Security Architecture | The high-level design that defines how security controls, trust boundaries, and data flows fit together across the enterprise. | Creating an active-active DMZ architecture separating web servers from the internal network |
| 1102. Zero Trust Architecture (ZTA) | A security model that eliminates the concept of 'trusted networks'; every user and device must be dynamically authenticated and authorised before access is granted. | Google's BeyondCorp or Cloudflare Access replacing traditional VPNs |
| 1103. Security Engineering | The hands-on technical work to build, test, and implement the systems designed by the security architecture. | Automating the deployment of an AWS KMS using Terraform |
| 1104. Threat Modelling (STRIDE) | A systematic process used during system design to identify potential threats, categorised by Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, and Elevation of privilege. | Identifying that an API lacks rate limiting (DoS threat) before code is written |
| 1105. Attack Surface Reduction | The practice of actively removing unnecessary ports, services, protocols, and unused code to give attackers fewer ways in. | Disabling unused RDP and SMB protocols on all non-admin workstations |
| 1106. Principle of Least Privilege (PoLP) | Ensuring that identities (users or services) are granted only the minimum permissions required to perform their discrete function. | Giving a web app service account 'Read-Only' access to one specific database |
| 1107. Micro-segmentation | Isolating workloads and applications from each other down to the individual host or container level to prevent lateral movement. | VMware NSX preventing a compromised HR server from talking to the Finance server |
| 1108. Defence in Depth | Implementing multiple, overlapping layers of security controls so that if one layer fails, another stops the attack. | Phishing filters + MFA + EDR + SIEM monitoring + Offline Backups |
| 1109. SOC (Security Operations Centre) | A dedicated function and team focused on continuous monitoring, detection, and response to security incidents 24/7. | A team of L1, L2, and L3 analysts operating out of Splunk and EDR |
| 1110. MSSP (Managed Security Service Provider) | A third-party company that provides outsourced monitoring and management of security devices and systems. | Hiring Secureworks to run 24/7 SIEM monitoring because you lack an internal team |
| 1111. MDR (Managed Detection and Response) | An outsourced service specifically focused on proactive threat hunting, deep investigation, and active containment using EDR/XDR technologies. | CrowdStrike Falcon Complete actively stopping a ransomware attack for a client |
| 1112. XDR (Extended Detection & Response) | A platform that correlates alerts and telemetry from endpoints, network, cloud, and email into unified incidents, breaking operational silos. | Palo Alto Cortex linking an email click to an endpoint PowerShell execution |
| 1113. SOAR (Security Orchestration, Automation & Response) | Platforms that execute automated playbooks to enrich alerts, make decisions, and triage incidents much faster than a human could. | Cortex XSOAR automatically looking up an IP on VirusTotal and closing the Jira ticket if benign |
| 1114. SIEM Tuning | The ongoing process of adjusting correlation rules to suppress false positives and increase the fidelity of alerts for the SOC. | Exempting an approved vulnerability scanner's IP from triggering 'Port Scan' alerts |
| 1115. Alert Fatigue | A dangerous state where SOC analysts receive too many low-fidelity alerts, causing them to ignore or miss actual threats. | A SOC receiving 10,000 baseline "successful login" alerts a day, causing them to miss a brute-force |
| 1116. Threat Hunting | A proactive, hypothesis-driven approach where analysts search through raw data for malicious activity that evaded automated alerts. | Assuming attackers bypassed the firewall and querying EDR for unusual WMI execution |
| 1117. Purple Teaming | A collaborative exercise where the Red Team attacks and the Blue Team defends simultaneously to test and tune detections in real time. | Red team drops a payload; Blue team confirms the SIEM fired; they tune the rule together |
| 1118. CTI (Cyber Threat Intelligence) | Curated, actionable information regarding attacker motives, infrastructure, and TTPs used to prepare for and detect attacks. | Subscribing to Mandiant Intel to learn how the APT29 group specifically targets cloud tokens |
| 1119. TTPs (Tactics, Techniques, Procedures) | The highest level of threat intelligence, describing the overall goals and specific methods an adversary uses, rather than just their IP or hash. | Using Mimikatz to dump credentials (Technique) to achieve Privilege Escalation (Tactic) |
| 1120. MITRE ATT&CK Framework | The industry-standard knowledge base of adversary behaviour, mapping exactly how attackers operate across the kill chain. | Mapping a SIEM alert to ATT&CK Technique T1059.001 (Command and Scripting Interpreter: PowerShell) |
| 1121. Cyber Kill Chain | Lockheed Martin's 7-step model conceptualising how an attack progresses from Reconnaissance to Actions on Objectives. | Breaking the chain at the 'Delivery' phase by filtering a malicious email |
| 1122. Mean Time to Detect (MTTD) | A KPI measuring how long it takes an organisation to discover a security breach after it has occurred. | Reducing MTTD from 30 days to 2 hours by deploying EDR |
| 1123. Mean Time to Respond (MTTR) | A KPI measuring the average time it takes to contain and remediate an incident once it has been detected. | Automating host isolation via SOAR to drop the MTTR to 5 minutes |
| 1124. Vulnerability Management | The continuous, lifecycle process of identifying, evaluating, prioritising, and mitigating vulnerabilities. | Running weekly authenticated Nessus scans and patching criticals within 48 hours |
| 1125. CVSS (Common Vulnerability Scoring System) | The standardised mathematical framework used to rate the technical severity of software vulnerabilities from 0.0 to 10.0. | Log4Shell receiving a CVSS score of 10.0 due to remote, unauthenticated code execution |
| 1126. Exploitable vs Discovered | The difference between a tool finding a CVE, and the vulnerability actually being reachable or usable by an attacker in your specific context. | A critical flaw exists in an admin portal, but it's only accessible via a hardwired management VLAN |
| 1127. Compensating Control | An alternative security measure used when the primary desired control cannot be implemented due to technical or business constraints. | Unable to patch a legacy medical device, so placing it on a strictly isolated, internet-disconnected VLAN |
| 1128. Shadow IT | Software, devices, or cloud services used by employees without the knowledge or explicit approval of the IT department. | A marketing team storing customer data in a personal Dropbox account, bypassing corporate DLP |
| 1129. Acceptable Use Policy (AUP) | A document stipulating constraints and practices that users must agree to before accessing the corporate network or internet. | Firing an employee for viewing illicit material on a company laptop according to the AUP |
| 1130. Information Security Management System (ISMS) | The holistic framework of policies, processes, and people ensuring the CIA triad is maintained, central to ISO 27001. | The overarching document that links the risk register, policies, and audit schedule together |
| 1131. Security Governance | The alignment of security strategy with business objectives, ensuring risks are managed and regulatory obligations are met by leadership. | The Board of Directors reviewing the quarterly cybersecurity risk posture |
| 1132. Risk Assessment | The formal process of identifying threats, assessing vulnerabilities, and determining the likelihood and impact of harm to the business. | Calculating the financial impact of a 3-day database outage to decide if a backup site is worth the cost |
| 1133. Risk Appetite | The level of risk an organisation is willing to accept in pursuit of its business objectives, guiding control implementation. | A startup accepting the risk of using untested open-source tools to ship faster |
| 1134. Risk Treatment: Accept | Acknowledging the risk but deciding not to implement a control because the cost outweighs the potential impact. | Choosing not to install a $50k physical safe for a $200 laptop |
| 1135. Risk Treatment: Transfer | Shifting the financial impact of a risk to a third party. | Purchasing a comprehensive cyber-liability insurance policy |
| 1136. Risk Treatment: Mitigate | Implementing controls to shrink the likelihood or impact of the risk. | Implementing MFA to drastically reduce the likelihood of credential-stuffing success |
| 1137. Risk Treatment: Avoid | Stopping the activity that causes the risk entirely. | Deciding not to launch an app feature because it requires collecting too much sensitive PII |
| 1138. Third-Party Risk Management (TPRM) | Assessing and monitoring the security posture of vendors, suppliers, and partners who have access to your data or network. | Sending a 200-question security questionnaire to a new SaaS payroll provider |
| 1139. Supply Chain Attack | Compromising an organisation by hiding malicious code in the trusted software or hardware provided by a third-party vendor. | The SolarWinds Orion breach (2020) where attackers poisoned the software updates sent to thousands of companies |
| 1140. Business Continuity Planning (BCP) | The creation of strategies and manual workarounds to ensure critical business functions keep operating during a disaster. | Providing paper forms to hospital staff when the electronic health record system is hit by ransomware |
| 1141. Disaster Recovery (DR) | The technical subset of Business Continuity, focused specifically on restoring IT infrastructure and databases to operational status. | Failing over the primary SQL database to the disaster recovery site in another geographic region |
| 1142. RTO (Recovery Time Objective) | The maximum acceptable duration of time that a system or business process can be offline during a disaster. | A tier-1 payment gateway must have an RTO of less than 1 hour |
| 1143. RPO (Recovery Point Objective) | The maximum acceptable amount of data loss, measured in time, an organisation can tolerate before the disaster occurred. | A financial database taking 5-minute incremental backups has an RPO of 5 minutes |
| 1144. Hot Site | A fully equipped alternate data centre with real-time cloned data, capable of taking over production within minutes. | Used by banks; extremely expensive but offers near-zero RTO. |
| 1145. Cold Site | A leased physical space with power and cooling, but no hardware or data; takes days or weeks to bring online. | Used for non-critical systems where prolonged downtime is acceptable |
| 1146. Tabletop Exercise | A discussion-based simulation where the IR team and executives talk through their response to a hypothetical disaster scenario. | A 3-hour workshop role-playing how the company would handle a critical ransomware infection |
| 1147. Patch vs Vulnerability Management | Patch management is the operational act of installing updates; vulnerability management is the strategic process of discovering, rating, and tracking weaknesses. | Vuln management flags a flaw; Patch management deploys the fix via WSUS |
| 1148. Immutable Backups | Backup copies that cannot be altered, deleted, or encrypted by anyone — including administrators — for a set retention period. | Preventing a ransomware actor with stolen admin credentials from destroying the backup servers |
| 1149. BIA (Business Impact Analysis) | The foundational process of identifying critical systems and determining the financial and operational impact of an outage. | Discovering that restoring the ERP system is more critical than the marketing website |
| 1150. Lessons Learned (IR Phase) | The most critical but often skipped phase of incident response, dedicated to reviewing what failed and how to prevent it again. | Writing a post-mortem report that leads to a new policy banning macro-enabled attachments |
🧬 Advanced DevSecOps, AppSec & Cryptography (1151–1200)
| Point & Concept | Interview Answer | Example / Tool |
|---|---|---|
| 1151. Shift-Left Security | Moving security testing earlier into the software development lifecycle, rather than waiting until the end to perform a pentest. | Providing developers with IDE plugins that flag insecure code as they type |
| 1152. DevSecOps | The cultural and technical integration of security checks seamlessly into the continuous integration and delivery (CI/CD) pipelines. | A Github Action automatically running a Snyk vulnerability scan on every pull request |
| 1153. SAST (Static Application Security Testing) | Analysing source code from the inside without executing it to find potential security flaws early. | Scanning Java code during the build phase and finding a hardcoded API key |
| 1154. DAST (Dynamic Application Security Testing) | Analysing a running application from the outside by sending simulated attacks to see how the system responds. | Running Burp Suite automated scans against a staging environment to find XSS |
| 1155. IAST (Interactive Application Security Testing) | Combining SAST and DAST by placing an agent inside the running application to monitor code execution during dynamic testing. | Seeing exactly which line of backend code was triggered by an external SQL injection payload |
| 1156. SCA (Software Composition Analysis) | Analysing the third-party open-source libraries and dependencies included in your project for known CVEs or license issues. | Discovering your Node.js app relies on a vulnerable version of the 'lodash' library |
| 1157. Secrets Management | Avoiding hardcoded passwords in code by using dedicated vaults that provide short-lived credentials at runtime via API. | Using HashiCorp Vault to inject a database password directly into a container's memory |
| 1158. IaC (Infrastructure as Code) | Managing and provisioning cloud and networking infrastructure through machine-readable definition files rather than manual clicks. | Using Terraform to spin up 50 AWS EC2 instances perfectly configured in minutes |
| 1159. IaC Security Scanning | Checking Infrastructure as Code templates for misconfigurations before the infrastructure is actually built. | Checkov rejecting a Terraform plan because it attempts to create a public S3 bucket |
| 1160. CI/CD Pipeline Attack | Compromising the automated build system itself to inject malicious code into a trusted software release. | Gaining access to a Jenkins server and poisoning the software update mechanism |
| 1161. Input Validation | Ensuring that data entered by a user exactly matches expected formats, length, and content before the application processes it. | Rejecting a phone number field entry that contains alphabetical characters |
| 1162. Output Encoding | Converting untrusted user data into a safe form where the browser interprets it as text rather than executable code. | Encoding <script> to <script> so it fails to execute, preventing XSS |
| 1163. Parameterised Queries (Prepared Statements) | The absolute best defence against SQL injection; separating the SQL code from the user-supplied data at the database driver level. | Using Python psycopg2 passing variables via %s rather than string concatenation |
| 1164. CSRF (Cross-Site Request Forgery) | An attack that tricks a victim's browser into executing an unwanted action on a site where they are currently authenticated. | Tricking a logged-in bank user into clicking a link that silently transfers money |
| 1165. Anti-CSRF Tokens | Unpredictable, hidden, session-unique tokens included in web forms that the server verifies before processing a state-changing request. | A hidden <input> field containing a 32-character random string submitted alongside a password change |
| 1166. SSRF (Server-Side Request Forgery) | Tricking the backend server into making an HTTP request to an internal resource that the attacker cannot reach directly. | Making a web app request the AWS metadata IP 169.254.169.254 to steal temporary IAM credentials |
| 1167. Code Signing | Applying a cryptographic digital signature to software to verify the publisher's identity and ensure the code has not been tampered with. | A Windows executable signed with a DigiCert certificate, preventing SmartScreen warnings |
| 1168. OWASP Top 10 | A globally recognised awareness document representing the ten most critical security risks to web applications. | A standard baseline for pentest reporting; Broken Access Control currently sits at #1 |
| 1169. WAF (Web Application Firewall) | A reverse proxy placed in front of web applications to inspect HTTP traffic and block common attacks like SQLi and XSS. | Cloudflare WAF preventing a malicious botnet from brute-forcing a login endpoint |
| 1170. Symmetric Encryption | Cryptography where the exact same key is used to both encrypt and decrypt the data. Very fast, used for bulk data. | AES-256 (Advanced Encryption Standard) used to encrypt a hard drive |
| 1171. Asymmetric Encryption | Cryptography using two mathematically linked keys (Public and Private); what one encrypts, only the other can decrypt. Slower, solves key distribution. | RSA-2048 used to securely exchange the symmetric key during a TLS handshake |
| 1172. Hashing | A one-way cryptographic mathematical algorithm that takes an input of any size and produces a fixed-size string. Cannot be decrypted. | SHA-256 generating a unique fingerprint for a malware file to be checked on VirusTotal |
| 1173. Digital Signatures | Using hashing and asymmetric encryption to provide authentication, non-repudiation, and data integrity for a message. | Encrypting the hash of a PDF with your private key so anyone with your public key knows you signed it |
| 1174. Salt (Cryptography) | Random data appended to a password before it is hashed, ensuring that identical passwords produce completely different hashes. | Defeats pre-computed Rainbow Table attacks against stolen password databases |
| 1175. Forward Secrecy | A property of secure communication protocols where compromising the long-term private key does not compromise past session keys. | Using Ephemeral Diffie-Hellman (ECDHE) in TLS 1.3 so recorded traffic cannot be decrypted later |
| 1176. Certificate Authority (CA) | A trusted third-party entity that issues digital certificates, verifying the identity of the certificate owner. | Let's Encrypt or GlobalSign issuing the TLS certificate for a bank's website |
| 1177. Root vs Intermediate CA | The Root CA is kept offline and highly secure; it signs Intermediate CAs, which are kept online to sign end-entity web certificates. | Reduces the risk; if the Intermediate is compromised, the Root can revoke it without destroying the whole PKI |
| 1178. Quantum Cryptography Threat | The theoretical reality that sufficiently powerful quantum computers could crack RSA and ECC asymmetric encryption instantly using Shor's algorithm. | The drive toward NIST Post-Quantum Cryptography algorithms to protect data today that might be decrypted tomorrow |
| 1179. Steganography | The practice of concealing a secret message, file, or payload within an ordinary, non-secret file (like an image). | Malware hiding its C2 configuration data inside the pixels of a benign-looking logo on a website |
| 1180. Obfuscation | Deliberately making code incredibly difficult for humans and analysis tools to read and understand, without changing how it executes. | Malware packing or renaming all variables to a, b, c to bypass basic antivirus signatures |
| 1181. API Security (OAuth 2.0) | An authorisation framework that allows third-party applications limited access to a user's account without exposing their password. | Logging into a new app using "Sign in with Google" |
| 1182. API Rate Limiting / Throttling | Restricting the number of requests a user or IP can make to an API within a specific timeframe to prevent DoS or brute forcing. | Allowing a maximum of 5 password-reset requests per IP per hour |
| 1183. JWT (JSON Web Token) | A compact, URL-safe means of representing claims to be transferred between two parties, digitally signed for integrity. | Used commonly in stateless APIs; the client stores the JWT and sends it in the Authorization header |
| 1184. Privacy vs Security | Security is about protecting data from unauthorised access; Privacy is about ensuring data is collected, used, and shared legally and ethically. | Security = Encrypting the database. Privacy = Having a lawful right to collect the data in the database |
| 1185. GDPR (General Data Protection Regulation) | The strict EU privacy law granting subjects the right to access, delete, and control their data, imposing massive fines for breaches. | Requiring explicit consent for tracking cookies and mandating breach reporting within 72 hours |
| 1186. CCPA (California Consumer Privacy Act) | The primary US state privacy law granting Californian consumers the right to know what data is collected and 'opt-out' of its sale. | Mandating a "Do Not Sell My Personal Information" link on the homepage |
| 1187. SOC 2 Type II | An auditing standard evaluating a service organisation's controls relevant to security, availability, and confidentiality over a period of time (e.g. 6-12 months). | B2B SaaS companies use this report to prove to enterprise clients that they are secure |
| 1188. ISO 27001 | The premier international standard for building, operating, and continuously improving an Information Security Management System (ISMS). | Requires formal risk management and executive commitment, subject to external certification audits |
| 1189. NIST CSF (Cybersecurity Framework) | A completely voluntary US government framework organising security into Identify, Protect, Detect, Respond, and Recover. | Widely adopted by enterprises as a plain-language way to report security maturity to the board |
| 1190. Threat Actor | The individual, group, or state conducting malicious operations against an organisation. | A financially motivated cyber-criminal gang like LockBit |
| 1191. APT (Advanced Persistent Threat) | Highly resourced, highly skilled threat actors, usually nation-states, who maintain long-term covert access to steal specific intelligence. | Notorious groups like Russia's APT29 (Cozy Bear) or China's APT41 |
| 1192. Living off the Land (LotL) | Identifying and using native, legitimate system tools (like PowerShell or WMI) to conduct malicious actions, avoiding the need to drop detectable malware. | Using Windows certutil.exe to download a payload instead of writing a custom downloader script |
| 1193. Kill Switch | A mechanism built into malware or systems to immediately halt an operation. | Marcus Hutchins registering the unregistered domain he found in the WannaCry code, instantly halting the global infection |
| 1194. Polymorphic Malware | Malware that alters its observable characteristics (like its file hash) every time it replicates, defeating basic signature-based antivirus. | Modifying its own encryption routine when moving to a new host so the file hash completely changes |
| 1195. Ransomware | Malicious software that uses strong encryption to lock users out of their data until a cryptocurrency ransom is paid. | Ryuk or Conti encrypting all file servers and demanding 50 Bitcoin for the decryption key |
| 1196. Double Extortion | A variant of ransomware where the attacker first steals the sensitive data, then encrypts it. If the victim refuses to pay, the attacker threatens to leak the data online. | Exfiltrating 2TB of patient health records before encrypting the hospital's database |
| 1197. Container Escape | A severe exploit where an attacker breaking into a Docker container manages to break out and gain root execution on the underlying host operating system. | Usually requires the container to have been improperly run in 'privileged' mode |
| 1198. Server-Side Request Forgery vs CSRF | SSRF tricks the server into making a malicious request on the attacker's behalf; CSRF tricks the user's browser into making a malicious request. | SSRF attacks internal cloud APIs; CSRF steals money from a logged-in user |
| 1199. FIDO2 / Passkeys | The modern standard for passwordless authentication, using public-key cryptography and local biometrics (FaceID/TouchID) to completely eliminate phishing. | Logging into a website using your phone's fingerprint sensor; the private key never leaves the device's secure enclave |
| 1200. Continuous Improvement / Post-Mortem | The hallmark of a mature security programme: acknowledging that perfection is impossible, learning deeply from every incident, and engineering out the root causes. | Conducting a blameless post-mortem after an outage to ensure the automated detection rule is fixed for next time |