Code Room
On-call · Hardoc-g599
Subject: Security data exfiltration
Level: Senior–Staff
Duration: ~40 min
Common in: Security interviews
Industries: Technology, Software development

Question

Your egress-bandwidth dashboard for a backend service that normally pushes <50 MB/hour outbound shows a sustained 400 MB/hour to an external IP for the last 3 hours, all over HTTPS on 443 to a domain registered four days ago. The service runs in a private subnet and shouldn't be talking to the internet at all except to two known APIs. A dependency was bumped in a deploy 5 days ago. You're on call. Triage and respond.

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
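The "form hypotheses from real signals" step is easier to talk through with a concrete triage pass over the data you would actually have on call: hourly egress buckets per destination, an allowlist of the two known APIs, domain registration dates, and the deploy timeline. The following is an added example written for this page, not code from the interview prep site or from any real service; every hostname, date and deploy summary in it is constructed, and the 4x-baseline / 3-hour thresholds are assumptions chosen to match the scenario. It flags destinations with a sustained spike, skips allowlisted ones, rates a newly registered domain as critical, and attaches the deploys that landed shortly before the spike began, which is the evidence the "bumped dependency" hypothesis rests on.

```python
"""Egress-spike triage over constructed hourly flow buckets (added example, not from the page)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MB = 1_000_000  # assumption: the dashboard's "MB" means 10^6 bytes


@dataclass(frozen=True)
class Flow:
    """One hourly outbound bucket per destination, as a flow-log aggregator would emit it."""
    hour: datetime   # start of the bucket, UTC
    dst: str         # destination domain (from DNS/SNI logs) or raw IP when no name resolved
    dst_port: int
    bytes_out: int


@dataclass(frozen=True)
class Deploy:
    when: datetime
    summary: str


@dataclass
class Finding:
    dst: str
    sustained_hours: int
    total_bytes: int
    domain_age_days: int | None   # None when no registration record is available
    related_deploys: list
    severity: str
    first_action: str


def trailing_spike_hours(per_hour, threshold, latest):
    """Consecutive buckets ending at `latest` whose volume exceeds `threshold`."""
    n, h = 0, latest
    while per_hour.get(h, 0) > threshold:
        n, h = n + 1, h - timedelta(hours=1)
    return n


def triage_egress(flows, deploys, *, baseline_per_hour, allowlist, registration_dates,
                  latest, spike_factor=4, min_hours=3, new_domain_days=7, deploy_window_days=7):
    """Return destinations with a sustained egress spike, most bytes first.

    Allowlisted destinations are skipped (volume alone is not evidence there). Each finding
    carries the domain's age and the deploys that landed within `deploy_window_days` before
    the spike began, so the root-cause hypothesis is tied to real signals, not a hunch.
    """
    totals = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.dst][f.hour] += f.bytes_out

    threshold = spike_factor * baseline_per_hour
    findings = []
    for dst, per_hour in totals.items():
        if dst in allowlist:
            continue
        hours = trailing_spike_hours(per_hour, threshold, latest)
        if hours < min_hours:
            continue  # a one-hour burst is noted elsewhere; only sustained flows page someone
        onset = latest - timedelta(hours=hours - 1)
        total = sum(per_hour[latest - timedelta(hours=i)] for i in range(hours))
        reg = registration_dates.get(dst)
        age = (latest - reg).days if reg else None
        related = [d.summary for d in deploys
                   if timedelta(0) <= onset - d.when <= timedelta(days=deploy_window_days)]
        severity = "critical" if (age is not None and age <= new_domain_days) else "high"
        findings.append(Finding(
            dst=dst, sustained_hours=hours, total_bytes=total, domain_age_days=age,
            related_deploys=related, severity=severity,
            first_action=(f"deny egress to {dst} at the subnet egress control; "
                          "snapshot the running instance before any restart"),
        ))
    return sorted(findings, key=lambda f: f.total_bytes, reverse=True)


# --- constructed sample data mirroring the scenario (hypothetical names and dates) -------
LATEST = datetime(2024, 6, 1, 11, tzinfo=timezone.utc)        # start of the newest bucket
ALLOWLIST = {"api.payments.example", "api.geo.example"}        # the two known APIs
REGISTRATION_DATES = {"sync-cdn-update.example": LATEST - timedelta(days=4)}
DEPLOYS = [Deploy(LATEST - timedelta(days=5), "bump image-resize lib 2.3.0 -> 2.3.1"),
           Deploy(LATEST - timedelta(days=20), "rotate TLS cert")]
FLOWS = (
    [Flow(LATEST - timedelta(hours=i), "api.payments.example", 443, 20 * MB) for i in range(6)]
    + [Flow(LATEST - timedelta(hours=i), "sync-cdn-update.example", 443, 400 * MB) for i in range(3)]
    + [Flow(LATEST - timedelta(hours=3), "mirror.pkgs.example", 443, 250 * MB)]  # one-hour burst
)

if __name__ == "__main__":
    for finding in triage_egress(FLOWS, DEPLOYS, baseline_per_hour=50 * MB, allowlist=ALLOWLIST,
                                 registration_dates=REGISTRATION_DATES, latest=LATEST):
        print(finding)
```

Run as-is, it produces a single critical finding for the four-day-old domain (3 sustained hours, 1.2 GB out, correlated with the dependency bump five days earlier) and nothing for the one-hour package-mirror burst or the allowlisted API. The `first_action` field deliberately puts containment before investigation, matching the "stop the bleeding first" order above; the snapshot-before-restart note is there because a restart destroys the in-memory evidence (process list, open sockets, the exact module that opened the connection) that the root-cause step needs.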
