Code Room
On-call | Hard | oc-g609
Subject: Security breach, lateral movement
Level: Senior–Staff
~45 min
Common in Security interviews
Industries: Technology, IT services

Question

EDR fires on a production app server: a process spawned by your web app ran whoami, then nmap against the internal /16, then attempted SSH to 14 internal hosts using a key it found at /home/app/.ssh/id_rsa. Two of those SSH attempts succeeded. The web app had a known unpatched deserialization bug. Auth logs show the same key now logging into a database bastion. It's 04:00 and you're the on-call incident commander. How do you run this?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. The facts given call for concrete containment: isolate the app server from the network (leave it powered so memory and disk can still be imaged), block SSH out of it, and treat the key at /home/app/.ssh/id_rsa as burned: pull its public half from every authorized_keys it appears in and kill the live bastion session. Only then hypothesise: the unpatched deserialization bug is the likely entry point, whoami and nmap are post-exploitation reconnaissance, the 14 SSH attempts are lateral movement, and the bastion login is the attacker's current position, so the two hosts that accepted the key and the bastion are in scope, not just the original server. Separate root cause (an unpatched deserialization bug plus a long-lived private key readable by the web app's account) from symptom (the SSH logins). Communicate status on a fixed cadence as you go, and close with what prevents a repeat: patching, keys that are short-lived or never stored on app hosts, and segmentation that keeps an app server from reaching a database bastion at all.
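The scoping step such an answer describes, written out as an added example that is not part of this page: given centralized sshd logs, list every host the stolen key succeeded or failed against, reconstruct the hop chain, and produce the set of hosts that must be contained. The fingerprint, hostnames, IPs and log lines are constructed for the example; it assumes sshd events forwarded to syslog with the originating hostname, and LogLevel VERBOSE on the targets so failed attempts also carry the key fingerprint.

```python
import re

# Hypothetical fingerprint of the public half of the stolen /home/app/.ssh/id_rsa.
# In a real incident get it with: ssh-keygen -lf /home/app/.ssh/id_rsa.pub
STOLEN_KEY_FP = "SHA256:Qz8pL0mX3kV9bT2rWc1hY6nF4dJ7aS5eG8uI0oP3kLs"

# Hypothetical inventory used to resolve source IPs to hostnames.
HOST_IPS = {
    "app-web-01": "10.20.3.7",      # the compromised web app server
    "app-worker-07": "10.20.4.12",
    "batch-runner-02": "10.20.4.30",
    "db-bastion-01": "10.20.9.2",
    "deploy-ctl": "10.20.1.15",
}

# OpenSSH sshd publickey auth events as forwarded to a central syslog,
# i.e. prefixed with timestamp and originating hostname. "Accepted" lines
# carry the key fingerprint at the default LogLevel; "Failed" lines only do
# with LogLevel VERBOSE, which this example assumes is set.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s"
    r"(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\spublickey\sfor\s(?P<user>\S+)\s"
    r"from\s(?P<src>[\d.]+)\sport\s\d+\sssh2:\s\S+\s(?P<fp>SHA256:\S+)"
)

# Constructed sample log for this example (not real data): three failed
# attempts, two successes, one unrelated deploy login, then the bastion.
SAMPLE_LOG = """\
Mar 14 03:58:41 app-worker-03 sshd[4120]: Failed publickey for app from 10.20.3.7 port 50122 ssh2: RSA SHA256:Qz8pL0mX3kV9bT2rWc1hY6nF4dJ7aS5eG8uI0oP3kLs
Mar 14 03:58:42 app-worker-05 sshd[2233]: Failed publickey for app from 10.20.3.7 port 50130 ssh2: RSA SHA256:Qz8pL0mX3kV9bT2rWc1hY6nF4dJ7aS5eG8uI0oP3kLs
Mar 14 03:58:44 app-worker-07 sshd[2310]: Accepted publickey for app from 10.20.3.7 port 50141 ssh2: RSA SHA256:Qz8pL0mX3kV9bT2rWc1hY6nF4dJ7aS5eG8uI0oP3kLs
Mar 14 03:58:45 batch-runner-02 sshd[5519]: Accepted publickey for app from 10.20.3.7 port 50149 ssh2: RSA SHA256:Qz8pL0mX3kV9bT2rWc1hY6nF4dJ7aS5eG8uI0oP3kLs
Mar 14 03:58:47 db-replica-02 sshd[7788]: Failed publickey for app from 10.20.3.7 port 50155 ssh2: RSA SHA256:Qz8pL0mX3kV9bT2rWc1hY6nF4dJ7aS5eG8uI0oP3kLs
Mar 14 03:59:02 app-worker-07 sshd[2384]: Accepted publickey for deploy from 10.20.1.15 port 44010 ssh2: ED25519 SHA256:n3V1cKqR7sT0wXyZ2bA4dE6fG8hJ9kL1mN3oP5qR7sT
Mar 14 04:01:17 db-bastion-01 sshd[9001]: Accepted publickey for app from 10.20.4.12 port 39871 ssh2: RSA SHA256:Qz8pL0mX3kV9bT2rWc1hY6nF4dJ7aS5eG8uI0oP3kLs
"""


def parse_sshd_line(line):
    """Return the fields of one sshd publickey event, or None for other lines."""
    m = SSHD_RE.match(line)
    return m.groupdict() if m else None


def scope_stolen_key(log_text, fingerprint, host_ips):
    """Find every use of one key fingerprint and the hosts it puts in scope."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    accepted, failed = [], []
    for line in log_text.splitlines():
        ev = parse_sshd_line(line)
        if ev is None or ev["fp"] != fingerprint:
            continue
        # Fall back to the raw IP when the source is not in inventory.
        ev["src_host"] = ip_to_host.get(ev["src"], ev["src"])
        (accepted if ev["result"] == "Accepted" else failed).append(ev)
    # A host is in scope if the key logged into it (attacker has a shell there)
    # or the key was used from it (attacker already had a shell there).
    in_scope = {e["host"] for e in accepted}
    in_scope |= {e["src_host"] for e in accepted + failed}
    return {
        "accepted": accepted,
        "failed": failed,
        "in_scope_hosts": sorted(in_scope),
    }


def movement_chain(accepted):
    """Successful hops in log order as 'from -> to' edges, for the timeline."""
    return [f"{e['src_host']} -> {e['host']}" for e in accepted]


if __name__ == "__main__":
    scope = scope_stolen_key(SAMPLE_LOG, STOLEN_KEY_FP, HOST_IPS)
    print("Lateral movement:", " | ".join(movement_chain(scope["accepted"])))
    print("Failed attempts :", len(scope["failed"]))
    print("Hosts to contain:", ", ".join(scope["in_scope_hosts"]))
```

Replace SAMPLE_LOG and HOST_IPS with your own export and inventory. The in-scope list is the set of hosts where the key's public half has to come out of authorized_keys and live sessions have to be killed; note that it includes the hosts the key was used from, not only the ones it got into, which is why the original app server and the first hop both appear even though the final login came from the worker.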

Diagram & narrate the incident