Cybersecurity hiring is high-stakes and saturated with certification-heavy CVs that lack operational depth. Every other CV in the Indian cybersecurity pool now lists CEH, CompTIA Security Plus, and a CISSP variant. Most of those candidates have never triaged a real alert, never been on a real incident response, and cannot tell you what a SYN flood actually looks like in a packet capture. Certifications are necessary for government and BFSI compliance; they are almost never sufficient to predict on-the-job performance. A real cybersecurity analyst reads a SIEM alert and tells you in five minutes whether it is real, a false positive, or worth escalating. They know current attack trends in their client industry. One staffing-specific note: Indian BFSI clients (RBI-regulated banks, insurers, NBFCs) and government PSU clients have certification minimums that must be met regardless of analyst quality. Run a two-track process — verify certifications first because they are gate criteria, then screen for operational depth in the interview.
Has worked with at least one real SIEM — Splunk, Microsoft Sentinel, Elastic Security, IBM QRadar, Chronicle — and triaged real alerts in production. Can describe how alerts reach their queue, how they prioritize, and how they close them. Not "I did a Splunk course."
Has been on at least one real incident from detection through containment, eradication, recovery, postmortem. Can walk through the specific timeline and decisions. Analysts without incident response are effectively juniors regardless of tenure.
Can perform a basic STRIDE threat model on a feature description under interview conditions — spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege. Live exercise with a simple feature (file upload, password reset) reveals depth fast.
Knows what good logging looks like, which forensic artifacts matter (process tree, network connections, file writes, registry changes on Windows), chain-of-custody basics. Understands why tampering with evidence even to "help" is destructive.
Reads tcpdump and Wireshark output without struggling. Understands the three-way handshake, TLS basics, DNS behavior, and common network-layer attacks. Cloud has not replaced this — cloud added to it.
AWS Security Hub, GuardDuty, Macie, Azure Sentinel, GCP Security Command Center. Cloud is where most modern incidents originate — exposed S3 buckets, compromised access keys, misconfigured IAM. Strong premium for Bangalore product clients.
Python, PowerShell, or bash for log parsing, IR tooling, and custom detection logic. Pure GUI analysts are slow during real incidents. Ask what they built in the last quarter.
SOC2, ISO 27001, PCI DSS with real audit experience — not just "I read the framework." Knows the difference between gap analysis and readiness assessment. Valuable for BFSI, healthcare, SaaS.
Even basic offensive experience produces better defensive analysts. They understand attacker mindset, common tooling (Burp, Metasploit, Cobalt Strike), and realistic attack paths. OSCP or equivalent is a strong signal.
CrowdStrike Falcon, Microsoft Defender, SentinelOne, or equivalent. Can hunt through process telemetry, write custom detections, tune out false positives. Critical for enterprise client environments.
Walk me through the worst security incident you responded to in the last two years. Detection, response, lessons, and what you changed afterward.
What to listen for
Specific timeline with detection method, containment, eradication, recovery, postmortem. Specific tools at each stage. Honest reflection on what went slowly. "I cannot share specifics due to NDA" without any structure is a yellow flag. "We never have incidents" is disqualifying.
SIEM alert fires: user logged in from an unusual geographic location. You have 60 seconds to decide if this is worth investigating further. Walk me through your reasoning out loud.
What to listen for
Check the user's history for a travel pattern, check the device fingerprint, check correlated events (password change, MFA used, data accessed), check the authentication method (SSO vs local), and check whether the source ASN belongs to a VPN provider. Strong candidates ask one or two clarifying questions before deciding.
How do you distinguish a false positive from a real incident when the SIEM alone does not tell you?
What to listen for
Correlate signals across data sources (endpoint plus network plus auth), check user and host history, consult business context (scheduled maintenance, known deploys, authorized testing), validate against threat intelligence. Not "I just look at the alert and decide."
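The reasoning the two answer keys above describe (user history, device fingerprint, correlated events, auth method, VPN ASN, then a decision) as an added example, not code from the original guide. The alert and history records, the ASN value and the scoring weights are constructed for illustration; a real SOC would pull them from its SIEM and identity provider.

```python
from dataclasses import dataclass, field

# Constructed sample reference data (hypothetical values, not real telemetry).
VPN_ASNS = {"AS64500"}                    # ASNs of the company's approved VPN provider
HIGH_RISK_EVENTS = {"password_change", "mfa_reset", "bulk_download"}


@dataclass
class LoginAlert:
    user: str
    country: str
    device_id: str
    asn: str
    auth_method: str                      # "sso" or "local"
    mfa_used: bool
    correlated_events: list = field(default_factory=list)


@dataclass
class UserHistory:
    countries_90d: set                    # countries seen in the last 90 days
    known_devices: set                    # device fingerprints seen before
    planned_travel: set                   # countries from an HR travel calendar


def triage_unusual_login(alert: LoginAlert, history: UserHistory):
    """Run the checks the guide lists and return (decision, reasons).

    decision is "close", "investigate" or "escalate"; reasons records why.
    The weights are illustrative, not a calibrated risk score."""
    score, reasons = 0, []
    if alert.country in history.countries_90d or alert.country in history.planned_travel:
        reasons.append("country matches login history or planned travel")
    else:
        score += 2
        reasons.append("no history for this country")
    if alert.device_id not in history.known_devices:
        score += 2
        reasons.append("unknown device fingerprint")
    if alert.asn in VPN_ASNS:                 # a VPN exit explains an odd geolocation
        score -= 1
        reasons.append("source ASN is the approved VPN provider")
    if alert.auth_method == "local":          # local auth skipped SSO conditional access
        score += 1
        reasons.append("local authentication bypassed SSO policy")
    if not alert.mfa_used:
        score += 1
        reasons.append("no MFA on this session")
    hits = HIGH_RISK_EVENTS & set(alert.correlated_events)
    if hits:                                  # correlation across sources decides, not geo alone
        score += 3
        reasons.append("correlated high-risk events: " + ", ".join(sorted(hits)))
    decision = "escalate" if (score >= 5 or hits) else "investigate" if score >= 2 else "close"
    return decision, reasons
```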
Threat model a web feature that lets users upload PDF files for processing. What could go wrong and how would you mitigate each risk?
What to listen for
Malicious file upload (disguised executables, PDF parser exploits), denial-of-service via large files, server-side request forgery via embedded URLs, content disclosure via predictable URLs, storage cost attacks. Strong candidates cover 5+ threats with specific mitigations (file type validation, sandboxed parsing, size limits, signed URLs, rate limiting).
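The mitigations listed above (file type validation, size limits, unguessable storage names, and flagging embedded URLs before a parser sees them) as an added example, not code from the original guide. Size cap, marker list and sample PDF bytes are constructed; the marker scan only sees uncompressed object text, so sandboxed parsing is still required downstream.

```python
import re
import secrets

MAX_PDF_BYTES = 10 * 1024 * 1024           # hard size cap: blunts DoS and storage-cost uploads
# PDF name objects that trigger active content; \b stops "/JS" matching "/JSON"
ACTIVE_CONTENT = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|AA)\b")
EMBEDDED_URI = re.compile(rb"/URI\s*\(([^)]*)\)")


def validate_pdf_upload(data: bytes, declared_name: str) -> dict:
    """Gate an upload before it reaches the (sandboxed) PDF processor.

    Returns a dict: accepted (bool), reasons (rejection causes, or notes for
    the parser) and storage_name (random object name, so the download URL
    cannot be enumerated). Markers inside compressed object streams are not
    visible here; that is why the parser itself must still run sandboxed."""
    if len(data) > MAX_PDF_BYTES:            # check size first, before any scanning
        return {"accepted": False, "reasons": ["exceeds size limit"], "storage_name": None}
    reasons = []
    if not declared_name.lower().endswith(".pdf"):
        reasons.append("declared extension is not .pdf")
    if not data.startswith(b"%PDF-"):        # magic bytes, not the name, decide the type
        reasons.append("magic bytes are not %PDF- (disguised file)")
    if ACTIVE_CONTENT.search(data):
        reasons.append("active content (JavaScript/Launch/OpenAction) is not accepted")
    if reasons:
        return {"accepted": False, "reasons": reasons, "storage_name": None}
    notes = []
    uris = EMBEDDED_URI.findall(data)
    if uris:                                 # SSRF risk if the processor follows these
        notes.append(f"{len(uris)} embedded URI(s): processor must not fetch them")
    return {"accepted": True, "reasons": notes,
            "storage_name": secrets.token_hex(16) + ".pdf"}
```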
A developer requests an exception to a security control — say, disabling MFA for a service account because their automation tool breaks with it. Walk me through your response.
What to listen for
Listens to the underlying need, suggests compensating controls (IP allowlist, short-lived credentials, monitoring with alerting), escalates if inadequate, documents the decision either way. Not "no, absolutely not" and not "sure, I will disable it." Senior analysts find a path that meets business needs without compromising posture.
Monitoring detects a suspicious outbound connection from a production server to an IP on the threat intel blocklist. Walk me through your investigation.
What to listen for
Isolate the server from the network if feasible, capture the process list with command-line arguments, check recent authentication and process execution, pull firewall and proxy logs, capture memory if possible, and correlate with other hosts. Strong candidates mention preserving evidence and chain of custody.
One common misconception about cybersecurity that non-security people hold, and how you correct it without being condescending.
What to listen for
Reveals communication skill and self-awareness. Common strong answers: "more tools means more security" (wrong), "compliance equals security" (overlap but not same), "attackers need advanced zero-days" (most start with phishing or credential reuse), "we are too small to be a target" (small is easier).
Describe how you stay current with threat landscape and defensive techniques. Name specific sources.
What to listen for
Specific sources — Krebs on Security, SANS ISC, The DFIR Report, Red Canary blog, specific threat intelligence feeds. Conference attendance (DEF CON, BSides, Nullcon for Indian scene). Community engagement. Not "I read security news."
Score each candidate against these weighted criteria. Total: 100%.
| Criterion | Weight | Signal |
|---|---|---|
| SOC and alert triage | 30% | Has triaged real alerts at scale. Knows SIEM tools deeply. Can reason about alerts under time pressure. |
| Incident response | 25% | Has been on real incidents. Knows the lifecycle. Can walk through a specific incident with specific decisions. |
| Threat modeling | 15% | Models threats on a feature description in real time. Knows STRIDE and applies it without prompting. |
| Communication | 15% | Explains risk to non-security stakeholders without jargon. Writes clear incident reports. Collaborates with engineers rather than antagonizing them. |
| Tooling depth | 15% | Comfortable with SIEM, EDR, forensics tools, scripting. Has built or tuned custom detections. Not pure GUI-driven. |
- CV is mostly certifications (CEH, Security Plus, CISSP) with no operational stories or specific incidents they responded to
- Cannot describe a real incident they personally worked on: everything is abstract or third-person
- Treats security as primarily compliance rather than risk: checkbox mentality rather than threat-informed
- Hostile to engineering teams: frames security work as "gatekeeping" or "enforcement" rather than partnership
- Cannot triage a basic SIEM alert within 60 seconds under observation: theoretical knowledge without operational reflex