Infra decisions aren't made in isolation — you'd be planning alongside a central Group IT function and external vendors/consultants. Expect questions testing whether you can operate within that structure, not just execute technically.
This is an ongoing operational cadence, not a one-time project — they want evidence you can sustain a patching/vulnerability-assessment rhythm without it silently lapsing.
Alerts are already flowing from a real CrowdStrike deployment. The interviewer wants evidence you can triage under pressure, not just define what EDR is.
Two wireless vendor ecosystems (Meraki + Aruba) in one environment — expect operational questions about coexistence and troubleshooting, not just feature comparisons.
Discovery: Compare EDR/vuln-scan asset lists against actual network inventory to find blind spots.
Governance: Document what each vendor/consultant owns and their SLA commitments.
Risk: Pull current open vulnerabilities by severity/age to see what's actually overdue.
SOC: Review recent EDR alert volume/types to understand normal noise vs real signal.
Wireless: Pull coverage/health reports from both Meraki and Aruba consoles.
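The Discovery and Risk checks above are the two that can be scripted on day one, so here is a worked version as an added example (not part of the original notes, and not tied to any real tool's export format). It assumes you have already exported host lists from the EDR console, the vulnerability scanner and the network inventory into plain sets, and that findings carry a severity and a first-seen date; the hostnames, finding ids and SLA day counts are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data (hypothetical hostnames, not a real environment) ---
NETWORK_INVENTORY = {"fs01", "fs02", "hr-laptop-07", "branch-ap-mgmt", "sql01"}
EDR_HOSTS = {"fs01", "fs02", "hr-laptop-07", "sql01", "old-test-vm"}
VULN_SCAN_HOSTS = {"fs01", "sql01", "branch-ap-mgmt"}

# Assumed remediation SLA in days per severity (illustrative, not a standard)
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def coverage_gaps(inventory, edr_hosts, scan_hosts):
    """Reconcile three asset views. Hosts in inventory but absent from a tool are
    blind spots; hosts a tool knows about but inventory does not are unmanaged
    assets or stale records, and need explaining either way."""
    return {
        "no_edr": sorted(inventory - edr_hosts),
        "no_vuln_scan": sorted(inventory - scan_hosts),
        "edr_only": sorted(edr_hosts - inventory),
        "scan_only": sorted(scan_hosts - inventory),
    }


@dataclass(frozen=True)
class Finding:
    finding_id: str   # placeholder id, not a real CVE number
    host: str
    severity: str
    first_seen: date


def overdue_findings(findings, today, sla_days=SLA_DAYS):
    """Return open findings past their SLA, worst first, as
    (finding_id, host, severity, days_open, days_over_sla).
    An unknown severity is a data problem, so it fails loudly rather than
    silently dropping the finding from the overdue list."""
    overdue = []
    for f in findings:
        sev = f.severity.lower()
        if sev not in sla_days:
            raise ValueError(f"{f.finding_id}: unknown severity {f.severity!r}")
        days_open = (today - f.first_seen).days
        over = days_open - sla_days[sev]
        if over > 0:
            overdue.append((f.finding_id, f.host, sev, days_open, over))
    return sorted(overdue, key=lambda r: r[4], reverse=True)


SAMPLE_FINDINGS = [  # constructed; ids are placeholders
    Finding("F-001", "sql01", "critical", date(2024, 5, 20)),
    Finding("F-002", "fs01", "high", date(2024, 5, 10)),
    Finding("F-003", "branch-ap-mgmt", "medium", date(2024, 1, 15)),
    Finding("F-004", "fs02", "low", date(2024, 5, 30)),
]
AS_OF = date(2024, 6, 1)  # constructed "today" so the output is reproducible

if __name__ == "__main__":
    for name, hosts in coverage_gaps(NETWORK_INVENTORY, EDR_HOSTS, VULN_SCAN_HOSTS).items():
        print(f"{name:13} {hosts}")
    for row in overdue_findings(SAMPLE_FINDINGS, AS_OF):
        print("OVERDUE", row)
```

The reconciliation is deliberately symmetric: a host the EDR reports that inventory has never heard of is as much a governance finding as a host with no agent. The overdue report sorts by days past SLA rather than by raw severity, which is what turns a scanner dump into the "what is actually overdue" answer the Risk item asks for.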
CrowdStrike terms: Detections vs Incidents (grouped correlated activity), Network Contain for host isolation, IOC (indicator of compromise) vs IOA (indicator of attack — behavior-based).
Meraki: Cloud-managed dashboard, zero-touch provisioning, built-in heatmap and client health views — favors distributed sites without local IT.
Aruba: Controller-based (or Central-managed), AirWave/Central for monitoring, ClientMatch for RF-aware roaming optimization.
| Term | Meaning |
|---|---|
| MTTD / MTTR | Mean Time To Detect / Respond — core SOC efficiency metrics |
| IOC vs IOA | Indicator of Compromise (evidence something already happened) vs Indicator of Attack (behavior suggesting it's happening) |
| CVSS | Common Vulnerability Scoring System — standardized severity score, not a complete risk picture on its own |
| EDR vs XDR | EDR covers endpoints; XDR correlates endpoint, network, identity, and cloud telemetry together |
| Dwell Time | How long an attacker/threat is present in the environment before detection |
| SLA | Service Level Agreement — committed response/resolution time, from a vendor or internally between teams |
| Rogue AP | Unauthorized wireless access point that could bypass network security controls |
| Containment | Isolating an affected host from the network while preserving it for investigation |