The comprehensive hiring journey entails a phone screening, hands-on coding assessment, and architectural evaluation. Final stages include an HR interview and reference checks, ultimately culminating in a formal employment offer.
Interview questions [1]
Question 1
Design and implement a detection engine that matches security telemetry events against configurable rules. The exercise focuses on your design thinking, architecture decisions, and problem-solving approach.
The Problem
Engine Behavior
Input:
List of rules
List of events
Output: when an event matches a rule, emit ALERT: Event [event_id] matched Rule [rule_id]
Each rule is evaluated against a single event at a time
Telemetry Events
Security events containing indicators:
Event ID: Unique identifier
Indicators: One or more of: FileName, Sha1, Md5, IP, Domain (all strings)
Constraint: Each indicator type appears only once per event
Example Event:
{
"eventId": "evt_001",
"fileName": "suspicious.exe",
"sha1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
"ip": "192.168.1.100"
}
Detection Rules
Rules that define matching logic:
Rule ID: Unique identifier
Detection Expression: Built from indicator conditions using the structure below
Expression Structure:
Simple Expression: [IndicatorType] [Operator] [Value]
IndicatorType: FileName, Sha1, Md5, IP, Domain
Operator: Equals, Contains, StartsWith
Value: String to match against
Complex Expression: Built using simple expressions and boolean operators: AND, OR
Expression Examples:
Simple:
(FileName Contains 'malware')
Complex:
((FileName Equals 'virus.exe') AND (IP StartsWith '192.168'))
((Domain Contains 'malicious') OR (Sha1 Equals 'abc123'))
Important Implementation Note on Rule Structure:
The examples above are for illustration only. You do not need to parse these string expressions. Instead, design your own rule structure: choose the data structure that makes the most sense for your implementation.
Matching Examples
Example 1 - MATCH:
Event: {"eventId": "evt_001", "fileName": "suspicious.exe", "ip": "192.168.1.100"}
Rule: (FileName Contains 'suspicious')
Output: ALERT: Event evt_001 matched Rule rule_001
Example 2 - MATCH:
Event: {"eventId": "evt_002", "fileName": "clean.exe", "ip": "192.168.1.50", "domain": "safe.com"}
Rule: ((IP StartsWith '192.168') AND (Domain Equals 'safe.com'))
Output: ALERT: Event evt_002 matched Rule rule_002
Example 3 - NO MATCH:
Event: {"eventId": "evt_003", "fileName": "document.pdf", "sha1": "xyz789"}
Rule: (FileName Contains 'exe')
Output: No alert (document.pdf does not contain 'exe')
Your Approach
1. Design: Explain your class structure and component interactions
2. Implement: Build the core matching engine
3. Discuss: How would you scale or extend this?
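One way to answer the design and implement steps, as an added worked example that is not part of the original question or of any candidate's submission: rules are held as an expression tree (Condition leaves, And/Or nodes that may nest), each rule is evaluated against one event at a time, and a missing indicator makes a condition false. The rule IDs, the fourth rule, the fourth event, and the validation in Condition are assumptions added here; the first three rules and events are the ones from the matching examples above.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Dict, List, Union

# Map each IndicatorType from the problem to the key it uses in the event JSON examples.
INDICATOR_KEYS: Dict[str, str] = {
    "FileName": "fileName", "Sha1": "sha1", "Md5": "md5", "IP": "ip", "Domain": "domain",
}

# The three operators the problem allows, as plain string predicates.
OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Equals": lambda actual, expected: actual == expected,
    "Contains": lambda actual, expected: expected in actual,
    "StartsWith": lambda actual, expected: actual.startswith(expected),
}


@dataclass(frozen=True)
class Condition:
    """A simple expression: [IndicatorType] [Operator] [Value]."""
    indicator: str
    operator: str
    value: str

    def __post_init__(self) -> None:
        # Assumption: reject malformed rules at load time instead of silently never (or always) matching.
        if self.indicator not in INDICATOR_KEYS:
            raise ValueError(f"unknown indicator type: {self.indicator}")
        if self.operator not in OPERATORS:
            raise ValueError(f"unknown operator: {self.operator}")
        if not self.value:
            raise ValueError("empty value would match every event that carries the indicator")

    def evaluate(self, event: Dict[str, str]) -> bool:
        actual = event.get(INDICATOR_KEYS[self.indicator])
        if actual is None:
            return False  # indicator absent from the event: the condition cannot be satisfied
        return OPERATORS[self.operator](actual, self.value)


class And:
    """Complex expression: true only if every operand is true (operands may nest)."""
    def __init__(self, *operands: Expression) -> None:
        self.operands = operands

    def evaluate(self, event: Dict[str, str]) -> bool:
        return all(op.evaluate(event) for op in self.operands)


class Or:
    """Complex expression: true if any operand is true (operands may nest)."""
    def __init__(self, *operands: Expression) -> None:
        self.operands = operands

    def evaluate(self, event: Dict[str, str]) -> bool:
        return any(op.evaluate(event) for op in self.operands)


Expression = Union[Condition, And, Or]


@dataclass(frozen=True)
class Rule:
    rule_id: str
    expression: Expression


def run_engine(rules: List[Rule], events: List[Dict[str, str]]) -> List[str]:
    """Evaluate every rule against every event; return the alert lines in event order."""
    alerts: List[str] = []
    for event in events:
        for rule in rules:
            if rule.expression.evaluate(event):
                alerts.append(f"ALERT: Event {event['eventId']} matched Rule {rule.rule_id}")
    return alerts


# Constructed sample rules: the three from the matching examples plus a nested AND/OR rule (assumed).
RULES: List[Rule] = [
    Rule("rule_001", Condition("FileName", "Contains", "suspicious")),
    Rule("rule_002", And(Condition("IP", "StartsWith", "192.168"),
                         Condition("Domain", "Equals", "safe.com"))),
    Rule("rule_003", Condition("FileName", "Contains", "exe")),
    Rule("rule_004", And(Condition("FileName", "Equals", "virus.exe"),
                         Or(Condition("IP", "StartsWith", "10."),
                            Condition("Domain", "Contains", "malicious")))),
]

# Constructed sample events: the three from the matching examples plus one that exercises rule_004.
EVENTS: List[Dict[str, str]] = [
    {"eventId": "evt_001", "fileName": "suspicious.exe", "ip": "192.168.1.100"},
    {"eventId": "evt_002", "fileName": "clean.exe", "ip": "192.168.1.50", "domain": "safe.com"},
    {"eventId": "evt_003", "fileName": "document.pdf", "sha1": "xyz789"},
    {"eventId": "evt_004", "fileName": "virus.exe", "domain": "cdn.malicious.example"},
]

if __name__ == "__main__":
    for line in run_engine(RULES, EVENTS):
        print(line)
```

Two design choices worth raising in the discuss step: a condition on an indicator the event does not carry is false rather than an error, so rule_002 does not fire on evt_001 even though its IP prefix matches; and the engine is O(rules x events) with every rule evaluated independently, so the natural scaling step is to index rules by the indicator types they reference and only evaluate those whose indicators the event actually contains.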
I applied through an employee referral. The process took 4 weeks. I interviewed at Sedric (Tel Aviv-Yafo) in Jan 2022.
Interview
I had two interviews for the position. The first interview was with two members of the team, while the second one was with the CTO. The interviews stood out because they didn’t include any LeetCode-style algorithmic questions. Instead, they focused on system design and problem-solving. Both interviews were engaging and conducted in a friendly atmosphere, making the experience quite enjoyable.
Interview questions [1]
Question 1
Bunch of technical questions and design.
No Leetcode questions.