New · Cohort 3Engineering Analytics Cohort 3 goes live 25 July — only 30 seatsRegister Now
200 questionsMedium difficulty5 rounds3.37/5

EY Cybersecurity Analyst Interview Questions (2026)

200 real Cybersecurity Analyst interview questions compiled for EY, 200 of them tailored to EY's actual interview flavor. Below: the interview process, the questions with answer outlines, the topics tested, and how to prepare.

EY GDS (Global Delivery Services) in India hires at scale through online aptitude/technical assessments followed by a technical interview, a managerial round, and HR, organized by service line (Assurance, Tax, Consulting, Technology). Interviews stress domain fundamentals, communication for global stakeholder work, and fit with EY's 'Building a better working world' purpose.

Questions

200

200 company-tailored

Difficulty

Medium

from our question mix

Rounds

5

typical loop

EY rating

3.37/5

Top 100% in Management Consulting

EY's interview process

  1. 1Online Assessment60 minMedium

    Timed aptitude and domain MCQs that shortlist for service-line interviews.

  2. 2Technical Interview45 minMedium

    Domain depth for the line: accounting standards for Assurance, SQL/cloud/SAP scenarios for GDS Technology, tax law for Tax.

  3. 3Analytics Case Round45 minMedium

    Data roles work an audit-analytics or reporting case: profile a dataset, flag exceptions, present findings.

  4. 4Managerial Round45 minMedium

    Delivery manager tests escalation handling, global-stakeholder communication, estimation, and pressure scenarios.

  5. 5HR Round30 minEasy

    Values-fit, shift/relocation flexibility, compensation, and joining formalities.

Cybersecurity Analyst interview questions asked at EY

  1. Q1

    Which cloud forensic artifacts would you collect to determine actions taken and data accessed? In your answer, cover data-access validation, legal hold requirements, and collection order

    AdvancedForensicsEY-specific

    Context: A cloud account shows suspicious API calls during a scheduled maintenance window.

    How to answer: To determine actions taken and data accessed in a cloud environment, I would prioritize collecting logs from Identity and Access Management (IAM) services, CloudTrail/Azure Monitor/Google Cloud Audit Logs, and object storage access logs. Data-access validation involves correlating these logs with network flow logs (VPC Flow Logs) and application-specific logs to confirm actual data exfiltration or modification. Legal hold requirements necessitate preserving all relevant logs and snapshots of affected resources immediately, ensuring immutability and chain of custody. Collection order should prioritize volatile data and logs, starting with live system memory (if applicable and accessible), then high-fidelity audit logs, followed by object storage logs, and finally network flow logs.

  2. Q2

    Which browser, identity, and SaaS artifacts would help confirm the export? In your answer, cover artifact reliability, reporting language, and forensic imaging

    Lead/ConsultantForensicsEY-specific

    Context: A browser-based SaaS export may have occurred from an ERP server.

    How to answer: To confirm data export, browser download history, cache, and autofill data (e.g., file paths, filenames, timestamps) are crucial, though modifiable. Identity artifacts like SAML/OAuth logs from SSO providers or local user activity logs (e.g., Windows Event Logs 4688, 4663, Sysmon) can link user actions to the export. SaaS application audit logs (e.g., M365 Unified Audit Log, Salesforce Event Monitoring) provide the most reliable evidence of export events, including user, timestamp, and file details. Reporting language must reflect artifact reliability (e.g., 'indicates,' 'suggests' vs. 'confirms'), and forensic imaging ensures data integrity and completeness for analysis.

  3. Q3

    How would you reconcile conflicting timestamps, time zones, and log source reliability? In your answer, cover timeline construction, collection order, and reporting language

    EntryForensicsEY-specific

    Context: Two analysts produce different incident timelines for suspicious service creation.

    How to answer: A strong answer will emphasize establishing a consistent timeline by converting all timestamps to Coordinated Universal Time (UTC) and documenting the original time zone. It should detail prioritizing log sources based on their reliability (e.g., system logs over application logs, trusted network devices over user endpoints) and the order of collection, starting with volatile data. Finally, the answer must address how to clearly articulate any discrepancies, assumptions, and the confidence level in the constructed timeline within the final report, using cautious and precise language.

  4. Q4

    How would you collect and analyze evidence while respecting legal and HR requirements? In your answer, cover volatile evidence, chain of custody, and legal hold requirements

    IntermediateForensicsEY-specific

    Context: A suspected insider used a dormant contractor account to access files outside normal duties.

    How to answer: A strong answer will detail a systematic approach starting with the immediate preservation of volatile evidence, such as RAM and network connections, using forensically sound methods. It will then explain the critical importance of establishing and maintaining an unbroken chain of custody for all collected evidence, documenting every transfer and handler. Finally, the answer must address legal hold requirements, outlining how to identify relevant data, preserve it without alteration, and communicate the hold to all custodians to prevent spoliation.

  5. Q5

    How would you reconstruct the timeline and determine whether mail was accessed or exfiltrated? In your answer, cover hash validation, scope boundaries, and forensic imaging

    AdvancedForensicsEY-specific

    Context: Email headers, mailbox audit logs, and forwarding rules suggest possible business email compromise.

    How to answer: To reconstruct the timeline and determine mail access/exfiltration, I would first establish clear scope boundaries, including relevant systems and timeframes. Next, I'd acquire forensic images of all pertinent storage devices (endpoints, mail servers, cloud storage) using forensically sound methods, validating their integrity with cryptographic hashes. Subsequently, I'd analyze system logs (event logs, browser history, mail client logs), network traffic, and file system metadata (MAC times) for evidence of mail access, attachment viewing, or suspicious network connections. Finally, I'd correlate these findings to build a chronological timeline and identify indicators of exfiltration, such as large uploads or use of external storage.

  6. Q6

    How would you reconstruct the timeline and determine whether mail was accessed or exfiltrated? In your answer, cover evidence storage, integrity risks, and volatile evidence

    Lead/ConsultantForensicsEY-specific

    Context: Email headers, mailbox audit logs, and forwarding rules suggest possible business email compromise.

    How to answer: To reconstruct the timeline and determine mail access/exfiltration, I would start by acquiring volatile memory (RAM) using forensically sound tools, ensuring write blockers are used for disk imaging. Key evidence sources include memory dumps for process analysis (e.g., email clients, web browsers, cloud sync tools), network traffic captures (PCAP) for exfiltration attempts, and disk images for email client artifacts, browser history, and log files. Integrity is maintained through hashing (MD5/SHA256) at each acquisition step and storing evidence on write-protected media with strict chain-of-custody documentation. Volatile evidence, such as active network connections, open files, and running processes, is prioritized due to its ephemeral nature.

  7. Q7

    How would you reconstruct the timeline and determine whether mail was accessed or exfiltrated? In your answer, cover scope boundaries, timeline construction, and chain of custody

    EntryForensicsEY-specific

    Context: Email headers, mailbox audit logs, and forwarding rules suggest possible business email compromise.

    How to answer: To reconstruct the timeline and determine email access/exfiltration, first define the scope (user, time range, mailboxes, systems involved). Collect data from email servers (logs, message tracking), endpoint devices (OS logs, browser history, mail client logs), network devices (firewall, proxy logs), and cloud providers. Establish a chronological timeline by correlating timestamps from all sources, normalizing for time zones. Analyze logs for access patterns (IPs, user agents), unusual deletions, forwarding rules, large downloads, or external access. Maintain a strict chain of custody for all collected evidence to ensure its integrity and admissibility.

  8. Q8

    What would you look for during memory analysis and how would you validate findings? In your answer, cover scope boundaries, data-access validation, and time-zone normalization

    IntermediateForensicsEY-specific

    Context: A memory image from a VIP executive laptop contains suspicious network connections and injected processes.

    How to answer: During memory analysis, I would look for active processes, network connections, loaded modules, open files, and evidence of rootkits or malware injection. Validation involves cross-referencing findings with other forensic artifacts like disk images and log files, ensuring data access is authorized and documented. I would also normalize all timestamps to UTC to avoid time-zone discrepancies and ensure a consistent timeline.

  9. Q9

    How would you plan disk, memory, and external media forensic collection? In your answer, cover hash validation, scope boundaries, and volatile evidence

    AdvancedForensicsEY-specific

    Context: A laptop may have been used to exfiltrate sensitive data before being powered off.

    How to answer: A strong plan for disk, memory, and external media forensic collection prioritizes volatile evidence first (memory, then external media, then disk) to prevent loss. It establishes clear scope boundaries based on the incident, ensuring all relevant systems and data are included while avoiding over-collection. Throughout the process, cryptographic hash validation (e.g., SHA256) is crucial for every collected artifact to prove integrity and authenticity, with write-blockers used for disk imaging. Documentation of the chain of custody and collection methodology is paramount.

  10. Q10

    What forensic process would you follow from identification to final reporting? In your answer, cover legal hold requirements, reporting language, and timeline construction

    Lead/ConsultantForensicsEY-specific

    Context: A legal hold requires preserving evidence for a suspected breach in an insurance client under regulatory review.

    How to answer: A strong answer outlines the forensic process: Identification, Preservation (including legal hold), Collection, Examination, Analysis, and Reporting. It emphasizes the critical role of maintaining an unbroken chain of custody throughout. The candidate should detail legal hold requirements, focusing on scope, communication, and enforcement, and discuss the iterative nature of timeline construction during analysis. Finally, they should address reporting language, stressing clarity, objectivity, and defensibility for legal scrutiny.

  11. Q11

    What evidence would you preserve first and how would you avoid contaminating it? In your answer, cover legal hold requirements, timeline construction, and time-zone normalization

    EntryForensicsEY-specific

    Context: EY is asked to investigate a developer workstation after a newly registered domain appearing in proxy logs is reported in a finance transformation project. The host sits in a regulated network segment.

    How to answer: The first evidence to preserve is volatile data from live systems (RAM, running processes, network connections), followed by disk images. To avoid contamination, use forensically sound tools (e.g., write-blockers for disks, memory acquisition tools that don't write to the target disk) and work from a trusted forensic workstation. Legal hold requirements dictate immediate preservation of all potentially relevant data, ensuring no spoliation. Timeline construction relies on system logs and artifacts, requiring careful time-zone normalization to establish a coherent sequence of events.

  12. Q12

    How would you assess evidence integrity and collect artifacts safely? In your answer, cover integrity risks, data-access validation, and artifact reliability

    IntermediateForensicsEY-specific

    Context: An endpoint was isolated automatically after a firewall deny storm from one internal subnet, but the user continued working remotely.

    How to answer: To assess evidence integrity, one must establish a chain of custody, utilize cryptographic hashing (e.g., SHA256) before and after acquisition, and document all actions. Safe artifact collection involves using forensically sound tools (e.g., write-blockers for disk imaging, live acquisition tools for volatile memory) to prevent data alteration. Data access validation requires proper authorization, logging of access attempts, and ensuring the collection process adheres to legal and company policies. Artifact reliability is ensured by cross-referencing multiple sources, validating tool outputs, and maintaining a robust chain of custody.

  13. Q13

    How would you recover enough evidence to determine execution and impact? In your answer, cover hash validation, volatile evidence, and reporting language

    AdvancedForensicsEY-specific

    Context: A phishing attachment was deleted before analysis, but endpoint and email logs remain.

    How to answer: To recover evidence for execution and impact, first acquire a forensically sound image of the relevant disk, ensuring hash validation (e.g., SHA256) at acquisition and verification. Prioritize volatile evidence collection (RAM, network connections, running processes) before disk imaging. Analyze disk artifacts like MFT, USN Journal, ShimCache, Amcache, Prefetch files, and Registry hives (Run keys, UserAssist, AppCompatCache) for execution, and event logs (Security, System, Application) for impact. Finally, construct a clear, defensible report detailing findings, methodologies, and conclusions using precise, objective language suitable for legal or executive review.

  14. Q14

    How would you reconstruct the timeline and determine whether mail was accessed or exfiltrated? In your answer, cover reporting language, scope boundaries, and artifact reliability

    Lead/ConsultantForensicsEY-specific

    Context: Email headers, mailbox audit logs, and forwarding rules suggest possible business email compromise.

    How to answer: To reconstruct the timeline and determine mail access/exfiltration, I would start by acquiring volatile memory (RAM) and disk images. I'd then analyze memory for active processes, network connections, open files, and clipboard contents using tools like Volatility to identify email client activity or suspicious data transfers. Concurrently, disk forensics would focus on email client artifacts (e.g., PST/OST files, MBOX, EML), browser history, download folders, and USB device connection logs to corroborate memory findings and establish a comprehensive timeline. Reporting would clearly state findings, their reliability based on artifact type, and scope limitations, such as encrypted containers or wiped free space.

  15. Q15

    How would you determine whether sensitive records were viewed, exported, or altered? In your answer, cover chain of custody, reporting language, and time-zone normalization

    EntryForensicsEY-specific

    Context: A database audit trail indicates unusual SELECT queries from a help-desk analyst account.

    How to answer: To determine if sensitive records were viewed, exported, or altered, I would first establish a robust chain of custody for all acquired evidence, ensuring its integrity. Next, I'd focus on collecting and analyzing relevant logs (e.g., system, application, audit, network) for access, modification, and data transfer events, paying close attention to timestamps. Time-zone normalization is critical for correlating these events accurately across different systems. Finally, I would compile findings into a clear, concise report using precise, objective language suitable for legal or internal review.

Practice these with instant AI feedback in a live mock interview → Start a EY Cybersecurity Analyst mock

Topics tested most

Incident Response34
Threat Detection34
Forensics33
SIEM33
SOC33
Security Monitoring33

How to prepare for the EY Cybersecurity Analyst interview

Focus your prep on the topics above, rehearse structured answers out loud, and do at least one full mock loop before the real thing.

Frequently asked questions

How hard is the EY Cybersecurity Analyst interview?

Based on our bank of 200 Cybersecurity Analyst questions asked at EY, the overall difficulty is medium (EY's process is generally rated standard). Expect around 5 rounds spanning Incident Response, Threat Detection, Forensics.

How many interview rounds does EY have for a Cybersecurity Analyst?

EY typically runs about 5 rounds for Cybersecurity Analyst candidates: Online Assessment → Technical Interview → Analytics Case Round → Managerial Round → HR Round.

Explore more

Cybersecurity Analyst interviews at other companies

Compiled by PrepNPlaced from 200+ interview reports and question banks for the EY Cybersecurity Analyst loop, cross-referenced with 14,976 employee reviews. Data refreshed 2026-07-12. Updated 2026.