Cybersecurity Interview Questions

Comprehensive Cybersecurity Interview Questions & Answers

Basic Cybersecurity Fundamentals

Q: What is the CIA triangle?

A: The CIA Triad represents the three core principles of information security:

• Confidentiality: Ensuring information is accessible only to authorized individuals
• Integrity: Maintaining accuracy and completeness of data
• Availability: Ensuring information and resources are accessible when needed

Q: What is the Cyber Kill Chain?

A: A framework developed by Lockheed Martin that describes the stages of a cyberattack:

1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives

Q: What is MITRE ATT&CK?

A: A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, used for developing threat models and methodologies.

Q: Explain the difference between Vulnerability, Threat, and Risk.

A:

• Vulnerability: A weakness in a system that could be exploited
• Threat: A potential danger that could exploit a vulnerability
• Risk: The likelihood and impact of a threat exploiting a vulnerability

Q: What is the difference between Vulnerability Assessment (VA) and Penetration Testing (PT)?

A:

• VA: Automated scanning to identify known vulnerabilities
• PT: Manual testing that attempts to exploit vulnerabilities to determine actual risk

Q: What is the difference between Events, Alerts, and Incidents?

A:

• Event: Any observable occurrence in a system
• Alert: A notification triggered by specific criteria or thresholds
• Incident: A confirmed security breach or violation requiring response

Q: What are APT Groups?

A: Advanced Persistent Threat groups are sophisticated, well-resourced attackers (often nation-state sponsored) who conduct long-term, targeted attacks against specific organizations.

Encryption and Cryptography

Q: What’s the difference between symmetric and asymmetric (public-key) cryptography?

A:

• Symmetric: Uses the same key for encryption and decryption (faster, but key distribution challenge)
• Asymmetric: Uses a pair of keys (public/private) - encrypt with one, decrypt with the other

Q: What is Encryption, Encoding, and Hashing?

A:

• Encryption: Converting data to protect confidentiality (reversible with key)
• Encoding: Converting data for compatibility/transmission (easily reversible)
• Hashing: One-way function creating fixed-length output (irreversible)

Q: What is Salting in the context of Hashing, and why is it used?

A: Salting adds random data to passwords before hashing to prevent rainbow table attacks and ensure identical passwords produce different hashes.

Q: Would you Encrypt and Compress or Compress and Encrypt? Why?

A: Encrypting data before compressing it is inefficient, as the compression will not work effectively on encrypted data. On the other hand, compressing data before encrypting it is efficient but can expose it to the risk of side-channel attacks. Given this trade-off, in sensitive contexts, it is often best to avoid compression altogether and only use encryption.

Q: How does the Three-way Handshake work?

A: TCP connection establishment process:

1. Client sends SYN packet
2. Server responds with SYN-ACK packet
3. Client sends ACK packet Connection is now established.

Q: What is Perfect Forward Secrecy?

A: A security feature that ensures session keys are not compromised even if the server’s private key is compromised, as ephemeral keys are used for each session.

Network Security

Q: What port does SSH work on?

A: Port 22 (TCP)

Q: What port does DNS work on?

A: Port 53 (both TCP and UDP - UDP for queries, TCP for zone transfers)

Q: What port does PING work on?

A: Trick question - PING uses ICMP, which is a Layer 3 protocol and doesn’t use ports.

Q: What is the difference between IPS and IDS?

A:

• IDS (Intrusion Detection System): Monitors and alerts on suspicious activities
• IPS (Intrusion Prevention System): Monitors and actively blocks/prevents suspicious activities

Q: What is a firewall? What are different types?

A: A security device that controls network traffic. Types include:

• Packet filtering firewalls
• Stateful inspection firewalls
• Application layer firewalls
• Next-generation firewalls (NGFW)

Q: Do you prefer filtered ports or closed ports on your firewall?

A: Filtered ports are generally preferred as they don’t respond to probes, providing security through obscurity and making reconnaissance harder.

Q: What is the difference between deep web and dark web?

A:

• Deep Web: Content not indexed by search engines (private databases, password-protected sites)
• Dark Web: Intentionally hidden networks requiring special software (like Tor) to access

Q: What is a honeypot?

A: A decoy system designed to attract and detect attackers, providing early warning and intelligence about attack methods.

Q: What is worse in detection: false negative or false positive?

A: Context-dependent, but generally false negatives are worse as they mean actual threats go undetected, while false positives only waste resources.

Q: Explain man-in-the-middle attack.

A: An attack where an attacker secretly intercepts and potentially alters communications between two parties who believe they’re communicating directly.

Q: What is ARP Poisoning?

A: An attack where malicious ARP messages are sent to link the attacker’s MAC address with a legitimate IP address, allowing traffic interception.

Web Application Security

Q: What is Cross-Site Scripting (XSS)?

A: An injection attack where malicious scripts are inserted into web pages viewed by other users.

Q: What’s the difference between stored, reflected, and DOM-based XSS?

A:

• Stored: Malicious script stored on server and executed when page loads
• Reflected: Script reflected off server in response (like error messages)
• DOM-based: Script executed in DOM environment on client-side

Q: What is CSRF (Cross-Site Request Forgery)?

A: An attack that tricks users into performing unwanted actions on authenticated web applications.

Q: How do you protect against CSRF?

A:

• Anti-CSRF tokens
• SameSite cookie attributes
• Origin/Referer header verification
• Double-submit cookies

Q: What is SQL Injection?

A: An attack where malicious SQL code is inserted into application queries to manipulate database operations.

Q: Name some types of SQL Injection.

A:

• Union-based
• Boolean-based blind
• Time-based blind
• Error-based
• Second-order

Q: What is the Same Origin Policy (SOP)?

A: A security concept that restricts scripts from one origin from accessing resources from another origin.

Q: What is CORS?

A: Cross-Origin Resource Sharing - a mechanism that allows restricted resources on a web page to be requested from another domain.

Authentication and Authorization

Q: What is the difference between Authentication and Authorization?

A:

• Authentication: Verifying who someone is
• Authorization: Determining what they’re allowed to do

Q: What is 2FA? Can it be bypassed with phishing?

A: Two-Factor Authentication adds a second verification step. Yes, it can be bypassed through sophisticated phishing attacks that capture both factors in real-time.

Q: How do you handle brute force attacks on applications?

A:

• Account lockout policies
• Rate limiting
• CAPTCHA implementation
• IP blocking
• Progressive delays

Incident Response and SOC

Q: What is Incident Response?

A: The organized approach to addressing and managing security incidents to limit damage and reduce recovery time and costs.

Q: What is the lifecycle of Incident Response?

A:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Q: What are IOCs and IOAs?

A:

• IOC (Indicators of Compromise): Evidence of a security breach
• IOA (Indicators of Attack): Evidence of ongoing malicious activity

Q: How can you detect if an email is phishing?

A: Check for:

• Suspicious sender addresses
• Grammar/spelling errors
• Urgent language
• Suspicious links/attachments
• Mismatched URLs
• Requests for sensitive information

Q: What would you do if a user reports clicking a phishing link and sharing credentials?

A:

1. Immediately reset the compromised credentials
2. Monitor accounts for unauthorized access
3. Scan the user’s system for malware
4. Review logs for suspicious activities
5. Document the incident

Q: What are some malware persistence techniques?

A:

• Registry modifications
• Scheduled tasks
• Service installation
• DLL hijacking
• Startup folder entries
• WMI event subscriptions

Penetration Testing

Q: What are the phases of penetration testing?

A:

1. Planning and Reconnaissance
2. Scanning and Enumeration
3. Gaining Access
4. Maintaining Access
5. Analysis and Reporting

Q: What is the difference between Black-box, White-box, and Gray-box testing?

A:

• Black-box: No prior knowledge of the system
• White-box: Full knowledge of the system
• Gray-box: Limited knowledge of the system

Q: What NMAP argument shows version information?

A: -sV for version detection

Q: What’s the difference between -v and -V in NMAP?

A:

• -v: Increases verbosity (detailed output)
• -V: Shows version of NMAP itself

Q: Can SQL injection lead to RCE?

A: Yes, through techniques like:

• xp_cmdshell in SQL Server
• LOAD_FILE() and INTO OUTFILE in MySQL
• Custom functions in PostgreSQL

Q: How do you erase tracks after hacking a Linux machine?

A:

• Clear log files (/var/log/)
• Clear bash history
• Remove uploaded tools
• Clear temporary files
• Modify timestamps

Cloud Security

Q: What are common AWS S3 bucket misconfigurations?

A:

• Public read/write permissions
• Insufficient access controls
• Missing encryption
• Inadequate logging
• Default configurations
• Overprivileged IAM policies

Malware Analysis

Q: What types of malware analysis are possible?

A:

• Static Analysis: Examining malware without executing it
• Dynamic Analysis: Analyzing malware behavior during execution
• Behavioral Analysis: Studying malware actions and system interactions

Q: What is the difference between Spyware and PUP?

A:

• Spyware: Malicious software that secretly monitors user activities
• PUP (Potentially Unwanted Program): Software that may be legitimate but often unwanted by users

Programming and Automation

Q: Write a RegEx to filter email addresses.

A: [a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}

Q: How would you fetch IP addresses from a JSON file using Python?

A:

import json
import re

with open('file.json', 'r') as f:
    data = json.load(f)
    
ip_pattern = r'\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b'
for item in dat
A:
    ips = re.findall(ip_pattern, str(item))
    print(ips)

Compliance and Frameworks

Q: What is SOC 2?

A: A security framework for service organizations handling customer data, focusing on five trust service criteri A: Security, Availability, Processing Integrity, Confidentiality, and Privacy.

Q: What is the NIST framework?

A: A cybersecurity framework providing guidelines for managing cybersecurity risk through five core functions: Identify, Protect, Detect, Respond, and Recover.

Q: What is Zero Trust?

A: A security model based on the principle “never trust, always verify” - no user or device is trusted by default, regardless of location.

Industry Knowledge and Opinion-Based Questions

Q: Do you prefer open-source or proprietary security tools?

A: Both have advantages:

• Open-source: Transparency, community support, cost-effective, customizable
• Proprietary: Professional support, comprehensive features, easier integration

Q: How do you stay updated in cybersecurity?

A:

• Security news feeds (KrebsOnSecurity, The Hacker News)
• Professional communities (Reddit r/netsec, Twitter)
• Conferences and webinars
• Vendor advisories
• Threat intelligence feeds
• Hands-on labs and CTFs

Q: Who’s more dangerous: insiders or outsiders?

A: Insiders are often more dangerous due to:

• Privileged access
• Knowledge of internal systems
• Ability to bypass security controls
• Trust relationships However, the actual risk depends on the specific organization and its security posture.

Q: Should organizations pay ransomware demands?

A: Generally not recommended because:

• No guarantee of data recovery
• Encourages more attacks
• May violate legal requirements
• Funds criminal activities Focus should be on prevention, backup strategies, and incident response planning.

Advanced Network Security

Q: What is traceroute and how does it work at the protocol level?

A: Traceroute maps the path packets take to a destination. It works by sending packets with incrementally increasing TTL values. Each router decrements TTL and sends back an ICMP “Time Exceeded” message when TTL reaches 0, revealing the router’s IP address.

Q: What is the difference between TCP and UDP?

A:

• TCP: Connection-oriented, reliable, ordered delivery, error checking, flow control
• UDP: Connectionless, faster, no guaranteed delivery, no error recovery

Q: What is NAT (Network Address Translation)?

A: A method of mapping private IP addresses to public IP addresses, allowing multiple devices on a private network to share a single public IP address.

Q: What is Port Forwarding and why is it used?

A: Port forwarding redirects communication requests from one address/port to another. Used to allow external access to internal services behind NAT/firewall.

Q: What is a VLAN?

A: Virtual Local Area Network - logically separates a physical network into multiple broadcast domains for security and traffic management.

Q: What is IP Subnetting?

A: Dividing a network into smaller sub-networks to improve performance, security, and management. Uses subnet masks to define network and host portions.

Q: What is a Load Balancer?

A: A device that distributes network or application traffic across multiple servers to ensure availability, reliability, and optimal resource utilization.

Q: What is CDN (Content Delivery Network)?

A: A geographically distributed network of servers that deliver web content to users from the nearest server location to improve performance.

Q: What is the difference between Forward Proxy and Reverse Proxy?

A:

• Forward Proxy: Acts on behalf of clients, hiding their identity from servers
• Reverse Proxy: Acts on behalf of servers, hiding server details from clients

Q: What is a Fragmentation attack?

A: An attack that exploits how systems handle fragmented IP packets, potentially bypassing security controls or causing DoS conditions.

Q: Besides firewalls, what other devices enforce network boundaries?

A:

• Routers with ACLs
• Network Access Control (NAC) systems
• VPN gateways
• Proxy servers
• Network segmentation appliances

Extended Web Application Security

Q: What is XXE (XML External Entity)?

A: A vulnerability that allows attackers to interfere with XML processing by referencing external entities, potentially leading to file disclosure, SSRF, or DoS.

Q: What is SSRF (Server-Side Request Forgery)?

A: An attack where an attacker can make the server perform requests to unintended locations, potentially accessing internal resources.

Q: What is RCE (Remote Code Execution)?

A: A vulnerability that allows attackers to execute arbitrary code on a remote system, often through injection flaws or deserialization vulnerabilities.

Q: What is OS Command Injection?

A: An attack where malicious commands are injected into applications that execute system commands, allowing attackers to run arbitrary OS commands.

Q: What are Security Headers in HTTP Response?

A:

• Content-Security-Policy (CSP)
• X-XSS-Protection
• X-Content-Type-Options
• X-Frame-Options
• Strict-Transport-Security (HSTS)

Q: What is CSP (Content Security Policy)?

A: A security header that helps prevent XSS attacks by controlling which resources the browser is allowed to load for a particular page.

Q: What is a Race Condition vulnerability?

A: A flaw that occurs when the behavior of software depends on the relative timing of events, potentially allowing attackers to manipulate the sequence of operations.

Q: What are Cookie Attributes/Flags?

A:

• Secure: Cookie only sent over HTTPS
• HttpOnly: Cookie not accessible via JavaScript
• SameSite: Controls when cookies are sent in cross-site requests

Q: What is Threat Modeling?

A: A structured approach to identifying, quantifying, and addressing security risks in applications and systems.

Q: What is STRIDE?

A: A threat modeling methodology:

• Spoofing: Impersonation attacks
• Tampering: Data modification
• Repudiation: Denying actions
• Information Disclosure: Data exposure
• Denial of Service: Service unavailability
• Elevation of Privilege: Gaining unauthorized access

Mobile Application Security

Q: What are common risks in mobile applications?

A:

• Insecure data storage
• Weak server-side controls
• Insufficient transport layer protection
• Unintended data leakage
• Poor session handling
• Insecure communication

Q: How can you detect if an iOS/Android device is jailbroken/rooted?

A:

• Check for jailbreak/root detection files
• Verify app signature integrity
• Test sandbox restrictions
• Check for common jailbreak/root apps
• Analyze system behavior anomalies

Q: What are SSL Pinning bypass techniques?

A:

• Frida scripts to hook SSL functions
• Xposed modules
• Custom certificate installation
• Patching application binaries
• Using tools like objection

Advanced Penetration Testing

Q: What is a 0-Day (Zero-Day) attack?

A: An attack that exploits a previously unknown vulnerability before security patches are available.

Q: What is Subdomain Takeover?

A: An attack where an attacker gains control over a subdomain by claiming an unclaimed external service that the subdomain points to.

Q: How can you detect the presence of a WAF?

A:

• Analyze HTTP response headers
• Test with common attack payloads
• Look for specific error messages
• Check response timing differences
• Use tools like wafw00f

Q: What is a C2 (Command and Control) server?

A: A server used by attackers to maintain communication with compromised systems and send commands to malware.

Q: What is the difference between Pass-the-Hash and Pass-the-Ticket?

A:

• Pass-the-Hash: Uses NTLM hash to authenticate without knowing plaintext password
• Pass-the-Ticket: Uses Kerberos tickets to authenticate without needing password or hash

Q: How does NMAP determine the Operating System?

A: Through OS fingerprinting techniques:

• TCP sequence number analysis
• IP header field analysis
• TCP option analysis
• Response to malformed packets

Q: What is Supply Chain Attack?

A: An attack that targets less-secure elements in the supply chain to compromise the final target, often through third-party software or hardware.

Q: What are some SSL/TLS vulnerabilities?

A:

• Heartbleed (CVE-2014-0160)
• POODLE (SSLv3 vulnerability)
• BEAST (CBC mode vulnerability)
• CRIME (compression vulnerability)
• Weak cipher suites

Extended Incident Response

Q: What is SLA (Service Level Agreement)?

A: A contract defining expected service levels, including response times for different types of incidents (P0, P1, P2, P3, P4).

Q: How do you prioritize incidents?

A: Based on:

• P0/P1: Critical business impact, immediate response required
• P2/P3: Significant impact, response within hours
• P4: Low impact, response within days

Q: What are SPF, DKIM, and DMARC?

A: Email authentication protocols:

• SPF: Specifies authorized sending servers
• DKIM: Digital signature for email integrity
• DMARC: Policy for handling authentication failures

Q: How would you create a playbook for BEC (Business Email Compromise)?

A:

1. Immediate containment (disable compromised accounts)
2. Evidence preservation
3. Impact assessment
4. Communication to stakeholders
5. Investigation and analysis
6. Recovery and remediation
7. Lessons learned documentation

Q: What is Process Injection?

A: A technique where malicious code is inserted into legitimate processes. Methods include:

• DLL injection
• Process hollowing
• Thread execution hijacking
• PE injection

Q: How do you respond to a DDoS attack?

A:

1. Activate DDoS response team
2. Identify attack type and source
3. Implement rate limiting/traffic filtering
4. Engage DDoS mitigation service
5. Scale infrastructure if possible
6. Communication to users/stakeholders
7. Post-incident analysis

Q: How do you detect DNS Exfiltration?

A:

• Monitor DNS query patterns
• Look for unusual domain names
• Analyze DNS traffic volume
• Check for long domain names or suspicious TXT records
• Use DNS analytics tools

Q: What logs would you collect in a Windows environment?

A:

• Windows Event Logs (Security, System, Application)
• PowerShell logs
• Process creation logs (Sysmon)
• Network connection logs
• File system access logs
• Registry modification logs

Extended Cryptography

Q: What is a block cipher vs stream cipher?

A:

• Block cipher: Encrypts fixed-size blocks of data (e.g., AES with 128-bit blocks)
• Stream cipher: Encrypts data bit by bit or byte by byte (e.g., RC4)

Q: What are different block cipher modes of operation?

A:

• ECB: Electronic Codebook (least secure)
• CBC: Cipher Block Chaining
• CFB: Cipher Feedback
• OFB: Output Feedback
• GCM: Galois/Counter Mode (provides authentication)

Q: What is an IV (Initialization Vector)?

A: A random value used to initialize encryption algorithms to ensure the same plaintext produces different ciphertext each time.

Q: What are rainbow tables?

A: Precomputed tables of hash values and their corresponding plaintext inputs, used to crack password hashes quickly.

Q: How do CAs store their private root keys?

A: In Hardware Security Modules (HSMs) with strict physical and logical access controls, often in air-gapped environments.

Q: What is the difference between DSA and RSA?

A:

• RSA: Can be used for both encryption and digital signatures
• DSA: Primarily designed for digital signatures, not encryption

System Administration Security

Q: Where are passwords stored in Windows machines?

A: In the Security Account Manager (SAM) database, typically located at C:\Windows\System32\config\SAM

Q: How can you read the SAM file in Windows?

A:

• Boot from external media
• Use tools like pwdump or samdump2
• Access through registry hives
• Use shadow copies

Q: Where are Linux passwords stored and what hash does it use?

A: In /etc/shadow file, typically using SHA-512 hashes (indicated by $6$ prefix)

Q: How can you break BIOS password on a locked machine?

A:

• Remove CMOS battery
• Use BIOS backdoor passwords
• Short CMOS reset jumper
• Use hardware programmer on BIOS chip

Q: What are your first three steps when securing a Linux server?

A:

1. Update system and install security patches
2. Configure firewall and disable unnecessary services
3. Set up proper user accounts and SSH key authentication

Q: What are your first three steps when securing a Windows server?

A:

1. Install latest updates and security patches
2. Configure Windows Firewall and disable unnecessary services
3. Implement proper user account controls and password policies

Advanced Malware Analysis

Q: What is drive-by-download?

A: A method where malware is automatically downloaded and installed when a user visits a compromised or malicious website.

Q: Can a website with SSL (green lock) be dangerous?

A: Yes, SSL only ensures encrypted communication but doesn’t guarantee the website is legitimate or safe.

Q: What makes EDR different from traditional Antivirus?

A:

• EDR: Behavioral analysis, threat hunting, incident response capabilities, continuous monitoring
• Antivirus: Signature-based detection, primarily preventive

Q: How would you classify a website as malicious?

A: Based on:

• Known malicious domains/IPs
• Suspicious redirects
• Malware hosting
• Phishing indicators
• Certificate anomalies
• Content analysis

Data Protection and Privacy

Q: What is GDPR and how does it affect organizations?

A: General Data Protection Regulation - EU privacy law requiring:

• Data protection by design
• User consent for data processing
• Right to data erasure
• Data breach notifications
• Significant financial penalties for violations

Q: What is DLP (Data Loss Prevention)?

A: Technologies and policies to detect and prevent unauthorized data exfiltration or sharing.

Q: What is Data Exfiltration and what are some methods?

A: Unauthorized transfer of data from a system. Methods include:

• Email attachments
• USB drives
• Cloud storage uploads
• Network protocols (DNS, HTTP)
• Steganography

Q: How can you check for Data Exfiltration activities?

A:

• Monitor unusual network traffic patterns
• Analyze user behavior analytics
• Check for large file transfers
• Monitor cloud storage activities
• Review email attachments and activities

Programming and Scripting Security

Q: Write code to fetch valid email addresses from a JSON file.

A:

import json
import re

def extract_emails_from_json(filename):
    email_pattern = r'\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b'
    emails = []
    
    with open(filename, 'r') as file:
        data = json.load(file)
        text = json.dumps(data)
        emails = re.findall(email_pattern, text)
    
    return list(set(emails))  # Remove duplicates

Q: Write a RegEx to filter websites/URLs.

A: https?:\/\/(www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b([-a-zA-Z0-9()@:%_\+.~#?&//=]*)

Q: Write a RegEx for phone numbers (10 digits).

A: (\+\d{1,3}\s?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}

Q: How would you replace all occurrences of ‘string_1’ with ‘string_1_1’ in a text file using Bash?

A: sed -i 's/string_1/string_1_1/g' filename.txt

Risk Management and Compliance

Q: What is residual risk?

A: The level of risk that remains after security controls have been implemented.

Q: Is there an acceptable level of risk?

A: Yes, organizations must determine their risk appetite based on business objectives, regulatory requirements, and available resources.

Q: How do you measure information security risk?

A: Risk = Threat × Vulnerability × Impact Common frameworks include FAIR (Factor Analysis of Information Risk) and qualitative risk matrices.

Q: What is Business Continuity Management?

A: The process of creating systems of prevention and recovery to deal with potential threats and ensure business operations continue.

Q: What is Change Management in security context?

A: The process of controlling and documenting changes to systems to maintain security posture and prevent unauthorized modifications.

Advanced Topics

Q: What security challenges does SOA (Service-Oriented Architecture) present?

A:

• Service discovery vulnerabilities
• Message-level security requirements
• Identity propagation across services
• Denial of service attacks on services
• Data validation at service boundaries

Q: What is capability-based security?

A: A security model where permissions are based on capabilities (tokens) that grant specific access rights rather than identity-based access control.

Q: How do you ensure a design anticipates human error?

A:

• Implement fail-safe defaults
• Use principle of least privilege
• Provide clear user interfaces
• Implement confirmation dialogs for critical actions
• Regular security awareness training

Q: What type of security flaw exists in VPN?

A:

• Split tunneling vulnerabilities
• DNS leaks
• Weak encryption protocols
• Authentication bypass
• Side-channel attacks

Q: What is the 80/20 rule in networking?

A: Originally, 80% of network traffic stayed local, 20% crossed the network boundary. Modern networks often reverse this ratio due to cloud services and remote work.