Core technical questions for DevOps engineers
Hiring managers use foundational questions to assess a candidate's hands-on experience with the core pillars of DevOps: CI/CD, containers, Infrastructure as Code (IaC), and version control. These topics form the baseline of technical competency required for the role.
Strong answers demonstrate practical experience and the ability to reason through trade-offs. Candidates should move beyond textbook definitions to explain how they've applied these concepts in real-world environments to solve specific problems.
DevOps Security Best Practices [Cheat Sheet]
In this 12 page cheat sheet we'll cover best practices in the following areas of DevOps: secure coding practices, infrastructure security, monitoring and response.
What is CI/CD and how have you implemented it?
Understanding automation philosophy and hands-on experience building and maintaining pipelines matters here. Look for whether candidates view CI/CD as just a set of tools or as a methodology for delivering software reliably and repeatedly.
Good answers detail specific tools used, such as Jenkins, GitHub Actions, or GitLab CI, and explain the stages implemented within the pipeline. Candidates should discuss how they handle build failures, automated testing gates, and rollback strategies when a deployment goes wrong. They should articulate the value of fast feedback loops for developers.
Red flags include vague answers about "automation" without concrete examples of pipeline structure or tool usage. An inability to explain why certain stages (like linting, unit testing, or integration testing) exist suggests a lack of practical depth.
How do you manage Infrastructure as Code, and what tools have you used?
The ability to treat infrastructure declaratively and maintain reproducibility across environments is critical. Look for whether candidates understand the shift from manual provisioning to code-based management.
Good answers demonstrate experience with tools like Terraform, CloudFormation, or Pulumi. Candidates should explain concepts like state management, drift detection, and the benefits of module reuse to avoid duplication and maintain consistency. They should also mention storing IaC in version control to enable collaboration and auditability.
Red flags include confusion between configuration management tools like Ansible and provisioning tools like Terraform. A failure to mention version control for IaC suggests the candidate may still rely on manual processes or "ClickOps."
Explain the difference between Docker containers and virtual machines.
A foundational understanding of containerization, resource isolation, and the architectural differences between modern and legacy infrastructure comes through here.
Good answers explain that containers share the host OS kernel and are lightweight, whereas virtual machines (VMs) include a full guest operating system and rely on a hypervisor. Candidates should discuss startup time differences and use cases, such as using VMs for strong isolation and containers for microservices and density.
Red flags include an inability to explain when VMs are still appropriate or confusion about the security boundaries of containers. Candidates should understand that containers are processes on the host, not fully independent machines.
How do you handle secrets in a CI/CD pipeline?
Security awareness within DevOps workflows is essential. Look for whether candidates prioritize security best practices or rely on insecure shortcuts that could lead to data breaches, which IBM reports cost $4.88 million on average.
Candidates should explain how secrets are injected as environment variables or delivered via short-lived identity federation (e.g., GitHub Actions OIDC with AWS IAM, GCP Workload Identity) at runtime rather than being hardcoded. Strong candidates distinguish between long-lived secrets requiring rotation and ephemeral credentials that expire automatically. They should also mention practices like secret rotation and strict access controls.
Red flags include suggesting that secrets be stored in environment files committed to repositories. A lack of mention regarding rotation or limiting access scope indicates a weak security mindset.
What is the difference between Git merge and Git rebase?
Version control fluency and collaboration practices matter. Understanding how candidates manage code history and resolve conflicts in a team setting provides valuable insight.
Good answers provide a clear explanation of how "merge" preserves history while "rebase" rewrites it to create a linear progression. Candidates should explain when to use each strategy and discuss team conventions they have followed to maintain a clean repository history.
Red flags include an inability to explain the implications of rewriting history on shared branches. Confusion about conflict resolution or how these commands affect the commit log suggests a lack of experience working in collaborative coding environments.
Watch 5-minute demo
Watch the demo to learn how Wiz Code scans infrastructure as code, container images, and CI/CD pipelines to catch risks early—before they reach the cloud.
Watch now
Cloud platform and architecture questions
Experience with major cloud providers and architectural decision-making becomes increasingly important as organizations adopt multi-cloud strategies. The ability to design resilient and scalable systems is a critical skill for DevOps engineers.
How do you design for high availability in AWS, Azure, or GCP?
Understanding cloud-native resilience patterns and the ability to design systems that can withstand failures is key.
Good answers focus on multi-AZ (Availability Zone) deployments to ensure redundancy across physical data centers. Candidates should discuss load balancing, auto-scaling groups, and database replication strategies to maintain uptime. They should also mention failover mechanisms and health checks.
Red flags include single-region thinking without considering disaster recovery. A failure to mention specific failure scenarios or metrics like Recovery Time Objectives (RTO) indicates a lack of architectural maturity.
What is the difference between horizontal and vertical scaling?
Understanding scalability fundamentals and the trade-offs involved in managing resource growth is essential.
Good answers provide clear definitions: vertical scaling (scaling up) involves adding more power to an existing machine, while horizontal scaling (scaling out) involves adding more machines to a pool. Candidates should explain when each is appropriate, noting the cost and complexity trade-offs.
Red flags include an inability to explain the physical limitations of vertical scaling. Candidates should also connect horizontal scaling to cloud auto-scaling features and stateless application design.
How do you manage Kubernetes clusters in production?
Hands-on orchestration experience and the ability to maintain complex distributed systems in a live environment matter here.
Good answers cover specific deployment strategies like rolling updates, blue-green deployments, or canary releases. Candidates should discuss setting resource limits (requests and limits) to prevent contention, implementing health checks (liveness and readiness probes), and using namespaces for isolation.
Red flags include possessing only theoretical knowledge without operational scars. A failure to mention troubleshooting pod failures, managing node pools, or handling resource contention suggests the candidate has not managed Kubernetes at scale.
Explain the difference between a Deployment and a StatefulSet in Kubernetes.
The depth of a candidate's Kubernetes understanding, specifically regarding how different workload types are managed, comes through here.
Good answers distinguish between stateless workloads managed by Deployments and stateful workloads managed by StatefulSets. Candidates should explain that StatefulSets provide stable network identities and persistent storage for applications like databases.
Red flags include confusion about when to use each controller. Candidates who cannot provide practical examples of when a StatefulSet is necessary often lack experience with data-intensive workloads on Kubernetes.
DevSecOps vs DevOps: Key differences & Comparison
DevOps is a way of working that breaks down walls between development and operations teams. This means developers and IT operations work together instead of in separate silos, which helps companies build and release software faster.
Read more
DevSecOps and security questions
Security is now embedded in DevOps responsibilities rather than being a siloed function. Look for whether candidates can integrate security practices directly into pipelines and infrastructure, a practice often referred to as DevSecOps.
How do you shift security left in the development lifecycle?
Understanding proactive security integration and the ability to catch issues early when they're cheaper and easier to fix is critical.
Good answers describe implementing Infrastructure as Code (IaC) scanning and container image scanning directly in the CI pipeline. Candidates should mention dependency vulnerability checks and policy-as-code enforcement to prevent misconfigurations from reaching production.
Red flags include treating security as a gate at the very end of the process. A failure to mention feedback loops that empower developers to fix security issues themselves indicates a traditional, siloed mindset.
How do you handle vulnerabilities discovered in production?
Incident response maturity and prioritization skills matter when prevention fails and a risk is live.
Good answers describe a triage process based on exploitability and exposure, not just severity scores. Candidates should discuss patching workflows, automated rollback procedures, and the importance of post-incident reviews to prevent recurrence.
Red flags include a lack of a prioritization framework, such as treating all vulnerabilities equally regardless of context. Candidates should understand that not every vulnerability requires an immediate 2 a.m. wake-up call.
What is the principle of least privilege and how do you implement it?
Identity and access management (IAM) understanding is fundamental to securing cloud environments against lateral movement.
Good answers discuss using scoped IAM roles and service account restrictions. Candidates should mention regular access reviews and the practice of avoiding wildcard permissions (*) in policies. They should explain that users and services should only have the permissions necessary to perform their specific tasks.
Red flags include defaulting to admin access for convenience. A failure to mention auditing or the risks of over-provisioned identities suggests a disregard for security best practices.
How do you secure container images before deployment?
Container security awareness and the ability to secure the software supply chain come through here.
Good answers include selecting minimal, trusted base images (e.g., Chainguard, Distroless, Alpine) and implementing automated vulnerability scanning in CI pipelines. Candidates should discuss image signing with tools like Cosign or Notary to verify integrity, enforcing deploy-time verification via Kubernetes admission controllers (e.g., Kyverno, OPA Gatekeeper), and using registry access controls to prevent unauthorized modifications. They should also mention avoiding running containers as the root user.
Red flags include having no scanning process in place. Pulling unverified images from public registries without validation is a significant security risk that candidates should identify.
How do you ensure CI/CD pipelines produce auditable evidence for compliance?
Understanding that compliance frameworks like SOC 2, ISO 27001, and NIST require demonstrable controls, not just implemented controls, is essential.
Good answers describe immutable build logs, artifact provenance tracking, and automated evidence collection. Candidates should mention storing pipeline outputs (test results, scan reports, approval records) in tamper-evident storage and generating audit trails that map to specific control requirements.
Red flags include treating compliance as a manual, periodic activity rather than an automated, continuous process. Candidates who cannot explain how their pipelines support auditor requests lack enterprise readiness.
How do you implement segregation of duties in release workflows?
Understanding access controls that prevent single individuals from deploying unreviewed code to production is a requirement in many compliance frameworks.
Good answers describe requiring code review approvals from different individuals than the author, separating build and deploy permissions, and implementing approval gates for production deployments. Candidates should mention role-based access controls in CI/CD platforms like GitHub branch protection rules or GitLab merge request approvals.
Red flags include allowing developers to merge and deploy their own code without review. Candidates who see segregation of duties as bureaucratic overhead rather than a security control may struggle in regulated environments.
DevOps engineer resume: Structure, skills, and examples
The best DevOps resumes show collaboration, not just automation. Top candidates demonstrate they can bridge development, operations, and security teams rather than working in isolation. Hiring managers look for evidence of cross-functional communication.
Read more
Monitoring, observability, and incident response questions
Observability is critical for fast-moving cloud environments where system behavior can be unpredictable. Look for how candidates maintain visibility and respond to production issues effectively.
What is the difference between monitoring and observability?
Understanding modern operational practices and distinguishing between tracking known failure modes and understanding complex system behavior is key.
Good answers define monitoring as tracking known metrics to detect expected failures ("known knowns"). Observability is defined as the ability to infer internal system behavior from emitted outputs (logs, metrics, and distributed traces) and ask new questions to understand unexpected behaviors ("unknown unknowns"). Unlike monitoring, which tracks predefined thresholds, observability enables debugging novel failure modes by correlating signals across services.
Red flags include treating the two terms as synonyms. A failure to mention distributed tracing suggests the candidate may struggle to debug microservices architectures.
How do you approach troubleshooting a production outage?
Systematic debugging skills and communication under pressure matter. Look for whether candidates panic or follow a logical process.
Good answers outline a structured approach: checking dashboards, reviewing recent changes, and isolating components. Candidates should emphasize communication with stakeholders and the importance of documenting findings. They should mention that restoring service is the priority, often via rollback, before root cause analysis begins.
Red flags include random guessing or "shotgun debugging." A failure to mention rollback as an immediate remediation option or poor communication practices are warning signs.
What tools do you use for monitoring and alerting?
Practical tooling experience and the ability to configure effective alert strategies come through here.
Good answers list specific tools like Prometheus, Grafana, Datadog, or CloudWatch. Candidates should explain how they configure alerts to avoid noise and alert fatigue, such as using thresholds and grouping similar alerts.
Red flags include having no experience with monitoring tools. An inability to explain how to tune alerts to prevent false positives suggests the candidate has not operated a production system.
Describe a time you responded to a critical production incident.
Real-world experience and a learning mindset matter. Look beyond theory to actual performance in high-stress situations.
Good answers provide specific details about the incident, the actions taken to resolve it, and the outcome. Crucially, candidates should discuss lessons learned and the improvements made to prevent recurrence.
Red flags include blaming others for the incident. Vague stories that lack detail or a failure to mention post-incident improvements suggest the candidate may not take ownership of reliability.
GitOps vs. DevOps: How GitOps Keeps You Aligned
While DevOps delineates collaboration and automation practices that emphasize infrastructure provisioning and continuous monitoring, GitOps extends its concepts by employing Git as the single source of truth for both application and infrastructure settings.
Read more
Behavioral and collaboration questions
DevOps is fundamentally about collaboration between teams. Look for how candidates work with developers, security, and operations to build a culture of shared responsibility.
How do you handle disagreements with developers about deployment processes?
Collaboration skills and the ability to find common ground matter. Look for whether candidates act as gatekeepers or enablers.
Good answers involve listening to concerns, explaining the trade-offs of different approaches, and finding compromises. Candidates should mention making data-driven decisions and aligning on shared goals like stability and velocity.
Red flags include dismissing developer concerns or rigid adherence to process without flexibility. DevOps engineers must balance reliability with the need for speed.
Describe a time you automated a manual process.
Initiative and the ability to measure impact come through here. Look for the core DevOps value of eliminating toil.
Good answers identify a specific manual process, describe the tools used to automate it, and quantify the improvement (e.g., "reduced deployment time by 50%"). Candidates should explain how they drove adoption of the new process.
Red flags include automating for the sake of automation without clear value. A failure to measure the impact suggests the candidate focuses on tasks rather than outcomes.
How do you keep your technical skills current?
A growth mindset and self-direction are vital in a field where tools and best practices change rapidly.
Good answers list specific learning methods, such as home labs, certifications, or community involvement. Candidates should mention recent technologies they have explored and why they found them interesting.
Red flags include a lack of proactive learning. Relying solely on on-the-job exposure limits a candidate's ability to introduce new and better solutions.
How do you bridge the gap between development and operations teams?
Understanding DevOps culture and the ability to break down silos is essential.
Good answers discuss shared ownership, blameless postmortems, and establishing cross-team communication channels. Candidates should demonstrate empathy for the different priorities of developers (speed) and operations (stability).
Red flags include adversarial framing, such as "us vs. them." Candidates who prefer working in silos are generally poor fits for DevOps roles.
Unified platforms and modern DevOps security
Modern DevOps roles benefit significantly from platforms that unify visibility across code, cloud, and runtime. Disconnected tools create data silos, making it difficult to prioritize risks and collaborate effectively.
Context-aware prioritization reduces alert noise, helping teams focus on exploitable risks rather than chasing every vulnerability. For example: instead of fixing every CVE, teams can prioritize the ones on internet-exposed workloads with high-privilege identities and paths to sensitive data, turning thousands of findings into a focused remediation list. This is critical for maintaining deployment velocity while ensuring security. Integrating security checks without adding friction allows DevOps engineers to operationalize security naturally.
Wiz integrates code, cloud, and runtime security into a unified workflow, giving DevOps teams full visibility across the development lifecycle. Wiz Code maps code repositories and CI/CD pipelines to cloud environments, prioritizing critical issues and linking them to the responsible teams for faster remediation. DevOps engineers get real-time feedback in IDEs and pull requests to secure code from the start, reducing security debt and speeding up fixes. By integrating with developer tools, Wiz strengthens security without slowing down development, helping teams operationalize security without managing additional agents or juggling disconnected tools.
Request a demo to see how unified code, cloud, and runtime context helps teams prioritize and remediate real risk faster.
Catch code risks before you deploy
Learn how Wiz Code scans IaC, containers, and pipelines to stop misconfigurations and vulnerabilities before they hit your cloud.
