LLM / AI Security — Interview Grill

100+ active-recall questions. Pair with LLM_SECURITY_DEEP_DIVE.md. Answer each in <60 seconds out loud. Mark anything you can't answer cleanly and re-read the relevant section.


Section A — Foundations and threat model (Q1–10)

  1. Why is LLM security different from classical infosec and from classical alignment?
  2. Why does "instructions and data share a channel" matter?
  3. Define misuse, confidentiality, integrity, availability attacks against LLMs. Give one example of each.
  4. What's a confused deputy? Why are LLM agents prone to it?
  5. What does "the lethal trifecta" mean? Name the three legs.
  6. Black-box vs grey-box vs white-box LLM attacks — what changes for the attacker?
  7. Why are open-weights frontier models a security headache?
  8. Name three pretraining-time attack vectors.
  9. Name three inference-time attack vectors.
  10. Why does behavioural alignment evaluation alone not rule out misalignment? (Reference Sleeper Agents.)

Section B — Prompt injection (Q11–20)

  11. Define direct prompt injection.
  12. Define indirect prompt injection. Who coined it?
  13. Give three real channels through which indirect injection can land in context.
  14. What's multi-modal prompt injection? Give one image-based and one audio-based example.
  15. Why does "putting the rule in the system prompt" not defend against indirect injection?
  16. Why does pattern-matching for injection strings fail?
  17. Walk through how the lethal trifecta enables data exfiltration via an indirectly-injected agent.
  18. What's the "spotlighting" defense?
  19. What's the "dual-LLM / quoting" defense?
  20. Why is indirect injection considered the worst class of LLM attack right now?

Section C — Jailbreaks (Q21–32)

  21. Define a jailbreak. How is it different from injection?
  22. What's DAN / persona jailbreak?
  23. What's prefix injection?
  24. What's refusal suppression?
  25. Why do encoding tricks (base64, ROT13, ASCII art) sometimes succeed?
  26. Walk through Crescendo. Why does it exploit context coherence?
  27. Walk through Skeleton Key.
  28. Walk through Many-Shot Jailbreaking. Why does it scale with context length?
  29. Walk through Best-of-N. Why is it model-agnostic?
  30. Why do low-resource languages still produce jailbreak vectors?
  31. Why doesn't more RLHF "fix" jailbreaks once and for all?
  32. Why is fine-tuning on even a small dataset (BadLlama / Qi et al.) a jailbreak?

Section D — Optimization-based adversarial attacks (Q33–40)

  33. Sketch GCG end-to-end.
  34. Why do GCG suffixes transfer across models?
  35. Walk through PAIR.
  36. What's AutoDAN?
  37. What's PAP and what's the high-level claim?
  38. What does "latent-space attack" mean?
  39. What is a Universal Adversarial Trigger? How does it differ from a per-prompt attack?
  40. Compare GCG (white-box gradient) vs PAIR (black-box LLM-vs-LLM).

Section E — Defenses against jailbreaks (Q41–50)

  41. Why is RLHF refusal training only a partial defense?
  42. What's adversarial training, and what are its limits?
  43. What are circuit breakers (Zou et al. 2024) and why are they more robust?
  44. What's latent adversarial training?
  45. What does Llama Guard do?
  46. What are Constitutional Classifiers?
  47. What's SmoothLLM, and what attack does it defeat?
  48. Output-side classifiers vs input-side classifiers — when do you use each?
  49. Why is "the system prompt is secret" a fragile defense?
  50. Defense in depth — what does it mean for an LLM product?

Section F — Data poisoning and backdoors (Q51–58)

  51. What is pretraining-data poisoning? How can an attacker inject content cheaply?
  52. What's a backdoor / trojan attack?
  53. What are sleeper agents? What was Anthropic's headline finding?
  54. Why does standard safety training fail on sleeper agents?
  55. Walk through the BadLlama-style fine-tuning attack.
  56. Why does this make fine-tuning APIs a security perimeter?
  57. What is RLHF-data poisoning? What's the defense?
  58. How does deduplication of training data interact with backdoor robustness?

Section G — Memorization, extraction, privacy (Q59–66)

  59. What is training-data extraction? Cite the canonical paper.
  60. Walk through the ChatGPT divergence attack (Nasr et al. 2023).
  61. Why does memorization scale with model size?
  62. What is membership inference? Two methods.
  63. What is Min-K%-prob? Why does it work?
  64. What is logit-extraction stealing (Carlini 2024)? What does it recover?
  65. What is embedding inversion (Vec2Text)? What's the privacy implication?
  66. Why are vector DB embeddings PII?

Section H — Agents and tools (Q67–78)

  67. What's the agent security threat model in one sentence?
  68. Indirect injection in tool output — give a concrete attack chain.
  69. What's a tool-arg injection attack?
  70. Markdown image-fetch exfiltration — how does it work and how do you prevent it?
  71. What's denial-of-wallet? How do you defend?
  72. What does AgentDojo measure?
  73. Why does an agent that browses the web AND reads private files AND can post webhooks have a critical risk?
  74. How do you architect a coding agent to avoid the lethal trifecta?
  75. What's the defense pattern for "send email" tools?
  76. What does human-in-the-loop add and why is it imperfect?
  77. What attacks does sandboxing protect against? What does it not protect against?
  78. Capability scoping per task — give an example.

Section I — Output handling and product vulns (Q79–86)

  79. How does markdown XSS work in chat UIs?
  80. Why is rendering raw HTML from an LLM dangerous?
  81. SQL injection via LLM-generated queries — how to prevent?
  82. SSRF via LLM-proposed URLs — how to prevent?
  83. Path traversal via LLM-proposed filenames — how to prevent?
  84. Why is OWASP Top 10 for LLM Applications worth memorizing?
  85. Why is logging in an LLM product subtle from a privacy perspective?
  86. Code-execution agent — what's the minimum viable sandbox?

Section J — Red-teaming and evaluation (Q87–94)

  87. Manual vs automated red-teaming — when do you use each?
  88. What does HarmBench measure? What does JailbreakBench add?
  89. What's StrongREJECT and why is it harder to fool than a vanilla GPT-judge?
  90. What's WMDP measuring?
  91. What's CyberSecEval?
  92. What's Perez et al. 2022's contribution?
  93. What does an external pre-deployment AISI evaluation look like?
  94. Why do bug bounty programs exist for LLMs in 2024+?

Section K — Privacy and unlearning (Q95–100)

  95. What is differential privacy at training? Why is it impractical at frontier scale?
  96. What is machine unlearning? Name two methods (TOFU / NPO).
  97. What's the GDPR right-to-be-forgotten implication for LLMs?
  98. PII redaction at training-time vs inference-time — what's the difference?
  99. What's the EU AI Act's treatment of frontier "general purpose AI"?
  100. What does HIPAA require for an LLM-based medical app?

Section L — Frameworks and policy (Q101–105)

  101. What's Anthropic's RSP? What is ASL-3?
  102. What's OpenAI's Preparedness Framework?
  103. What's DeepMind's Frontier Safety Framework? What are CCLs?
  104. What's METR? Why does it matter?
  105. NIST AI RMF + AI 600-1 — what's it for?

Section M — Senior-level scenario questions (Q106–115)

  106. Scenario. You're shipping a customer-support agent that reads internal docs, searches the web, and can email customers. Walk me through the security architecture.
  107. Scenario. A pen-tester demonstrates a GCG suffix jailbreak on your API. What's your incident response and what do you ship?
  108. Scenario. Researchers report indirect injection in your RAG pipeline causing exfiltration via image-fetch. Walk me through root cause and the layered fix.
  109. Scenario. Your product offers a code-interpreter tool. Design the sandbox.
  110. Scenario. Your customer wants on-prem deployment with their fine-tunes. What policy controls do you require?
  111. Scenario. A user reports the model emitted what looks like another customer's PII. What's your investigation and remediation?
  112. Scenario. You're red-teaming a new release. What benchmarks do you run, and what gates do you put on shipping?
  113. Scenario. Design the eval suite and gating policy for an agent that controls a browser.
  114. Scenario. The model is suspected to have been pretrained on contaminated benchmarks. How do you confirm and what do you publish?
  115. Scenario. Your fine-tuning API is being abused to strip safety training. Design the abuse-detection pipeline.

Quick fire (Q116–135)

  116. One line: prompt injection.
  117. One line: indirect prompt injection.
  118. One line: lethal trifecta.
  119. One line: GCG.
  120. One line: PAIR.
  121. One line: Crescendo.
  122. One line: Many-Shot Jailbreaking.
  123. One line: Best-of-N Jailbreaking.
  124. One line: Skeleton Key.
  125. One line: Sleeper Agents.
  126. One line: BadLlama.
  127. One line: SmoothLLM.
  128. One line: Circuit Breakers.
  129. One line: Constitutional Classifiers.
  130. One line: AgentDojo.
  131. One line: HarmBench.
  132. One line: StrongREJECT.
  133. One line: Min-K%-prob.
  134. One line: Vec2Text.
  135. One line: RSP / Preparedness / FSF.

Self-grading

  • 110+ correct: ready for frontier-lab security or AI-safety-engineering rounds.
  • 80–109: re-read §3 (injection), §4 (jailbreaks), §9 (agents), §12 (defenses), §16 (production).
  • 50–79: re-read full deep dive then redo.
  • <50: take three days on the deep dive, drill §18 senior signals, then come back.

7-day drill plan

  • Day 1: §1–2 (foundations, threat model). Drill A.
  • Day 2: §3 (prompt injection) + §4 (jailbreak taxonomy). Drill B, C.
  • Day 3: §5 (optimization attacks) + §12 (defenses). Drill D, E.
  • Day 4: §6 (poisoning) + §7–8 (extraction/privacy). Drill F, G.
  • Day 5: §9 (agents) + §10–11 (plugins, output). Drill H, I.
  • Day 6: §13 (red-team/eval) + §14 (privacy) + §15 (frameworks). Drill J, K, L.
  • Day 7: §16 (production) + §17 (case studies) + §18 (senior signals). Drill M (scenarios) + Quick fire. Whiteboard a security architecture for one product.