Capstone: Mock Loop & Self-Exam
Run the full loop on yourself before the real thing
Scripting drill (timed)
After this you can rehearse the live automation problem under time.
Cursor's first technical screen hands you a real automation problem and a clock. The IT Systems Engineer role is software engineering applied to IT, so the interviewer is watching whether you reach for code by default and whether that code is safe to run against a production tenant.
Set a 45-minute timer and solve the canonical IT scripting problem out loud, exactly as you would on the call. The prompt below is the one this role gets asked in some shape every time, because it touches identity lifecycle, API hygiene and the blast radiusHow much breaks if a change goes wrong; the scope of potential damage. of getting deactivation wrong.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Each section of this capstone rehearses one stage. Click a stage to see what it tests and how to prep.
The prompt: write a script that reconciles your IdP's user list against an HRIS export and deactivates accounts that no longer have an active employee record. Treat “deactivate a human's access” as the highest-stakes line you'll write and design every safeguard around the possibility that the HRIS export is wrong.
The four constraints they gradeNon-negotiable for this role
Running it twice changes nothing the second time.
Already-deactivated users are a no-op, not an error.
State lives in the systems, not in a local file you have to keep.
Default mode prints what it would do and touches nothing.
A --apply flag is required to make a change.
Output is a diff a human can review before committing.
Okta and Google paginate; you must follow next links.
Honor 429s with backoff and respect Retry-After.
Never assume page one is the whole directory.
Token from env or a secret manager, never hard-coded.
Structured logs of every decision, with the reason.
Logs are your audit evidence for a SOC 2 access review.
Notice the safety asymmetry. A missed deactivation leaves a stale account for a day until the next run catches it. A false deactivation locks an active employee out of everything mid-sprint. So your default has to fail toward not acting: dry-run unless told otherwise and a guardrail that refuses to deactivate more than a sane fraction of the directory in one pass.
import os, sys, time, logging, requests
logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(message)s")
log = logging.getLogger("jml-reconcile")
OKTA_URL = os.environ["OKTA_URL"] # never hard-code
TOKEN = os.environ["OKTA_API_TOKEN"] # from env / secret manager
HEADERS = {"Authorization": f"SSWS {TOKEN}", "Accept": "application/json"}
MAX_DEACTIVATE_RATIO = 0.10 # refuse a runaway purge
def get_paged(url):
while url:
r = requests.get(url, headers=HEADERS, timeout=30)
if r.status_code == 429: # respect rate limits
wait = int(r.headers.get("Retry-After", "5"))
log.warning("rate limited, sleeping %ss", wait); time.sleep(wait); continue
r.raise_for_status()
yield from r.json()
url = r.links.get("next", {}).get("url") # follow pagination
def active_hris_emails(path):
import csv
with open(path) as f:
return {row["work_email"].lower() for row in csv.DictReader(f)
if row["status"].lower() == "active"}
def reconcile(hris_path, apply=False):
truth = active_hris_emails(hris_path)
idp_active = [u for u in get_paged(f"{OKTA_URL}/api/v1/users?filter=status eq \"ACTIVE\"")]
orphans = [u for u in idp_active if u["profile"]["email"].lower() not in truth]
if len(orphans) > len(idp_active) * MAX_DEACTIVATE_RATIO:
log.error("guard tripped: %d/%d would deactivate - aborting, check the HRIS export",
len(orphans), len(idp_active)); sys.exit(2)
for u in orphans:
email = u["profile"]["email"]
if not apply:
log.info("DRY-RUN would deactivate %s (no active HRIS record)", email); continue
resp = requests.post(f"{OKTA_URL}/api/v1/users/{u['id']}/lifecycle/deactivate",
headers=HEADERS, timeout=30)
if resp.status_code in (200, 404): # 404 = already gone => idempotent no-op
log.info("deactivated %s", email)
else:
log.error("FAILED %s: %s %s", email, resp.status_code, resp.text)
log.info("done: %d orphans, apply=%s", len(orphans), apply)
if __name__ == "__main__":
reconcile(sys.argv[1], apply="--apply" in sys.argv)Typing it perfectly is not the bar. The bar is that you can defend every line: why dry-run is the default, why the ratio guard exists, why a 404 on deactivate is success rather than failure. If you can't justify a line, you don't own it yet.
The 45-minute protocolRun it like the real screen
- 10–5 min · Clarify the source of truth and the blast radiusHow much breaks if a change goes wrong; the scope of potential damage.. Is HRIS authoritative? What's the worst case if the export is stale? Are there service accounts to exclude? The answers shape every safeguard.
- 25–10 min · State the plan and the failure mode out loud. Commit: “Pull active IdP users, diff against active HRIS emails, dry-run by default and abort if the diff is suspiciously large.”
- 310–35 min · Write it with the safe default first. Pagination, env-based secrets, structured logs and the ratio guard before you write the deactivate call. Make the destructive path the one that needs an explicit flag.
- 435–42 min · Test the happy path and the dangerous path. Run dry-run, then simulate a truncated HRIS export and confirm the guard trips instead of purging the company.
- 542–45 min · Name what you'd add in prod. Idempotency you'd verify, a Slack notification on every apply and a scheduled run in CI with the secret injected, not stored.
The trap is treating the HRIS export as gospel. A late payroll sync, a contractor not yet loaded or a column rename can turn “reconcile” into a mass lockout. Senior candidates build the guardrail unprompted and say so: “I won't deactivate more than 10% in one run without a human confirming the export looks right.”
“I'm defaulting to dry-run because deactivating a real person's access is irreversible in the moment and the cost of a false positive is far higher than the cost of catching a stale account one run later.”
Run the drill twice: once with AI assistance and once without. The first technical screen may bar AI tooling to test fundamentals, while the later work-trial expects fluent AI use. You want to be calm in both modes.
Takeaway. Treat the live scripting problem as a deactivation with real blast radiusHow much breaks if a change goes wrong; the scope of potential damage.: dry-run by default, idempotent re-runs, paginate and respect rate limits, secrets from env and a ratio guard that refuses a runaway purge - then narrate every safeguard out loud.
Self-check
QYour reconciliation script reads an HRIS export, finds 400 of 1,200 IdP users with no matching active record and is about to deactivate all 400. What's the senior response and why?
Design prompt (whiteboard)
After this you can execute a full end-to-end systems-design answer.
The second technical screen is a scenario round: design a system end-to-end with the trade-offs spoken. For this role the canonical prompt is the joiner/mover/leaver pipeline - automate onboarding and offboarding across the IdP, HRIS and downstream SaaS so access is instant, correct and audited.
Time-box it to 30 minutes and start by clarifying, not drawing. The interviewer is grading whether you find the source of truth, reason about drift and name failure modes before you commit to an architecture.
Clarify first - the questions that anchor the designSpend the first 3 minutes here
- What's authoritative for identity - the HRIS (Workday/Rippling) or a manual request? Everything downstream flows from that answer.
- What's the access model: static role-to-group mappings or dynamic groups derived from department and title attributes?
- How fast must offboarding be - same-minute on termination or end-of-day batch? That decides event-driven vs scheduled.
- Which apps support SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. and which only have a REST API or no API at all? The long tail of non-SCIM apps is where the design earns its keep.
The data flow, end to endSource of truth → IdP → SaaS + device
- 1HRIS is the source of truth. A new hire, role change or termination in the HRIS is the trigger. Prefer a webhook for same-minute action, with a scheduled full reconciliation as the safety net that catches missed events.
- 2IdP is the control plane. The HRIS event provisions or updates the user in Okta/Entra and assigns groups from role and department attributes. Group membership, not per-app clicks, is what grants access.
- 3SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. pushes to downstream SaaS. Group assignment drives SCIM provisioning into Google Workspace, Slack, Zoom and the rest. Deprovisioning is the same path in reverse: remove from group, SCIM deactivates downstream.
- 4MDM handles the device. A joiner triggers zero-touch enrollment (ABM/Autopilot) so the laptop arrives configured; a leaver triggers a remote lock or wipe and license reclaim.
- 5Reconciliation closes drift. A scheduled job re-derives expected state from the HRIS and diffs it against every downstream system, alerting on or correcting accounts that drifted out of band.
The single highest-value idea to volunteer here is that the pipeline is a reconciliation loop, not a one-shot script. Events drift, webhooks get missed, an admin grants access by hand. A design that only reacts to events will silently rot; a design that periodically re-derives truth and corrects drift stays correct.
Hit every axis the rubric gradesSay these unprompted
- Axis
- Source of truth
- What a strong answer says
- HRIS authoritative; IdP is the control plane; manual grants are exceptions that reconciliation will flag.
- Axis
- Idempotency
- What a strong answer says
- Every provision/deprovision is safe to re-run; reconciliation converges to the same state regardless of how many times it runs.
- Axis
- Drift + reconciliation
- What a strong answer says
- Scheduled diff of expected vs actual across IdP and SaaS; out-of-band grants are detected and remediated or alerted.
- Axis
- Secrets
- What a strong answer says
- API tokens in a secret manager, scoped and rotated; no standing admin creds in the pipeline; least privilege per integration.
- Axis
- Audit
- What a strong answer says
- Every JML action logged with actor, target, reason and timestamp - this is the SOC 2 access-review evidence, generated for free.
- Axis
- Failure modes
- What a strong answer says
- Webhook dropped → reconciliation catches it; SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. endpoint down → retry with backoff + dead-letter queue; partial failure → idempotent retry, not double-grant.
- Axis
- Scale
- What a strong answer says
- Group-based access so adding an app is one mapping, not N user edits; the design holds as headcount and M&A integrations grow.
| Axis | What a strong answer says |
|---|---|
| Source of truth | HRIS authoritative; IdP is the control plane; manual grants are exceptions that reconciliation will flag. |
| Idempotency | Every provision/deprovision is safe to re-run; reconciliation converges to the same state regardless of how many times it runs. |
| Drift + reconciliation | Scheduled diff of expected vs actual across IdP and SaaS; out-of-band grants are detected and remediated or alerted. |
| Secrets | API tokens in a secret manager, scoped and rotated; no standing admin creds in the pipeline; least privilege per integration. |
| Audit | Every JML action logged with actor, target, reason and timestamp - this is the SOC 2 access-review evidence, generated for free. |
| Failure modes | Webhook dropped → reconciliation catches it; SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. endpoint down → retry with backoff + dead-letter queue; partial failure → idempotent retry, not double-grant. |
| Scale | Group-based access so adding an app is one mapping, not N user edits; the design holds as headcount and M&A integrations grow. |
Naming a failure mode before the interviewer asks is the difference between a 3 and a 5.
If you draw the JML pipeline, expect the follow-up: now design zero-trust access combining identity, device posture and network. Same clarify-first habit. Every access decision is evaluated per request on three signals - verified identity (Okta + MFA/passkey), device trust (MDM-managed, compliant, posture-checked) and context (network, location, risk) - through an identity-aware proxy, with no implicit trust from being on the corporate network. Defense-in-depth, not a perimeter.
Self-score against the rubric the moment you finish: requirements coverage, correctness, security, scalability and trade-off clarity, each 1–5. Saying “I'd rate my drift story a 4 - I named reconciliation but didn't fully specify the dead-letter handling” shows the kind of self-awareness this flat, senior team is hiring for.
Takeaway. Design JML as a reconciliation loop, not a one-shot: HRIS is truth, the IdP is the control plane, SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. and MDM are the actuators and a scheduled diff closes drift - clarify first, then name source of truth, idempotency, drift, secrets, audit, failure modes and scale before you're asked.
Self-check
Work-trial simulation
After this you can rehearse the practical round end-to-end.
Cursor's signature round is a paid work-trial - engineering roles get a real-project day and for IT/Systems it takes the form of a hands-on build: a runnable automation or a small self-service tool, plus the documentation a teammate would need to run it tomorrow.
The artifact matters, but the process is what's scored: how fast you scope, whether the thing actually runs, how visibly and competently you use AI tooling and whether you owned it end-to-end. Rehearse against a fixed time-box so the real day feels familiar.
Pick a build you can finish and demoRunnable over impressive
A Slack slash-command or small web form that lets an employee request access to a group.
Routes to an approver, then calls the IdP API on approval.
Demoable: type the command, watch the request land.
A script that audits SaaS for accounts with no SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. or no MFA and reports them.
Reads from the Okta/Google API, writes a clean findings table.
Demoable: run it, show the report it produces.
A tiny AI help-desk responder that answers “how do I get access to X” from a docs index.
Shows AI-native instinct without being a toy.
Demoable: ask it a question, get a grounded answer.
Whatever you pick, bias hard to shipping something that runs. A working tool with one rough edge beats a beautiful design that never executed. The work-trial is a proxy for the job and the job rewards people who deliver from week one.
The time-box protocolScope → build → document → demo
- 1First 15% · Scope ruthlessly and write it down. State the one outcome you'll ship and the things you're explicitly cutting. “I'll deliver a working access-request command; I'm cutting the approval UI and hard-coding the approver for now.”
- 2Build the thin vertical slice first. Get one end-to-end path working - request in, API call out, result back - before you polish anything. A demoable spine beats four half-features.
- 3Use AI tooling visibly and well. Drive Cursor's agent to scaffold the boilerplate, then review and correct what it generates out loud. Showing judgment over AI output is the signal, not raw speed.
- 4Write the runbook as you go. A short README: what it does, how to run it, the env vars it needs and the one thing that would break it. This is the “owned end-to-end” evidence.
- 5Leave time to demo it running. End on a live run, not a code tour. Then narrate the two decisions you'd revisit with more time.
“I had the agent stub the Slack handler and the Okta client, but I rewrote the error handling myself - the generated version swallowed failures silently and for an access tool I want every failed grant to be loud and logged.”
That sentence does three things at once: it shows fluent AI use, it shows you review AI output critically and it shows the security instinct this role demands. That's the texture the work-trial is built to surface.
Self-score the trialThree questions, honestly
- Did it run?
- A live demo of the happy path, not a walkthrough of code that was never executed.
- Is it owned end-to-end?
- Runbook present; secrets handled; you can explain every dependency and what breaks it.
- Would a teammate get it tomorrow?
- Clear names, a README that stands alone, no tribal knowledge required to run it.
A “no” on any row is the gap to close before the real trial.
Don't go silent and build. The practical round evaluates how you think, so narrate scoping decisions, trade-offs and dead ends as you hit them. A candidate who builds a smaller thing while explaining their reasoning out-scores one who builds a bigger thing in silence.
Takeaway. In the work-trial, scope ruthlessly and ship a thin slice that actually runs, use AI tooling visibly while reviewing its output critically, write the runbook as you go and end on a live demo - a working tool with a rough edge beats a perfect design that never executed.
Self-check
Behavioral & values mock
After this you can pressure-test your stories and AI-authenticity answers.
The cross-functional and final rounds probe how you operate on a flat, talent-dense team. Run six rapid-fire behavioral prompts on yourself and score each story coldly, because a vague answer here sinks an otherwise strong loop.
Each story needs four parts: a clear situation, your specific action (not the team's), a quantified outcome and the value it demonstrates. If a story has no number, flag it now and go find one before the real loop.
The six prompts - one strong story eachMap each to a value this role screens for
- Prompt
- Tell me about a system you owned end-to-end.
- Value it tests
- Extreme ownership
- Your story must show
- You ran it from design to on-call with little oversight; a metric for reliability or adoption.
- Prompt
- When did you automate away painful manual work?
- Value it tests
- Automation-first mindset
- Your story must show
- Hours/week reclaimed, error rate dropped or toil eliminated - with the before/after number.
- Prompt
- Walk me through an incident you handled.
- Value it tests
- High agency under pressure
- Your story must show
- Detection, your decisions, time-to-resolve and the prevention you shipped after.
- Prompt
- How did you tighten security without slowing the team?
- Value it tests
- Security-as-enabler
- Your story must show
- A control you made frictionless; adoption or risk reduction without a productivity complaint.
- Prompt
- A time you had to prioritize under ambiguity.
- Value it tests
- Pragmatism / bias to ship
- Your story must show
- What you cut, why and the outcome of shipping the smaller thing first.
- Prompt
- A disagreement with Security or Engineering.
- Value it tests
- Cross-functional collaboration
- Your story must show
- You disagreed on substance, found the shared goal and the better outcome it produced.
| Prompt | Value it tests | Your story must show |
|---|---|---|
| Tell me about a system you owned end-to-end. | Extreme ownership | You ran it from design to on-call with little oversight; a metric for reliability or adoption. |
| When did you automate away painful manual work? | Automation-first mindset | Hours/week reclaimed, error rate dropped or toil eliminated - with the before/after number. |
| Walk me through an incident you handled. | High agency under pressure | Detection, your decisions, time-to-resolve and the prevention you shipped after. |
| How did you tighten security without slowing the team? | Security-as-enabler | A control you made frictionless; adoption or risk reduction without a productivity complaint. |
| A time you had to prioritize under ambiguity. | Pragmatism / bias to ship | What you cut, why and the outcome of shipping the smaller thing first. |
| A disagreement with Security or Engineering. | Cross-functional collaboration | You disagreed on substance, found the shared goal and the better outcome it produced. |
Drill the AI-authenticity question hardest, because Cursor builds an AI code editor and there's an implicit bar that you genuinely use these tools daily. The weak answer is generic enthusiasm. The strong answer is a specific, recent example with a real artifact.
- Be specific
- Name the exact task: “Last week I had Cursor's agent scaffold a Terraform module for our Okta app integrations.”
- Be recent
- Within the last week or two, not “I tried it a while ago.” Daily use should be obvious.
- Show judgment
- Where you trusted the output and where you overrode it - judgment over AI is the real signal.
- Tie to outcome
- What it saved: a half-day of boilerplate, a script you'd have put off, a runbook drafted in minutes.
“I use Cursor daily for IT automation. This week I drove the agent to build a Python script that diffs our Slack workspace members against Okta groups and flags drift. It got the API pagination right; I rewrote the deactivation logic to dry-run by default because I don't trust an agent with irreversible access changes.”
The 90-second “why Cursor / why this role”Tight, specific, no filler
- 1Why this company. One genuine, specific reason - the AI-native culture, the chance to build IT as software at a hypergrowth company, the talent density. Not “I love your product.”
- 2Why this role. You want to own identity and automation end-to-end and treat IT as engineering, which is exactly how this role is framed.
- 3Why you, now. The one credential that proves you'll deliver from week one: a JML pipeline you built, a fleet you automated, a zero-trust rollout you led.
Record yourself answering all six prompts plus the AI question, then watch it back with the four-part rubric in hand. Any story missing a quantified outcome gets a red flag and a fix before the loop. A story you can't tell in under two minutes is too long - cut it to situation, your action, the number.
Takeaway. Run six behavioral prompts and score each story on situation, your specific action, a quantified outcome and the value shown - and drill the AI-authenticity answer until it's a specific, recent example with real judgment over the tool, deliverable in under two minutes.
Self-check
QAn interviewer asks how you use AI in your daily work. Which answer best clears Cursor's implicit AI-authenticity bar?
Readiness scorecard & gap plan
After this you can self-assess across every dimension and close gaps before the loop.
End the prep where the loop will test you: a cold self-assessment across every dimension, each gap mapped to the exact section to revisit and a 3-day plan to close what's left. The loop grades your floor, so a single weak axis is what sinks an otherwise strong candidate.
Treat the rubric as a gap finder, not a score to admire. Mark the weakest proof, turn it into one practice rep and keep the artifact you would show an interviewer.
Rate yourself 1–5 on each row below. Be honest - a 5 you can't defend in an interview is a 2. Anything under a 4 is a gap that gets a plan.
The readiness scorecardRate 1–5, then map each low score
- Dimension
- Identity protocols
- A 4–5 means you can…
- Explain SAMLAn enterprise standard that powers single sign-on. vs OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth./OAuth flows (auth-code + PKCE, client credentials) and when each fits.
- Revisit if low
- Identity protocols module + design prompt (s2)
- Dimension
- SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. / lifecycle
- A 4–5 means you can…
- Design SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. provisioning, schema mapping and drift reconciliation between IdP and apps.
- Revisit if low
- JML / SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. module + design prompt (s2)
- Dimension
- MDM / fleet
- A 4–5 means you can…
- Run zero-touch enrollment (ABM/Autopilot) and posture baselines across mac/Win/Linux/ChromeOS.
- Revisit if low
- MDM module
- Dimension
- Automation / IaCInfrastructure as Code. Managing servers and cloud resources through version-controlled config files (e.g. Terraform).
- A 4–5 means you can…
- Write idempotent Python/Bash against REST APIs and treat IT config as version-controlled code.
- Revisit if low
- Scripting drill (s1) + IaCInfrastructure as Code. Managing servers and cloud resources through version-controlled config files (e.g. Terraform). module
- Dimension
- Zero-trust
- A 4–5 means you can…
- Combine identity + device posture + context into per-request access via an identity-aware proxy.
- Revisit if low
- Zero-trust module + design prompt (s2)
- Dimension
- Compliance
- A 4–5 means you can…
- Map controls to SOC 2 / ISO 27001, run access reviews and produce audit evidence.
- Revisit if low
- Compliance module
- Dimension
- Behavioral
- A 4–5 means you can…
- Tell one quantified story per value theme in under two minutes.
- Revisit if low
- Behavioral & values mock (s4)
- Dimension
- AI-native
- A 4–5 means you can…
- Give a specific, recent example of using Cursor/AI with judgment over the output.
- Revisit if low
- Behavioral & values mock (s4)
| Dimension | A 4–5 means you can… | Revisit if low |
|---|---|---|
| Identity protocols | Explain SAMLAn enterprise standard that powers single sign-on. vs OIDCOpenID Connect. A modern standard that powers single sign-on, built on OAuth./OAuth flows (auth-code + PKCE, client credentials) and when each fits. | Identity protocols module + design prompt (s2) |
| SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. / lifecycle | Design SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. provisioning, schema mapping and drift reconciliation between IdP and apps. | JML / SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave. module + design prompt (s2) |
| MDM / fleet | Run zero-touch enrollment (ABM/Autopilot) and posture baselines across mac/Win/Linux/ChromeOS. | MDM module |
| Automation / IaCInfrastructure as Code. Managing servers and cloud resources through version-controlled config files (e.g. Terraform). | Write idempotent Python/Bash against REST APIs and treat IT config as version-controlled code. | Scripting drill (s1) + IaCInfrastructure as Code. Managing servers and cloud resources through version-controlled config files (e.g. Terraform). module |
| Zero-trust | Combine identity + device posture + context into per-request access via an identity-aware proxy. | Zero-trust module + design prompt (s2) |
| Compliance | Map controls to SOC 2 / ISO 27001, run access reviews and produce audit evidence. | Compliance module |
| Behavioral | Tell one quantified story per value theme in under two minutes. | Behavioral & values mock (s4) |
| AI-native | Give a specific, recent example of using Cursor/AI with judgment over the output. | Behavioral & values mock (s4) |
The loop screens the floor: a sub-3 on any axis is blocking and a 5 elsewhere can't buy it back.
Two things you must be able to produce on demandNon-negotiable artifacts
Ownership, automation, incident, security-without-friction, prioritization, conflict.
Each with a number and tellable in under two minutes.
If a theme has no story, that's the first gap to fill.
A real script or tool you built that runs and that you can talk through.
Bonus if you can show where you used AI and where you overrode it.
This is your proof you do IT as engineering.
Pre-loop checklistTick all before you walk in
- Stack research done: confirm Cursor's likely IdP (Okta/Entra), MDM (Kandji/Jamf) and SaaS (Google Workspace, Slack, Zoom) so your examples land in their world.
- Three sharp questions prepared for each interviewer - about the IT roadmap, the M&A integration cadence and how the team uses AI internally.
- AI examples ready: two specific, recent uses of Cursor with the judgment call you made on each.
- Scripting warmed up: you've re-run the s1 drill within the last 48 hours, both with and without AI assistance.
Go bar: every scorecard dimension at 3 or higher, every behavioral theme has a quantified story and your demoable artifact runs. If any axis is below 3 the day before, spend the last day there - closing a blocking weakness beats polishing a strength.
- Day 1 - close the lowest axis
- Whatever scored worst. Re-read its module, then re-run the drill or design prompt that exercises it.
- Day 2 - stories + artifact
- Lock one quantified story per theme; get your demoable automation running clean and rehearse the walkthrough.
- Day 3 - full mock + rest
- Timed s1 drill, a 30-min s2 design out loud, the s4 behavioral set on camera; review, fix red flags, then stop early.
Bring your demoable artifact to the loop in your head, ready to reference. When a behavioral or design question opens the door - “tell me about something you automated” - you have a concrete, runnable example instead of a hypothetical. Specificity is the whole game on a senior IC loop.
Takeaway. Score yourself 1–5 across the eight dimensions, map every low axis to its module and confirm one quantified story per value plus one demoable artifact - then spend your last focused days closing the lowest score, because the loop grades the floor and a blocking weakness sinks the whole thing.
Self-check
QYour mock scores are: zero-trust design 5, SCIMSystem for Cross-domain Identity Management. A standard for automatically creating and removing user accounts when people join or leave./lifecycle 5, automation 4, but behavioral 2 and AI-native 2. You have one focused day left. Where does it go and why?