Capstone: Mock Loop & Self-Exam
Run the full loop end-to-end before the real thing
Timed coding + security screen
After this you can simulate the technical screen under realistic time pressure.
Cursor's technical phone screen is a medium-hard coding problem with a security overlay. You write clean code under a clock and you carry a threat lens while you do it. The only honest prep is to run that exact constraint on yourself, on a timer, out loud.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Each section of this capstone is one timed stage - run them in order, self-graded, before the real loop.
Set a 45-minute timer and pick a problem that forces you to handle untrusted input: parse and validate a config file, build a URL allowlist for an outbound fetcher or sanitize a path before a file read. The coding bar is real, so the code has to compile and pass your own tests. The security bar is the second axis the interviewer is grading in parallel.
Pick one input-handling problemDrill scope
Validate an untrusted JSON config against an explicit schema, rejecting unknown keys.
Bound recursion depth and array length so a hostile payload can't blow the stack.
Tests: do you fail closed on malformed input instead of best-effort parsing?
Given a user-supplied URL, decide whether your service may fetch it.
Block private CIDRs, link-local 169.254.0.0/16 and redirect-to-internal.
Tests: do you resolve and re-check the host after redirects, not just the first URL?
Safely resolve a filename inside a sandbox root with no ../ escape.
Build a shell call without string concatenation of user input.
Tests: do you canonicalize then check containment or just blocklist ..?
Narrate the entire time as if an interviewer is on the call. State your approach and its complexity before you type, then call out the threat implication of each decision as you hit it: “I'm allocating the buffer after I've checked the declared length, so a lying length header can't over-allocate.”
The 45-minute protocolRun it like the real screen
- 10–5 min · Clarify and define the trust boundary. Name where untrusted data enters and what's authoritative. Is the input attacker-controlled? What's the max size? Who calls this? The boundary changes your whole design.
- 25–10 min · State the plan, the Big-O and the failure mode. Commit out loud: “Single pass, O(n) and I fail closed - reject on any field I don't recognize rather than ignoring it.”
- 310–35 min · Write production code with secure defaults. Validate before you use. Parameterize, don't concatenate. Canonicalize then check containment. Keep functions small enough to defend line by line.
- 435–42 min · Test the happy path and the attack path. Run a normal input, an oversized input and a crafted bypass (a
..%2f, a redirect to127.0.0.1, a deeply nested array). Fix what breaks while narrating the bug. - 542–45 min · State residual risk and what you'd add in prod. Name what your code does not defend against and the next control: rate limits, a deny-by-default WAF rule, structured audit logging.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Defining the trust boundary is the gate - get it wrong and every later step inherits the mistake.
import net from "node:net";
import dns from "node:dns/promises";
const BLOCKED_V4 = [
/^10\./, /^127\./, /^169\.254\./, /^192\.168\./,
/^172\.(1[6-9]|2\d|3[01])\./,
];
async function isPublicHost(host: string): Promise<boolean> {
// Resolve first - a hostname can point anywhere, incl. internal IPs.
const { address } = await dns.lookup(host);
if (net.isIPv6(address)) return false; // be conservative; vet v6 explicitly
return !BLOCKED_V4.some((re) => re.test(address));
}
// Caller MUST re-run isPublicHost on every redirect target,
// not just the original URL - the bypass is a 302 to 169.254.169.254.Typing it isn't the point. The point is that you can answer: why resolve DNS before deciding, why re-check on each redirect, why IPv6 is a separate landmine. If you can't defend a line, you don't actually know it yet.
Self-rubric - score four axes 1–5Match what Cursor grades
- Axis
- Correctness
- What a 5 looks like
- Compiles, passes happy + edge + attack tests
- What a 2 looks like
- Logic bug or never ran it
- Axis
- Code quality
- What a 5 looks like
- Small functions, clear names, no dead branches
- What a 2 looks like
- One big function, magic values
- Axis
- Security judgment
- What a 5 looks like
- Fails closed, validates before use, names residual risk
- What a 2 looks like
- Blocklist-only, trusts input shape
- Axis
- Communication
- What a 5 looks like
- Narrated trust boundary and tradeoffs live
- What a 2 looks like
- Coded silently, explained after
| Axis | What a 5 looks like | What a 2 looks like |
|---|---|---|
| Correctness | Compiles, passes happy + edge + attack tests | Logic bug or never ran it |
| Code quality | Small functions, clear names, no dead branches | One big function, magic values |
| Security judgment | Fails closed, validates before use, names residual risk | Blocklist-only, trusts input shape |
| Communication | Narrated trust boundary and tradeoffs live | Coded silently, explained after |
A sub-3 on any axis is a blocking signal a 5 elsewhere won't offset.
Blocklisting is the trap this round catches. “Reject anything with .. in it” feels secure and is trivially bypassed (..%2f, ....//, absolute paths, symlinks). The strong move is to canonicalize the resolved path and assert it still lives under your sandbox root - an allowlist of where the result may land, not a blocklist of what the input may contain.
When you finish the working solution, volunteer the residual risk before the interviewer asks. “This validates the URL but doesn't rate-limit, so an attacker could still use me as a scanner - in prod I'd add a per-caller budget and log every blocked host.” Naming what you didn't solve reads as senior, not as a gap.
Cross-check your patterns against the secure-coding module before you move on. The screen rewards the same defaults every time: validate at the boundary, parameterize queries, fail closed. If those aren't reflexes yet, that's the drill for tomorrow.
Takeaway. Run the screen on yourself: 45 minutes, narrate the trust boundary and Big-O before coding, test the attack path not just the happy path and volunteer residual risk - fail closed beats a clever blocklist every time.
Self-check
QYou're asked to write a function that fetches a user-supplied URL. You add a check that blocks any URL whose hostname is literally “localhost” or “127.0.0.1”. Why is this insufficient and what's the robust design?
Secure code review drill
After this you can find the real vulnerabilities in a deliberately flawed snippet.
Cursor runs agent-assisted security review on 3,000+ internal PRs a week, catching 200+ vulnerabilities before they reach production. The onsite code-review round asks you to do by hand what that system does at scale: read unfamiliar code, find the real bugs, rank them by impact and propose fixes a developer will actually accept.
Below is a small Express handler with three seeded flaws: a broken object-level authorization (IDOR), a SQL injection and a secret-handling mistake. Set a 15-minute timer, find them cold and write PR-style comments before you read on.
app.get("/api/invoices/:id", async (req, res) => {
const id = req.params.id;
const sql = "SELECT * FROM invoices WHERE id = " + id;
const invoice = await db.query(sql);
console.log("fetched invoice", invoice, "key:", process.env.STRIPE_SECRET);
return res.json(invoice);
});The three seeded flawsWhat review should surface
- Flaw
- Broken object-level authz (IDOR)
- Where
- No check that
req.userowns invoiceid - Impact
- Any authed user reads any invoice by guessing IDs
- Severity
- Critical
- Flaw
- SQL injection
- Where
idconcatenated into the query string- Impact
- Full read/write of the DB, auth bypass, data exfil
- Severity
- Critical
- Flaw
- Secret in logs
- Where
STRIPE_SECRETwritten to stdout- Impact
- Live key leaks to log aggregation, on-call screens, retention
- Severity
- High
| Flaw | Where | Impact | Severity |
|---|---|---|---|
| Broken object-level authz (IDOR) | No check that req.user owns invoice id | Any authed user reads any invoice by guessing IDs | Critical |
| SQL injection | id concatenated into the query string | Full read/write of the DB, auth bypass, data exfil | Critical |
| Secret in logs | STRIPE_SECRET written to stdout | Live key leaks to log aggregation, on-call screens, retention | High |
Rank by impact and exploitability, then fix the criticals first.
Prioritize the way the review system does. The SQLi and the IDOR are both critical and trivially exploitable, so they block the PR. The logged secret is high, separately tracked because it needs a key rotation, not just a code change - the key is already compromised the moment it hits a log.
Write the fix as a frictionless PR commentRemediation quality is half the score
app.get("/api/invoices/:id", requireAuth, async (req, res) => {
const id = req.params.id;
// Parameterized query - driver escapes; injection closed.
// Ownership in the WHERE clause - authz can't be forgotten downstream.
const invoice = await db.query(
"SELECT * FROM invoices WHERE id = $1 AND owner_id = $2",
[id, req.user.id],
);
if (!invoice) return res.status(404).end(); // 404, not 403: don't confirm existence
return res.json(invoice); // no secrets logged, ever
});Note the design choices a reviewer rewards. Ownership lives in the WHERE clause, so the authorization can't be skipped by a later refactor. The miss returns 404 rather than 403, because a 403 confirms the record exists and leaks information. That's the difference between patching a line and removing the bug class.
“Three issues, two blocking. Line 3 concatenates id into SQL - that's injection, fix is a parameterized query. There's also no ownership check, so it's an IDOR; I'd put owner_id = req.user.id in the WHERE clause so authz can't be forgotten. Separately, line 5 logs the Stripe secret - that key is now burned, so this needs a rotation, not just a deletion.”
Score yourself honestlyFindings caught vs missed and fix quality
- Did you catch all three or did one slip? Which class did you miss - authz, injection or secret handling?
- Did you rank by impact or list them in the order you happened to read them?
- Did your fix remove the bug class (ownership in the query) or just patch the one line?
- Did you flag the secret as needing rotation, not just removal from the log line?
The most-missed flaw in this drill is the IDOR, because the code “looks fine” - there's no scary string concatenation to draw the eye. Broken object-level authorization is the top item on the OWASP API list precisely because it's invisible in a quick read. Train the habit: on every handler that takes an id, ask who is allowed to see this object and where is that enforced?
Mirror the agent-assisted-review output style: one finding per comment, each with severity, the exploit in one sentence and a copy-pasteable fix. Interviewers read that as someone who's shipped security review at scale, not someone auditing for the first time. End with the prioritization call - which one blocks the merge - because triage judgment is what separates a senior reviewer from a linter.
Log the vuln class you keep missing across drills. If IDOR slips twice, that's not bad luck, it's a blind spot - revisit the secure-coding module on broken access control and re-run this drill with a fresh snippet.
Takeaway. Read for the invisible bug (IDOR) as hard as the obvious one (SQLi), rank by impact and write fixes that delete the bug class - ownership in the WHERE clause, parameterized queries and rotate any secret that touched a log.
Self-check
Threat-model a system live
After this you can produce a threat model and least-privilege design on the clock.
The onsite threat-modeling round hands you a prompt and a whiteboard and watches how you reason about trust. The two prompts most aligned to this role: design just-in-time cloud access or design a safe agent-execution sandbox. Pick one, set a 30-minute timer and produce trust boundaries, attacker goals and systemic mitigations.
There's no diagram tool in your head, so work the structure explicitly. A threat model is four questions in order: what are we building, what can go wrong, what do we do about it and did the mitigations hold. Most candidates jump to mitigations and skip the boundaries - the boundaries are where the score is.
The four-step protocolRun it on whichever prompt you draw
- 10–5 min · Enumerate trust boundaries. Draw the components and mark every line where data or control crosses a privilege level: user → control plane, control plane → cloud API, agent → host filesystem. Name what's trusted on each side.
- 25–15 min · Enumerate attacker goals per boundary. For each crossing, ask what an attacker wants: standing admin creds, lateral movement, reading another tenant's data, escaping the sandbox to the host. STRIDE is a fine checklist if you blank.
- 315–25 min · Design systemic mitigations. For each goal, a control that kills the class: least-privilege scoping, JIT grants with auto-expiry, blast-radius isolation per tenant, deny-by-default egress from the sandbox.
- 425–30 min · Justify the friction tradeoff. State what each control costs the engineer or the agent and why it's worth it - or where you deliberately accepted risk to keep the paved road usable.
Worked example: just-in-time cloud accessTrust boundaries and the controls that fit
- Trust boundary
- Engineer → cloud IAM
- Attacker goal
- Use standing admin creds found on a laptop
- Systemic mitigation
- No standing access; JIT grant, scoped role, auto-expires in hours
- Trust boundary
- Approval flow → grant issuance
- Attacker goal
- Self-approve or replay an old approval
- Systemic mitigation
- Approver ≠ requester; grants are single-use and time-boxed
- Trust boundary
- Granted session → cloud APIs
- Attacker goal
- Pivot from one service to the whole account
- Systemic mitigation
- Role scoped to the one resource/action; deny by default
- Trust boundary
- Audit → detection
- Attacker goal
- Act without leaving a trace
- Systemic mitigation
- Every grant + API call logged immutably, alert on anomalies
| Trust boundary | Attacker goal | Systemic mitigation |
|---|---|---|
| Engineer → cloud IAM | Use standing admin creds found on a laptop | No standing access; JIT grant, scoped role, auto-expires in hours |
| Approval flow → grant issuance | Self-approve or replay an old approval | Approver ≠ requester; grants are single-use and time-boxed |
| Granted session → cloud APIs | Pivot from one service to the whole account | Role scoped to the one resource/action; deny by default |
| Audit → detection | Act without leaving a trace | Every grant + API call logged immutably, alert on anomalies |
Each row pairs a boundary with the control that shrinks blast radius there.
The least-privilege story is the spine of this answer. Standing permissions are a constant liability - every credential that exists is a credential that can leak. JIT flips the default: zero standing access, a scoped grant when you prove you need it, automatic revocation when the window closes. The blast radiusHow much breaks if a change goes wrong; the scope of potential damage. of a stolen laptop drops from “the whole account, forever” to “one resource, for two hours, fully logged.”
The DX tradeoff is part of the designFrictionless or it gets bypassed
If a JIT grant takes 20 minutes during an incident, engineers will keep a break-glass admin role - and now you have standing access anyway.
Design for sub-minute grants on the common path or the control gets routed around.
An approver-≠-requester step on production-data roles costs one click and stops self-service privilege escalation.
Auto-expiry costs nothing at use time and removes a whole class of forgotten-credential risk.
Say explicitly that the secure path has to be the easy path. A defense that engineers bypass under pressure is worse than none, because it gives false assurance. The senior move is to design the JIT flow so the fast way and the safe way are the same way - that's the builder-first, developer-empathy posture Cursor hires for, stated out loud.
Lead with boundaries, not controls. Open with “let me mark the trust boundaries first” and physically draw them before proposing a single mitigation. It signals you reason from the system's structure rather than reaching for a checklist and it gives the interviewer a map to push on. Then tie each control back to a specific boundary so nothing is a free-floating best practice.
Cross-check against the cloud-security and threat-modeling modules. If you stalled enumerating boundaries or couldn't justify a friction tradeoff, that's the gap to close before the onsite.
Takeaway. Threat-model in order - boundaries, attacker goals, systemic mitigations, friction tradeoff - and make least-privilege concrete: JIT turns “the whole account forever” into “one resource, two hours, logged,” on a fast path engineers won't bypass.
Self-check
QIn your JIT access design, why is replacing standing IAM permissions with just-in-time grants a reduction in blast radiusHow much breaks if a change goes wrong; the scope of potential damage. rather than just a process change?
Agent-security rapid fire
After this you can defend the agent threat model under fast questioning.
The AI/agent-security deep dive is where this role's edge shows. Cursor builds agents that read, write and execute code on customer systems, which is a threat surface off-the-shelf playbooks don't cover. Expect rapid Q&A: crisp one-paragraph answers that diagnose the threat, name a mitigation and admit the residual risk.
The unifying frame to carry into every answer is the lethal trifecta: an agent that has access to private data, can be exposed to untrusted content and can communicate externally is the dangerous combination. Remove any one leg and the worst exfiltration paths close. Say that frame out loud - it shows you reason about the system, not the individual prompt.
Rapid-fire answer bankDiagnose → mitigate → residual risk
- Question
- Indirect prompt injection?
- One-paragraph answer (shape)
- Untrusted content the agent reads (a file, a web page, an issue comment) carries instructions it then follows. Diagnose: the trust boundary between content and instructions has collapsed. Mitigate: treat all tool output as data not commands, constrain capabilities, require human confirm on high-impact actions. Residual: you can't fully sanitize natural language, so assume injection and contain blast radiusHow much breaks if a change goes wrong; the scope of potential damage..
- Question
- MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. / tool-use risk?
- One-paragraph answer (shape)
- An MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. server or tool the agent trusts can return malicious payloads or expose more capability than intended. Diagnose: every tool is a new trust boundary and a new privilege. Mitigate: least-privilege tool scoping, allowlist servers, validate tool I/O, no implicit credential passthrough. Residual: a compromised trusted server is still a supply-chain risk you monitor, not eliminate.
- Question
- Command-execution abuse?
- One-paragraph answer (shape)
- Injected or misguided instructions get the agent to run a destructive or exfiltrating command. Diagnose: the agent→host execution boundary. Mitigate: run in a sandbox with deny-by-default egress, no standing cloud creds, human approval for irreversible actions. Residual: sandbox-escape bugs exist, so defense in depth and monitoring, not a single wall.
- Question
- Context exfiltration?
- One-paragraph answer (shape)
- Secrets or other tenants' code leak out through the model context - logged, sent to a tool or echoed to an attacker. Diagnose: data crossing the model-context boundary. Mitigate: redact secrets before they enter context, tenant isolation, egress controls, data-retention limits. Residual: minimize what's in context, because anything in context can leak.
| Question | One-paragraph answer (shape) |
|---|---|
| Indirect prompt injection? | Untrusted content the agent reads (a file, a web page, an issue comment) carries instructions it then follows. Diagnose: the trust boundary between content and instructions has collapsed. Mitigate: treat all tool output as data not commands, constrain capabilities, require human confirm on high-impact actions. Residual: you can't fully sanitize natural language, so assume injection and contain blast radiusHow much breaks if a change goes wrong; the scope of potential damage.. |
| MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. / tool-use risk? | An MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. server or tool the agent trusts can return malicious payloads or expose more capability than intended. Diagnose: every tool is a new trust boundary and a new privilege. Mitigate: least-privilege tool scoping, allowlist servers, validate tool I/O, no implicit credential passthrough. Residual: a compromised trusted server is still a supply-chain risk you monitor, not eliminate. |
| Command-execution abuse? | Injected or misguided instructions get the agent to run a destructive or exfiltrating command. Diagnose: the agent→host execution boundary. Mitigate: run in a sandbox with deny-by-default egress, no standing cloud creds, human approval for irreversible actions. Residual: sandbox-escape bugs exist, so defense in depth and monitoring, not a single wall. |
| Context exfiltration? | Secrets or other tenants' code leak out through the model context - logged, sent to a tool or echoed to an attacker. Diagnose: data crossing the model-context boundary. Mitigate: redact secrets before they enter context, tenant isolation, egress controls, data-retention limits. Residual: minimize what's in context, because anything in context can leak. |
Each answer names the boundary first - that's what's being scored.
Notice the common spine: every answer starts by naming the trust boundary that's being crossed. “The boundary between content and instructions” for injection, “the agent-to-host execution boundary” for command abuse. Naming the boundary is the senior signal; jumping straight to “add a guardrail prompt” is the junior one.
Defense in depth for the agentLayers, because no single control holds
- Capability layer: least-privilege tools, no standing creds, scoped MCPModel Context Protocol. A standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs. servers.
- Execution layer: sandbox with deny-by-default egress, ephemeral environments, irreversible actions gated on human confirm.
- Data layer: redact secrets before context, tenant isolation, retention limits, privacy modes.
- Detection layer: log tool calls and commands, alert on anomalous egress and on blocked-action spikes.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
No single control holds - each layer is what catches what the layer below it missed.
“You can't fully solve prompt injection with prompting - a guardrail instruction is just more text the attacker's text can override. So I don't rely on the model behaving. I constrain what the agent can do: least-privilege tools, a sandbox with no egress by default, secrets redacted before they ever hit context and human confirmation on anything irreversible. The model can be fooled; the blast radiusHow much breaks if a change goes wrong; the scope of potential damage. stays small.”
The failure mode in this round is proposing a prompt-based fix for an architecture problem. “I'd add a system prompt telling the agent to ignore instructions in files” is a near-automatic downgrade, because injected text can override that just as easily. Always escalate from “make the model behave” to “remove the capability or contain the blast radiusHow much breaks if a change goes wrong; the scope of potential damage..”
Score yourself on two things per answer: did you name a trust boundary and did you reach for the lethal-trifecta framing when exfiltration came up? If you named neither, you gave a generic answer. Re-run the rapid fire until both are reflexes and revisit the agent-security module on whichever boundary you fumbled.
Takeaway. For every agent threat, name the trust boundary first, then contain capability and blast radiusHow much breaks if a change goes wrong; the scope of potential damage. - you can't fully solve prompt injection with prompting, so break a leg of the lethal trifecta (private data, untrusted content, external comms) instead.
Self-check
QAn interviewer asks how you'd stop indirect prompt injection in a coding agent that reads files and can run shell commands. A candidate answers: “Add a strong system prompt telling the agent to never follow instructions found in file contents.” Critique this and give the stronger answer.
Values rehearsal & final readiness
After this you can deliver polished STAR stories and self-score readiness.
The behavioral round checks whether you're builder-first and attacker-minded, whether you own problems end-to-end with little guidance and whether you tell the truth about what you don't know. Run your stories out loud, map each to a Cursor value and tighten every one to under two minutes.
You need three stories ready, each a clean STAR with a quantified result. Rehearse them spoken, not read - the gap between a story you've written and a story you can deliver in 90 seconds is the gap this round measures.
Three stories, mapped to Cursor valuesOne per behavioral theme
- Builder + attacker
- A defense you built (a tool, a paved road, a sandbox) after reasoning like an attacker - not a ticket you triaged. Quantify adoption or threat-surface reduction.
- End-to-end ownership
- A security problem you owned start to finish with limited guidance: found it, scoped it, shipped the fix, verified it held.
- Truth-seeking
- A time you were wrong or admitted an unknown, with the real cost and the concrete fix you carried forward. No humble-brag fake flaw.
- Developer empathy
- A defense you deliberately made frictionless so it got adopted instead of bypassed - the DX choice and the adoption it bought.
The builder-vs-attacker story is the one that most distinguishes this role. Cursor wants security as a superpower on top of strong engineering, so the hero of your best story should be something you shipped that shrank a class of risk, with you narrating the attacker's view that motivated it.
The two-minute shapeTighten every story to this
- 1Situation (20s). The system, the stakes and the trust boundary at risk. No backstory.
- 2Action (60s, first person). What you did - the attacker reasoning, the design choice, the build. “I” not “we.”
- 3Result (30s, quantified). The outcome in numbers: vulns prevented, threat surface reduced, adoption rate, time-to-detect.
- 4Reflection (10s). What you'd do differently or carried forward. This is where truth-seeking shows.
Final readiness checklist - score each axis 1–5Across all five rounds
- Axis
- Timed coding + security
- Ready (4–5)
- Solve medium-hard with a threat lens, narrate live
- Gap (≤2)
- Stall on the code or miss the security overlay
- Axis
- Secure code review
- Ready (4–5)
- Catch IDOR + injection + secret, rank, fix the class
- Gap (≤2)
- Miss a class or only patch the line
- Axis
- Threat modeling
- Ready (4–5)
- Boundaries first, JIT/least-privilege, friction tradeoff
- Gap (≤2)
- Jump to controls, skip the boundaries
- Axis
- Agent security
- Ready (4–5)
- Name the boundary, lethal-trifecta, contain not prompt
- Gap (≤2)
- Reach for a guardrail prompt
- Axis
- Behavioral + why Cursor
- Ready (4–5)
- Three STAR stories <2 min, product-grounded why
- Gap (≤2)
- Stories ramble or why is generic
| Axis | Ready (4–5) | Gap (≤2) |
|---|---|---|
| Timed coding + security | Solve medium-hard with a threat lens, narrate live | Stall on the code or miss the security overlay |
| Secure code review | Catch IDOR + injection + secret, rank, fix the class | Miss a class or only patch the line |
| Threat modeling | Boundaries first, JIT/least-privilege, friction tradeoff | Jump to controls, skip the boundaries |
| Agent security | Name the boundary, lethal-trifecta, contain not prompt | Reach for a guardrail prompt |
| Behavioral + why Cursor | Three STAR stories <2 min, product-grounded why | Stories ramble or why is generic |
The loop grades the floor: spend your last hours on the lowest axis.
Interactive diagram. Tab through its regions; each focused region shows its detail in the panel below.
Every axis is blocking - the loop grades your floor, so a sub-3 anywhere sinks it. Weights show where this role's edge is decided, not which axis you can skip.
If you score agent security 5 and secure code review 2, almost all remaining time goes to code review. A blocking sub-3 on any axis sinks the loop and a fifth point on your strongest round can't buy it back. Date each mock score so you can see the weakest axis trending up, not just feel busy.
Your concrete, product-grounded “why Cursor”Specific beats enthusiastic
The recruiter screen and the values round both probe genuine interest. A strong answer is specific to the security surface: you want to defend a product where the threat model is genuinely new - autonomous agents executing code on customer systems - and to build paved-road defenses in a flat, fast org rather than gatekeep. Ground it in something real you've seen: the agent-assisted review on 3,000+ PRs a week, the privacy modes, the JIT posture.
“Most security jobs are applying known playbooks. Cursor's threat model is one that mostly doesn't have a playbook yet - agents reading, writing and running code on customer machines. I want to build the defenses for that, the paved-road kind that engineers adopt because they're the easy path, not the kind people route around. And you already practice it: agent-assisted review on thousands of PRs a week is the exact work I want to own.”
Bring evidence that you actually use Cursor for real work - interviewers expect it. A sentence on something you built or secured with the agent or a sharp observation about a rough edge, beats any rehearsed enthusiasm and proves the authentic-use bar in one line.
Takeaway. Rehearse three STAR stories spoken and under two minutes (builder+attacker, ownership, truth-seeking), self-score all five axes and pour your last hours into the lowest one - the loop grades your floor and your “why Cursor” must name the real, playbook-less agent threat surface.