Capstone, the interview spine & self-assessment
The structures you fall back on when a question is ambiguous.
The spine: one page you never abandon under pressure
Everything you've learned compresses into one structure you can run from memory when the room gets hostile, the VP interrupts, or you blank. The spine is not a script — it's a load-bearing skeleton. Seven beats, in order, that turn any messy enterprise conversation into a coherent path from where work waits today to what gates the expansion.
Why a spine and not talking points? Because under pressure you don't lose your facts — you lose your order. You start defending a feature before you've established the risk it must respect, or you quote a metric before anyone agreed on the baseline. The spine fixes sequence so each beat earns the right to the next. Master it and you can be interrupted at beat 4, dragged back to beat 2, and still know exactly where you are.
Run it in order. Current → Risk → Use case → Cursor fit → Pilot → Proof → Expand. Each beat is a question you answer before advancing. The closing message rides on top of all seven.
- 1 · Current: Where does work wait today? Name the value stream (the end-to-end path a change takes from idea to running in production) and the queue: review, env, handoff, ticket aging.
- 2 · Risk: What must hold no matter what? Separation of duties, ITGC (IT General Controls: the baseline IT controls auditors check, covering who can change what, how changes get approved, and how systems are run), the controls that don't bend for velocity.
- 3 · Use case: One bounded slice of value, not 'AI everywhere.' A repo, a team, a workflow with a clear edge.
- 4 · Cursor fit: Context, rules, control. Why this tool fits the use case and respects the risk.
- 5 · Pilot: A cohort with guardrails. Allowlists, hooks, sandboxing, audit on; a scoped blast radius (how much breaks if a change goes wrong; the scope of potential damage).
- 6 · Proof: Baseline → outcome. You measured before you changed; you can show the delta.
- 7 · Expand: What gates the next ring? Name the condition, not a date. Expansion is earned, not assumed.
"I don't sell AI everywhere. I find where work waits, name what has to hold, and earn the next ring of rollout with evidence. That's the whole job."
The spine is a risk-respecting value argument. Beats 1–3 establish the problem and its constraints. Beat 4 is your only product moment. Beats 5–7 are about controlled proof and earned expansion.
If you ever feel yourself pitching features, you've skipped to beat 4 without finishing beats 1–3. Stop and back up.
The recurring closing message rides on top of all seven: the work is to expand autonomy as fast as the evidence allows, and not one ring faster. That single line reframes every objection — speed, security, cost, skepticism — as a question about evidence and guardrails rather than a fight about whether AI is good.
Beat-by-beat: what each move actually does
Knowing the seven labels isn't the skill. The skill is knowing what work each beat does, and the single best question that opens it. Here's the operating detail behind each beat, with the named controls and metrics you reach for.
1 · Current. Opener: "Walk me through your value stream: where does a change wait the longest?"
You're hunting the queue: review backlog, env provisioning, cross-team handoffs, ticket aging. Lead time for changes, one of the four DORA metrics (deployment frequency, lead time for changes, change failure rate, and time to restore service), lives here. No queue named = no problem to solve.
2 · Risk. Opener: "What can never bend, even for velocity?"
Separation of duties, ITGC, change-management controls, the regulated boundaries. You name these before product so the room knows you respect them. This is where you earn the right to be in an enterprise.
3 · Use case. Opener: "If we fixed one workflow first, which one moves the needle?"
One repo, one team, one workflow with a clear edge. Bounded = measurable = safe. 'AI everywhere' is the anti-pattern; it has no baseline and infinite blast radius.
4 · Cursor fit. Opener: "Here's why this tool fits that workflow and respects those controls."
Context (codebase awareness; MCP, the Model Context Protocol, a standard that lets an AI agent pull in context from outside the repo, like Jira tickets or internal docs), Rules (.cursor/rules, model/repo allowlists), Control (hooks, sandboxing, audit logs, RBAC, SSO/SCIM). Your one product moment. (RBAC is role-based access control: permissions granted by role rather than configured per person. SSO is single sign-on: one company login, usually via SAML or OIDC, instead of a separate password per tool. SCIM, System for Cross-domain Identity Management, is a standard for automatically creating and removing user accounts as people join or leave.)
5 · Pilot. Opener: "We start with a cohort, guardrails on, blast radius scoped."
Model/MCP/repo allowlists, hooks, terminal sandboxing, Privacy Mode (Cursor's setting that routes requests under zero-data-retention terms so providers don't store or train on your code), audit logs all enabled. Box's mentorship model (+75% usage in 6 weeks) is the template.
6 · Proof. Opener: "We measured before we changed, so we can show the delta."
DORA four keys, throughput, migration-effort reduction (Box: 80–90% less), daily-active. No baseline = no proof, just vibes.
The most common failure is collapsing beats 3 and 4 — describing the tool as the use case. 'The use case is Cursor' is not a use case. The use case is 'cut PR review wait time on the payments repo for the platform team.' Cursor is how you address it.
Second most common: skipping beat 2 with a regulated buyer. If you reach beat 4 and they haven't heard you name separation of duties (no single person can author, approve, and deploy the same change; the core control AI autonomy has to respect) or ITGC, you've already lost the security lead in the room.
Beat 7 deserves its own discipline: expansion is earned
Beat 7 — Expand — is where weak reps invent a timeline ('then we roll out org-wide in Q3') and strong reps name a gate. A gate is a condition: 'when the pilot cohort holds DORA change-fail rate flat while lead time drops 20%, we expand to the next two teams.' Conditions are defensible; dates are hostages. Organizations (GA to Enterprise ~June 2026) is the structural answer to 'expand' — one admin plane over many teams, each with its own governance and budget, Groups for cohort-level model access and spend.
When an interviewer asks 'how do you expand a successful pilot?' they're testing whether you'll say a date or a gate. Answer with a gate every time, then name Organizations/Groups as the mechanism that lets each new ring keep its own security, governance, and budget.
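A gate is a condition you can evaluate mechanically. The following is an added example, not code from this page or from Cursor: it applies the gate quoted above (lead time down at least 20%, change-fail rate flat) per cohort, and refuses to decide for any cohort with no captured baseline, which is the drill-6 point that pooled averages hide who actually succeeded. The cohort names, DORA numbers and the two-point change-fail tolerance are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DoraSnapshot:
    """The two DORA keys the gate names, for one cohort over one measurement window."""
    lead_time_hours: float   # lead time for changes: median hours from commit to production
    change_fail_rate: float  # share of deployments that caused a failure, 0.0 to 1.0


@dataclass(frozen=True)
class GateDecision:
    expand: bool
    reasons: tuple  # one plain-language line per check, so the decision is auditable


def evaluate_expansion_gate(baseline: Optional[DoraSnapshot], pilot: DoraSnapshot,
                            min_lead_time_drop: float = 0.20,
                            cfr_tolerance: float = 0.02) -> GateDecision:
    """Expand only if lead time fell by at least min_lead_time_drop AND the change-fail
    rate held flat (rose by no more than cfr_tolerance, an assumed tolerance).
    A missing or unusable baseline blocks expansion: there is no delta to show."""
    if baseline is None or baseline.lead_time_hours <= 0:
        return GateDecision(False, ("no usable baseline captured: no delta to show",))
    lead_drop = (baseline.lead_time_hours - pilot.lead_time_hours) / baseline.lead_time_hours
    cfr_rise = pilot.change_fail_rate - baseline.change_fail_rate
    lead_ok = lead_drop >= min_lead_time_drop
    cfr_ok = cfr_rise <= cfr_tolerance
    reasons = (
        f"lead time {'dropped' if lead_drop >= 0 else 'rose'} {abs(lead_drop):.0%} "
        f"(gate: drop >= {min_lead_time_drop:.0%}) -> {'pass' if lead_ok else 'fail'}",
        f"change-fail rate moved {cfr_rise:+.3f} (gate: rise <= {cfr_tolerance:.3f}) "
        f"-> {'pass' if cfr_ok else 'fail'}",
    )
    return GateDecision(lead_ok and cfr_ok, reasons)


def gate_by_cohort(baselines: dict, pilots: dict) -> dict:
    """Decide per cohort, never on the pooled average, so one strong team
    cannot carry a weak one (or an unmeasured one) through the gate."""
    return {name: evaluate_expansion_gate(baselines.get(name), snap)
            for name, snap in pilots.items()}


# Constructed sample data: hypothetical cohorts and numbers, not Cursor or Box figures.
BASELINES = {
    "platform": DoraSnapshot(lead_time_hours=48.0, change_fail_rate=0.10),
    "payments": DoraSnapshot(lead_time_hours=72.0, change_fail_rate=0.08),
    # the "data" team never captured a before-state
}
PILOTS = {
    "platform": DoraSnapshot(lead_time_hours=36.0, change_fail_rate=0.11),  # -25%, CFR +0.01
    "payments": DoraSnapshot(lead_time_hours=60.0, change_fail_rate=0.08),  # only -16.7%
    "data": DoraSnapshot(lead_time_hours=20.0, change_fail_rate=0.05),      # looks great, no baseline
}

if __name__ == "__main__":
    for cohort, decision in gate_by_cohort(BASELINES, PILOTS).items():
        print(f"{cohort}: {'EXPAND' if decision.expand else 'HOLD'}")
        for line in decision.reasons:
            print("  -", line)
```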
Self-check (multiple choice): Which statement is a real use case (beat 3), not a disguised product pitch (beat 4)?
The 10 capstone drills
These are the ten scenarios you will face, in some form, in a Cursor Field Engineer loop. The bar is 8 of 10 fluent — meaning you can run the spine through each one and name specific controls, features, and metrics, not generic reassurance. Fluent means: no hedging, no 'it depends' without a fork, and at least one named artifact (a control, a feature, a number) per answer.
| # | Drill | The spine move that wins it |
|---|---|---|
| 1 | Skeptical VP ('AI is hype') | Beat 1+6: name where work waits, then offer to prove it with a baselined pilot. Reframe to evidence, not belief. Cite 64% of the Fortune 500 as social proof, not as the argument. |
| 2 | Regulated rollout (finance/health) | Beat 2 first, loudly: separation of duties, ITGC, audit logs, SSO/SCIM, RBAC, Privacy Mode + ZDR (Zero Data Retention: a contractual guarantee that the model provider won't store your code or train on it), AWS PrivateLink (keeps traffic to a service on your private network instead of the public internet). Then bounded pilot inside the boundary. |
| 3 | Security lead evaluation | Beat 2+5: SOC 2 Type II, AES-256 at rest, TLS 1.2+, annual pen test, model/MCP/repo allowlists, hooks, terminal sandboxing, AI-code tracking. Note ZDR does NOT apply with your own API keys. |
| 4 | Discovery simulation | Beats 1–3 only. Resist demoing. Find the queue, the controls, the bounded slice. Earn beat 4. |
| 5 | 'Bugbot (Cursor's automated PR reviewer, which posts inline findings and can push fix commits from isolated VMs) is just noise' | Beat 6: 90% of runs under 3 min, ~3x faster and 22% cheaper (June 2026), custom rules via .cursor/BUGBOT.md to tune signal. Autofix lands ~35% of changes. Tune, don't defend. |
| 6 | Mixed pilot results | Beat 6+7: segment the cohort. Find who succeeded and why (mentorship — Box's +75% in 6 weeks), gate expansion on replicating that, not on averages. |
| 7 | Enterprise demo design | Beat 4 narrated against beat 3. Demo the bounded use case with controls visible — allowlists, audit log, a hook firing. Never a generic feature tour. |
| 8 | 'Copilot/this is free' | Beat 1+6: free tools don't change lead time; outcomes do. Price (~$40/user/mo Business; Enterprise negotiated) is trivial against a throughput gain (Box: 30–50%). |
| 9 | Senior-engineer objection | Beat 5: autonomy is dialed, not dumped. Sandboxing + review gates + AI-code tracking keep the senior in control; the agent removes toil, not judgment. |
| 10 | Autonomy boundary | Beat 2+5: name the autonomy ladder. What the agent may do unattended vs. gated vs. forbidden, enforced by hooks, sandboxing, and SoD (separation of duties). Blast radius is a setting, not a hope. |
"Bugbot isn't noise you tolerate — it's signal you tune. Ninety percent of runs finish under three minutes, and custom rules in .cursor/BUGBOT.md let the team shape exactly what it flags. If it's noisy, that's a config conversation, not a verdict."
Drill 3 trap: a security lead will ask 'do you retain our data?' If the customer brings their own API keys, zero-data-retention does not apply — the retention terms ride on the model provider, not on Cursor. Saying 'we never retain anything' when they use their own keys is a credibility-ending error. Get this distinction exactly right.
Several of the perishable stats (Bugbot speed/cost, the '~70% flags resolved pre-merge' line) are directional and dated; verify before quoting in a live loop.
The perishable items: Bugbot June-2026 figures (~3x faster, 22% cheaper, ~10% more bugs, 90% of runs <3 min, ~35% autofix merge rate) and the older '~70% flags resolved pre-merge' directional stat; pricing (~$40/user/mo) and seat-discount thresholds. Treat these as perishable and confirm against current Cursor materials before you say them out loud.
Self-check (multiple choice): A security lead asks: 'Does Cursor retain our prompts and code?' Your team uses its own model API keys. What's the precise answer?
Final self-assessment: the 10 capabilities
Before you walk into a loop, score yourself honestly against these ten. Each is a capability — something you can do live, not a fact you can recite. The bar for each is: could you do this in front of a skeptical buyer, right now, without notes?
- 1 · Run the full 7-beat spine cold, in order, on a use case you've never seen — and recover when interrupted.
- 2 · Open discovery and stay in beats 1–3 without demoing, finding the queue and the controls.
- 3 · Name the enterprise control surface from memory: SSO/SCIM, RBAC, model/MCP/repo allowlists, hooks, terminal sandboxing, audit logs, AI-code tracking.
- 4 · State the security posture precisely: SOC 2 Type II, AES-256 at rest, TLS 1.2+, annual pen test, Privacy Mode + ZDR (and the own-keys caveat), PrivateLink/Cloudflare Tunnel.
- 5 · Map a customer's value stream to DORA's four keys and identify which one the pilot will move.
- 6 · Design a guardrailed pilot: cohort, allowlists on, sandboxing on, audit on, baseline captured.
- 7 · Articulate the autonomy ladder — unattended vs. gated vs. forbidden — and how hooks/SoD enforce it.
- 8 · Convert any objection (hype, free, security, skeptical senior) into an evidence-and-guardrails question.
- 9 · Quote proof responsibly: Box (85%+ DAU, 30–50% throughput, 80–90% less migration effort), 64% of Fortune 500 — and flag perishable stats as verify-before-quoting.
- 10 · Define expansion as a gate, not a date, and tie it to Organizations/Groups.
8 of 10 fluent is the pass bar. 'Fluent' means you can perform the capability live, with at least one named artifact, without hedging. If you can recite a capability but can't perform it under a follow-up question, score it half.
Your weakest two are your prep list. Don't broaden — go deep on the two you'd most fear being asked to do live.
Portfolio artifacts: the proof you bring
Talk is beat 4. The portfolio is beats 5 and 6 made tangible — artifacts that prove you've actually done the work, not just memorized the vocabulary. Seven pieces, mapped to the spine. In a loop, the candidate who opens a real current-state map beats the candidate who describes one.
| # | Artifact | Spine beat | What it proves |
|---|---|---|---|
| 01 | Current-state SDLC map | 1 Current | You can find where work waits — the queue, the value stream, the DORA bottleneck — before proposing anything. |
| 02 | Risk & control register | 2 Risk | You speak ITGC, separation of duties, and risk tier as a register a security lead would recognize, not as buzzwords. |
| 03 | Bounded use-case brief | 3 Use case | You can scope one workflow with an owner, an edge, and a measurable target — and resist 'AI everywhere.' |
| 04 | Cursor fit / config plan | 4 Fit | Concrete rules, allowlists, MCP setup, hooks — context/rules/control instantiated for this customer, not a feature list. |
| 05 | Pilot plan with guardrails | 5 Pilot | Cohort, blast radius, sandboxing, audit, and a captured baseline. A security lead could sign it. |
| 06 | Proof / outcomes readout | 6 Proof | Baseline-to-outcome deltas on DORA + throughput, segmented by cohort — evidence, not anecdote. |
| 07 | Field interview pack | all | The spine, the 10 drills, the verified facts, and your self-assessment — your run-from-memory kit. |
Bring artifact 01 (current-state map) and artifact 05 (pilot plan with guardrails) to every loop. They're the two that most cleanly demonstrate the discipline interviewers are screening for: finding the queue, and scoping the blast radius. The other five support; these two lead.
- Discovery round: Artifacts 01 + 02 — show you find the queue and the controls before pitching.
- Solution round: Artifacts 03 + 04 — bounded use case + concrete config, never a feature tour.
- Rollout round: Artifacts 05 + 06 — guardrailed pilot and baselined proof.
- Whiteboard / closing: Artifact 07 — run the spine and 10 drills from memory.
A portfolio of polished slides with no baseline is a tell that you've never run a real pilot. The one artifact interviewers probe hardest is 06 — 'show me the baseline you measured against.' If your outcomes readout has outcomes but no documented before-state, it reads as marketing, not evidence.
Self-check (multiple choice): Which two portfolio artifacts should you bring to every loop, and why?
The mindset to walk in with
The spine, the drills, the artifacts — they all rest on one posture: you are not there to sell AI. You're there to expand autonomy as fast as the evidence allows, and not one ring faster. Walk in as the person who makes risk smaller, not the person who makes risk go away by ignoring it.
The strongest Field Engineers in the room sound less like vendors and more like a careful internal champion the customer wishes they already had. They lead with the customer's constraints, not the product's capabilities. They say 'no' to a bad use case faster than they say 'yes' to a good one — because a failed unbounded pilot poisons the whole account, and a small proven one earns the next ring.
Never argue whether AI is good. Argue what the baseline shows and what the pilot proved. Move every fight onto the evidence axis.
Don't ask the customer to trust autonomy. Show them blast radius is a setting — allowlists, hooks, sandboxing, audit. Earned, enforced, not hoped.
One proven ring beats ten promised ones. Say no to 'AI everywhere' faster than yes to a clean slice. Expansion is the reward, not the plan.
"My job isn't to make your risk disappear — it's to make it small enough to measure, and then to earn the next ring of autonomy with evidence. I'll say no to a bad use case faster than I'll say yes to a good one."
If you remember nothing else: lead with where work waits, name what must hold, scope the smallest proof, and expand only as fast as the evidence allows. That sentence is the spine, the mindset, and the close — all at once. Everything else is detail hung on that frame.
Close the loop the way you'd close a customer: not with a feature, but with the recurring message. Find where work waits. Name what must hold. Earn each ring with evidence. You can be interrupted, doubted, and dragged off-script — and still land there. That's what 'fluent' means, and that's what walks you through the door.