Recruiting to Mandiant

A while back I went through a recruiting loop at Mandiant, thinking it would be an upgrade. Some time has passed and the role has probably been filled by now. Writing it down before I forget.

TLDR: organisational chaos, two recruiter sick-leave no-shows, multiple last-minute interview cancellations, unresponsive comms, and a final interview where the scheduled architect was absent and a random manager from a different department took his place.

Why I applied

Mandiant is the canonical name in the space. Their reports for APT1, APT28, TRITON, and SolarWinds, the fact that they are part of mighty Google. Crossing over to do TI full-time, from the inside of the company that publishes M-Trends, felt like the obvious next step.

So I took the call.

Timeline

| When | Event |
|---|---|
| Jan 30 | Initial outreach. "Greetings from Google, Stockholm." |
| Feb 9 | Recruiter screen #1. No-show. Sick-leave OOO auto-reply. |
| Feb 17 | Recruiter screen #2. Rescheduled by them, my availability not asked. |
| Feb 20 | Invited to the technical assessment. |
| Feb 23 | Assessment delivered. |
| Mar 3 | Positive feedback. Two HM interviews scheduled for Mar 6. |
| Mar 6 | HM 1 (technical lead). Canceled 12 minutes before start. |
| Mar 9 | HM 2 (senior hiring manager). Completed. |
| Mar 10 | HM 1 attempt 2. Canceled. Second sick-leave OOO. |
| Mid March | HM 1 attempt 3. Wrong meeting link. Substitute interviewer. |
| Late March | Two weeks of radio silence, then rejection. |
| Next day | Same job ad reappears on LinkedIn. |

The screening

Not much to say about the screenings themselves. Sick leaves, no-shows, shit happens.

What was interesting was the pace. Quick, do this. Short, say that. Not many questions outside work experience.

The recruiter said she expected questions. Later, when I emailed her twice with mine, none got answered. Totally ignored, while she replied to other parts of the same email.

The technical assessment

| # | Topic | Format |
|---|---|---|
| 1 | RFI: Compromise of a financial service | Full client-style RFI |
| 2 | Ransomware affiliate cluster briefing | Threat actor profile |
| 3 | Assessment on threat objectives | Comparative analysis |
| 4 | Hypothesis on TTPs used by an APT | Hypothesis-led writeup |

Rules:

  • No AI allowed. Not sure how they would detect it tho, Shadowbane maybe?
  • Minimum text.
  • Use trustworthy sources.

It took me 33 hours to do it. I focused on one objective at a time and progressed through.

RFI: Compromise of a financial service

Three inputs, three trust tiers. Open-source news on the intrusion. A closed-source forum screenshot (paid registration to read it). A private-source screenshot one degree closer to the action.

Triage first. Not everything is signal. Some sources recycle others with embellishment.

The data spans days and weeks. The job is to build the timeline. Why X happened after Y. What's cause, what's coincidence. What's the actor's actual decision versus an analyst's after-the-fact rationalisation.

The client's question stays visible the whole time: what happened, how does it affect them. Everything in the writeup serves that or gets cut.

Ransomware affiliate cluster briefing

Input was a question. "We saw threat actor X in the news. Brief us." Two audiences, executive and technical. Five to ten minutes total. The hardest part is picking what actually matters.

The actor was a ransomware operator running double extortion. The work was lighter than it could have been because the public reporting is well-covered. Mandiant, Recorded Future, and Intel 471 have all already done the heavy lifting.

Assessment on threat objectives

Comparative analysis. Two actor types, side by side. Where the differences land in motivation and in resources.

How an APT operator running for a nation-state is dangerous in a different way than a ransomware operator running for money.

Same target, two different risk profiles. Same defenders, two different programmes of work.

Hypothesis on TTPs used by an APT

The hardest of the four. Also the most rewarding.

A specific event from the modern Russo-Ukrainian conflict. Russia has used hybrid attacks, false flags, and cyber operations against Ukrainian critical infrastructure throughout. In one of those, the APT did something unusual: stepped down from their bespoke kit and reached for something publicly available.

The question: why?

Three arguments for the hypothesis. Three arguments against. Time limit. Word limit.

The hard part was that the answer wasn't in the public reporting. Plenty exists on the conflict, on the actor, on this specific operation. None of it explained the choice in the terms the prompt was asking. I had to assemble the case myself: pull primary-source facts, form the hypothesis, structure the argument so the for-side and against-side both held up.

The for-and-against structure is what made it work. It's harder to write three arguments against your own conclusion than three for it. That's also where the writeup starts being worth reading.


I submitted the reports after writing them non-stop for two days, breaking only for sleep.

The feedback was positive: "We would love to speak to you again. Let's book Googliness and Leadership interviews with hiring manager 1 and 2."

That's where things turned sideways.


The two hiring manager interviews got rescheduled four times across two weeks.

HM 2: Leadership

Met the senior hiring manager. They acknowledged the offensive background straight away and asked the right question: how does your TI volume compare to someone who's been doing TI full-time for five years? Fair. The honest answer is "less, but the work goes deeper per engagement than a generalist".

The conversation was the kind I'd hoped the loop would be throughout. Direct. Technically engaged. Specific.

HM 1: Googliness

Canceled twice. On the third attempt I sat in the active Google Meet link for 8 minutes with no one joining. Guessed they were in the old, canceled link instead. Swapped to it. Was let in.

The scheduled senior architect, call him Frank, was absent. In his place was a random manager, call him Bob, from a different department.

Bob was visibly disengaged. Monotone, uncomfortable, no follow-ups.

Questions I actually received: all of them can be found on the Google Careers site, but here are two: "Explain how you improved something" and "Tell me about a time you made a mistake or failed."

When I asked for feedback, the manager flat-out refused. Because of this, I thought the process was over.

The aftermath

Two weeks of radio silence after HM 1.

Emailed both recruiters for status. Got two out-of-office auto-replies back.

Then suddenly, on a Friday evening: "Great news Denny! We are happy to inform you that your profile will be presented to the client. Stay tuned!"

Then the rejection landed on Monday. According to the recruiter, the client picked someone with deeper TI experience.

The same job ad reappeared on LinkedIn the next day.

What I took from it

Two threads worth pulling.

On the rejection

The technical deliverables were praised, and the senior HM's stated reason was depth of TI experience – a fair gap to flag, and one I named myself in that conversation. But the client was a government institution, and in that context background and country-of-origin filters are common enough that I can't rule them out as the actual deciding factor. I'll never know which it was.

What I do know is that the second possibility is the one I can't do anything about. Being born in a country I left in childhood and have no ties to – one currently ruled by a bunker-dwelling gopnik so paranoid his staff collects his feces to prevent analysis, and who wages war on neighboring Ukraine – is a line on my CV that some clients will weight more heavily than anything I've actually done. That's the part that stings, regardless of which factor decided this particular loop.

On the process

The pattern in the timeline is the more interesting part. A single sick leave is fine. Two sick leaves, four reschedules, a substitute interviewer from a different team, ignored questions, and out-of-office auto-replies as the final correspondence isn't bad luck – it's the company showing you how it operates day to day.

The TI work that comes out of Mandiant is excellent. I've read a lot of it. The process that hires the people who write it is something else. The technical bar was high and clear.

The operational bar was visible too. Between them, you have enough to know whether you'd want to join – even if the answer had been yes.