"Tell me about a time you had to lead a security review or white-box assessment of a newly launched REST API when the scope, risks, or documentation were incomplete. How did you decide what to test first, align the right people, and communicate findings through remediation?"
