QA & Software Testing Interview Questions

739+ interview questions drawn from every lesson across the bootcamp — organised by career level so you can focus your prep where it matters most.

How to use this page: Answer each question out loud before reading the lesson. Open the linked page if you’re not confident — every lesson has a worked answer. Use the Guru button (“?”) for coaching on any question.

What NZ interviewers ask

Most QA interviews test three things: technical knowledge (can you explain the concept?), practical experience (can you give a real NZ-context example?), and judgement (what would you do when rules conflict or requirements are vague?). The questions here build the first layer. The lessons they link to build the second and third.

For NZ government roles specifically, expect questions about Privacy Act 2020, the Web Accessibility Standard 1.2 (WCAG 2.2 AA), NZISM, and how you approach testing when documentation is thin. For banking and fintech, expect AML/CFT, PCI DSS, and open banking API testing questions.

Grad — First Principles

Accessibility Basics

Q1. What is the minimum colour contrast ratio required by WCAG 2.2 AA for normal body text?
Q2. Name three ways a user who cannot use a mouse might navigate a webpage.
Q3. What does "alt text" do and when would you leave it empty?

Agile for Testers

Q1. What is the difference between a user story and an acceptance criterion?
Q2. What happens if a story is not finished by the end of a sprint?
Q3. What is the tester's role in a three amigos session?

Basic Exploratory

Q1. What is exploratory testing, and how is it different from scripted testing?
Q2. You have one hour to explore a new feature. What do you do first?
Q3. How do you decide what to test when there is no test plan or specification?

Copy Review

Q1. What are you checking when you test copy on a web page?
Q2. You find a typo in a button label on a production website. How do you report it?
Q3. Why would a tester be involved in reviewing copy, not just functionality?

DevTools for Testers

Q1. How would you use browser DevTools to verify that an API call is being made correctly?
Q2. What can the Console tab in DevTools tell you about the health of a page?
Q3. You notice a page is slow. How would you use DevTools to identify the cause?

Email & Notification Testing

Q1. What would you test for an automated email confirmation sent after a user registers?
Q2. How do you test email without sending real emails to real users during testing?
Q3. An email contains a link that expires in 24 hours. What test cases would you write?

How Projects Are Delivered

Q1. What is the difference between waterfall and agile delivery, from a tester's perspective?
Q2. What is the Definition of Done and why does it matter to testers?
Q3. What is a regression bug, and how does continuous integration help prevent regressions?

Link & Button Check

Q1. What would you check when testing a set of navigation links on a webpage?
Q2. You find a button that does nothing when clicked. How do you investigate and report this bug?
Q3. What is the difference between a 404 error and a 500 error?

Mobile & Responsive Testing

Q1. What is responsive design, and what are the key things you test for it?
Q2. Why is it important to test on real devices, not just browser DevTools device emulation?
Q3. What should you do if a feature works on desktop but not on mobile?

The SDLC & Where Testing Fits

Q1. At which stage of the SDLC is it cheapest to fix a defect, and why?
Q2. What is UAT and who is responsible for it?
Q3. What is the difference between verification and validation?

Security Testing Basics

Q1. What is SQL injection, and how would you test a login form for it?
Q2. What is the difference between authentication and authorisation?
Q3. Why should you never log sensitive data like passwords or credit card numbers?

Smoke Testing

Q1. What is a smoke test and when do you run one?
Q2. How is a smoke test different from a regression test?
Q3. You are the only tester on a project and you have 10 minutes before a release. What do you test?

Spec vs Reality

Q1. You are testing a form and notice the spec says the field maximum is 100 characters, but the form accepts 500. Is this a bug?
Q2. A specification says the button should be blue. In production it is teal. Is this a bug worth reporting?
Q3. How do you know what the expected behaviour of a feature should be when the specification is ambiguous?

Static Testing

Q1. What is static testing, and what does it find that dynamic testing cannot?
Q2. You are reviewing a colleague's test cases. What would you look for in a good test case?
Q3. What is a code review, and why should testers care about it?

Test Case Writing

Q1. What is the difference between a test case and a test step?
Q2. A test case says "enter valid data in all fields and click Submit." What is wrong with this?
Q3. When would you write a positive test case and when would you write a negative test case?

Testing Mindset

Q1. What is a "testing mindset" and how is it different from a development mindset?
Q2. A developer tells you "I tested this myself, you do not need to check it." How do you respond?
Q3. You find a bug 30 minutes before a production release. What do you do?

Visual Review

Q1. What is visual testing and what kinds of defects does it find that functional testing misses?
Q2. You notice a pixel-level misalignment in a design. Is it worth reporting?
Q3. How do you test visual responsiveness across many screen sizes efficiently?

Write It Down

Q1. What should a bug report contain, and why does each element matter?
Q2. A developer cannot reproduce a bug you found. How do you approach this?
Q3. Why is it important to document your testing, even when everything passes?

Junior — Core Skills

API Testing Fundamentals

Q1. Why should you test APIs directly instead of only through the frontend?
Q2. What tools would you use to test an API?
Q3. What makes a good API test case?

Boundary Value Analysis

Q. "How is boundary value analysis different from equivalence partitioning?"
Q. "When would you use 3-value BVA instead of 2-value?"
Q. "Can you apply BVA to non-numeric boundaries?"

Database & SQL Testing Fundamentals

Q1. Why must you test the database directly instead of trusting the UI?
Q2. What tools do you use to access a database?
Q3. What's the difference between NULL and an empty string? Why does it matter?
Q4. You discover that a date was stored in the database as 2026-04-24 but the form showed 24/04/2026. Is this a bug?

Decision Table Testing

Q. "How is a decision table different from writing test cases ad-hoc?"
Q. "When should you collapse rules in a decision table?"
Q. "How do you handle decision tables with too many conditions?"

How to Write a Defect Report

Q. "What makes a good bug report?"
Q. "You discover a bug that can only reproduce on your machine. What do you do?"
Q. "How would you decide between marking a bug Critical vs. Medium?"

Equivalence Partitioning

Q1. What is equivalence partitioning?
Q2. How many test cases would you write for a password field with length 8–20 characters?
Q3. Why do we test invalid partitions separately?
Q4. Can EP be used for non-numeric inputs?

Error Guessing

Q1. What is a fault attack?
Q2. When is error guessing most effective?
Q3. How does the SFDPOT heuristic help with error guessing?
Q4. Can a junior tester use error guessing effectively?

Error Message Quality

Q1. What makes a good error message?
Q2. What WCAG 2.1 criteria apply to error messages?
Q3. What is wrong with saying "Please enter a valid zip code" in a New Zealand form?

Exploratory Testing

Q1. How is exploratory testing different from ad-hoc testing?
Q2. What is SBTM and why does it matter?
Q3. When would you choose exploratory testing over scripted testing?
Q4. What does PROOF stand for in a debrief?

Form Validation Testing

Q1. Why must you test backend validation even if frontend has it?
Q2. What HTML5 attributes help with form validation?
Q3. How do you bypass frontend validation during testing?

Git & GitHub for Testers

Q1. How do you test a feature that is in a pull request?
Q2. What is a branch and why do developers use them?
Q3. What is the difference between main and a feature branch?
Q4. Why is testing before the merge better than testing after?

Psychology of Testing

Q. "What is the difference between a developer testing their own code and an independent tester?"
Q. "How would you report a bug you found without offending the developer who wrote it?"
Q. "Can you give an example of confirmation bias affecting testing?"

State Transition Testing

Q1. What is state transition testing and when would you use it?
Q2. Why are invalid transitions important?
Q3. What is the difference between a state and a screen?

Test Coverage Planning

“I hand you a user story for a registration form. Walk me through how you decide what to test.”
“How do you know when you’ve tested enough?”
“You learned several test design techniques in training. How do you choose between them on a real task?”

Test Levels

Q. "What's the difference between unit testing and integration testing?"
Q. "When would you skip a test level, and when would you never skip it?"
Q. "How is acceptance testing different from system testing?"

Test Types

Q. "What's the difference between a test type and a test level, and why does it matter?"
Q. "Give me an example of non-functional testing and why it matters."
Q. "How would you explain the four test types to someone who's never heard of them?"

The 7 ISTQB Testing Principles

Q. "Why do testing principles matter if they seem obvious?"
Q. "What is the most important principle and why?"
Q. "How would you explain principle #7 to a non-technical stakeholder?"

Use Case Testing

Q1. What is use case testing and when would you use it?
Q2. What are the three flow types in use case testing?
Q3. How many test cases should you derive from a use case?

Senior — Advanced

Accessibility Testing

Q. "How do you test with a screen reader?"
Q. "What percentage of accessibility issues can automated tools catch?"
Q. "What is 'shift left' in accessibility?"
Q. "What are the WCAG 2.1 levels and which should we target?"

Advanced Exploratory Testing & SBTM

Q. "What goes in a session debrief?"
Q. "How do you measure coverage in exploratory testing?"
Q. "How do you balance exploratory testing with automation?"
Q. "What makes a good charter?"

AI Model Validation & ML Testing

"Have you tested machine learning models? What was your testing strategy?"
"How would you test for bias in a hiring recommendation model?"
"A model's test accuracy is 98%, but production accuracy dropped to 85%. What could cause this and how would you investigate?"

Advanced API Testing Patterns

Q. "How do you test a stateful workflow across multiple API endpoints?"
Q. "How do you test an async API with webhooks?"
Q. "What is contract testing and why is it important?"
Q. "How do you balance performance testing with security testing at the API layer?"

BDD & Gherkin Fundamentals

Q. "What's the difference between BDD and traditional test automation?"
Q. "Who writes the Gherkin scenarios?"
Q. "How do you handle flaky BDD tests?"
Q. "How do you maintain BDD scenarios over time?"
Q. "What's the ROI of BDD vs traditional test automation?"

Coverage-Based Testing

Q. "What's the difference between branch and condition coverage?"
Q. "A developer says they have 100% unit test coverage. Should you still do exploratory testing?"
Q. "How do you decide which coverage metric to target?"
Q. "What do you do when path coverage is infeasible?"

Advanced Database Testing & Data Integrity

Q. "How do you test data integrity in a system with triggers and stored procedures?"
Q. "You discover that a schema migration will block production for 2 hours. What do you do?"
Q. "How do you ensure data consistency when the system spans multiple databases or microservices?"
Q. "What are the NZ Privacy Act 2020 implications for database testing?"

Error Recovery Testing

Q. What does idempotent mean and why does it matter for error recovery?
Q. How would you test a payment gateway timeout scenario?
Q. What metrics do you use to measure error recovery?
Q. Describe the circuit breaker pattern and how you would test it.

Reading Logs & Stack Traces

Q. Walk me through how you would debug a 500 error a user reported.
Q. What would you do if logs are missing or not configured?
Q. How do you differentiate between a user error and a system bug?
Q. What information would you include in a bug report about a backend error?

Message Queue & Event-Driven Testing

Q. "How do you ensure exactly-once processing with at-least-once delivery?"
Q. "What's your strategy for testing async consumers?"
Q. "How do you handle dead letter queues and poison pills?"
Q. "How do you test message ordering?"

Microservices Testing

Q. "How do you test service contracts?"
Q. "How do you handle service timeouts and cascading failures?"
Q. "How do you test eventual consistency?"
Q. "What's your strategy for testing with Docker Compose locally?"

NZ Privacy Act 2020 Testing & Compliance

Q. "We're GDPR-compliant, so we're GDPR-compliant under NZ Privacy Act too, right?"
Q. "How do you test data retention policies?"
Q. "A customer in NZ and one in the EU. Which privacy law applies to each?"

NZ Timezone & Daylight Saving Testing

"Have you tested for daylight saving edge cases? Give an example."
"What is the most common timezone bug you have seen?"
"How do you test scheduled tasks that might be affected by DST?"

Performance Testing Deep Dive

Q. "How do you establish a performance baseline?"
Q. "How do you approach profiling a slow application?"
Q. "What's the difference between load testing and stress testing?"
Q. "How do you prevent performance regressions?"

Requirements & Acceptance-Criteria Review

“A PO hands you a one-line user story and asks for an estimate. What do you do?”
“How do you make a vague requirement like ‘the system should be fast and secure’ testable?”
“Tell me about a time finding a defect early saved real cost.”

Responsive & Cross-Browser Testing

Q. How do you decide which browsers and devices to test?
Q. What is the iOS safe area inset and why does it break modals?
Q. When would you automate cross-browser testing versus doing it manually?
Q. What is prefers-reduced-motion and why test it?

Root Cause Analysis & Blameless Post-Mortems

“A production bug just got fixed. As the tester, what do you do next?”
“Walk me through how you’d run a 5 Whys without it turning into finger-pointing.”
“What makes a post-mortem action item good or useless?”

Advanced Security Testing

Q. How do you approach security testing beyond running a DAST scanner?
Q. How would you test for second-order injection vulnerabilities?
Q. What are the key differences between security testing for NZ government and NZ health-sector projects?
Q. How do you ensure a DAST scan is audit-grade evidence for a compliance review?

Session & Authentication Testing

Q. What is an IDOR vulnerability and how would you test for it?
Q. How do you test session timeout behaviour?
Q. What is the difference between authentication and authorisation?
Q. How would you test an OAuth 2.0 login integration?

Test Lead

AI Agent Testing

"Have you tested an AI agent? What was your approach?"
"What is the most important thing to test in an AI agent?"
"How would you design a test plan for an agent that makes financial transactions?"

API Testing

Q1. How do you test an API with no documentation?
Q2. How do you ensure API tests are maintainable as the API evolves?
Q3. What's your approach to testing API performance?
Q4. How do you handle flaky API tests?

Coaching & Leadership

Q1. How do you handle a high-performer who wants to move to development?
Q2. Describe how you would run a 1-on-1 with a struggling junior tester.
Q3. How do you build a quality culture in a team that sees testing as a bottleneck?
Q4. A team member is resistant to automation. How do you coach them?

Configuration Management for Testing

Q1. Describe a time you implemented version control or configuration management. What was the resistance, and how did you overcome it?
Q2. How do you prove that a build released to production was actually tested?
Q3. A developer says, "We do not have time for all this CM bureaucracy." How do you respond?

Data Integrity Testing

Q1. How do you verify a database migration was successful?
Q2. A migration passes row count and sum checks, but users report missing data. Where do you look first?
Q3. How do you test data integrity in a microservices architecture where multiple services write to the same data store?
Q4. What is your approach to testing audit trails?

Entry and Exit Criteria

Q1. Tell me about a time you had to hold the line on exit criteria despite pressure to release early.
Q2. How do you handle disagreement about whether exit criteria have been met?
Q3. What do you do if exit criteria become unrealistic during the project?

Metrics & Reporting

Q1. What happens when you set "100% test case execution" as a hard target?
Q2. How do you report testing status to a non-technical executive?
Q3. Which test metrics do you consider leading indicators versus lagging indicators?
Q4. How do you handle a stakeholder who dismisses your quality red flag because "the metrics look fine"?

Organisational Change Management for Testers

“Tell me about a time you drove a change a team resisted. How did you get buy-in?”
“A developer tells you they don’t have time to write tests. What do you say?”
“How do you communicate the value of testing to non-technical managers and executives?”

Release Management & Deployment Testing

Q1. Tell me about a release that went wrong and how you handled it.
Q2. How do you ensure a canary doesn't cause a cascade failure?
Q3. What would you do if the database migration required during release can't be rolled back?
Q4. How do you coordinate a deployment across multiple services?

Security Testing

Q1. What's the difference between vulnerability scanning and penetration testing?
Q2. How do you prioritise which security findings to fix first?
Q3. How do you convince a product owner to invest in security testing?
Q4. What is "shift-left" security and how do you implement it?

Test Environment Management

Q1. Tell me about a time when environment drift caused a test failure that production didn't have.
Q2. How do you manage test data across environments?
Q3. What would you do if third-party staging APIs are often unavailable?
Q4. How do you ensure a newly provisioned environment is ready for testing?

Test Estimation

Q1. How do you estimate when there's no historical data?
Q2. A project manager demands a single date, not a range. How do you handle it?
Q3. How do you prevent estimates from becoming self-fulfilling overruns?
Q4. What estimation factors are unique to testing (as opposed to development)?

Running the Three Amigos

Q. "How do you handle disagreement in a Three Amigos session?"
Q. "Can you run Three Amigos remotely or async?"
Q. "What if the developer or QA isn't available for the meeting?"
Q. "How do you measure if Three Amigos is working?"
Q. "What's the difference between Three Amigos and a requirements review?"

Introducing a Test Tool

Q1. Describe a tool introduction that failed. What would you do differently?
Q2. How do you measure whether a tool introduction was successful?
Q3. A team is resistant to adopting a new tool. How do you respond?

Test Manager

Building a Quality Centre of Excellence

Q1. Tell me about a CoE you built or led. What succeeded and what would you do differently?
Q2. How do you get teams to adopt CoE standards when they are resistant?
Q3. How do you prevent a CoE from becoming a bottleneck or a bureaucracy?
Q4. How would you handle geographic distribution or remote/hybrid teams in a CoE?

Māori Data Sovereignty & Te Tiriti Testing

"Have you tested systems that handle sensitive community data? How did you approach it?"
"What is Māori data sovereignty, and why should a test manager care about it?"
"What would you do if the development team wanted to launch a system without a formal partnership agreement with the Māori community providing data?"

Automation — Junior

Running & Reading Results

Q1: Your test passes locally with `npm test` but fails in CI with exit code 1. What's the first thing you check? Reproduced the failure using the exact CI command locally: `npm run test:ci`. This runs tests in the same environment and configuration as CI. If it still fails, it's a real bug. If it passes, it's a CI-specific issue (different browser version, network, timing). Q2: Your Playwright test report shows 'Test flaky: failed then passed on retry.' You're running CI with automatic retries. Should you merge? No. Flakiness is a real bug that retries are hiding. Investigate why it's flaky: is a selector timing out? Is a network call slow? Is a mock inconsistent? Fix the root cause, don't rely on retries. Retries mask instability. Q3: A test fails in the HTML report, but you need to know exactly what assertion broke. Where do you look? Open the HTML report, find the failed test, and look at the failure screenshot. Playwright also shows the line number of the failing assertion and often the actual vs expected values. If that's not enough, check the test trace file for a frame-by-frame replay. Q4: Your Trade Me checkout test reports exit code 0 but the team says 'the checkout feature is broken.' How? Exit code 0 means all tests passed. But if your test coverage is incomplete or your assertions are weak (not actually checking the right behaviour), a broken feature can hide. Review what your test actually asserts—is it checking that money moved, that an order was created, or just that a button clicked? Why teams fail here

Setup & Environment

Q. "A new teammate clones the repo and the tests fail immediately. What's your first debugging step?"
Q. "Why should setup take under 15 minutes on a fresh machine?"
Q. "What's the difference between installing packages globally vs. in a virtual environment?"
Q. "How would you document setup for a Windows user if you normally work on Mac?"

Automation — Mid-Level

API Test Automation

Q1. "How do you handle authentication in an API test suite?"
Q2. "What is contract testing, and how is it different from API testing?"
Q3. "How do you test an API that depends on a third-party service?"
Q4. "Describe your approach to testing a POST endpoint that creates a resource."

Async Flakiness & Determinism

“One of our tests fails maybe one run in ten, only in CI. How would you approach it?”
“Why not just set retries: 2 and move on?”
“What makes a test suite deterministic by design?”

BDD & Gherkin for Automation Engineers

Q1. "Walk me through how you'd introduce BDD to a team that's currently doing manual testing with Word documents."
Q2. "What's the difference between a Gherkin step and a step definition?"

CI Basics

Q1. "Describe a time a CI pipeline change broke your workflow. How did you fix it?"
Q2. "How do you prevent flaky tests from breaking CI?"
Q3. "What is your approach to secrets and credentials in CI?"
Q4. "How would you reduce a 25-minute CI pipeline to 8 minutes without losing coverage?"

Debugging Failures

Q1. "A test fails only in CI but passes locally. How do you debug it?"
Q2. "What is your approach to a suite with 10% flaky tests?"
Q3. "How do you decide whether a failing test is worth fixing versus deleting?"
Q4. "What artifacts do you configure your test runner to keep on failure?"

Page Object Model

Q1. "How does POM differ from the Screenplay Pattern?"
Q2. "Our UI changed and fifty tests broke. How would POM have helped?"
Q3. "How do you handle shared components like a header that appears on every page?"
Q4. "What is the trade-off of using POM in a small project?"

Test Data Management

Q1. "Describe a test data problem you solved. What was the root cause?"
Q2. "Where should API keys and database passwords live in your test suite?"
Q3. "How do you test code that uses production data without violating privacy?"
Q4. "Your test suite runs in parallel but is intermittently failing with 'foreign key constraint violation.' What do you check?"

Visual Regression Testing

Q1. "How do you prevent visual regression tests from becoming flaky?"
Q2. "What would you do if every PR starts failing visual regression because designers make frequent intentional UI changes?"

Automation — Senior

Observability & Telemetry

Q. "Your test failed with 'Connection Timeout.' How do you quickly determine if it's an app bug or infrastructure?"
Q. "Your test dashboard shows a 'spike' in latency at 2 AM every night. Tests still pass. Is this a problem?"
Q. "What information should you capture in a test failure that helps you debug faster?"
Q. "Your backend team says 'We don't emit traces yet.' Should you skip telemetry?"

Performance Test Automation

Q. "Your baseline p95 is 200ms. A PR brings it to 220ms (10% regression). Do you fail the build?"
Q. "You detect a performance regression two weeks after deployment. How do you find the culprit?"
Q. "You notice tests pass but production p99 latency is 2x staging. What's wrong?"
Q. "What metric do you care more about: p95 latency or error rate?"

Security Automation in CI

“We have a yearly pen test. Why would you add security scanning to the pipeline as well?”
“A developer says the security gate is too noisy and wants it turned off. What do you do?”
“Where would you place a DAST scan in the pipeline, and what would you scan against?”

Synthetic Data Engineering

Q: When would you choose data masking over synthesis, and when the opposite?
Q: You're generating 10 million synthetic customer records with 20 related order records per customer. How do you ensure referential integrity at that scale?
Q: Your ML model training pipeline uses synthetic data. How do you know if the synthetic distribution is close enough to production?
Q: A teammate says: "Let's just snapshot the production database monthly and use that for testing instead of maintaining a generator." How do you push back?

Automation — Architect

Agentic AI & The Future of QE

Q. "How would you design an AI test agent for a large system?"
Q. "What are the risks of AI-driven testing?"
Q. "How do you handle hallucinations or false positives in AI testing?"
Q. "What's the difference between agentic and traditional automation?"

AI in Testing

Q. "What problems can AI solve in your test strategy?"
Q. "How would you measure ROI on AI testing adoption?"
Q. "What skills do teams need for AI-driven testing?"
Q. "What are the limitations of current AI in testing?"

Chaos Engineering

Q. "How do you design a chaos experiment that's safe to run in production?"
Q. "What's the relationship between chaos testing and traditional load testing?"
Q. "How do you measure the impact of a chaos test?"
Q. "What scenarios would you test with chaos engineering on a fintech system?"

Cross-Team Implementation

Q. "How would you implement testing practices across 5+ independent teams?"
Q. "What are the biggest blockers to consistent test automation adoption?"
Q. "How do you maintain test quality as you scale to hundreds of tests?"
Q. "How do you make the case for automation investment to leadership?"

Human-in-the-Loop AI

“How do you decide when AI can act autonomously in your testing pipeline?”
“Walk me through the guardrails you put around an AI test-generation tool.”
“Your CTO wants to replace half the QA team with AI. What is your response?”
“How would you meet the Algorithm Charter obligations for an AI-assisted testing workflow?”

Infrastructure as Code

Q. "How does IaC change your approach to test environment provisioning?"
Q. "What's the relationship between IaC and test data management?"
Q. "How do you handle secrets and credentials in IaC test environments?"
Q. "How would you test infrastructure code itself?"

Scalability Patterns

Q. "How do you scale test execution from 100 to 10,000 test cases?"
Q. "What's the cost of maintaining highly scalable test infrastructure?"
Q. "How do you balance test coverage with execution time at scale?"
Q. "What patterns would you use for distributed test execution?"

Technical Vision

Q. "What's your vision for the future of test automation?"
Q. "How do emerging technologies (AI, cloud, edge) change testing?"
Q. "How do you balance innovation with stability in test tooling?"
Q. "What would make testing a true competitive advantage?"

Automation — Test Lead

Tool Selection

Q. "We've selected tool X, but the team hates it. Performance is slower than our old tool, and the learning curve is steep. Half the team wants to switch back. How do you handle this?"
Q. "A vendor approaches with a 'limited-time' offer: $100K discount if you sign for 3 years today. No time for PoV. What do you say?"
Q. "You've just migrated to tool B. Three months in, a critical issue emerges that the vendor says is 'by design' and won't fix. How do you respond?"
Q. "Your evaluation matrix weights cost at 20% and team skill fit at 15%. The cheap tool scored highest, but the team preferred the expensive one. Which do you recommend, and why?"

AI Testing

Agent Testing

“How would you test an AI agent that can take actions in our systems, not just answer questions?”
“The agent reached the right result. Why might you still fail the test?”
“We want to swap the model behind our agent for a cheaper one. How do you decide if that’s safe?”

Deterministic-Consistency Testing

“How do you write a stable test for a system that gives a different answer every time?”
“A teammate marked an AI test as known-flaky with auto-retry. What would you say?”
“How would you test that an AI assistant is consistent, not just correct once?”

Human-in-the-Loop Sign-Off

“A team says their system is human-in-the-loop because a person approves every case. How do you test that claim?”
“How would you set and test an escalation threshold for an AI that makes decisions about people?”
“An applicant complains and the agency can’t explain how the AI-assisted decision was made. What went wrong, and what’s your role?”

Metamorphic Testing Relations

“How would you test an AI model when you don’t know what the correct output should be?”
“How would you find bias in an AI model that achieves 99% accuracy?”
“Your team says ‘we test our AI on 10,000 cases, that’s good enough.’ What would you add?”

Model Benchmarking

“How would you choose between two models for a production feature?”
“Our provider is upgrading the model next month. What do you do?”
“A stakeholder wants the highest-accuracy model regardless of cost. How do you respond?”

Neural Network Coverage Metrics

“Your model has 99% accuracy. Why would you still be concerned about test coverage?”
“How is neuron coverage different from traditional code coverage?”
“We are testing an LLM-powered chatbot. Should we use neuron coverage metrics?”

Prompt-Injection Testing

“What is prompt injection, and how would you test for it on our customer support assistant?”
“Our assistant blocks ‘ignore your instructions’. Are we safe from injection?”
“You found the assistant will print its system prompt on request. How do you report it?”

RAG Evaluation

“How would you test a retrieval-augmented chatbot beyond just reading its answers?”
“A RAG answer was factually correct but you marked it as failing faithfulness. Explain.”
“Our RAG system gives bad answers about half the time. Where do you start?”

Applying 42119 in a Real NZ Project

“Walk me through how you’d apply AI testing across a project, start to finish.”
“The developers and PM have never heard of 42119 and think it’s overhead. How do you bring them along?”
“Where is the AI testing standards space heading, and how do you keep your approach current?”

Audit-Ready Test Artefacts

“A regulator asks how our AI system was tested. What do you need to be able to show them?”
“What’s the difference between requirements traceability and risk-based traceability, and why does AI need both?”
“Our test report has no open risks listed — isn’t that a good thing?”

Bias and Fairness Testing

“How would you test an AI loan model for bias when we don’t collect ethnicity?”
“The data scientists say they’ve already de-biased the model. Is there anything left for you to test?”
“Which fairness metric should we use for our eligibility model?”

Data Quality Testing

“Our model scores 94% accuracy on the test set. Why would you still want to test the training data?”
“What is label correctness testing, and how would you do it on a fraud model?”
“How does the Privacy Act 2020 come into data testing for an AI model?”

Drift, Monitoring & Ongoing Testing

“Our model passed all its tests and is live. Why would you keep testing it?”
“What is concept drift, and can you give a NZ example?”
“Where does the tester’s role end and the MLOps engineer’s begin in monitoring?”

Model Testing

“A team tells you their model is 91% accurate and ready to ship. What do you ask next?”
“How would you set up testing so we catch model drift before customers do?”
“What is explainability testing and why would a tester care about it?”

Risk-Based AI Testing

“We have limited time to test three AI features. How would you decide where to focus?”
“A stakeholder says our model is 99% accurate, so it is low risk. How do you respond?”
“If you think a model is too risky to release, do you block it?”

Why AI Testing Is Different

“We’re building our first AI feature. Our regression suite is green. Why isn’t that enough?”
“What is model drift, and how would you test for it?”
“How does ISO/IEC 42119 relate to the 29119 testing you already do?”

Adopting GenAI in Your Test Organisation

Q: "How would you introduce AI-assisted testing to a team that has never used it?"
Q: "What would you include in an AI testing governance policy?"
Q: "How has the role of the tester changed with the introduction of AI?"

Managing AI Risks in Testing

"How do you handle AI hallucinations in your testing workflow?"
"What would you do if a team member suggested using a free public AI tool to generate test cases for a banking application?"
"How does the NZ Privacy Act 2020 affect your use of AI in testing?"

AI Test Data Management

"How would you manage test data for an AI-powered customer service chatbot?"
"What is data drift and how would you detect it in a production AI system?"
"A developer suggests using a real customer data dump to test the AI system because it is faster than generating synthetic data. How do you respond?"

GenAI Foundations for Testers

Q: "How would you explain what a large language model is to a non-technical stakeholder?"
Q: "What would you check before using an AI tool to generate test cases for a banking application?"
Q: "Can you describe a risk of using an AI model for testing and how you would mitigate it?"

LLM-Powered Test Infrastructure

Q: "What is RAG and how would it improve AI-generated test cases for your system?"
Q: "A developer asks why you are not just using a simple AI chatbot for test generation. What would you say?"
Q: "How would you manage the risk of an AI-generated regression suite degrading over time as the model or prompts change?"

Prompt Engineering for Testing

Q: "Describe how you have used AI to improve your testing process."
Q: "What techniques do you use to get consistent output from an AI model for testing?"
Q: "How would you explain the risk of AI hallucination to a project manager who wants to use AI for all test case generation?"

Technique Library

Accessibility Testing Automation

What automated accessibility checks can you include in a CI pipeline, and what percentage of WCAG issues do they typically catch?
A developer says our 98% Lighthouse accessibility score proves the site is accessible. How do you respond?
What is the difference between aria-label and aria-labelledby, and when would you test each?
Walk me through how you would test a custom dropdown component built with divs for accessibility.

Accessibility Testing (WCAG)

Q: What is WCAG 2.1 AA and why does it matter for a government project in New Zealand?
Q: If axe DevTools reports zero violations, can you sign off the page as accessible? Why or why not?
Q: A new React single-page application passes every automated check and every keyboard tab-through on individual pages, but screen-reader users report they cannot tell when they have navigated to a new screen. What is happening and how do you test for it?
Q: When would you advise a product team NOT to run a full accessibility test pass on a sprint, and what lightweight alternative would you propose?
Q: A developer argues that adding ARIA roles to all custom components is sufficient for accessibility. How do you respond?

API Mocking & Stubbing

What is the difference between a mock and a stub, and when would you use each?
When should you NOT mock an API dependency, and what are the risks of over-mocking?
How does WireMock differ from Pact, and when would you choose one over the other?

API Testing

Q: What is API testing and why do we use it instead of just testing through the UI?
Q: What is the difference between a 401 and a 403 response, and why does it matter in practice?
Q: Walk me through how you would test a new POST /payments endpoint on a KiwiSaver provider API. What scenarios would you cover?
Q: Your team is under time pressure and wants to skip the negative test cases for the new ACC claims API. How do you respond?
Q: When would you NOT write API tests for a system that has APIs, and how do you decide?

Blockchain Testing

"How would you approach testing a smart contract if you are not a Solidity developer?"
"A team says 'it is on the blockchain so it must be correct and final'. How do you respond?"
"What is the biggest source of user-facing bugs in a blockchain product, in your experience?"

Boundary Value Analysis

Q: What is Boundary Value Analysis and why do testers bother with it when Equivalence Partitioning already covers the same input ranges?
Q: A KiwiSaver contribution-rate field accepts whole percentages from 3 to 10 inclusive. Walk me through your 2-value BVA test cases and explain what bug each boundary pair is designed to catch.
Q: You are testing an IRD income-threshold field where a penalty applies above $48,000. The developer says the UI already blocks anything over five digits, so the just-above boundary value is impossible to enter. How do you respond?
Q: When would you recommend 3-value BVA over 2-value BVA for an ACC or MSD system, and are there situations where you would skip BVA entirely even though a numeric boundary exists?
Q: A developer on your squad pushes back every sprint, saying boundary tests are redundant because “no real user enters $10,001.” How do you build team-wide adoption of BVA without it feeling like a bureaucratic checkbox?

Branch Coverage

Your team has 85% branch coverage but users are still reporting production bugs. What does this tell you?
What is the difference between statement coverage and branch coverage, and why does it matter?
When is 100% branch coverage insufficient for a safety-critical component?

Canary & Progressive Deployment Testing

Walk me through how you would validate a canary deployment before rolling it out to 100% of traffic.
A canary deployment shows a 2% increase in error rate compared to the baseline. How do you decide whether to proceed?

Cause-Effect Graphing

Explain what cause-effect graphing is and how it differs from a decision table.
When would you choose cause-effect graphing over pairwise testing for combinatorial test design?

Chaos Engineering & Resilience Testing

What is the difference between chaos engineering and traditional resilience testing?
How do you determine whether it is safe to run a chaos experiment in production?
What is the difference between fault injection and chaos engineering?

Checklist-Based Testing

What makes a testing checklist effective, and what makes it become a liability?
How do you prevent checklist compliance from replacing actual test thinking?

Compatibility Testing

How do you decide which browser and device combinations to test? You cannot test everything.
A cross-browser visual regression test keeps failing on Safari due to sub-pixel rendering differences. How do you handle this?

Compliance & Privacy Testing

Under the NZ Privacy Act 2020, what test cases would you write for a new user registration form?
A developer says the privacy impact assessment is done and approved — no privacy testing needed. How do you respond?
What is the difference between data masking and data anonymisation for test data, and why does it matter for NZ Privacy Act compliance?

Condition Coverage

What is Modified Condition/Decision Coverage (MC/DC) and why do aviation standards require it?
How does MC/DC coverage differ from full combinatorial coverage, and what is the trade-off?

Contract Testing

Explain consumer-driven contract testing and why it is preferable to integration testing against a shared staging environment.
What is the difference between a Pact provider test and a Pact consumer test?
A provider team says adding contract testing will slow their CI by 20%. How do you make the case for it?

Decision Table Testing

Q: What is a decision table and why do we use it in testing?
Q: How many test cases does a decision table with three binary conditions produce, and can that number ever be reduced?
Q: Walk me through how you’d apply decision table testing to an IRD income tax rate rule where the rate depends on whether the taxpayer is a resident AND whether their income exceeds $70,000.
Q: When would you NOT use a decision table, even though a feature has multiple conditions?
Q: A developer on your ACC claims processing project says the failure columns in your decision table all hit the same error page, so you only need to test the approval column. How do you respond?

Defect Management

What makes a bug report actionable, and what are the most common reasons bug reports get ignored or rejected?
How do you decide whether to fix a bug now, defer it, or accept it as a known issue?
What does a healthy defect removal efficiency (DRE) look like, and how do you use it to improve the testing process?

Domain Analysis

How does domain analysis inform your test design on a new project in an unfamiliar domain?
You are assigned to test a new KiwiSaver management feature. What domain knowledge do you need before writing test cases?

Equivalence Partitioning

Q: What is equivalence partitioning, and why do we use it instead of testing every possible input value?
Q: A KiwiSaver contribution-rate field accepts whole percentages from 3 to 10. Walk me through the equivalence partitions you would define.
Q: When would you NOT use equivalence partitioning, even on a field that clearly has valid and invalid values?
Q: A developer tells you "we validate the field client-side in JavaScript, so invalid inputs never reach the server — you only need to test the happy path." How do you respond?
Q: A developer tells you the valid range for a KiwiSaver earnings field is "one partition" — all values behave the same. You suspect there are actually sub-ranges with different code paths. How do you investigate, and what would make you split the valid partition further?

Error Guessing

Q: What is error guessing, and how is it different from just randomly trying things in a system?
Q: When would you use error guessing on a project, and when would you not rely on it?
Q: You’re joining a team testing the IRD’s income tax return portal and have two days before go-live. How do you prioritise your error guessing?
Q: How does using a defect taxonomy improve error guessing compared to relying on a personal fault list alone?
Q: A developer on your team says senior testers should do error guessing but juniors should stick to scripted test cases from the spec. How would you respond, and what would you do differently as a lead?

Exploratory Testing Charters

Write a test charter for exploring a new patient appointment booking system at a NZ DHB.
How do you document an exploratory testing session without losing the freeform nature of the exploration?

Exploratory Testing

Q: What is exploratory testing, and how is it different from scripted testing?
Q: What is a charter in exploratory testing, and what makes a charter weak versus strong?
Q: You’re testing an IRD myIR tax return flow. The scripted regression suite is green and you have 90 minutes before the go/no-go call. How would you structure an exploratory session?
Q: When would you NOT use exploratory testing, even under time pressure with bugs expected?
Q: A developer argues, “Our testers know what they tested — we don’t need to document exploratory sessions.” How do you respond, and how would you introduce session reporting to a team that doesn’t currently use it?

Grey-Box Testing

What distinguishes grey-box testing from black-box testing, and when would you use each?
You are testing a payment processing service. What grey-box information would you request, and how would you use it?

Idempotency Testing

Why is idempotency important in payment APIs, and how do you test it?
A retry storm hits your API after a brief outage. How does idempotency protect users, and what do you need to test to verify that protection?

IoT Testing

What are the main categories of IoT device testing, and how do they differ from standard web application testing?
How would you test the firmware update process for a NZ smart meter that serves 100,000 homes?

Localisation & Internationalisation (i18n/L10n) Testing

What is pseudo-localisation and why is it useful?
What te reo Māori-specific issues should you test for in a NZ government application?

Model-Based Testing

Describe how you would use a state machine model to test a NZ government benefit application workflow.
What is the difference between model-based testing and property-based testing?

Pairwise Testing

A form has five dropdowns, each with four options. Why is exhaustive combinatorial testing impractical here, and how does pairwise testing help?
How do you handle constraints in pairwise testing — for example, where choosing one option invalidates certain combinations of other options?

Path Coverage

Why is 100% path coverage impractical for most software, and what do we use instead?
Symbolic execution claims to achieve path coverage automatically. What are its practical limitations?

Performance Testing Techniques

What is the difference between load testing, stress testing, and soak testing?
k6 shows your API has a p99 response time of 2.1 seconds under load. Your SLO is 2 seconds. How do you proceed?
What would you instrument to diagnose a performance regression between two releases?

Property-Based Testing

What is a property in property-based testing, and how does it differ from a test case?
Give an example of a good property for a function that applies a discount to a NZ GST-inclusive price.

Regression Testing

Your regression suite takes 45 minutes to run. The team wants to deploy multiple times a day. What do you do?
How do you decide which tests belong in a regression suite versus which to retire?

Risk-Based Testing

Q: What is risk-based testing and why do we use it?
Q: What is the difference between product risk and project risk, and which does a risk register address?
Q: You're testing an IRD income tax calculator. The developer scored their own module's likelihood as 2 out of 5 because they're confident in the code. How do you handle that?
Q: When would you NOT use risk-based testing, and what would you use instead?
Q: ACC is two weeks from launching a new online injury claim form. The schedule just got cut by four days. How do you use risk-based testing to manage the cut?

Smoke Testing

What should a post-deployment smoke test cover, and how long should it take?
A smoke test fails in production after deployment. What are your next steps?

State Transition Testing

Q: What is state transition testing, and why would you use it on a feature like a KiwiSaver withdrawal application?
Q: What are the three coverage levels in state transition testing, and which one would you target as a minimum for an IRD tax return workflow?
Q: A developer tells you the UI prevents users from triggering invalid transitions, so you don’t need to test them. How do you respond?
Q: When would you NOT use state transition testing, and what technique would you reach for instead?
Q: Your team inherited an ACC claims system with no state documentation. A new sprint adds a “Reopen” event to Closed claims. How do you approach testing it, and how do you get the rest of the team using state transition testing on a codebase like this?

Statement Coverage

Why can 100% statement coverage still leave significant bugs unfound?
Your manager asks why the team's 90% coverage metric did not prevent a production bug. How do you explain this?

Sustainable Testing

What makes a test flaky, and how do you diagnose and fix flakiness?
The team wants to keep all tests, no matter how old or slow, because "they might catch something." How do you make the case for test deletion?

Test Automation Design Patterns

What problem does the Page Object Model solve, and what are its limitations?
When would you use the Screenplay pattern instead of Page Objects?
What is the test automation pyramid, and why does it matter for sustainability?

Test Estimation

A project manager asks you to estimate the testing effort for a new feature in a codebase you have not seen. How do you approach this?
Your sprint has five stories and four days before the release. Testing is only one day behind development. What do you do?

Test Metrics & Reporting

What metrics do you track to show the quality of a test suite, not just the coverage percentage?
Your team is under pressure to show value to stakeholders. Which testing metrics would you present, and which would you avoid?

Test Planning

Q: What is the difference between a test strategy and a test plan?
Q: Why do we define entry criteria in a test plan, and what happens when teams skip them?
Q: You’re testing an IRD myIR portal release. Requirements are still being finalised two days before sprint testing is due to start. Walk me through how you handle that.
Q: A release deadline arrives and two P2 defects are still open in the ACC claims portal. The product owner wants to ship anyway. Your exit criteria say “all P2s resolved or formally risk-accepted with documented justification.” What do you do?
Q: When would you advise against writing a formal test plan? What’s the trade-off?

Usability Heuristics (Nielsen's 10)

Describe how you would apply Nielsen's heuristics to evaluate a new benefits application portal at WINZ.
How do you handle a disagreement with a designer who believes a heuristic violation is intentional and intentional?

Use Case Testing

How do you derive test cases from a use case document?
A 200-page use case specification has been handed to you three days before UAT begins. How do you prioritise?

Visual Regression Testing

What is the difference between functional testing and visual regression testing, and when do you need both?
How do you handle the problem of visual tests failing due to font rendering differences across environments?

Webhook Testing

What test cases would you include in a webhook integration test for a Stripe payment webhook handler?
How do you test webhook delivery in a local development environment?

WebSocket Testing

What is the lifecycle of a WebSocket connection, and what are the key test points at each stage?
How do you load test a WebSocket-based real-time system, and what metrics matter most?

Specialised Tracks

IAAP CPACC Foundations

Q1. What does CPACC stand for and what does it cover?
Q2. Name three disability categories covered by CPACC and a web accessibility implication of each.
Q3. What is the difference between CPACC and WAS and who should pursue each?

IAAP WAS — Web Accessibility Specialist

Q1. What is WAI-ARIA and when should you use it?
Q2. How do you test a custom dropdown for keyboard accessibility and screen reader compatibility?
Q3. What is the difference between WCAG 2.2 conformance levels A, AA, and AAA?

Keyboard-Only Testing

“If you had time for only one accessibility test on a new component, what would it be?”
“How do you test a modal dialog for accessibility?”
“A developer says they made a div accessible by adding role="button". What do you check?”

Screen-Reader Testing

“The page passed visual review and keyboard testing. Why would you still run a screen reader over it?”
“How do you judge whether an image’s alt text is good?”
“A developer can’t reproduce your screen-reader defect. How do you write it so they can?”

WCAG 2.2 AA in Practice

“Our pipeline runs an automated accessibility scan and it passes. Do we still need manual accessibility testing?”
“What level of WCAG do we have to meet for a NZ government service, and which version?”
“Walk me through how you’d test one component against WCAG.”

AML/CFT & Fraud Testing

“How would you test a new transaction-monitoring rule?”
“A fraud rule has a 95% detection rate. Why might that still be a bad rule?”
“What does the AML/CFT Act 2009 require, and how does that shape your testing?”

Core Banking & Ledger Testing

“You are testing a transfer feature. What do you check beyond the two account balances?”
“A customer says their balance showed $300 but their payment was declined. How do you investigate?”
“Why does cut-off time matter in settlement, and how would you test it?”

Open Banking & APIs

“How would you test an Open Banking account-information API?”
“A consent expires at 90 days. The cleanup job runs weekly. What is the bug and how do you prove it?”
“Why is a client-supplied customer ID dangerous in an Open Banking API?”

Payments Testing

“Walk me through how you would test a card payment end to end.”
“A customer says they were charged twice for one online order. What is your first hypothesis?”
“How does testing a real-time payment differ from testing a traditional bank transfer?”

PCI-DSS for Testers

“You are testing a checkout. What do you do specifically for PCI-DSS?”
“What is PCI scope, and how does a tester help keep it small?”
“A developer wants to log the full card number to debug failures. How do you respond?”

BBST Foundations

Q: What is the “oracle problem” in software testing and can you give an example from a NZ context?
Q: How do you design test coverage when you can’t test everything? Walk me through your approach.
Q: A developer says “all our automated tests pass, so we’re good to ship.” How do you respond?
Q: How do you mentor junior testers to move from script execution to genuine investigation?
Q: How does BBST thinking change your approach to test automation?

Testing Oracles & Heuristics

Q: What is a testing oracle, and can you give an example where a bad oracle caused a real testing failure?
Q: Walk me through SFDIPOT and explain how you would use it to plan oracle selection for a new feature.
Q: A developer says, “All our automated tests pass — the system is correct.” How do you challenge this using oracle theory?
Q: How do you incorporate oracle analysis into a test plan for an NZ government project where compliance is a mandatory deliverable?
Q: You are leading QA on a system migration where the oracle strategy is “new system matches old system”. What risks do you raise, and how do you mitigate them?

Three Amigos & Specification by Example

“What actually is BDD — is it just writing tests in Given/When/Then?”
“You are the tester in a Three Amigos session. What do you bring that the BA and developer do not?”
“Give me an example where a Three Amigos session would have stopped a real defect.”

Writing Good Gherkin

“A teammate writes Gherkin full of ‘click the button with id btnSubmit’. What is wrong with that, and how would you fix it?”
“When would you reach for a Scenario Outline versus a Background?”
“People say BDD gives you ‘living documentation’. What does that actually mean?”

Anatomy of a Great Bug Report

“Walk me through what makes a good bug report.”
“A developer keeps marking your bugs ‘cannot reproduce’. What do you do?”
“You found a crash on an admin screen only two people use once a year. How do you classify it?”

Logs, Console & Network Evidence

“A page shows ‘Something went wrong’ and nothing else. How do you investigate?”
“What is a correlation ID and how have you used one?”
“How do you report a bug you can only reproduce one time in ten?”

Data & Referential Integrity

“A merge job ran in production and now some policies have no owner. How would you have caught this in testing?”
“What is referential integrity, and why can you not assume it is enforced?”
“How do you test for defects that never throw an error?”

Migration & Schema-Change Testing

“How would you test that a data migration preserved the data correctly?”
“A column is being dropped from a busy table. What are you worried about?”
“Why insist on a rollback plan if the migration tested fine?”

SQL for Testers

“How would you verify that an address change in the UI actually saved correctly?”
“What is the difference between an inner join and a left join, and when does it matter to a tester?”
“Why is NULL dangerous in test queries, and how do you handle it?”

Test Data Management & Masking

“A developer wants to copy production into the test environment to get realistic data. What do you say?”
“What is the difference between masking, de-identification, and anonymisation?”
“How would you verify that a test environment refresh did not leak real data?”

Azure DevOps for Testers

“Our Azure DevOps pipeline is green but a broken change still reached production. Where would you look?”
“How would you wire a Playwright suite into Azure Pipelines so it actually gates a merge?”
“A team is choosing between Azure DevOps, GitHub Actions, and GitLab CI. What would you tell them as the QA voice?”

Canary & Blue-Green Validation

“Our canary passed its checks but users still complained the new version was slower. How did that happen?”
“How would you validate a blue-green release, and what is the riskiest part?”
“What does a tester actually own when releases are gated automatically by observability?”

Container & Kubernetes Testing

“Our pipeline tests pass on every build, but we still get failed production rollouts. Where would you look?”
“How would you test that a readiness probe is doing its job?”
“What is the value of ephemeral environments to a tester, and what is the catch?”

Feature Flags & Progressive Delivery

“We use feature flags everywhere. How does that change your test approach?”
“A feature was tested and worked, but caused an incident in production. It was behind a flag. What probably went wrong?”
“How do you stop feature flags becoming a maintenance and risk problem over time?”

Environment Strategy & Topology

Q1. What environments should a typical NZ enterprise project have and what is each for?
Q2. How do you manage configuration differences across environments without hard-coding values?
Q3. What is environment drift and how do you detect and prevent it?

Release Gates & Go/No-Go Decisions

Q1. What is a release gate and what authority is required to override one?
Q2. How do you define go/no-go criteria before a release?
Q3. What do you do when a release is blocked by a gate failure 24 hours before go-live?

Test Data in Environments

Q1. What are the risks of using production data in test environments and how do you mitigate them?
Q2. How do you reset test data between runs in a shared environment?
Q3. How do you test a feature requiring specific edge-case data that does not exist in any environment?

Microsoft Dynamics 365 Testing

“What is RSAT and how does it compare to Playwright for D365?”
“How do you handle test data reset between test runs in D365?”

ERP Testing Fundamentals

“What’s different about testing an ERP versus testing a bespoke application?”
“How would you approach test data for an ERP implementation?”

Oracle Fusion Cloud Testing

“How do you approach regression testing when Oracle does quarterly cloud updates?”
“What is FBDI and why does it matter to testers?”

Salesforce Testing

“How do you test a Salesforce Flow end-to-end?”
“What’s the difference between a profile and a permission set, and why do both matter for testing?”

Clinical Systems & Patient Safety

“How does testing a clinical system differ from testing ordinary business software?”
“A result has been filed against the wrong patient. How would you investigate and prevent it?”
“What is the National Health Index and why does it matter to a tester?”

EHR Integration Testing

“How would you test an eReferral integration from a GP to a hospital?”
“A GP referral was marked sent but the patient never got an appointment. How do you investigate?”
“What makes patient identity hard to get right across integrated systems?”

HL7 & FHIR Interoperability Testing

“How would you test an HL7 v2 lab-results integration between a lab and a GP system?”
“What is the difference between validating against the base standard and against a profile?”
“A numeric result came through wrong after a system upgrade. How would you approach it?”

Regulated & Medical-Device Software Testing

“How does testing regulated medical software differ from testing an ordinary app?”
“What is traceability and why does it matter here?”
“A team built a dose-calculation app and wants to adopt it in a hospital. What would you flag?”

PHI & Health-Data Privacy Testing

“How would you test access control on a clinical record system?”
“A patient asks who has viewed their record. How does that shape your testing?”
“How do you test that data is properly de-identified for research?”

Claims Processing Testing

“How would you test a claim settlement calculation?”
“A customer says they were paid less than they expected on a claim. What is your first hypothesis?”
“How do you think about testing fraud detection on claims?”

Policy Administration & Lifecycle Testing

“Walk me through how you would test a mid-term endorsement.”
“A customer says their cover was reduced but they never asked for it. What is your first hypothesis?”
“How would you test that impossible policy actions are actually impossible?”

Regulatory & Conduct Testing

“How do you test something as vague as ‘treat customers fairly’?”
“A customer complains that new buyers pay less than they do for the same cover. Is that a defect?”
“How do you keep conduct and prudential concerns straight, and where does ACC come in?”

Renewals, Endorsements & Financial Integrity Testing

“How would you test a pro-rata refund on a mid-term cancellation?”
“Reconciliation is off by a small amount that keeps growing. How do you investigate?”
“What is the riskiest renewal to test, and why?”

Underwriting & Rating-Engine Testing

“How would you test a rating engine?”
“The actuaries have loaded new rates. What is your test approach for the release?”
“A whole segment of policies turned out to be under-priced. How would you investigate?”

Flaky API Resilience Testing

“How would you test that our app handles a third-party API going down?”
“A dependency had a brief outage and we ended up with duplicate records and a flood of traffic. What went wrong?”
“What is the difference between graceful degradation and just catching the error?”

State & Caching Bugs

“A user reports a bug you cannot reproduce. How do you approach it?”
“We shipped a fix but some users still see the old behaviour. What is your hypothesis?”
“How would you test an app that keeps a user logged in across a long task?”

Throttling & Offline Testing

“How would you test a field app that has to work where there is no signal?”
“A user on rural broadband says their entries sometimes appear twice. What is your first hypothesis?”
“Why is testing the reconnect more important than testing offline mode?”

Health Information Security (HISF)

“A team wants to copy production patient data into a test environment to make testing realistic. How do you respond?”
“How would you verify that a clinical test dataset is properly de-identified?”
“What does the Health Information Privacy Code mean for how you test a health system?”

Privacy in Test Environments

“Your team refreshes the test environment from production every week so testing is realistic. What’s your concern?”
“Which NZISM controls would you actually verify for a test environment holding real personal data?”
“A real-data spreadsheet was emailed to a vendor from a test cycle. Is that a breach, and what do you do?”

Te Tiriti in Digital Testing

“How would you bring Te Tiriti o Waitangi into a test plan for a public-facing service?”
“What is Māori Data Sovereignty, and how does it change how you handle data in testing?”
“A service passed all its functional tests but a regulator is asking whether it’s fair to Māori. How do you answer?”

Advanced Playwright — Network Interception & Auth

Q1. How do you intercept and mock network requests in Playwright?
Q2. How do you handle authentication efficiently across a large Playwright suite?
Q3. What is the Playwright Trace Viewer and how do you use it to debug CI failures?

Playwright CI & Pipelines

Q1. How do you configure Playwright to run in GitHub Actions?
Q2. How do you handle flaky tests in a Playwright CI suite?
Q3. How do you shard a large Playwright suite to keep CI runtime under 5 minutes?

Component Testing with Playwright

Q1. What is Playwright component testing and how does it differ from E2E testing?
Q2. How do you mock dependencies in a Playwright component test?
Q3. When would you choose Playwright component testing over jsdom unit tests?

Playwright Fundamentals

Q1. What is Playwright and how does it differ from Selenium?
Q2. How does Playwright auto-waiting work, and when should you add explicit waits?
Q3. What is the Page Object Model and why is it used in Playwright suites?

Broken Auth & Access Control

“Explain IDOR to me and how you would test for it.”
“A feature is admin-only and the button only shows for admins. Is that secure?”
“What authentication weaknesses would you check on an NZ services portal?”

Injection Flaws

“How would you test a login form for SQL injection?”
“A developer says they fixed injection by escaping quotes. Are you satisfied?”
“Where besides the login would you look for injection in an NZ government services portal?”

Security Misconfiguration

“The code passed review and all tests are green. Why would you still test for security?”
“How would you test an API’s CORS configuration?”
“You find an API key hard-coded in the repo. What do you do?”

Risk-Based Prioritisation

“You have time to run about 60% of your test cases before a fixed go-live. How do you decide which 60%?”
“A change is small and isolated. The team says no regression is needed. Do you agree?”
“How do you defend a decision to cut testing scope if something later fails in production?”

Test Estimation Techniques

“A delivery manager asks you in a meeting how long testing will take. You haven’t seen the detail yet. What do you say?”
“Walk me through how you’d estimate test effort for a release on a system you’ve tested before.”
“The build is late, the go-live can’t move, and you’re told to make testing fit. How do you respond?”

Test Strategy & Planning

“What goes into a test plan, and how long should it be?”
“How do you write exit criteria that actually mean something?”
“It’s the go/no-go meeting and there’s one open High defect. What do you do?”

Capstone

Requirements & Clarifying Questions

“You’re handed a user story that’s already signed off. What do you do first?”
“Give me an example of an ambiguous requirement and the question you’d ask.”
“How do you make sure non-functional requirements aren’t forgotten?”

Test Design

“You can’t test every possible input. How do you decide what to test?”
“Walk me through designing tests for a field that accepts a fixed set of values.”
“What makes a test case good enough to hand to someone else?”

Execution & Evidence

“A developer says they can’t reproduce your bug. How do you respond?”
“What’s the difference between a failed test and a blocked test, and why does it matter?”
“How do you make your test results trustworthy to an auditor?”

Defect Reporting

“What makes a good defect report?”
“How do you decide the severity of a bug?”
“A developer pushes back on one of your bugs. How do you handle it?”

Regression Strategy

“You’ve got a fix going out tomorrow and no time to re-run everything. What do you test?”
“A change was made to one screen. Why might a completely different screen break?”
“How do you decide what’s safe to skip in regression?”

Release & Reporting

“The business wants to ship and you still have open defects. What do you do?”
“What goes in a test summary report for senior stakeholders?”
“Have you ever had to deliver bad news about a release? How did you handle it?”

Incident Review — Chaos Day

“Several things break in production at once. Walk me through how you’d approach it.”
“What is a blameless post-mortem and why does it matter?”
“A test passed but the feature was clearly broken in production. How does that happen?”