SoftwareTestPilot
30 Q&A · Real Scenarios · Mid → Senior

Scenario-Based Testing Interview Questions and Answers (1970)

30 real scenario-based testing questions QA and SDET candidates face at product companies — web/UI, API, data + security, automation + CI/CD, and stakeholder/release scenarios. Every answer uses the CIA framework: Clarify, Investigate, Act.

  • 8 min read
  • Difficulty: Medium → Hard
  • 2–10+ YOE
  • Updated July 1970
  • Avinash Kamble

1. Web & UI Scenarios

Medium Very Common 1 min read

Q1.A button works on Chrome but not on Safari. How do you debug?

Reproduce on the exact Safari version + macOS/iOS combo. Compare console errors (Safari's stricter CSP, missing polyfills, unsupported CSS). Inspect Network tab for blocked requests. Check user-agent-specific code paths. File a bug with browser matrix, screen recording, and the failing console line — assign severity based on Safari's traffic share for the product.

Easy Very Common 1 min read

Q2.The QA environment shows the old logo, prod shows the new one. Is this a bug?

Not necessarily. Verify (1) the deployed build number on QA vs prod, (2) the CDN cache TTL, (3) any feature flag. If QA is behind because the pipeline promoted prod first, log a process defect, not a product bug. Always compare build numbers before filing a UI regression.

Easy Very Common 1 min read

Q3.You find a UI defect but the sprint ends today. What do you do?

Assess severity + priority + reachability. If P1/P2 or affects paid users, escalate to PO for a same-day hotfix. If cosmetic and low-traffic, log with severity/priority and evidence, add to next sprint. Never silently sit on a defect because the sprint is closing — log it and let the PO decide.

Easy Very Common 1 min read

Q4.A dropdown loads 10,000 items and freezes the browser. How do you test and file this?

Reproduce with Chrome DevTools Performance panel — capture Long Tasks, layout thrashing, memory heap. File as performance defect (high severity, medium priority) with metrics: initial render time, TTI, memory used. Suggest fixes: virtualised list, server-side search, pagination. Add a regression test that fails if render > 500ms.

Easy Very Common 1 min read

Q5.The design in Figma doesn't match the implementation. Is this a bug?

Yes — file it as a UI/visual defect against the story's acceptance criteria. Attach side-by-side screenshots + pixel measurements. Severity depends on user impact (spacing off by 2px = low; wrong CTA colour on paid button = high). Confirm the Figma version matches the story before filing.

Easy Very Common 1 min read

Q6.A user reports the app is 'slow' but you cannot reproduce it. How do you proceed?

Ask for device, OS, browser, network, time-of-day, and a screen recording. Check backend logs / APM (Datadog, New Relic) for that user's session ID. Reproduce with throttled network + CPU in DevTools. Never close as 'not reproducible' before checking server-side traces.

Confidence check

If you can confidently answer the Web & UI Scenarios questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

2. API & Integration Scenarios

Easy Very Common 1 min read

Q7.An API returns 200 OK but the response body is empty. How do you handle it?

File a defect — a successful 2xx must carry the expected schema or explicitly return 204 No Content. Attach the request, response headers, and expected schema. Add a contract test asserting the response schema so regression catches this earlier.

Easy Very Common 1 min read

Q8.How do you test a payment API without a real card?

Use provider test cards (Stripe 4242 4242 4242 4242, Razorpay sandbox tokens), sandbox endpoints, and webhook simulators. Cover: valid card, decline, insufficient funds, 3-D Secure challenge, network timeout, idempotency-key replay, refund, partial refund. Never test with production credentials.

Easy Very Common 1 min read

Q9.A downstream service is down. How do you test your app's resilience?

Stub the downstream with WireMock / MSW / Playwright route interception. Simulate 5xx, timeouts, and slow responses. Assert your app shows a graceful error (not a blank screen), retries with backoff, and does not corrupt local state. Add a chaos test in staging that kills the dependency for 30s.

Medium Very Common 1 min read

Q10.You get a 401 intermittently. How do you debug?

Check token expiry, clock skew between client/server, and race conditions between token refresh and request send. Capture the failing request's Authorization header and the token's exp claim. Fix at the client (proactive refresh 60s before expiry) or server (bigger clock skew tolerance).

Medium Very Common 1 min read

Q11.How do you test rate-limiting on an API?

Send N+1 requests in a burst where N = the documented limit. Assert the (N+1)th returns 429 with a Retry-After header. Test window reset: wait the window, retry, assert 200. Test per-user vs per-IP limits separately.

Easy Common 1 min read

Q12.A webhook is called twice for the same event. Is this a bug?

No — webhooks must be treated as at-least-once. The bug is if the consumer processes it twice. Test idempotency: send the same webhook payload twice with the same event ID and assert the DB state changes only once. File a defect if you see duplicate rows or double charges.

Confidence check

If you can confidently answer the API & Integration Scenarios questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

3. Data, Security & Edge Cases

Easy Common 1 min read

Q13.A user deletes their account. What happens to their data?

Depends on the compliance profile. Verify: (1) GDPR/CCPA soft-delete + purge job runs on schedule, (2) PII removed but audit logs retained, (3) related rows (orders, comments) anonymised or cascaded correctly, (4) user cannot log in with old credentials, (5) email is released for re-registration only per policy.

Medium Common 1 min read

Q14.How do you test an application for SQL injection?

Send classic payloads (' OR 1=1--, '; DROP TABLE users;--) in every input, URL param, and JSON field. Verify DB error messages don't leak to the UI, parameterised queries are used (check code), and WAF/ORM filters. Automate with OWASP ZAP as part of the pipeline.

Easy Common 1 min read

Q15.The same user is logged in on 5 devices. Should tests fail?

Depends on the product policy. If concurrent sessions are allowed (Netflix-style), assert all 5 work. If limited to N, assert the (N+1)th kicks the oldest session and shows a clear message. Test session-hijack via stolen token and confirm the server invalidates on logout-everywhere.

Easy Common 1 min read

Q16.How do you handle test data for 1M+ row tables?

Never seed via UI. Use SQL scripts, DB snapshots, or a data-factory API to create representative fixtures. Cover: empty state, small (10s), medium (1K), large (100K), max (1M+). Reset via transaction rollback or a nightly restore — not manual cleanup.

Easy Common 1 min read

Q17.A calculation rounds ₹0.5 differently in two places. Is this a bug?

Yes — file as high-severity data-integrity defect. Attach both call sites' code paths. Root cause is usually mixed rounding modes (HALF_UP vs HALF_EVEN) or float vs decimal. Fix requires a single rounding policy library + regression tests with edge inputs (0.5, -0.5, 0.05, ₹0.005).

Easy Common 1 min read

Q18.An error message reveals a database column name. Should you file it?

Yes — it's an information-leak security defect (OWASP A05). Verify in dev + staging + prod. Assign high priority. Fix: generic 500 message to the user, full stack in server logs only. Add an automated test that scrapes error responses for column/table names.

Confidence check

If you can confidently answer the Data, Security & Edge Cases questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

4. Automation & CI/CD Scenarios

Easy Common 1 min read

Q19.A test passes locally but fails in CI. How do you approach it?

Reproduce inside the same Docker image CI uses. Compare env vars, browser version, screen resolution, timezone, and parallel-worker count. Capture Playwright trace or Selenium video from CI. Never mark 'flaky' before you've reproduced the failure at least once with evidence.

Medium Common 1 min read

Q20.Your suite takes 90 minutes. How do you cut it to 15?

(1) Parallelise across shards (Playwright --shard, TestNG parallel classes). (2) Move low-value UI tests down to API layer. (3) Cache dependencies + browser binaries. (4) Reset state via API/DB, not UI. (5) Quarantine chronically slow tests. Measure per-test wall time first — 20% of tests usually eat 80% of runtime.

Easy Common 1 min read

Q21.A test is flaky. Do you retry it, quarantine it, or fix it?

Diagnose first — never blanket-retry. If root cause is timing (fix with explicit wait), test data (isolate per-run), or order-dependence (add fixture), fix it. If root cause is unknown after 30 minutes, quarantine with an owner + due date, not indefinitely. Blanket retries hide real regressions.

Easy Common 1 min read

Q22.How do you test a feature flag rollout?

Test flag ON: full happy + edge path. Flag OFF: legacy behaviour intact. Flag mid-rollout: 50% of test users see new, 50% see old, no leak between them. Test flag flip: users mid-session don't crash. Automate with a config-override fixture that pins the flag per test.

Easy Occasional 1 min read

Q23.Your CI is green but prod is on fire. How can that be?

Coverage gap. Common causes: test data doesn't match prod scale, environment-only feature flags off in CI, external dependency stubbed in CI but real in prod, flaky test silently ignored, or CI tests one region but bug is region-specific. Do a post-mortem, add the missing test, and audit the CI matrix.

Easy Occasional 1 min read

Q24.You need to run tests on 100 device combinations. How?

Use a cloud device farm (BrowserStack, Sauce Labs, LambdaTest) with parallel sessions. Build a device matrix by traffic share, not exhaustively. Run smoke on all 100, full regression on top-20 by traffic. Nightly full-matrix, PR-time smoke-only, to balance cost and feedback speed.

Confidence check

If you can confidently answer the Automation & CI/CD Scenarios questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

5. Process, Stakeholder & Release

Easy Occasional 1 min read

Q25.The PO asks you to skip regression to hit a deadline. What do you say?

Never a flat no. Quantify the risk: 'skipping regression on module X exposes flows A, B, C — historical defect rate 12%'. Offer a middle path — targeted regression on changed modules + P0 flows in 90 minutes vs full 4-hour suite. Let the PO make the call with data.

Easy Occasional 1 min read

Q26.A developer merges without your sign-off. How do you handle it?

Escalate privately first — most merges without sign-off are process ignorance, not malice. Reiterate the DoD in the next standup. Add a branch-protection rule requiring a QA approval on the target repo. Track 'merged-without-QA' as a team-health metric, not to blame individuals.

Easy Occasional 1 min read

Q27.Two P1 defects are open on release day. Do you ship?

Not your call alone — ship decisions belong to the PO/release manager. Your job: present the two defects with severity, priority, reachability, workaround, and blast-radius. Recommend hotfix, rollback, or ship-with-known-issue. Whatever the call, log it in the release notes.

Easy Occasional 1 min read

Q28.You disagree with a senior tester on a testing strategy. What do you do?

Ask for their reasoning first — often experience surfaces a constraint you missed. If you still disagree, propose a spike: run both approaches on a small feature, compare defect find-rate, runtime, and cost. Let data pick the winner, not seniority.

Easy Occasional 1 min read

Q29.A production defect from your module reaches a customer. How do you respond?

Own it — don't hide behind 'devs missed it'. Post-mortem: root cause (missing test, environment gap, unclear requirement), what test would have caught it, add it to the suite, share learning with the team. No blame; systemic fix. Track escape rate over time to show improvement.

Easy Occasional 1 min read

Q30.You're asked to test something with zero documentation. How do you start?

Reverse-engineer: (1) talk to the developer for 15 mins, (2) explore the UI + API traffic to build a mental model, (3) list assumptions and share back for confirmation, (4) write a lightweight charter (feature, risks, coverage), (5) run exploratory sessions, log findings and questions as you go. Refuse to 'test blind' without a shared charter.

Confidence check

If you can confidently answer the Process, Stakeholder & Release questions above, you're well prepared for this section of your interview. Move on, or rehearse the trickier ones aloud with our AI mock interviewer.

Quick revision

  1. Q1: A button works on Chrome but not on Safari. How do you debug — Reproduce on the exact Safari version + macOS/iOS combo.
  2. Q2: The QA environment shows the old logo, prod shows the new one. Is this a bug — Not necessarily.
  3. Q3: You find a UI defect but the sprint ends today. What do you do — Assess severity + priority + reachability.
  4. Q4: A dropdown loads 10,000 items and freezes the browser. How do you test and file this — Reproduce with Chrome DevTools Performance panel — capture Long Tasks, layout thrashing, memory heap.
  5. Q5: The design in Figma doesn't match the implementation. Is this a bug — Yes — file it as a UI/visual defect against the story's acceptance criteria.

Frequently asked questions

Scenario-based questions describe a real situation — a failing build, a flaky test, a stakeholder request — and ask how you'd investigate, decide, and act. They test judgment, not memorised definitions. Product companies and senior QA rounds lean heavily on them.

Use CIA: Clarify (ask 2–3 crisp clarifying questions), Investigate (list the signals you'd gather — logs, envs, repro steps, metrics), Act (propose a decision with tradeoffs). Never jump straight to 'I'd retry the test'.

Different, not harder. Technical questions have one right answer; scenario questions test how you narrow ambiguity, communicate tradeoffs, and pick a decision under time pressure — exactly what senior QA does every day.

SDET, Senior QA, QA Lead, and Test Architect rounds — especially at product companies (Google, Amazon, Microsoft, Atlassian) and mid-stage startups. Service companies ask fewer scenarios and more definitions.

Rehearse 8–10 real bugs, 3 flaky-test war stories, 3 release-window tradeoffs, and 2 stakeholder-conflict cases from your own work. Practise aloud with an AI mock interviewer for pacing.

STAR (Situation, Task, Action, Result) works for behavioural stories about your past. For hypothetical 'how would you handle X' questions, use CIA (Clarify, Investigate, Act) — it maps closer to how interviewers grade judgment.

Was this article helpful?

Cluster · QA Career

More from QA Interview Questions

Behavioral, framework, coding — full interview prep.

Pillar guide · 10 articles
More in this cluster
From the QA Career pillar

Key takeaways

  • Master the fundamentals before tackling advanced Scenario-Based QA scenarios.
  • Always explain trade-offs — interviewers reward judgement, not memorisation.
  • Use real project examples; generic answers blend in.
  • Practice answers out loud — written prep doesn't transfer to live rounds.
  • Revise the 30-second cheat sheet the night before your interview.
  • Keep one strong scenario story ready for every section above.

These Questions Are Just the Start

Get 1000+ more with detailed model answers in our QA Interview Preparation Kit. Covers manual testing, automation, API, SQL, Selenium, Playwright, and framework concepts — everything asked in real QA interviews.

Get Interview Kit — ₹1,045

Scenario-Based QA jobs hiring now

Live, indexable Scenario-Based QA openings — updated daily in Jobs Radar.

Browse all QA jobs on Jobs Radar

Loading current openings…

Home