SecPrep

Tell me about a time you disagreed with a dev team about the risk of a finding.

Show that you lead with evidence and empathy, not authority. Good structure: restate their constraints, present the concrete attack scenario and business impact, agree on a risk rating using a shared framework (e.g. CVSS + business context), and propose options with trade-offs (fix now / compensating control / accept with owner sign-off). The goal is the right risk decision, not 'winning'.
