The IT Cheat Sheets Every Sysadmin Needs (PowerShell, Azure, Networking, Security)

Why cheat sheets still matter in 2026

AI can answer almost any technical question now. But interviews don't let you Google. Exams don't let you paste prompts. The terms you know fluently — without looking up — are the ones that come out naturally when a hiring manager asks "explain how RBAC works in Azure" or when the cert exam gives you a scenario question with 4 plausible-sounding answers.

Here's a preview of the most useful terms from four of our 16 cheat sheets.

PowerShell — 5 terms you need at interview level

• Pipeline: Passes output of one cmdlet as input to the next. Get-Process | Where-Object CPU -gt 50 | Sort-Object CPU -Descending. Essential for filtering and chaining operations without storing intermediate variables.
• Foreach-Object (%): Iterates through pipeline objects. Get-ADUser -Filter * | Foreach-Object { Set-ADUser $_ -Description "Migrated" }. Faster than foreach loop for pipeline data.
• Get-ADUser: Queries Active Directory users. Get-ADUser -Filter {Department -eq "Finance"} -Properties EmailAddress, Manager. Add -Properties * to return all attributes. Part of RSAT module.
• $Error[0]: Last error in the session. Check it immediately after a failed command to diagnose. Use -ErrorAction Stop on cmdlets to force errors into try/catch blocks.
• Connect-MgGraph: Connects to Microsoft Graph via PowerShell. Replace AzureAD and MSOnline modules (deprecated). Requires Microsoft.Graph module. Use -Scopes to specify permissions needed.

Azure Engineer — 5 terms at Intermediate level

• NSG (Network Security Group): Stateful firewall rules for Azure NICs and subnets. Rules have priority (lower = higher priority), source/destination IP/port, protocol, and action (Allow/Deny). Default rules allow VNet-to-VNet and block inbound internet. Applied at subnet level for broad rules, NIC level for VM-specific rules.
• VNet Peering: Direct network connectivity between VNets (same or different regions) without gateway. Traffic stays on Azure backbone — low latency. No transitive peering by default (VNet A peers with B, B peers with C — A cannot reach C without additional peering or NVA). Enable "Allow Gateway Transit" and "Use Remote Gateway" for hub-spoke topologies.
• RBAC (Role-Based Access Control): Assign roles to identities at different scopes (Management Group, Subscription, Resource Group, Resource). Built-in roles: Owner (full control including access management), Contributor (full control except access management), Reader (read-only). Custom roles: create with specific allowed/notAllowed actions. Assignment inheritance: child scopes inherit parent scope assignments.
• Azure Key Vault: Secure storage for secrets (passwords, connection strings), keys (HSM-backed), and certificates. Access via RBAC or vault access policies. Use Managed Identity to grant VMs/App Services access without storing credentials. Soft delete and purge protection prevent accidental or malicious deletion.
• Log Analytics Workspace: Central repository for logs from Azure resources, VMs (via agent), and Microsoft services. Query with KQL. Data retention: 30 days free, up to 730 days configurable. Connect to Microsoft Sentinel for SIEM. Multiple workspaces for data sovereignty; single workspace simplifies querying.

Network Engineer — 5 terms at Advanced level

• BGP (Border Gateway Protocol): The internet's routing protocol. Path-vector protocol using AS (Autonomous System) numbers. eBGP between different ASNs (internet routing), iBGP within the same ASN. Attributes: AS-PATH (loop prevention, shorter = preferred), LOCAL_PREF (iBGP, higher = preferred), MED (suggest preferred path to external neighbours). BGP doesn't care about link speed — manipulate attributes to influence routing.
• OSPF LSA Types: Type 1 (Router LSA — router's links), Type 2 (Network LSA — DR generates for broadcast segments), Type 3 (Summary LSA — ABR generates for inter-area routes), Type 4 (ASBR Summary — location of ASBR), Type 5 (External LSA — external routes redistributed into OSPF). Type 3 and 5 are filtered by stub area configuration.
• 802.1Q Trunk: VLAN tagging on inter-switch links. 4-byte tag inserted into frame header: TPID (0x8100), PCP (priority), DEI (drop eligible indicator), VID (12-bit VLAN ID, supports 4096 VLANs). Native VLAN frames are untagged on 802.1Q trunks — both sides must agree on native VLAN to prevent VLAN hopping attacks.
• HSRP/VRRP: First-hop redundancy protocols. Provide a virtual IP/MAC that end devices use as their default gateway. HSRP: Cisco proprietary, Active/Standby election, hello timer 3s, hold timer 10s. VRRP: open standard, Master/Backup, faster convergence (1s/3s default). Preempt: allows higher-priority router to take over when it comes back online.
• MPLS: Label switching for WAN connectivity. Provider inserts a label between Layer 2 and Layer 3 headers — packets are forwarded based on labels, not IP lookups. Faster than IP routing in hardware. Used by ISPs for managed WAN services and traffic engineering. Customer edge (CE) router peers with provider edge (PE) router. VRF (Virtual Routing and Forwarding) separates customer traffic on shared infrastructure.

Cybersecurity Analyst — 5 terms at Guru level

• MITRE ATT&CK — Lateral Movement: Techniques used to move through a network after initial access. Key techniques: Pass-the-Hash (use NTLM hash without cracking), Pass-the-Ticket (Kerberos ticket theft), Remote Services (RDP, SMB, WinRM), Lateral Tool Transfer (copy tools to new hosts). Detection: unusual authentication events, SMB traffic between workstations, WMI/PowerShell remoting from unexpected sources.
• SIEM Correlation Rules: Logic that aggregates multiple events into a single alert. Example: "5 failed logins from the same IP in 60 seconds followed by a successful login" = brute force succeeded. Key SIEM metrics: detection rate (alerts generated / threats present), false positive rate (false alerts / total alerts), mean time to detect (MTTD). Tune rules to reduce false positives without missing true positives.
• Threat Intelligence — IOC vs TTP: IOC (Indicator of Compromise): specific artefacts — IP address, domain, file hash, registry key. Short-lived (attackers change IPs/hashes easily). TTP (Tactic, Technique, Procedure): how the attacker operates. Harder to change — if you can detect the behaviour pattern, hash changes don't matter. Maturity path: start with IOC blocking, evolve to TTP detection for resilient defence.
• Zero Trust — Microsegmentation: Divide the network into small segments with access controls between each. Each workload (VM, container, application) has its own security policy. Even if an attacker breaches one segment, lateral movement is blocked. Implementation: host-based firewalls, NGFWs with app-ID, software-defined networking. Contrast with traditional flat networks where a breach in one subnet means access to all.
• Incident Response — Chain of Custody: Documentation trail proving digital evidence hasn't been tampered with. Required for legal proceedings. Steps: identify evidence, document collection (who, what, when, where), create forensic image (hash before and after), log every access to evidence. Break in chain of custody = evidence inadmissible in court. Use write-blockers when imaging storage devices.

The full sheets

Each cheat sheet on InterviUni has 200 terms across four levels (Beginner, Intermediate, Advanced, Guru). You can search by keyword and filter by level. The full library is here — individual sheets are $4.99, or $29.99 for all 16 with the complete pack.