Hands-on hiring: the alternative to trust-based cyber recruitment
Every other technical discipline tests skills before hiring. Cyber security is the last holdout. Hands-on hiring is the case for cyber catching up - and where to start.
Cyber security is the last technical discipline that does not test skills before hiring.
Software engineering solved this years ago. Nobody hires a senior developer without a coding assessment. HackerRank, Codility, LeetCode and CodeSignal built a multi-billion dollar industry around the simple principle that a candidate should write the kind of code the job requires before you offer them the job. Engineering teams do not consider this experimental. They consider it the bare minimum.
Cloud, DevOps, data engineering, networking, database administration - every adjacent technical discipline has moved towards hands-on assessment as standard practice. Several certification bodies have added performance-based lab components to some of their exams because multiple-choice questions alone turned out to be a weak predictor of on-the-job performance. Audition the work, not the credential.
Cyber security has not caught up. The cyber hiring funnel still runs on CVs, certifications, structured interviews and gut feel. The candidate is trusted to be capable based on what they say about themselves and what their certificates say about them. They never have to demonstrate the work before they are hired into a role where the work matters.
This post is the case for hands-on hiring - the term for bringing the already-proven engineering-screening playbook to cyber security.
The short version
Hands-on hiring is the practice of testing candidates on real, role-relevant tasks in realistic environments before you make hiring decisions. Candidates demonstrate they can do the job by actually doing the job, on representative work, under representative conditions. The hiring manager sees evidence, not claims.
This is not a new idea. It is the standard hiring practice in every other technical discipline. Cyber security is unusual in not having adopted it - and the cost of being unusual is now visible in the data. 49% of UK businesses report a basic cyber security skills gap. 30% report an advanced gap. 28% of cyber security businesses report skills gaps in their own staff. The seats are filled. The work is not getting done.
The shift cyber security needs to make is the same shift software engineering made between 2010 and 2018. Move the practical assessment to the front of the funnel. Stop relying on credential filters. Build calibrated, hands-on, role-mapped tests. Send them before the senior engineer time gets burnt. Hire on what the candidate did, not on what their CV claims.
How every other technical discipline already hires
Take a quick walk through the adjacent disciplines.
Software engineering moved to hands-on coding assessment more than a decade ago. The dominant platforms (HackerRank, Codility, LeetCode, CodeSignal, CoderPad) have between them run many millions of candidate assessments. The pattern is now so embedded that a software hiring funnel without a coding assessment looks immediately suspect to senior engineers. The practice is undisputed. The platforms have collectively raised hundreds of millions in venture capital. The industry consensus is settled.
Cloud and infrastructure certifications - the hands-on lab exams Red Hat and Cisco have run for years, and the performance-based lab sections AWS and Microsoft have both experimented with in some of their role-based exams - exist because multiple-choice-only exams are a poor proxy for what a candidate can actually do in the platform being certified. Lab formats cost far more to build and run than question banks, and the bodies that adopted them did so anyway.
Data and analytics - SQL screens, Python live-coding, real dataset exploration tasks. Specialised platforms (StrataScratch, DataLemur, Coderbyte’s data tracks) emerged in the last five years to formalise what data teams were already doing informally.
DevOps and SRE - Terraform challenges, Kubernetes troubleshooting tasks, real incident scenarios with real systems. The high-end SRE interview at Google, Meta or Netflix already involves hands-on system-design and debugging work. The model has filtered down through the industry.
Adjacent non-software fields - even fields where the parallel feels less obvious have already settled the question. Music conservatory auditions test the playing. Pilot training tests pilots in flight simulators long before they touch a real aircraft. Surgical residencies have hands-on practical examinations. Restaurant kitchens run trail shifts before hiring chefs. The principle that you test for the work before you trust someone to do the work is so universal across high-stakes professions that it does not need defending in any of them.
Cyber security is the holdout. The discipline whose entire job is defending the most critical systems an organisation runs is the only technical discipline that still hires its practitioners on the strength of paper claims and conversation.
What cyber security still does - trust-based hiring
The cyber hiring funnel that most teams currently run looks roughly like this:
- Job posting - lists required certifications, years of experience, vendor-specific badges. Filter is credential-shaped.
- CV review - human or HR-system filter, typically against the same credentials. Candidates without the listed certifications are filtered out before any human conversation. Candidates with them advance regardless of capability.
- Recruiter screen - a 20-30 minute call confirming interest, salary expectations, notice period. Not technical.
- HR interview - 45 minutes of behavioural questions. “Tell me about a time you handled a difficult stakeholder.” Tests communication and interview poise, not cyber security capability.
- Hiring-manager interview - 60 minutes, mostly conversational, sometimes with a few “describe how you would investigate this scenario” prompts. Tests articulate description of cyber work, not the work itself.
- Senior-engineer or panel interview - more technical conversation, occasionally a whiteboard scenario. Closer to actual capability evaluation, but still verbal and theoretical rather than hands-on.
- Offer.
At no point in this funnel does the candidate touch the kind of system, log, query, or scenario the job will require them to handle from week one. The hiring decision is made on what they say they can do, what their CV claims they have done, and what their certifications imply they have learned. Trust-based hiring.
This works in industries where credentials reliably predict capability. It does not work in cyber security in 2026. The DSIT 2025 numbers, the ISACA 57% finding on certified-but-uncalibrated practitioners, the $4.88M average breach cost in the IBM Cost of a Data Breach 2024 report (with $1.76M more at organisations reporting a severe security-skills shortage) - the data is consistent. Trust-based hiring in cyber security has stopped predicting the job. We covered the wider picture in the cyber skills gap is a validation problem hiding in plain sight.
Why we still default to it
Three reasons cyber hiring defaults to trust-based, despite the data.
The credential layer is culturally embedded. Cyber security carries more certification bodies and credential frameworks than any adjacent technical discipline. ISC2, ISACA, OffSec (formerly Offensive Security), SANS GIAC, CompTIA, EC-Council, vendor-specific badges from Cisco, Microsoft, AWS, Splunk, CrowdStrike. Each one represents a real ecosystem of training and a community of practitioners. Saying credentials are weakening predictors of capability does not mean those bodies are useless - many of them produce real value at the training stage. It means the ratio of credential to capability has shifted, and hiring funnels need to update for that.
The technical infrastructure for hands-on cyber assessment took longer to build. A coding assessment platform was relatively easy to build by 2010. A cyber assessment platform that provisions a real Linux box per candidate, hosts a live SIEM with realistic logs, simulates Active Directory attack chains, and runs in an integrity-aware browser environment is a much harder engineering problem. The platforms that solve it cleanly are recent. The category did not exist as a self-serve product five years ago.
Existing assessment vendors were not cyber-shaped. When cyber teams looked at the engineering-screening platforms, the cyber category was a thin afterthought. Generic coding assessments were not the answer to “can this person triage a real alert.” So cyber teams concluded, reasonably, that the platforms did not exist, and reverted to credential-based hiring as the only operational option. That conclusion was right at the time. It is no longer right.
All three of those barriers are now lower than they have ever been. The credential layer is being undermined by the data we keep collecting on certified-but-uncalibrated candidates. The technical infrastructure for cyber-specific hands-on assessment is mature. Cyber-specific assessment platforms now exist as self-serve products. The reasons for trust-based hiring’s persistence are fading.
Hands-on hiring, defined
Hands-on hiring is the practice of putting candidates in front of the actual work the role requires, in realistic environments, before any hiring decision is made.
Three components define it:
- Real tasks, not abstractions. The candidate reads a real authentication log, writes a real KQL query, examines a real packet capture, triages a real alert. Not multiple-choice questions about logs, queries, captures or alerts. The actual artefact, in the actual tool.
- Realistic environment, not a toy. The candidate works in a real Linux box, a real SIEM interface, a real browser-based assessment surface - isolated from production, but with the real tools and the real workflow. Not a contrived simulator that abstracts the workflow away. If the job is “use Splunk,” the assessment uses Splunk.
- Calibrated scoring across candidates. Same task, same environment, same scoring rubric, applied consistently across the cohort. The output is comparable - candidate A scored 82% and candidate B scored 64% on the same evaluation, and you can see exactly what differentiated them.
The output of hands-on hiring is a ranked, scored, evidence-backed list of candidates that lets the hiring manager interview the people who have already demonstrated the basics. Senior engineer time is not spent on first-round technical screening - it is spent confirming and contextualising what the assessment has already shown.
This is the same shape software engineering hiring has had since 2015. Coding assessment first, technical interview second, decision conversation third. The shape works in software engineering and it works in cyber security for exactly the same reason: it filters on the work, not on the proxies for the work.
What hands-on hiring looks like for a SOC analyst hire
The worked example. You are hiring one mid-level SOC analyst. Eighty applicants have come in.
Step 1 - Calibrated assessment goes out the same day. Every applicant who clears basic eligibility (right to work, salary range, basic role-fit) receives the same hands-on assessment. The assessment includes:
- A real Windows event log (40-100 events) with a buried indicator of compromise. The candidate is asked to identify what is unusual, what they would investigate, and what conclusion they would reach.
- A simple KQL query task against a sample Sentinel dataset. Find an attack pattern, write the query, explain the false positives.
- A short triage scenario. Given an alert and the supporting telemetry, draft a triage note that a tier-3 lead could action.
- A pivoting question. Given one indicator (an IP, a hash, a username), what would they check next, in what order, and why?
The assessment runs for 60 minutes in an isolated environment under your chosen integrity tier (LLM-use detection, paste detection, second-screen telemetry, optional webcam proctoring with explicit candidate consent). Treat those integrity signals as evidence for the interviewer to probe in Step 3, not as automatic rejections: a paste event is a flag, not a verdict. Submission is automatic. Scoring is calibrated against the same rubric for every candidate.
Step 2 - Ranked dashboard. Twenty-four hours after the deadline, you have eighty scored, ranked, evidence-attached candidate reports. The top of the list is your shortlist - five to ten candidates whose work you can read directly. The middle goes on a watchlist for the next hire. The bottom gets a polite reject with the option to retake in six months.
Step 3 - One structured technical interview. Sixty minutes per shortlisted candidate. The interviewer arrives with the candidate’s full assessment work in hand. The conversation is not for discovery - it is for confirmation. I see you wrote this KQL query. Walk me through why you chose those fields and not the others. You scored bottom quartile on the pivoting scenario - what would you do differently? Real examples from real work the candidate has already done.
Step 4 - Decision. One twenty-minute conversation between hiring manager, team lead and a senior peer. Offer goes out the same day.
Total elapsed time: a week, sometimes less. Senior engineer time spent: one interview per shortlisted candidate. Volume of senior engineer time freed up: roughly thirty hours compared to the trust-based equivalent of running first-round technical interviews on twenty candidates.
This is the same end-to-end process software engineering hiring has been running for a decade. The only difference is that the assessment content is cyber-shaped instead of code-shaped. We covered the wider end-to-end version in how to screen cybersecurity candidates without wasting 6 weeks.
Why now
The reasons hands-on hiring is becoming standard in cyber security in 2026 specifically:
AI broke the interview. Candidates with ChatGPT in another tab can answer any conversational technical interview question with confident competence. The interview as a capability filter has lost calibration the same way the certification has. Hands-on assessment with integrity controls, followed by an interview that walks the candidate through their own submission, is the signal that degrades least.
The cost of bad cyber hires is now visible. IBM Cost of a Data Breach 2024 puts the average breach at $4.88M, with $1.76M more at organisations reporting a severe security-skills shortage. Boards have started asking whether their security team was hired on credentials or on capability. Compliance frameworks - ISO 27001 (clause 7.2 requires retained evidence of competence), SOC 2, NIS2, DORA - increasingly expect documented evidence that security personnel are competent.
The data is undeniable. DSIT 2025, ISACA 2024, the cumulative pattern across vendor reports - the gap between cyber-credentialed people and cyber-capable people is now measured, public and growing. Defending a hiring funnel that runs purely on credentials is harder than it has ever been.
The category-defining tools now exist. Five years ago, building a hands-on cyber hiring assessment was a custom project per company. Now there are platforms designed end-to-end for it. We covered the wider category in the seven best cyber security skills assessment platforms.
Not new - just catching up
The framing the cyber security industry needs to internalise is that hands-on hiring is not an experiment. It is the standard hiring practice in every adjacent technical discipline, with a decade of evidence behind it.
Software engineering teams who adopted coding assessments in 2012 did not regret it. Cloud platform teams who built hands-on certification components did not regret it. Data engineering teams who run live SQL screens do not regret them. The pattern is consistent: once a technical discipline moves to hands-on assessment, it does not move back.
Cyber security teams who adopt hands-on hiring in 2026 are not pioneering anything. They are catching up. The risk is not in adopting it too early. The risk is in being the team still running CV-and-interview hiring funnels in 2028 while everyone they compete with for talent has moved to evidence-based screening.
Where to start
Three changes you can make on your next hire.
One. Build or borrow a calibrated 60-minute hands-on assessment for the role you are next hiring for. If you have an internal team, you can probably author one in a day. If you need a platform that handles the assessment authoring, integrity controls and ranked-dashboard output, CyberHire was built for exactly this use case.
Two. Move the assessment to the front of the funnel. Send it to every applicant who clears basic eligibility. Use the assessment results to decide who advances to interview, not the CV.
Three. Score every candidate against the same rubric. Build the comparison data. Within three hires you will have a calibrated baseline that lets you defend hiring decisions to the board, the regulator, or anyone else who asks.
The mechanics are simple. The cultural shift is the harder part. Trust-based hiring is the default because it has been the default for a long time, not because it works better. Once you run one hire end-to-end through hands-on assessment and see the difference in candidate quality, the cultural shift takes care of itself.
One honest sentence
Every other technical discipline tests for the work before they hire someone to do the work. Cyber security has not yet, and the data is starting to bite. Hands-on hiring is the term for cyber security catching up - not for cyber security trying something new.
If you agree, this is the tool we built.
Try CyberHire on your next cyber hire.
Calibrated assessments, real environments, ranked candidate evidence. 14 days free, invitation only.