CyberHire

How to screen cybersecurity candidates without wasting 6 weeks

A modern cyber screening process gets you from CV stack to defensible shortlist in days, not weeks. Here is how the steps that waste time get cut.

We used to spend six weeks screening one SOC analyst hire. Now it takes days.

The six weeks were not because the work was hard. They were because the process was full of manual triage, low-signal interviews, and a calibration step that was really just “the senior engineer reads the CV again, slower.” The candidate experience was poor, the cost was high, and the final hire was usually decided on a vibes-check anyway.

This post is the process that replaces it.

The short version

A modern cyber security screening process should look like this. An inbound funnel that is gated by an automated, hands-on, role-calibrated assessment. A one-page evidence pack per shortlisted candidate. One structured technical interview against the evidence. One decision conversation. Total elapsed time from application to offer, somewhere between three and ten working days depending on candidate availability.

If your current process takes six weeks, the bottleneck is almost never the candidates. It is the screening steps that produce no usable signal.

Why six weeks happens

Three structural reasons, in roughly the order they show up in a typical pipeline.

Manual CV triage. A senior engineer or hiring manager reads 80, 200, sometimes 500 applications. The signal is bad - certifications, employer logos, year counts - and the time cost is enormous. By week two everyone is exhausted and unconscious bias has crept in. The DCMS Cyber Skills 2024 report puts the average time to fill a UK cyber role at 84 days, the longest of any tech discipline. CV triage is where most of those days go.

Low-signal first interview. Once the senior engineer’s CV pile is down to ten, those ten get a 45-minute screening call. The call is supposed to test technical ability. In practice it tests confidence and storytelling. Strong candidates with mediocre presentation skills get filtered out, weaker candidates with good patter make it through. Another week burnt, signal still ambiguous.

Take-home of unknown duration. Send a take-home assessment, hope it gets returned in three to seven days. Score it manually. Try to compare it against the take-homes from the other candidates, half of whom did it on a different week and may or may not have used an LLM. This is the step that single-handedly wastes the most time and produces the most noise.

Add up those three steps and the six weeks is not surprising. It is structurally encoded into the process.

What replaces them

The principle is simple. Move the calibrated, hands-on assessment to the front of the funnel. Use the result of the assessment as the primary screening signal. Use interviews to confirm and contextualise, not to discover.

That changes the order of operations to:

  1. Application comes in.
  2. Calibrated, hands-on, role-mapped assessment goes out the same day.
  3. Candidate completes the assessment in their own time, with integrity controls applied.
  4. The platform returns a ranked, scored, evidence-backed result.
  5. Hiring manager reviews the top of the ranked list - usually five to ten candidates - and reads the evidence pack.
  6. One structured technical interview per shortlisted candidate, against the evidence.
  7. Offer.

Total elapsed time, when the candidates are responsive, is days. When the candidates are slow it is weeks, but those are calendar weeks of the candidate’s life, not your senior engineer’s time.

Step one: gate the funnel with a calibrated assessment

The single highest-leverage change you can make is to move the technical assessment from the middle of the process to the front of it.

That means every applicant who passes a basic eligibility check (right to work, salary range, role-fit at the most superficial level) gets the assessment. Not a phone screen, not a recruiter chat, not a personality questionnaire. The hands-on, role-calibrated test. Same test for every candidate, same conditions, same scoring.

This sounds aggressive on the candidate-experience side. It is the opposite. Strong candidates love being able to show their skill in 60 minutes instead of suffering through three weeks of recruiter screens and second-round chats. The candidates who push back on a hands-on assessment are usually the ones who would not have passed it.

Calibration is the part that matters. A generic “cyber awareness” multiple-choice test is not calibrated. A pasted-together set of questions from an old training platform is not calibrated. A real assessment is one where the questions, scenarios and difficulty are mapped to the actual day-to-day of the role. SOC analysts get a triage scenario with real logs. Pentesters get a vulnerable web app and a target. Cloud security engineers get a misconfigured AWS account.

If you cannot author a calibrated assessment in-house, do not stitch one together from rooms or training platforms. A platform built for hiring will produce a calibrated assessment from a job spec in minutes.

Step two: anti-cheat that reflects 2026

This is the step everyone gets wrong. Anti-cheat is not a 2018 problem any more.

In 2018 you needed a webcam and a tab-switch tracker. In 2026 you need to detect LLM use, second-screen tracking, paste-from-another-tab patterns, browser fingerprint shifts, and behavioural drift across the assessment. You also need to do it in a way that is UK GDPR-aligned and that the candidate has consented to in plain language, not buried in a 40-page T&C.

The reason this matters: ISACA’s 2024 State of Cybersecurity report found that 57% of certified cyber professionals lack the practical experience to back the certification. If your assessment is a multiple-choice quiz on Wikipedia-grade content, the LLM-using candidate beats your honest senior every time. The signal is inverted.

Tier the integrity controls by role. A junior IT analyst role might run on a Standard tier. A senior penetration tester or principal SOC role might run on a Proctor tier. Same platform, same content engine, different threat model.

Step three: rank, do not grade

Once the assessments come back, do not do a binary “pass or fail” review. Rank them.

A ranked list of 80 candidates against a calibrated assessment is the highest-signal artefact a cyber hiring manager can have. It removes the noise of “did the recruiter like them,” “did the certs look impressive,” “did they describe themselves well.” The top of the list goes to interview. The middle of the list goes on a watchlist for the next role. The bottom of the list gets a polite rejection with the offer to retake in six months.

The shortlist size is up to you, but for a single role hiring against 80 candidates, five to ten is usually right. Fewer than that and you are over-fitting to platform noise. More than that and you are reintroducing the manual triage step you just deleted.

Step four: one structured technical interview, against the evidence

A senior engineer or hiring manager runs one interview per shortlisted candidate. Sixty to ninety minutes. The interviewer arrives with the candidate’s full assessment evidence: the questions, the answers, the scenarios, the integrity signals, the time-to-completion data.

The interview is not for discovery. It is for confirmation.

  • “I see you wrote this Sigma rule. Walk me through why you chose those fields and not the others.”
  • “Your KQL query found the persistence mechanism in three minutes. Talk me through how you would tune it for production.”
  • “You scored bottom quartile on the pivoting scenario. What would you do differently if you ran it again?”

This is the kind of conversation that gets you confident about a hire in ninety minutes. Not three rounds.

Step five: decide

One conversation between the hiring manager, the team lead, and ideally one senior peer. Twenty minutes. Write the decision down with the reasoning.

If it is a no, the candidate gets a polite rejection with the offer to retake in six months and the watchlist invitation.

If it is a yes, the offer goes out the same day.

What this saves

Two things.

The obvious one is calendar time. Six weeks becomes one. An open SOC seat closes six weeks earlier. Six weeks fewer of the skills gap that the IBM Cost of a Data Breach 2024 report prices at six figures a year, with an extra $1.76M added to breach cost when the breach traces back to a skill gap.

The less obvious one is senior engineer time. The old process burns 20 to 40 hours of senior engineer effort per hire on triage, calls and take-home review. The new process burns one interview per shortlisted candidate, plus 30 minutes of evidence-pack review. For a five-shortlist hire, that is something like 8 hours total, not 40.

A 30% saving on bad-hire risk - the figure the US Department of Labor uses for the cost of a bad hire as a percentage of first-year salary - sits behind that, because the screening signal is now evidence-backed instead of vibes-driven.

The one step everyone gets wrong

If I had to pick the single step most teams get wrong, it is the order. They put the hands-on assessment at the end, after the recruiter screen, after the technical phone interview, after the panel. By then they have already invested 10 to 20 hours of internal time per candidate, the unconscious commitment is high, and a poor assessment result gets explained away (“the senior engineer really liked them in the interview”).

The hands-on assessment goes first. Before the calls, before the panel, before any senior engineer time gets burnt. That is the change that turns six weeks into days, and that is the change that lets the evidence drive the decision instead of the other way round.

What to do tomorrow

A two-step audit on your existing process.

One. Time the steps. Open the last cyber hire your team made. Write down how long each step actually took, not the SLA. The bottleneck will be obvious within five minutes.

Two. Look at the technical signal you actually collected. If the only artefact you have on the eventual hire is “the senior engineer felt good about the interview,” that is the gap.

Closing the gap is not a 12-month transformation. It is a process change you can run on the next requisition that opens.

For a wider read, the seven cyber security skills assessment platforms post covers what the actual tools at each step look like. The CyberHire vs HackerRank post is the version of this argument applied to one of the more common procurement defaults.

One honest sentence

If your screening process has more steps than your candidate’s actual job has, the steps are the problem.
