CyberHire

Paper tigers: spotting the cyber candidate who can't do the job

The cyber industry is full of paper tigers - people who look great on a CV but have no idea what they are really doing. A practitioner's read on how to spot them.

The cyber security industry is full of paper tigers.

People jumping on the bandwagon because cyber is “cool” or because they have heard it pays well. Genuine interest stops at the salary line. They look excellent on paper. They have a stack of certifications. They give a competent interview. They get hired. They provide a bum on a seat and, temporarily, the illusion of security. And then a real incident lands and the illusion ends.

Every cyber hiring manager I have spoken to recognises this pattern. Few will say it out loud at a conference. This post says it.

What a paper tiger looks like

The defining trait is not lack of effort. Paper tigers usually work hard - at the wrong things. They have collected the credentials the industry rewards, in the order the industry rewards them, with the framing the industry rewards. The CV reads like a textbook progression toward a senior cyber role. CompTIA, then a cyber master’s, then the CCNA, then the CISSP, then a vendor-specific badge or two. Two or three previous roles at firms whose logos pattern-match to “competent cyber operator.” A LinkedIn profile written in the language hiring managers expect to see.

What is missing is the layer underneath. The paper tiger can recite that DNS resolution starts with a recursive query to a resolver. They cannot tell you what the most attacker-useful DNS log entries actually look like, or which fields you would pivot on to find a beacon. They have memorised the OSI model. They cannot read a packet capture and tell you what is happening on the wire.

The CCNA who cannot explain TCP versus UDP at the packet level. The CISSP who cannot triage a simple alert. These are not strawmen. I have interviewed them.

Why the industry produces them

The structural reason this keeps happening is that the cyber industry rewards credential collection more strongly than it rewards capability development, at every layer of the supply chain.

Universities optimise for credential-shaped outcomes because employers ask for credentials. Certification bodies expand their certification portfolios because the demand for certifications is high. Bootcamps promise a job after twelve weeks because employers tell them the certifications they teach to are what employers want to see. Recruiters filter by certification because hiring managers told them to. Hiring managers filter by certification because their HR partners told them they had to keep the funnel narrow somehow. HR keeps the filter strict because they are not technical enough to filter on capability and the credential is the only proxy they trust.

At every step, everyone in the supply chain is doing the rational thing for their own incentive. The collective output is a population of cyber-credentialed people that significantly overlaps the population of cyber-capable people - but is not the same population.

The DSIT 2025 numbers tell this story directly. The UK workforce gap has dropped from 14,100 in 2022 to 3,800 in 2025. Meanwhile 49% of UK businesses still report a basic technical cyber skills gap among their existing workforce, and 30% report an advanced skills gap. We are filling the seats. We are not getting the work done. We covered the wider data picture in “the cyber skills gap is a validation problem hiding in plain sight”.

How they pass interviews

Paper tigers are not stupid people. They are usually competent at the things they have been rewarded for, which means they are competent at credentials and at the patterned interview behaviour that goes with credentials. A standard cyber interview - thirty minutes of behavioural questions, fifteen minutes of “describe a time when,” and a few high-level technical prompts - is exactly the kind of conversation a paper tiger has rehearsed for.

Three patterns to watch for.

Patterned answers in the language of certifications. Ask how they would investigate a phishing alert and the answer comes back in the structure they were taught for the exam. Defence in depth, IOC enrichment, NIST IR phases, threat intel correlation. The vocabulary is fluent. The grounding is shallow. Push one level down and ask which fields in the email header they would actually examine, in what order, and the fluency falls away.

Confident generalities at the framework level. Strong candidates will answer at the system level (how the SIEM is configured, what the detection rule actually queries, how an attacker would evade the rule). Paper tigers stay at the framework level (the steps in the kill chain, the categories in MITRE ATT&CK). When you ask “and how would you actually do that,” the answer drifts back up to the framework.

Deflection to recent training. “I covered that in my SC-200 prep” is not an answer to “how does Kerberoasting work.” A strong candidate explains what is happening at the protocol level. A paper tiger names the certification they prepared for. The deflection is the tell.

These patterns will not catch everyone. Some paper tigers are skilled at hiding the gap, and some genuinely capable candidates are nervous and stumble through interviews. The interview alone is not enough. But these patterns are signals worth watching for in the interview, especially if the rest of the hiring process is built around credential signals.

How they get caught in hands-on assessments

This is where the story gets short, because hands-on assessments are not subtle.

Drop a paper tiger into a Linux box with a real authentication log file and ask them to find the attacker IP. The strong candidate scrolls through with less, spots the brute-force burst followed by a successful login, and starts asking the right pivot questions in the assessment notes. The paper tiger types the IP into VirusTotal, gets a “no malicious activity detected” verdict, and writes that there is nothing to investigate.
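What the strong candidate is doing with less, written down as a check over the log. This is an added example, not code from the CyberHire post or its assessments: the auth.log lines are constructed (documentation IP ranges, so nothing refers to a real host), and the failure threshold is an assumed tuning value. It flags every source IP that racked up a burst of failures and then had a login accepted, and records the pivot facts the assessment notes should ask about next: which accounts were tried, which one got in, and by what method.

```python
"""Find a brute-force burst followed by a successful login in sshd auth.log lines.

Added example, not from the CyberHire post. The log lines are constructed
(documentation IP ranges, so nothing refers to a real host) and the failure
threshold is an assumed tuning value.
"""
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log, already in time order.
SAMPLE_AUTH_LOG = """\
Mar  4 02:11:01 web01 sshd[4120]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  4 02:11:02 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.45 port 51023 ssh2
Mar  4 02:11:02 web01 sshd[4122]: Failed password for root from 203.0.113.45 port 51024 ssh2
Mar  4 02:11:03 web01 sshd[4123]: Failed password for deploy from 203.0.113.45 port 51025 ssh2
Mar  4 02:11:03 web01 sshd[4124]: Failed password for deploy from 203.0.113.45 port 51026 ssh2
Mar  4 02:11:04 web01 sshd[4125]: Accepted password for deploy from 203.0.113.45 port 51027 ssh2
Mar  4 02:15:40 web01 sshd[4130]: Failed password for alice from 198.51.100.7 port 40011 ssh2
Mar  4 02:15:48 web01 sshd[4131]: Accepted publickey for alice from 198.51.100.7 port 40012 ssh2
Mar  4 03:00:00 web01 sshd[4140]: Accepted publickey for bob from 198.51.100.9 port 40020 ssh2
"""

# One sshd outcome line: timestamp, host, pid, Accepted|Failed, auth method,
# optional "invalid user" marker, account, source IP, source port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_log(text):
    """Yield one dict per sshd login-outcome line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_brute_force_then_success(text, min_failures=3):
    """Return {ip: summary} for every source IP that accumulated at least
    min_failures failed logins and then had a login accepted.

    The summary records how many failures preceded the success, which
    accounts were tried (the spray pattern) and which account finally got in:
    the pivot questions for the next step of the investigation.
    """
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    hits = {}
    for ev in parse_auth_log(text):
        ip = ev["ip"]
        if ev["outcome"] == "Failed":
            failures[ip] += 1
            users_tried[ip].add(ev["user"])
        elif failures[ip] >= min_failures and ip not in hits:
            hits[ip] = {
                "failures_before_success": failures[ip],
                "users_tried": sorted(users_tried[ip]),
                "success_user": ev["user"],
                "success_method": ev["method"],
                "success_at": ev["ts"],
            }
    return hits


if __name__ == "__main__":
    for ip, summary in find_brute_force_then_success(SAMPLE_AUTH_LOG).items():
        print(ip, summary)
```

On the constructed sample this returns 203.0.113.45 only: five failures across admin, root and deploy, then a password login as deploy. alice's single typo before a key-based login stays below the threshold, which is the point of scoring on the sequence rather than on a reputation lookup of the address.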

Ask them to write a KQL query that finds Kerberoasting attempts in the last 24 hours. The strong candidate writes a query in their head before they touch the keyboard, knows event 4769 with weak encryption types is the signal, and explains the false positives the query will produce. The paper tiger searches “Kerberoasting KQL” in another tab, pastes the first hit, and cannot explain what it does.
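The logic that query has to encode, so the candidate can explain it rather than paste it. This is an added example, not code from the CyberHire post: it is written in Python over a constructed export of 4769 events rather than in KQL, using the field names the event itself carries (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status). The RC4 allow-list and the distinct-service threshold are assumed tuning values, and the exclusions are the false positives the strong candidate is expected to talk through: computer accounts, the krbtgt service, legitimately RC4-only legacy services, and requests that failed and never produced a ticket.

```python
"""Filter Kerberos TGS requests (Windows Security event 4769) for the
Kerberoasting signal: tickets requested with RC4 encryption (0x17) for user
service accounts, grouped by the account that asked for them.

Added example, not from the CyberHire post; this is the logic the KQL query
described there would encode, written in Python over a constructed event
export. The RC4 allow-list and the distinct-service threshold are assumed
tuning values.
"""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value written by 4769 for RC4-HMAC
# Assumed: service accounts whose SPNs still legitimately run on RC4, the
# classic false positive for this query. Populate from your own estate.
LEGACY_RC4_ALLOWLIST = {"svc_legacyapp"}

# Constructed 4769 events using the field names the event itself carries.
_FIELDS = ("TimeCreated", "TargetUserName", "ServiceName",
           "TicketEncryptionType", "IpAddress", "Status")
_ROWS = [
    ("2025-03-04T09:00:01", "jdoe@CORP.LOCAL", "svc_sql", "0x17", "::ffff:10.0.0.25", "0x0"),
    ("2025-03-04T09:00:01", "jdoe@CORP.LOCAL", "svc_web", "0x17", "::ffff:10.0.0.25", "0x0"),
    ("2025-03-04T09:00:02", "jdoe@CORP.LOCAL", "svc_backup", "0x17", "::ffff:10.0.0.25", "0x0"),
    ("2025-03-04T09:00:02", "jdoe@CORP.LOCAL", "svc_legacyapp", "0x17", "::ffff:10.0.0.25", "0x0"),
    ("2025-03-04T09:03:10", "WS01$@CORP.LOCAL", "FS01$", "0x12", "::ffff:10.0.0.31", "0x0"),
    ("2025-03-04T09:04:00", "alice@CORP.LOCAL", "krbtgt", "0x12", "::ffff:10.0.0.40", "0x0"),
    ("2025-03-04T09:05:30", "bob@CORP.LOCAL", "svc_sql", "0x12", "::ffff:10.0.0.52", "0x0"),
    ("2025-03-04T09:06:00", "bob@CORP.LOCAL", "svc_print", "0x17", "::ffff:10.0.0.52", "0x0"),
    ("2025-03-04T09:07:00", "carol@CORP.LOCAL", "svc_web", "0x17", "::ffff:10.0.0.60", "0xe"),
]
SAMPLE_4769_EVENTS = [dict(zip(_FIELDS, r)) for r in _ROWS]


def is_roast_candidate(ev):
    """True for a successful TGS request that asked for an RC4 ticket to a
    user-owned service account (the ticket an attacker would take offline)."""
    if ev["TicketEncryptionType"] != RC4_HMAC:
        return False            # AES tickets are not the Kerberoasting signal
    if ev["Status"] != "0x0":
        return False            # the request failed, so no ticket was issued
    svc = ev["ServiceName"]
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False            # computer accounts and the TGT service: noise
    if svc in LEGACY_RC4_ALLOWLIST:
        return False            # known legitimate RC4 consumer
    return True


def rc4_requests_by_account(events):
    """Group candidate requests by the requesting account, with the distinct
    SPNs asked for and the source addresses the requests came from."""
    groups = defaultdict(lambda: {"services": set(), "sources": set()})
    for ev in events:
        if is_roast_candidate(ev):
            g = groups[ev["TargetUserName"]]
            g["services"].add(ev["ServiceName"])
            g["sources"].add(ev["IpAddress"])
    return {u: {"services": sorted(g["services"]), "sources": sorted(g["sources"])}
            for u, g in groups.items()}


def kerberoast_alerts(events, min_distinct_services=2):
    """One account requesting RC4 tickets for several distinct SPNs in the
    window is the burst that separates roasting from a single legacy lookup."""
    return {u: g for u, g in rc4_requests_by_account(events).items()
            if len(g["services"]) >= min_distinct_services}


if __name__ == "__main__":
    for user, g in kerberoast_alerts(SAMPLE_4769_EVENTS).items():
        print(user, g)
```

On the constructed sample only jdoe is alerted on: three RC4 tickets for three different user service accounts from one host in two seconds. bob's single RC4 request for svc_print is kept in the grouped view but stays under the threshold, and carol's failed request and the allow-listed svc_legacyapp lookup are dropped before grouping, which is exactly the false-positive reasoning the assessment is asking the candidate to articulate.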

Hand them a packet capture and ask them what is happening. The strong candidate opens it in Wireshark, follows the TCP stream, and walks you through the traffic. The paper tiger opens it in Wireshark, scrolls through, says some of the protocols look unusual, and offers no actual investigation finding.

The reason hands-on assessments work where interviews do not is that hands-on assessments cannot be answered with the language of certifications. Either the candidate can perform the task or they cannot. The artefact does not lie.

What to do instead

If the structural problem is that the hiring funnel filters on credentials and the job needs capability, the structural fix is to move capability filtering to the front of the funnel, before credential filtering ever happens.

Practically that looks like four things.

One. Drop the certification gate at the CV-review stage. Use it as a tiebreaker, not a filter. The strong candidates without your preferred certification are exactly the people you want to find.

Two. Replace the first technical interview with a hands-on assessment in a real environment. Sixty minutes, real systems, real questions. Send it before any senior engineer time gets burnt.

Why before, not after? Because every hour your senior engineers spend on first-round technical interviews is an hour they did not spend on real work. If the assessment is at the front of the funnel, the senior engineers only ever interview people who have already proven they can do the job at the basic level.

Three. Score the assessment against a calibrated baseline, not against intuition. Same questions, same conditions, same scoring rubric across every candidate. Rank the cohort. The top of the rank goes to interview, the bottom gets a polite reject, the middle goes on a watchlist.

Four. Use the interview for confirmation, not discovery. By the time the candidate sits down for interview, you already know they can do the basics. The interview is for “walk me through what you did, why, and what you would do differently.” Ninety minutes, one round, decision conversation, offer.

This is not exotic. We covered the end-to-end version in “how to screen cybersecurity candidates without wasting 6 weeks” and the structural answer to the paper-tiger problem in “hands-on hiring: the alternative to trust-based cyber recruitment”.

Where to start

If you have an open cyber security role today, the smallest version of this you can implement before your next hire is:

  1. Pick one role you are hiring for.
  2. Pick three skills the role actually requires (not framework-level - actual hands-on tasks).
  3. Build or borrow a 60-minute assessment that asks the candidate to do those three things.
  4. Send it to every applicant who clears basic eligibility.
  5. Interview only the top of the assessment-ranked list.

You will know within two weeks whether the new filter changes the shape of who you are hiring. Most teams discover that several of the candidates they would previously have rejected on CV (no big employer logo, no flagship certification, career-changer profile) score in the top quartile on the assessment. Some of the candidates the old funnel was advancing to senior interview score in the bottom quartile and never come back.

That signal is the validation gap closing. It is also the moment most cyber hiring managers stop wanting to go back.

One honest sentence

The cyber industry has produced more paper tigers in the last decade than it has produced any other shape of cyber professional, because the supply chain rewards credential collection more strongly than it rewards capability. The hiring funnel can stop rewarding it any time you choose - by changing what your funnel asks the candidate to demonstrate.

If you agree, this is the tool we built.

Try CyberHire on your next cyber hire.

Calibrated assessments, real environments, ranked candidate evidence. 14 days free, invitation only.

Request your invitation code

See how it works