Project Take-Homes: Time-Capped Builds That Resist Cheating
A pragmatic playbook for CISOs, GCs, and audit teams who need coding assessments that are hard to fake, respectful of candidate time, and defensible when challenged.
A take-home only helps if you can prove who did the work, under what constraints, and how you decided.Back to all posts
When a take-home becomes a security incident
A take-home is not just a hiring artifact. For a CISO or GC, it is part of your control narrative: you used reasonable measures to confirm the person who interviewed is the person you hired, and that the demonstrated skills were authentic. If your take-home can be outsourced in an hour, you have funnel leakage in the form of false positives. If your take-home takes a weekend, you create reputational drag and increase dispute risk. The goal is not perfect fraud prevention. The goal is a defensible, repeatable process with step-ups when signals do not reconcile.
Build a 60-120 minute project-based take-home with a hard time cap.
Collect integrity signals without punishing legitimate candidates.
Escalate suspicious cases with Risk-Tiered Verification and documented review outcomes.
What auditors and Legal will ask you to prove
In a dispute or breach review, you will get questions like: What was the candidate asked to do, how did you score it, and how did you ensure the work was theirs. "We had a take-home" is not an answer. You need an Evidence Pack: instructions, outputs, timestamps, identity status, reviewer notes, and disposition reason. Approved stat context: Checkr reports that 31% of hiring managers say they have interviewed a candidate who later turned out to be using a false identity (manager survey, 2025). Directionally, this implies identity mismatch is common enough to warrant explicit controls before skills evaluation. It does not prove prevalence in your industry or that take-homes are the primary vector, but it supports treating identity as a first-class risk signal.
Security risk: privileged access granted to the wrong person.
Legal risk: inconsistent process and weak documentation in an employment dispute.
Reputational risk: candidate backlash if the assessment is perceived as unpaid labor or surveillance.
Design principles for time-capped, hard-to-fake projects
A project-based take-home should be small, realistic, and instrumented.
Make it a "bounded incident" not a greenfield build. Example: "You are on call. A payments webhook is failing intermittently. Add observability and fix idempotency." That is Day 1 work with natural constraints.
Provide a starter repo with failing tests and a narrow target. This forces interaction with your scaffold and reduces copy-paste from public repos.
Require a short design note: tradeoffs, what you did not do, and what you would do with more time. Cheaters struggle to explain constraints coherently.
Make the evaluation rubric explicit: correctness, reasoning, and maintainability. Avoid surprise criteria.
Allow open-book resources but ban delegated work. This is how you separate resourcefulness from proxying.
Set a hard cap (recommended: 90 minutes) and state it plainly in the instructions.
Ask candidates to submit at the time cap even if incomplete, and score partial credit.
Include an attestation checkbox: "I completed this myself within the cap using permitted resources."
Step-by-step implementation you can operationalize
Pick a scenario that matches the role and access level. For high-privilege roles, bias toward tasks that reveal secure coding habits without being security trivia.
Build a template repo. Include: a README with rules, a minimal service skeleton, a single failing integration test, and a "time cap submission" script.
Define integrity signals you will collect. Keep them proportional: timestamps, commit graph, environment fingerprint, similarity score, and identity verification status.
Define step-ups using Risk-Tiered Verification. Example: low risk proceeds; medium risk triggers a short live walkthrough; high risk triggers re-verification before any offer.
Create a reviewer rubric and a review queue. Reviewers only open manual investigations when the system flags discrepancies.
Produce an Evidence Pack automatically and attach it to the ATS candidate record. Include disposition reason codes that are consistent and auditable.
Calibrate quarterly. Track false positives (legit candidates flagged) vs false negatives (post-hire performance mismatch) and adjust thresholds.
Automate: identity verification status, similarity detection, time-window checks, and Evidence Pack generation.
Manual review: only the flagged queue and the final hiring decision.
Escalation: Security and GC approve policy changes and exception handling.
Offer two time windows (weekday and weekend) with the same cap.
Provide accessibility accommodations and allow the candidate to request a different language within the supported set.
Give a transparent appeal path if a submission is flagged, including a live walkthrough option.
A policy artifact you can hand to audit
This is a sample policy configuration for time-capped take-homes with Risk-Tiered Verification, step-ups, and Evidence Pack requirements. Adapt thresholds to your org and role sensitivity. Illustrative values are not performance claims.
Store in your hiring controls repo and version changes.
Require Security and GC approval for threshold changes.
Map outcomes to ATS disposition reason codes.
Anti-patterns that make fraud worse
- Weekend-sized take-homes that force candidates to outsource or drop out, increasing funnel leakage and resentment. - Zero-tolerance auto-rejects on weak signals (for example, a single similarity flag) that inflate false positives and create audit disputes. - Unlogged reviewer decisions in Slack or email, which destroys chain-of-custody and makes consistent enforcement impossible.
Where IntegrityLens fits
Fraud detection and AI screening interviews available 24/7 for early signal without scheduling drag
Coding assessments across 40+ programming languages with integrity instrumentation
Evidence Packs attached to the candidate record for audit-ready chain-of-custody
Security baseline: 256-bit AES encryption, SOC 2 Type II audited infrastructure on Google Cloud, ISO 27001-certified infrastructure, GDPR/CCPA-ready controls
Sources
- Checkr, Hiring Hoax (Manager Survey, 2025): https://checkr.com/resources/articles/hiring-hoax-manager-survey-2025
Key takeaways
- Use a time cap with a scoped deliverable that mirrors Day 1 work, not trivia.
- Design for integrity signals: provenance, constraints, and lightweight attestation, not gotchas.
- Tie signals to a Risk-Tiered Verification policy with step-ups, not zero-tolerance auto-rejects.
- Generate an Evidence Pack that a GC and auditor can understand without engineering translation.
- Keep candidate experience intact: clear rules, accessibility, and a bounded time box.
Operator intent: keep take-homes small and comparable, collect proportional integrity signals, and route ambiguous cases into step-ups instead of silent rejections.
Values below are illustrative thresholds, not performance claims.
version: 1
policyName: time-capped-project-takehome
scope:
roles:
- backend-engineer
- fullstack-engineer
timeCapMinutes: 90
allowedResources:
- "Documentation and official language references"
- "Search engines"
- "AI assistants for explanation only (no copy-paste code)"
prohibited:
- "Delegating work to another person"
- "Submitting previously completed solutions"
- "Using private paid code-writing services"
submissionRequirements:
artifacts:
- type: git-repo
required: true
- type: design-note
required: true
maxWords: 300
prompts:
- "What did you change and why?"
- "What did you not do due to the time cap?"
- "If you had 1 more hour, what is next?"
- type: walkthrough
requiredWhen:
any:
- signal: riskTier
in: ["medium", "high"]
options:
- "5 minute recorded screen walkthrough"
- "10 minute live walkthrough"
integritySignals:
collect:
- name: identityVerificationStatus
source: integritylens.verify
values: ["passed", "failed", "not-run"]
- name: timeWindow
source: integritylens.assess
checks:
- "submission_timestamp_within_assigned_window"
- name: commitProvenance
source: integritylens.assess
checks:
- "commits_present"
- "commit_times_reasonable_for_window"
- name: similarityScore
source: integritylens.fraud
method: "code-similarity"
threshold:
illustrativeFlagAt: 0.85
- name: environmentFingerprintConsistency
source: integritylens.fraud
checks:
- "device_and_network_consistent_with_verified_candidate"
routing:
riskTiering:
low:
when:
all:
- identityVerificationStatus: "passed"
- similarityScore: "below-flag"
action:
- "standard-review"
medium:
when:
any:
- identityVerificationStatus: "not-run"
- similarityScore: "flagged"
- environmentFingerprintConsistency: "inconclusive"
action:
- "require-walkthrough"
- "manual-integrity-review-queue"
high:
when:
any:
- identityVerificationStatus: "failed"
- environmentFingerprintConsistency: "mismatch"
action:
- "block-offer-until-step-up"
- "step-up-verification"
reviewControls:
evidencePack:
include:
- "assignment_instructions"
- "time_window"
- "repo_hash_and_timestamps"
- "design_note"
- "similarity_report_summary"
- "identity_verification_event_ids"
- "reviewer_rubric_scores"
- "final_disposition_reason_code"
retention:
maxDays: 180
biometrics: "zero-retention"
access:
roleBased:
- role: "recruiting-ops"
permissions: ["read", "write-disposition"]
- role: "hiring-manager"
permissions: ["read", "score"]
- role: "security"
permissions: ["read", "investigate"]
- role: "legal"
permissions: ["read"]
appeals:
candidateAppealPath:
enabled: true
resolutionOptions:
- "live-walkthrough"
- "alternative-assessment"
slaBusinessDays: 5
webhooks:
idempotentWebhooks:
enabled: true
events:
- "assessment.submitted"
- "verify.completed"
- "fraud.signal.created"Outcome proof: What changes
Before
Take-homes varied by team, ran long, and produced inconsistent documentation. Flags were handled ad hoc in chat, creating audit gaps and candidate disputes.
After
Standardized 90-minute project take-home templates with explicit rules, Risk-Tiered Verification step-ups, and automatic Evidence Packs attached to the ATS record.
Implementation checklist
- Define a single Day 1 scenario and a success rubric that fits 90 minutes of work.
- Ship a repo template that includes a task board and explicit time cap attestation.
- Require a short design note plus 5-minute walkthrough video or live review slot.
- Instrument integrity signals: commit timing, environment fingerprint, plagiarism similarity, and identity verification status.
- Map signals to actions: pass, manual review, step-up verification, or re-assessment.
- Store outputs in an Evidence Pack with retention and access controls.
Questions we hear from teams
- Does a time cap make the assessment less predictive?
- Not if the task mirrors Day 1 work and your rubric scores reasoning and tradeoffs. The cap forces prioritization, which is often more predictive than completing a large build.
- How do we allow AI tools without inviting cheating?
- State what is allowed (explanations, syntax reminders) and what is not (pasting generated solutions). Then validate with a walkthrough for flagged cases, focusing on the candidate's reasoning and changes made.
- What do we do when similarity flags are high but the candidate seems legitimate?
- Treat similarity as a signal, not a verdict. Route to a medium-risk workflow: require a short walkthrough and ask targeted questions about design decisions and debugging steps, then document the outcome in the Evidence Pack.
- How do we keep Legal comfortable with integrity checks?
- Use notice and consent, collect only what you need, apply retention limits, and keep decisioning explainable. Step-ups and appeals reduce the risk of wrongful rejection claims.
Ready to secure your hiring pipeline?
Let IntegrityLens help you verify identity, stop proxy interviews, and standardize screening from first touch to final offer.
Watch IntegrityLens in action
See how IntegrityLens verifies identity, detects proxy interviewing, and standardizes screening with AI interviews and coding assessments.
