Candidate screening in Defence Tech: Where security ends and paranoia begins
How a defence tech founder’s approach to security vetting evolves as the company grows — and when that evolution takes a wrong turn

Professional skills alone are not enough to land a job in defence tech. Candidates must also convince employers that they do not pose a security risk. As a result, hiring processes in the sector involve far more rigorous background checks than in most other industries. Yet founders and hiring managers sometimes take those checks much further than they should.
In the second article of the Arming with Talents series on recruitment in defence tech, Anna Korol, founder and CEO of CORE Team, explains:
- the four stages of how founders’ attitudes towards security vetting evolve;
- the two pitfalls that can undermine a company at every stage of that journey;
- the three levels of candidate screening;
- the four areas every effective security vetting process should cover.
Whether defence tech companies need security vetting is no longer up for debate. The more difficult question is this: what does the right vetting process look like for your company, at its current stage of growth?
In a company’s first year, the answer is often simple: “He’s a great engineer. We know him personally.” By year five, it becomes: “Put him through a polygraph and a psychological assessment.”
Everything in between is the story of a founder gradually learning what security really means—and the cost of learning those lessons.
How founders’ thinking matures alongside the company
CORE Team’s experience working with defence tech companies reveals a clear pattern. Founders typically go through four stages in how they approach security vetting, with each stage corresponding to a particular phase of company growth. Problems arise when the business has already moved on, but the founder’s mindset has not.
Stage 1. Up to 10 people. Everyone knows everyone personally. The team shares group chats, weekends and a common history. Security is barely on the radar, and that’s perfectly natural. Trust is the primary vetting mechanism because there are few access privileges, limited sensitive information, and most of the risk is concentrated around the founder.
The problem is not the stage itself. The problem is when the founder continues to operate with this mindset long after the company has outgrown it.
Stage 2. Up to 30 people. This is when the company makes its first hires beyond the founder’s personal network. The CTO brings in someone they know, a team lead recruits through a recommendation, or a promising candidate applies from outside.
This is often when founders experience their first uncomfortable realisation: “I know nothing about this person except their CV and two interviews.”
Security becomes part of the conversation, but there is still no structured process. Background checks are carried out on an ad hoc basis: calling mutual contacts, browsing social media, or, quite often, not checking at all.
Stage 3. Between 30 and 100 people. This is where the company’s first systematic security requirements usually emerge. Someone leaves the business and takes information they were never meant to have. Or a new partner asks for security assurances the company has never been required to provide before.
Security moves onto the C-suite agenda.
The most common mistake at this stage is treating vetting as a one-off HR procedure rather than part of a broader security framework. New hires are screened, while no one asks what about the people who are already inside the company.
Stage 4. More than 100 people. Access rights are segmented. Roles are clearly differentiated. Security incidents are recorded and monitored.
At this stage, either a proper security system is already in place, or the company has a problem—it simply hasn’t discovered it yet.
Without a structured approach, businesses either slow recruitment to a crawl through excessive screening or expose themselves to risks that grow alongside the organisation. More often than not, they end up with both.
The pattern is straightforward: a founder’s security mindset usually matures about half a stage behind the company itself. The founder’s task is to close that gap before it turns into a vulnerability.
Two extremes that grow alongside your business
At every stage of growth, companies risk drifting towards one of two equally damaging extremes.
The first is complacency. This is typical of early-stage companies and teams with a purely civilian background.
“He’s a brilliant engineer—why would we need to check him?”
“We’re not big enough to screen everyone.”
“We’re a startup. We have bigger priorities.”
Security vetting feels optional—right up until the first incident reveals its true value.
The second extreme is paranoia—specifically, overinterpreting candidates’ answers. This is a more recent and arguably more dangerous phenomenon, particularly among companies that have already experienced a security incident or have developed a strong security culture without balancing it with sound hiring practices.
During interviews, candidates stop being people and become suspects.
“He paused before answering. He must be hiding something.”
“She didn’t maintain eye contact. That’s suspicious.”
“His answers were too polished. He obviously prepared them. What exactly is he trying to conceal?”
It may look like diligence, but in reality, it poisons the hiring process. These filters rarely weed out hostile actors. Instead, they eliminate perfectly qualified professionals who are simply nervous during an interview.
Between these two extremes lies professional security vetting—not as a compromise or a middle ground, but as an entirely different framework: structured, methodical and proportionate to the level of access and responsibility the role entails.
What are we actually assessing?
Candidate screening in defence tech operates on three distinct levels.
Verifying the facts
Does the story in the CV match reality?
Education. Previous employers. Roles. Projects.
Without establishing these basics, everything else becomes meaningless.

Understanding motivation
- Why does this person want to work in defence tech?
- Why this company—if we are able to disclose its identity?
- Why now?
- What does this job represent to them beyond a salary?
How genuine, well-considered and resilient is that motivation? Will it withstand the realities of working in defence tech—an industry defined by uncertainty, pressure and responsibility?
Assessing vulnerabilities
Here, vulnerability is not a verdict or a reason to reject a candidate. It is simply a map of potential risks.
What factors could make this person susceptible to external pressure? Who could exploit those vulnerabilities? How resilient are they to such influence?
The point is not whether you trust someone.
The point is whether you have a complete picture.
Trust cannot be measured. Understanding a person can.
The four conversations we have with every candidate
Тhose three levels define the philosophy behind security vetting. In practice, they translate into four distinct areas of questioning that we cover with every candidate. Each serves a different purpose and requires a different level of scrutiny.
Security and external influence
This is the most sensitive part of the process—and the one founders from civilian industries are most likely to overlook or treat as a formality.
We ask straightforward questions about the candidate’s connections and geographical ties over recent years.
- Have you travelled to Crimea since 2014?
- Have you visited Russia or Belarus? If so, when and for what purpose?
- Do you hold citizenship, a passport or a residence permit issued by Russia or Belarus?
- Do you have immediate family members living in Russia or employed by Russian state institutions? Are you in regular contact with them?
- Do you have any financial or legal obligations connected to people living in temporarily occupied territories?
These questions only sound harsh until you realise they are not designed to disqualify candidates.
They are designed to build a map of potential vulnerabilities.
Confidentiality and experience working in secure environments
- Has the candidate previously worked with confidential information, such as customer data, internal processes or sensitive contacts?
- Have they gone through security vetting before?
- Have they had any professional interaction with intelligence or security services?
None of these answers indicate whether someone has a “good” or “bad” background.
They simply show how familiar the candidate is with the rules of the industry they are about to enter.

Integrity and accountability
- How did the candidate handle budgets, procurement or access to sensitive resources in previous roles?
- How did they ensure transparency? Were formal controls in place, or did everything rely on trust alone?
- Have they encountered situations where internal rules were violated? If so, how did they respond?
This section often reveals more than any other. It shows not how people talk about integrity in theory, but how they behave when it matters most.
Personal habits and lifestyle
This includes harmful habits, the use of prohibited substances, gambling, or any other behavioural patterns that could create financial dependence or make someone vulnerable to external pressure.
This is the area that tends to make founders with a traditional civilian hiring mindset the most uncomfortable. But failing to ask these questions in defence tech means ignoring one of the most common channels through which individuals can be pressured or compromised.
The logic behind these four areas is relatively simple and transparent. Yet the way founders interpret the answers to the very first set of questions often reveals another type of risk—one that has far less to do with the company’s stage of growth than with the founder’s own mindset.
The civilian mindset’s blind spot
This is a risk that can exist at any stage of a company’s growth—provided the founder never takes a step back to recognise it.
Here’s a typical scenario. The hiring team is discussing a final candidate for the role of CTO. The technical assessment was excellent. The interviews went well.
Then one detail emerges: the candidate’s mother remained in Mariupol because she was unable to leave in 2022. The company’s security adviser says the issue deserves careful discussion.
The founder, coming from a civilian tech background, reacts with genuine surprise:
“So what? He’s not in Mariupol himself. What’s the problem?”
This isn’t a hypothetical conversation. It’s a scene we encounter regularly in companies that have grown out of civilian industries.
Here’s why. Hostile intelligence services rarely recruit “your people.” They exploit your people’s vulnerabilities.
A close family member living in temporarily occupied territory is not evidence that a candidate is disloyal. It is a potential channel of pressure that exists regardless of the candidate’s own intentions.
That pressure can take many forms: blackmail, coercion, manipulation or intimidation. The greater a person’s access to sensitive information, the more valuable that channel becomes.
That does not mean the candidate should automatically be rejected. That would simply create another blind spot—the mirror image of the first. Saying “Any connection to occupied territories? Thank you, goodbye.” would effectively shut the door on millions of Ukrainians who are paying the price of this war through circumstances entirely beyond their control.
A professional assessment looks very different. We do not eliminate candidates because of potential vulnerabilities—we seek to understand them. We ask direct questions. We discuss sensitive issues openly. We assess whether the level of access the role requires is proportionate to the level of risk. And we identify measures that can reduce that risk where necessary.
Very often, candidates themselves initiate these conversations.
And then we put ourselves to the test
Everything described above provides the framework within which the practical tools of security vetting operate: OSINT investigations, reference checks, polygraph examinations and psychological assessments.
Each of these is a discipline in its own right. Most founders recognise their names. Few have ever seen how they actually work—particularly when used together as part of a single assessment.
To complement the theory with practice, the next instalment of the Arming with Talents series will feature a first-hand account from Defender Media’s Editor-in-Chief, who volunteered to undergo CORE Team’s full security screening process.
- Polygraph.
- Psychological assessment.
- OSINT.
- Reference checks.
All four methods, documented as a real-world case study, together with the results and an explanation of how to interpret them correctly.
We believe in a simple principle:
We don’t write about processes we haven’t gone through ourselves.
Until then, keep two blind spots in mind. The first allows risks to enter your organisation unchecked. The second turns suspicion into an obstacle to hiring.
Between them lies neither compromise nor a “middle ground”, but a professional security system—one that matures alongside your company.

Anna Korol
CEO & Founder of CORE Team