The strongest hiring signal in the agent era is not the quality of a candidate's submission. It is the gap between that quality and the candidate's ability to explain it. A polished repo whose author cannot defend its decisions is the central red flag of AI-assisted hiring, and hunr's reasoning defense exists to measure exactly that gap.
The take-home is open: use any agent, any tool, any workflow, exactly like real work. The defense is unaided: just the candidate and questions about the code they submitted. Everything interesting lives in the distance between those two performances.
Why is the gap the signal?
Because it is the one measurement that AI assistance cannot inflate — assistance can only widen it.
The research anchor we built on comes from education, where this experiment has effectively already run at scale: comparing AI-permitted homework against proctored exams showed roughly a 30-point gap, with an effect size of Cohen's d = 1.52. That is an enormous effect. Students whose assisted work looked excellent scored dramatically lower when the assistance was removed — when they hadn't internalized the work. The ones who had understood it all along showed little gap at all.
That maps directly onto hiring. An engineer who used an agent heavily but stayed in charge — reviewed the changes, made the judgment calls, understood the trade-offs — shows a small gap. Their defense sounds like their diff. An engineer who prompted their way to a submission they never really engaged with shows a large one. The artifact says senior; the defense says stranger.
Notice what this stance does not require: knowing whether AI was used. We never ask, and we don't care. Heavy agent use with full understanding is a perfectly good way to work. The gap catches the only thing that matters — shipping work you don't own.
How are the questions grounded?
A generic question bank would be dead on arrival — question banks leak, and agents answer generic questions brilliantly. So the defense asks nothing generic. Every question is generated per-candidate from three sources:
Their actual repo. Questions reference the specific files, functions, and design choices in the submission. "You put validation in the controller layer here — walk me through that choice." A question like that has no canonical answer to look up, because it is about a decision only this candidate made.
The challenge spec. Each hunr challenge is designed to force particular design decisions, and the defense probes the competencies the challenge was built to measure — so the questions land on the decisions that matter for the role, not trivia.
The embedded implicit requirement. Every challenge hides at least one requirement a competent engineer infers but the brief never states. The defense checks whether the candidate actually noticed: "What happens if the same request arrives twice?" If the idempotency handling in their repo was an agent's silent guess, this is where it surfaces.
Because the questions reference specifics that exist only in this one submission, they cannot be pre-answered, pre-scripted, or batch-prompted in advance.
What kinds of questions get asked?
The defense draws from a taxonomy, each type probing something different:
- Rationale — "Why this data structure, this pattern, here?" Probes design ownership.
- Trade-off — "What did you give up by choosing X? When would Y be better?" Probes judgment.
- Failure-mode — "What breaks if the input grows 100×? If this dependency goes down? If two requests race?" Probes robustness thinking.
- Trace — "Walk through what happens when this specific input hits your function." Probes actual comprehension of the code as written.
- Edge/implicit — "You handle case A — what about case B?" Probes the embedded requirement.
- Localization — "Where would you change X, and why there?" Probes whether they know their own codebase.
- Novel extension — "Suppose we now need Z. How would you approach it?" Probes transfer: reasoning that goes beyond anything memorizable.
The session itself is short and dense: two parts (defend your own submission, then reason through a novel related scenario), roughly 8–12 minutes, 4–6 questions. Answers are time-boxed and short, graded on substance rather than prose.
Can't you just ask an AI during the defense?
You can try, and the mechanics are designed to make it a losing trade.
One question per turn, revealed sequentially. A tight per-question timer, sized for someone who knows their own code and punishing for someone round-tripping to an external agent. And the questioning is adaptive: the next question depends on the previous answer, drilling into weak or evasive responses and moving on from strong ones. There is no script to obtain in advance, because the script does not exist until the conversation happens.
There is also a tell that is hard to fake away: explanation-vs-code mismatch. When a candidate's account of their own code contradicts what the code actually does, that is one of the strongest indicators of unowned work — interviewing companies like Karat report it as a top AI tell. We flag those mismatches explicitly.
Doesn't this just become surveillance?
No, and this is a line we drew deliberately. There is light proctoring — tab-focus loss, paste events, answer latency — but these signals are secondary tells only. They never auto-fail anyone and never feed a score. At most they route a session to the human-audit queue or trigger one extra adaptive drill-down question. The moment behavioral signals start deciding outcomes, you are back in the detection arms race, with all of its false-positive injustice. The artifact-vs-defense gap remains the real signal, not surveillance.
How is the defense scored?
Each generated question ships with its own expected-answer rubric, derived from the key decisions in the reference solution plus the candidate's actual code. Question-specific rubrics are what make automated grading trustworthy here: they agree with human graders at roughly 0.91 Pearson correlation, where generic rubrics manage only about 0.3. With standard bias controls layered on (reasoning before scoring, position-swapping, cross-model panels, anchor exemplars), comparable AI-graded oral assessments reach reliability of α 0.83–0.95 — and around 3% of sessions, plus anything borderline or mismatch-flagged, go to human audit.
Then comes the part that makes the gap bite. The defense does not add to the score; it multiplies it. The defense produces an ownership factor between 0 and 1 that scales the entire code-derived score, with a hard floor below which the candidate fails regardless of how good the artifact is. A beautiful submission with a hollow defense drops sharply, exactly as it should. Understanding is not a bonus dimension. It is the credibility of every other number in the report.
All of this is what "understanding-verified" concretely means. hunr is the agent-allowed, understanding-verified technical hiring platform: candidates ship real code against role-specific challenges using any AI agent they like, and hunr then verifies they understood what they shipped. The verification is not a detector or a proctor. It is a short, sharp conversation about the candidate's own code — and the gap it reveals, or doesn't, is the most honest signal left in technical hiring.