Every few weeks someone forwards us a "remote exam security checklist." They are almost always written by a company that sells three of the items on the list. So the list is shaped less by what defeats cheating and more by what happens to be in the catalogue.
Here is the version we would hand a colleague who actually runs a high-stakes programme — no products to push, just the order we would tackle it in.
Start by writing down what you are defending
You cannot secure "the exam." You can secure a specific outcome against a specific adversary. A professional certification that gates a salary band attracts organised, funded cheating. A weekly formative quiz does not. If you treat both the same, you will overspend on one and leave the other wide open.
Write one sentence: who benefits from a fraudulent pass, and how much is it worth to them? That number sets your whole budget. If a pass is worth a year's salary to the candidate, assume someone will pay a few hundred dollars for help — and design accordingly.
The controls that earn their keep
In our experience, the spending that actually moves the needle is unglamorous:
- Own the capture layer. Most proctoring watches a screen-share feed produced by the same interfaces that modern cheating tools are built to evade. If your capture happens downstream of where the cheating hides, you are reviewing an edited recording. This is the whole reason we built OroLink, and it is the single highest-leverage decision on the list. We unpack the mechanism in "why remote proctoring is blind".
- Question banks large enough to make sharing useless. If the same 40 questions circulate for a year, no amount of monitoring helps. Rotation beats surveillance.
- Post-hoc analytics. Patterns across sessions — timing, answer clustering, shared mistakes — catch organised fraud that no live proctor can see in the moment. We wrote about this in "the fingerprint that exam fraud leaves behind".
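To make the "shared mistakes" signal from the last item concrete, here is an added example (not OroLink's code or anything from the original post): it scores every pair of candidates by how many identical wrong answers they share, weighting each match by how rare that wrong option is in the rest of the cohort. The answer key, responses, function names and thresholds are all constructed for illustration.

```python
import math
from collections import Counter
from itertools import combinations

OPTIONS = "ABCD"
KEY = "ABCDABCDAB"                      # constructed answer key, 10 items
RESPONSES = {                           # constructed candidate responses
    "c01": "ABCDABCDAB", "c02": "ABCDABCAAB", "c03": "ABDDACCDAB",
    "c04": "CBCDDBCDCA", "c05": "CBCDDBCDCB", "c06": "ABCBABCDAB",
}

def option_rates(responses, key, exclude):
    """Per item, the smoothed share of the rest of the cohort choosing each option."""
    others = [r for cid, r in responses.items() if cid not in exclude]
    total = len(others) + len(OPTIONS)  # add-one smoothing avoids log(0)
    rates = []
    for i in range(len(key)):
        counts = Counter(r[i] for r in others)
        rates.append({o: (counts[o] + 1) / total for o in OPTIONS})
    return rates

def pair_surprise(a, b, responses, key):
    """Return (identical wrong answers, their total surprisal in bits)."""
    rates = option_rates(responses, key, exclude={a, b})
    shared, bits = 0, 0.0
    for i, correct in enumerate(key):
        x, y = responses[a][i], responses[b][i]
        if x == y and x != correct:
            shared += 1
            bits -= math.log2(rates[i][x])  # rare shared mistakes weigh more
    return shared, bits

def flag_pairs(responses, key, min_shared=3, min_bits=6.0):
    """Pairs worth a human review; thresholds are assumed and need calibrating."""
    flagged = []
    for a, b in combinations(sorted(responses), 2):
        shared, bits = pair_surprise(a, b, responses, key)
        if shared >= min_shared and bits >= min_bits:
            flagged.append((a, b, shared, round(bits, 2)))
    return sorted(flagged, key=lambda f: -f[3])

if __name__ == "__main__":
    for a, b, shared, bits in flag_pairs(RESPONSES, KEY):
        print(f"{a} / {b}: {shared} identical wrong answers, {bits} bits")
```

A pair that shares a popular distractor scores low, while a pair that shares several mistakes nobody else made scores high; the output is a lead for review, and the per-item matches it records are the kind of evidence an appeal can examine.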
The theatre worth skipping
Some controls feel rigorous and accomplish little. Room scans that ask a candidate to wave a webcam around for ten seconds reassure administrators and inconvenience honest test-takers, while a determined cheat simply hides the second device behind the camera. Aggressive eye-tracking flags anxious people far more often than it flags cheating, and every false accusation costs you credibility that you cannot easily rebuild.
A control that punishes honest candidates and misses prepared ones is worse than no control. It just moves the cost onto the wrong people.
Be ruthless here. If a measure cannot survive the question "what does a motivated cheat do to get around this in thirty seconds?", it is theatre.
Plan for the appeal, not just the exam
The moment that decides whether your programme is trusted is not the exam — it is the dispute three weeks later. When you flag a candidate, can you show, calmly and on the record, exactly what you observed? Auditable evidence beats a confident algorithm every time. Privacy law expects this too: the UK regulator's guidance on automated decisions and personal data is a good baseline even outside the UK.
Decide your evidence standard before launch, not during your first contested result. And make identity its own deliberate step rather than an afterthought — we argue for the privacy-respecting version in "identity verification without the surveillance".
Key takeaways
- Define the adversary and the value of a fraudulent pass first; that sets the budget.
- Spend on owning the capture layer, large rotating question banks, and cross-session analytics.
- Cut controls that inconvenience honest candidates while a prepared cheat walks past them.
- Design your evidence and appeal process before launch, not after the first dispute.
If you are scoping a programme and want a second opinion on where the real gaps are, that is exactly the kind of thing our team likes to talk through.