Marty’s Anti-Cheat Monitor helps ensure fair, secure testing by detecting irregularities in candidate behavior during assessments. This article explains what signals are collected, how they are presented, and how the overall risk level is calculated.
Cheating Protection Measures in Marty
Copy/Paste Protection
Candidates cannot copy or paste question text from the assessment. This reduces the risk of searching for answers online.
However, the questions are designed to be unique and practical — not easily found through a search engine. Real-world resource use is acceptable when aligned with job relevance.
Email Verification
Before accessing an assessment, candidates must verify their email address. Only after verification do they receive a secure link to the test.
Proctoring (Webcam & Screen Sharing)
If proctoring is enabled, the system captures webcam snapshots and screen activity during the test at regular intervals. These snapshots are visible in the candidate’s report.
The Anti-Cheat Monitor Explained
Each assessment includes an anti-cheat report with the following sections.
Identity & Environment
Item | Description |
Device | The type of device used by the candidate (e.g., MacBook Pro, iPhone). |
Location | The detected location (city and country) based on the IP address. |
Browser | The browser used during the assessment. |
Unique IPs seen | List of all IP addresses the test was submitted from. More than one suggests the candidate switched networks mid-test. |
Unique locations seen | List of all geographic locations detected. |
Unique devices seen | List of all devices the test was taken from. More than one is a strong impersonation signal. |
Proctoring images captured | Total number of webcam and screen snapshots taken during the test (typically every 30 seconds). |
Behavioral Signals (with occurrence counts)
Rather than a simple “yes/no” flag, each behavior is reported with the number of times it occurred. This makes it easier to distinguish a candidate who briefly lost focus once from one who switched tabs repeatedly.
Signal | What it means |
Tab switches | How many times the candidate switched to another browser tab. |
Window focus lost | How many times the browser window lost focus (candidate switched to another app). |
Full-screen exits | How many times the candidate left full-screen mode. |
Mouse left window | How many times the mouse cursor left the assessment window. This happens naturally for most candidates — a small number is not suspicious. |
Screen configuration changes | Changes in screen resolution or monitor setup (can indicate a second display). |
Copy/paste attempts | Attempts to copy content from the assessment. |
Screen sharing stopped | How many times the candidate ended screen sharing during the test. |
Webcam disabled | How many times the webcam became unavailable during the test. |
Permission & Consent Signals
Signal | What it means |
Camera access skipped | Candidate declined to grant camera access. May include a reason the candidate provided. |
Microphone access skipped | Candidate declined microphone access (a softer signal — not all assessments use audio). |
Screen sharing access skipped | Candidate declined to share their screen. |
Webcam not detected | No webcam was detected on the candidate’s device (hardware missing, not a candidate choice). |
How the Risk Level Is Calculated
Each candidate assessment receives one of four risk levels:
Not Assessed
Low
Medium
High
The risk level is not a simple “yes/no” verdict. It is calculated by weighing behavioral signals together with structural red flags.
1. Weighted Behavioral Signals
Each suspicious signal has a different weight.
Some signals are minor (e.g., the mouse briefly leaving the window), while others are much stronger indicators (e.g., multiple device fingerprints, which can suggest impersonation).
2. Repeated Behaviors Increase Risk
Repeated behaviors contribute more heavily to the score — up to a reasonable cap.
For example:
One tab switch is usually insignificant
Five tab switches may indicate a pattern
Contribution caps prevent broken clients or temporary network issues from inflating the score indefinitely.
3. Structural Red Flags Carry Significant Weight
Some events are treated as strong one-time signals regardless of frequency, including:
Multiple device fingerprints
Multiple IP addresses
No proctoring images captured
These substantially increase the overall risk score.
4. Risk Level Classification
Low
The session showed only minor incidents consistent with normal test-taking behavior.
Examples:
A couple of tab switches
A few natural mouse-leaves
Medium
The session included several moderate incidents or one clear structural red flag.
Example:
The test was submitted from two different IP addresses
High
The session combined multiple serious signals.
Examples:
Repeated copy/paste attempts
Multiple device fingerprints
Missing anti-cheat images
Not Assessed
No behavioral data was collected.
Example:
Proctoring was not enabled for the assessment
Examples
Low Risk Example
A candidate might show:
2 tab switches
1 focus loss
3 natural mouse-leaves
A single IP and device throughout
This is considered a normal test session and typically requires no review.
Medium Risk Example
A candidate might show:
4 tab switches
2 focus losses
Camera access skipped
Microphone access skipped
This may warrant a second look, though there could still be a legitimate explanation.
High Risk Example
A candidate might show:
Multiple detected device fingerprints
Submissions from two different IP addresses
3+ copy/paste attempts
No anti-cheat images captured
This pattern strongly suggests impersonation or active cheating and warrants follow-up.
Understanding the “Possible Cheating” Flag
A Medium or High risk level does not automatically mean the candidate cheated. It indicates irregularities that should be reviewed in context.
Common legitimate explanations include:
A home network reconnecting with a new IP address during the test
A candidate briefly alt-tabbing to dismiss a notification
A slow webcam or unreliable microphone causing permissions to be re-requested
A browser bug logging more events than actually occurred
When Reviewing a Flagged Candidate
Review the counts, not just the risk level
Are the numbers proportionate to a normal session, or unusually high?Check unique IPs, devices, and locations
One switch is very different from multiple switches.Cross-reference with proctoring images
Confirm that the captured images match the invited candidate.Contact the candidate if needed
Clarify irregularities before drawing conclusions.
GDPR Compliance & Data Privacy
Marty is fully GDPR-compliant. No personal data is stored longer than necessary, and proctoring data — including screenshots, behavior logs, and device fingerprints — is handled securely. Candidate activity is tracked only during the assessment for the purpose of ensuring fairness and protecting assessment integrity.