At Duolingo, we take test security seriously. That’s why we broke free from the test center model when we first designed the Duolingo English Test: our digital-first design improves access to testing, while designing out some of the biggest security risks of in-person testing—from bribing proctors to leaking test content.
But in the fast-paced world of digital-first testing, staying one step ahead of attackers is crucial to maintaining a fair and reliable experience for everyone. That’s why we took our security efforts to the next level by enlisting an elite team of ex-spies from around the world to do what they do best—try to hack the DET. Here’s how it all went down.
Why we hired a team of ex-spies to hack the DET
Much like cybersecurity, the best way to protect against cheating is to test the boundaries of your system with skilled professionals. So, who better to challenge our test’s defenses than a team of former spies with years of experience in espionage, intelligence, and covert operations?
We gave this expert team full freedom to exploit the DET in any way they could. Their mission was simple: try every trick in the book—whether it was common tactics like fake IDs or advanced methods like deepfakes—and find ways to cheat the test. Their goal? To see if our test could catch them in the act.
The "War Room" of cheaters
Our ex-spies didn’t hold back. They set up a war room, working for months to devise dozens of potential cheating strategies. This wasn’t just about testing the obvious methods. These pros tackled everything from the most mundane to the highly sophisticated:
- False identification: Trying to impersonate another person with a fake ID or altered credentials.
- Deepfakes: Using cutting-edge technology to simulate a different face or voice to fool the system.
- Outside assistance (human or AI): Trying to get outside help when taking the test, whether it's from another person or ChatGPT
With unlimited testing opportunities, the ex-spies had the chance to explore every angle. But there was one catch: Our security team wasn’t allowed to know which tests belonged to them. Their tests were mixed in with the millions of legitimate DET tests taken by users around the globe.
No attack too small or sophisticated
The team tried to slip through the cracks in numerous ways, but the DET defended against all of their attacks. Even the more mundane cheating attempts, like using fake IDs, were swiftly caught by our AI and human proctoring system.
But what about their more sophisticated tricks? Here’s how we fared:
- Bribing proctors: One of the most common ways people try to cheat during in-person tests is by bribing proctors or persuading them to turn a blind eye. Because the DET is fully remote and uses both AI and human proctors, there was no opportunity for bribery, eliminating one of the biggest cheating vectors from traditional exams.
- Leaked questions: The spies attempted to steal and leak questions before the test. However, the adaptive nature of the DET means each test is unique, making it virtually impossible for any leaked questions to provide an advantage.
- The identical twin test: Perhaps the most interesting (and boldest) attempt was when they had identical twins try to take the test for one another. But even this creative tactic was thwarted by our combination of human proctors and AI-driven biometric analysis, which accurately detected the subtle differences between the twins.
Ongoing security improvements
While we were proud to see the DET hold up against the ex-spies’ best efforts, the exercise wasn’t just about proving our strength. Our spy team helped us identify areas where we can further improve security, showing us how even the most secure systems can always get better. Security is an ongoing battle, and we are committed to staying ahead of emerging threats.
We’ll be repeating this exercise regularly, constantly refining and upgrading our security protocols to ensure that the DET remains one of the most secure and reliable English proficiency tests in the world.
A secure future for the DET
The lessons learned from this high-stakes, spy-led penetration test will continue to guide our security efforts. At Duolingo, we believe that secure testing is the key to fair testing—and by challenging ourselves with the best, we ensure the integrity of the DET for millions of test-takers worldwide. That’s why top universities and governments worldwide accept our test; explore our complete list of over 5,000 accepting programs to see them all!