
Debrev v0.2: A New Frontier for the Interview Product

June 11, 2026 · By Debrev Team
✦ AI Overview

Debrev v0.2 builds three new layers on top of the v0.1 capture pipeline. A decision layer — the Decision Hub, scorecards, and an Action Library of per-candidate AI agents — turns evidence into a defensible hiring decision, with every claim indexed back to its source. An agent layer adds semantic candidate search over a vector index, the backbone for natural-language retrieval and agentic workflows. An enterprise trust layer brings Cognito SSO, MFA and passkeys, four-hour step-up authentication on sensitive routes, per-candidate access scoping, and per-IP brute-force limiting. Three results are live and reproducible: storage cost runs 70% lower at month 24 with tiered Glacier archival, only 29 of 300 credential-stuffing attempts reached the password check, and step-up enforcement behaved as designed on all 9 tested actions.

v0.1 captured interviews and analyzed them with AI. v0.2 closes the loop. It adds a decision layer, an agent layer, and an enterprise trust layer on top of that pipeline, turning a recorder into a platform that helps teams reach a hiring decision and defend it.

[Diagram: From interview recorder to hiring-decision platform. Panels: v0.1 Capture; v0.2 Decision & Agents; v0.2 Collaborate & Connect; v0.2 Enterprise Trust Layer (spans the platform); Platform.]
Figure 1. The v0.2 architecture. A decision-and-agent layer and a collaboration layer sit on the v0.1 capture pipeline, with an enterprise trust layer spanning the whole platform.

The problem

An interview recording, by itself, is not a decision. v0.1 gave teams clean transcripts and AI insights, but the last and hardest step still happened in someone's head or in a scattered set of documents. Recruiters re-read transcripts, copied notes into ad-hoc scorecards, and tried to reconstruct why a candidate was strong or risky days after the conversation. The evidence existed; the structure to turn it into a defensible decision did not.

At the same time, the data Debrev holds is sensitive. Interview transcripts, resumes, and hiring notes are exactly the kind of records that demand real access control, real session security, and predictable retention. A platform that asks teams to make consequential decisions has to earn that trust at the infrastructure level, not just the feature level.

The decision layer

Decision Hub

The Decision Hub is a new top-level page built on a dedicated AI decision engine. For each candidate it produces a readiness assessment, an evidence-backed narrative, a risk analysis, and coverage of the required competency areas, with supporting charts and tables. Every claim is indexed back to its source — a transcript moment, an insight, or a line in the resume — so a reviewer can trace any statement to the evidence behind it. When data is incomplete, the Hub degrades gracefully and still produces a useful view rather than blocking the recruiter.

Scorecards and the Action Library

Scorecards bring structure to evaluation. Orgs get a seeded default template and can author their own, with completion tracking, import, and export to PDF for sharing outside the platform. Alongside them, the Action Library is a set of built-in AI agents a recruiter can run per candidate:

  • Build Next-Round Interview Brief
  • Interview Gap: Align to Required Areas
  • Determine if Concerns are Role-Critical
  • Prepare Defense Pack
  • Document Risk Surface Summary

Each agent takes the candidate's evidence and produces a specific artifact, so the work of preparing for the next round or defending a decision becomes a single action rather than an afternoon.

Semantic candidate search

Candidate profiles are now embedded into a vector index, with automatic re-embedding on updates and a backfill for existing records. This turns search from keyword matching into natural-language retrieval — a query like "find candidates with payments-infrastructure experience" returns people whose materials describe that work, even when they never used those exact words. The same retrieval layer is the backbone behind the agentic abilities described below.

Collaboration and integration

Candidates can now be handed off between interviewers through an accept/decline flow, backed by a new in-app notification bell, and org member management was expanded alongside it with roles, per-user product access, and invitations. Speaker diarization ships in this release as well: interview audio is now attributed end to end, so transcripts distinguish who said what, with an upgraded audio player and a recording manager built around it.

On integration, v0.2 introduces first-party ATS linking through Merge.dev. Candidate data and attachments sync with webhook-driven refresh, and because the integration is built on Merge, it extends to the full set of ATS platforms on their network. For the current list of supported systems, see Merge's official partner directory.

[Diagram: Two-level assurance: how a sensitive request is gated. Enforced in middleware, not per page. A logged-in session is not enough to change org settings, manage users, or touch billing. AAL1 (base access): sign in with password or SSO; a normal request (view candidates, notifications) is always served with 200 OK. AAL2 (elevated access): a sensitive request (settings, members, billing, admin) returns 403 STEP_UP_REQUIRED; the in-app interceptor runs a server-verified email OTP step-up; the retry returns 200 OK while elevation is valid (4-hr window), with no place lost.]
Figure 2. Step-up authentication. A normal request is served at base assurance (AAL1); a sensitive request returns a step-up challenge until the session is elevated to AAL2.

The enterprise trust layer

The largest theme of v0.2 is trust. Identity moved to AWS Cognito enterprise SSO with Google OAuth sign-in and account-linking conflict protection. On top of that sit MFA (server-side TOTP plus Cognito MFA, with an enrollment prompt for admins) and passkey support over WebAuthn. Across the platform, v0.2 adds strict signup and input validation, upload validation, inactivity logout, and audit logging with an admin-facing endpoint.

Step-up authentication

Even an active, logged-in session must now re-verify identity before touching sensitive areas. v0.2 introduces a two-level assurance model: a normal sign-in grants base access, but settings, organization management, and admin routes require a recent, server-verified email one-time-code step-up. Elevation stays fresh for a sliding four-hour activity window, so an actively working admin verifies at most once while an abandoned session loses elevated access automatically. Enforcement lives in middleware rather than per page, with a dedicated step-up screen and an in-app interceptor that catches blocked calls and walks the user through verification without losing their place.

We verified the model live. Against a session running with enforcement on, six sensitive actions — org settings, audit-log reads, permissions, billing, and admin activation — each returned a step-up challenge before elevation and succeeded after it, while three normal actions succeeded throughout. All nine outcomes matched the design.
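A minimal sketch of the gate described above, as an added example that is not Debrev's code: the route prefixes, the session shape, and the choice that any request refreshes the sliding window are assumptions. The constructed trace shows a base-assurance session, a step-up, two requests that keep elevation alive past four hours from the original code, and an idle gap that drops it.

```javascript
// Added example, not Debrev's code. Route prefixes and session shape are assumed.
const STEP_UP_WINDOW_MS = 4 * 60 * 60 * 1000; // four-hour window, from the post

// Hypothetical prefixes standing in for settings, members, billing and admin routes.
const SENSITIVE_PREFIXES = ["/api/org/settings", "/api/org/members", "/api/billing", "/api/admin"];

function isSensitive(path) {
  // Match on a path-segment boundary so "/api/administrivia" is not read as "/api/admin".
  return SENSITIVE_PREFIXES.some((p) => path === p || path.startsWith(p + "/"));
}

// session.elevatedAt: server-side time (ms) of the last verified step-up or
// later activity, or null when the session only holds base assurance (AAL1).
function gate(session, path, now) {
  const fresh = session.elevatedAt !== null && now - session.elevatedAt < STEP_UP_WINDOW_MS;
  // Sliding window (assumed: any request counts as activity); idle sessions lose elevation.
  session.elevatedAt = fresh ? now : null;
  if (isSensitive(path) && !fresh) return { status: 403, code: "STEP_UP_REQUIRED" };
  return { status: 200 };
}

// Call only after the server has verified the emailed one-time code.
function completeStepUp(session, now) {
  session.elevatedAt = now;
}

// Constructed trace: minutes since sign-in, path, and whether a step-up precedes it.
function runStepUpTrace() {
  const MIN = 60 * 1000;
  const session = { elevatedAt: null };
  const steps = [
    { at: 0, path: "/api/candidates" },
    { at: 1, path: "/api/org/settings" },
    { at: 2, path: "/api/org/settings", stepUpFirst: true },
    { at: 241, path: "/api/billing/invoices" }, // 239 min after last activity
    { at: 480, path: "/api/admin/activate" },   // 478 min after the code, still elevated
    { at: 720, path: "/api/org/members" },      // 240 min idle: window expired
    { at: 721, path: "/api/candidates" },
  ];
  return steps.map((s) => {
    if (s.stepUpFirst) completeStepUp(session, s.at * MIN);
    return gate(session, s.path, s.at * MIN).status;
  });
}
```

Keeping `elevatedAt` in server-side session state matters here: if the client could set it, the step-up would be advisory only.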

Per-candidate access control

Authorization now goes deeper than the org boundary. Every candidate route enforces owner, collaborator, and admin scoping through a single shared access check, and a non-member receives a 404 rather than a 403 — so the system never even confirms that a candidate exists to someone who should not see it. Interviewers see their own candidates and the ones explicitly shared with them; admins see everything. This sweep is why nearly every candidate API endpoint was touched in the release.
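One way to write the single shared access check described above, as an added example rather than Debrev's own code; the data shapes, role names and function names are assumptions. The point it demonstrates is that "forbidden" and "missing" return the identical response, and that list views reuse the same predicate as detail routes.

```javascript
// Added example, not Debrev's code. Data shapes and names are assumptions.
const NOT_FOUND = Object.freeze({ status: 404, body: { error: "Not found" } });

function canSee(user, candidate) {
  if (candidate.orgId !== user.orgId) return false; // org boundary first
  if (user.role === "admin") return true;           // admins see everything in their org
  return candidate.ownerId === user.id || candidate.collaboratorIds.includes(user.id);
}

// The single shared check every candidate route calls before doing any work.
function loadCandidateFor(user, candidates, candidateId) {
  const candidate = candidates.get(candidateId);
  // Missing and forbidden return the same object, so neither the status nor
  // the body tells a non-member whether the id exists.
  if (!candidate || !canSee(user, candidate)) return NOT_FOUND;
  return { status: 200, body: candidate };
}

// List views reuse the same predicate so they cannot drift from the detail routes.
function listCandidatesFor(user, candidates) {
  return [...candidates.values()].filter((c) => canSee(user, c)).map((c) => c.id);
}

// Constructed sample data.
const sampleCandidates = new Map([
  ["c1", { id: "c1", orgId: "org-a", ownerId: "u-ivy", collaboratorIds: ["u-sam"] }],
  ["c2", { id: "c2", orgId: "org-a", ownerId: "u-sam", collaboratorIds: [] }],
  ["c3", { id: "c3", orgId: "org-b", ownerId: "u-zed", collaboratorIds: [] }],
]);
const ivy = { id: "u-ivy", orgId: "org-a", role: "interviewer" };
const sam = { id: "u-sam", orgId: "org-a", role: "interviewer" };
const adminA = { id: "u-ada", orgId: "org-a", role: "admin" };
```

A 404 body that differs between the two cases, or a measurable timing gap between them, would reintroduce the existence leak the status code is meant to close.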

Brute-force resistance

Login is rate-limited per IP. To measure it, we fired 300 credential-stuffing attempts from a single IP over five minutes against the real limiter code path. With the limiter disabled, all 300 reached application logic. With it active, 29 got through — tracking the expected rate of roughly five per minute — and the remaining 90 percent were rejected before any password check.
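The measurement above can be reproduced in miniature, as an added example that is not Debrev's limiter: the fixed-window algorithm, the limit of 5 per 60 seconds, the evenly spaced attempts and the documentation-range IP are all assumptions. Under those assumptions 25 of 300 attempts reach the password check, the same order as the 29 the post measured; the exact figure depends on the limiter's algorithm and attempt timing.

```javascript
// Added example, not Debrev's limiter. Limit, window and algorithm are assumptions.
const LIMIT = 5;              // the post says "roughly five per minute"
const WINDOW_MS = 60 * 1000;

function createAuthLimiter() {
  const windows = new Map();  // ip -> { start, count }
  return function allow(ip, now) {
    let w = windows.get(ip);
    if (!w || now - w.start >= WINDOW_MS) {
      w = { start: now, count: 0 }; // first request, or previous window has ended
      windows.set(ip, w);
    }
    w.count += 1;             // rejected attempts still count against the window
    return w.count <= LIMIT;
  };
}

// Login handler: the limiter runs before any credential lookup or hash comparison.
function handleLogin(allow, ip, now, stats) {
  if (!allow(ip, now)) return 429;
  stats.passwordChecks += 1;  // stands in for the password verification
  return 401;                 // every constructed attempt uses a wrong password
}

// Replay `attempts` evenly spaced logins from one IP over `durationMs` and
// return how many reached the password check.
function measure(attempts, durationMs, limiterOn) {
  const allow = limiterOn ? createAuthLimiter() : () => true;
  const stats = { passwordChecks: 0 };
  const gap = durationMs / attempts;
  for (let i = 0; i < attempts; i++) {
    handleLogin(allow, "203.0.113.7", i * gap, stats); // constructed source IP
  }
  return stats.passwordChecks;
}
```

Per-IP limiting bounds a single source only; attempts spread across many addresses need a complementary per-account limit, which this sketch does not cover.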

[Chart: Brute-force resistance: 300 credential-stuffing attempts from one IP. X axis: time elapsed (0 to 5 minutes). Y axis: attempts reaching password check (0 to 300). Series: v0.1 no rate limiting (300/300); v0.2 authLimiter (29/300). Annotation: 90% of attempts never reach the password check.]
Figure 3. Brute-force resistance. Cumulative attempts reaching the password check over five minutes, with rate limiting off (v0.1) and on (v0.2).

Storage and retention

Large interview libraries are expensive to keep in hot storage forever. v0.2 adds a storage viewer for interview files, automated retention runs, and tiered archival: cold files transition to Glacier-class storage with on-demand unarchive. To size the impact we simulated a mid-size org accumulating audio and materials over 24 months, pricing both scenarios at current us-east-1 rates and importing the actual retention constants the product ships with. By month 24 the v0.2 storage bill was 70 percent lower than keeping everything in S3 Standard.

[Chart: Storage cost per candidate-hour: mid-size org, 24-month projection. X axis: month (1 to 24). Y axis: cost ($0.00 to $0.50). Series: v0.1 (S3 Standard only); v0.2 (retention + Glacier IR). Annotation: 70% lower cost at month 24.]
Figure 4. Storage cost over 24 months for a mid-size org. v0.2 retention plus Glacier Instant Retrieval against an S3-Standard-only baseline. Small and large orgs landed at 66.7% and 70.7% respectively.

Results at a glance

All three results below are live, reproducible measurements against the shipping code paths.

  • 70% lower storage cost at month 24
  • 29/300 attempts reached the password check
  • 9/9 step-up actions behaved as designed
  • 4-hr sliding step-up elevation window

Test | Result | Method
Storage cost (mid-size org, 24-month projection) | 70% lower at month 24 | Simulation using shipping retention + Glacier IR logic
Brute-force resistance | 29 of 300 attempts reached the password check (vs 300 of 300) | 300 credential-stuffing attempts from one IP over 5 minutes
Step-up enforcement | 9 of 9 actions behaved as designed | 6 sensitive + 3 normal actions, pre- and post-step-up

Platform and polish

v0.2 runs on an upgraded stack — Next.js 16 and React 19 — with a multi-step dashboard loading experience and an animated product tour. The release also brings a screening insights dashboard, a screening chat, and a "PDF Ask" capability for asking the AI questions directly against a candidate's uploaded materials; AI chat now carries memory across a conversation, and there are new in-app resume and PDF viewers. Rounding it out: tiered pricing with seat selection and volume discounts at checkout, per-seat usage enforcement, refined trial handling, accessibility improvements, an SEO and sitemap overhaul, cookie consent, and the removal of API gateway time limits so long AI jobs no longer time out.

Overview AI ships in this release too. We covered it in depth previously — see Introducing Overview AI. New in v0.2, Overview AI can call tools mid-conversation — searching candidates, fetching details, and comparing them — on top of the semantic search layer above.

What's next

v0.2 turns Debrev into a place where a hiring decision is made, evidenced, and defended, on infrastructure built to hold sensitive data. We are continuing to deepen semantic search and the agentic workflows it powers. If you run interviews at scale, this is the release to try.

Explore the Decision Hub and the rest of v0.2 — this is the version to put in front of your team.
