"I can't even tell a girl where I work." How security is arranged in Ukrainian deftech companies and why when joining the defense industry, you need to be prepared to become a keeper of secrets
When an IT specialist from a defense company agreed to talk to dev.ua, the first thing he clarified was that his name cannot be revealed, the company cannot be named, and his position is also taboo. What exactly his employer company is training him for, how many people work there, is better left unsaid. «I can’t say almost anything. Or rather, absolutely nothing. Where I work, who I work with, what I do, who these developments are for, or where my work is. I can’t even tell my girlfriend, because if someone finds out, there’s a high probability that she’ll come for us,» the publication’s interlocutor says.
This is the daily routine of Ukrainian DefTech in 2026. The industry, which has grown from zero to over 1,500 companies in three years of full-scale war, operates by rules where silence is the basic security standard, not the exception.
dev.ua tried to figure out exactly how security is arranged from the inside. Spoiler: only a few people wanted to talk about this topic. But even what we managed to find out paints a rather revealing picture.
When an IT specialist from a defense company agreed to talk to dev.ua, the first thing he clarified was that his name cannot be revealed, the company cannot be named, and his position is also taboo. What exactly his employer company is training him for, how many people work there, is better left unsaid. «I can’t say almost anything. Or rather, absolutely nothing. Where I work, who I work with, what I do, who these developments are for, or where my work is. I can’t even tell my girlfriend, because if someone finds out, there’s a high probability that she’ll come for us,» the publication’s interlocutor says.
This is the daily routine of Ukrainian DefTech in 2026. The industry, which has grown from zero to over 1,500 companies in three years of full-scale war, operates by rules where silence is the basic security standard, not the exception.
dev.ua tried to figure out exactly how security is arranged from the inside. Spoiler: only a few people wanted to talk about this topic. But even what we managed to find out paints a rather revealing picture.
Silence as a corporate culture
In outsourcing or product companies, an IT person can freely tell friends where they work, what stack they use, what product they are working on. This is not the case in defense. «You can’t talk about the project even in general terms,» says our interlocutor. «People ask, ‘What do you do?’ and you say something abstract — I create websites or just write code.»
The reason is simple: the enemy is actively collecting intelligence on defense enterprises. Therefore, silence is not a corporate whim, but a matter of physical security.
Interestingly, this culture of silence extends to social media. One of the basic hiring requests at defense companies is to review a candidate’s public profiles: what you post, who you interact with, and whether you have followers from potentially dangerous accounts. After hiring, minimizing public activity and restricting access to your profile becomes an unspoken expectation.
NDA is a mandatory minimum
If in a standard IT NDA it is often a formality that is signed incidentally and forgotten, then in DefTech it is the first and very serious conversation with a lawyer.
Bluebird Tech, WIY Advanced Aerial Systems, The Fourth Law, and Odd Systems — companies that dev.ua managed to talk to about security — confirmed that the NDA is signed by every employee without exception.
«We sign NDAs with all employees, with an emphasis on non-disclosure of confidential information — data about clients and contractors, code, technical specifications, business plans, strategies, internal policies,» say The Fourth Law and Odd Systems. «Non-compete and active solicitation clauses are also important to us.»
«Our company has a comprehensive security system in place, which covers both information protection and internal regulations for working with data and equipment. All employees are required to sign an NDA, which provides for the non-disclosure of confidential information, technical solutions, and internal processes of the company. Violation of these obligations entails legal consequences stipulated by the contract,» BlueBird says.
WIY Advanced Aerial Systems went further and formulated a separate list of what is prohibited from disclosure: commercial information (financial figures, contracts, partners, suppliers), technical data (drawings, 3D models, code, product architecture, R&D developments, prototypes), internal processes and data about customers and employees. Any information marked as «Confidential» is automatically under an NDA.
A fundamentally important point: the ban is valid not only during work, but also after dismissal — for a certain period specified in the contract. Violation entails disciplinary, civil or criminal liability in accordance with Articles 231-232 of the Criminal Code of Ukraine.
«Simply put: I left the company — the NDA didn’t go anywhere,» says the dev.ua interlocutor. And this often creates difficulties when changing jobs — because the candidate cannot explain to a potential employer what he was doing for the previous few months or years.
A phone in your pocket is already a security risk
If in a regular office a telephone is just a telephone, then in a weapons manufacturer it can be a point of leakage. And the attitude towards it is appropriate.
WIY Advanced Aerial Systems has a direct ban on taking photos and videos in production or R&D areas. Recording screens and work processes is also prohibited. The logic is simple: a photo of a «just interesting stand» may contain information that should not be shown to anyone outside the company.
A similar approach is used for computers. «The use of work equipment and access to information systems are regulated separately,» BlueBird notes, without going into details.
As an IT specialist working at DefTech says, only work devices are allowed at work, no third-party software without permission, no external media — USB, HDD — without the manager’s approval, no file transfers via personal email or messengers. Employees have mandatory corporate accounts, complex passwords, and undergo two-factor authentication. And if a specialist is not on site, the computer is automatically locked so that no one can spy on anything.
A separate line in the regulations of The Fourth Law and Odd Systems is «a direct ban on the use of certain insecure messengers and software, especially if the owners have connections with unfriendly countries.»
The need-to-know principle: you only know what you need to know
One of the basic principles of information security in serious organizations is access minimization. You only have access to what you need for your job.
WIY Advanced Aerial Systems describes this as need-to-know access: each employee sees only their own project and functional area. Actions are logged—who opened and changed what—and data copying and transfer are controlled.
For a developer, this means that they may not know what their colleague in the next department is working on. And this is not a distrust, but a standard: the fewer people who know about a particular product, the fewer potential points of leakage.
Physical security: card entry, escorted guests
Digital security is one aspect. But deftech companies, especially those with manufacturing capabilities, are also serious about physical access.
WIY Advanced Aerial Systems has access by key cards with clear zoning: office, production, R&D — separate zones with separate access levels. Video surveillance. Limited access for third parties. Guests — only accompanied.
That is, if you came for an interview or as a contractor, you will not physically get to where you are not supposed to go.
Background check: pre-employment check
A separate element that is directly stipulated in the WIY Advanced Aerial Systems regulations is the screening of candidates before hiring. Background check is standard. What exactly is being checked is not disclosed in detail. But it is obvious that we are talking about checking possible connections with hostile structures, public activity, and possible risks.
Another layer of restrictions is everything related to public communications. At WIY Advanced Aerial Systems, employees are prohibited from making comments on behalf of the company without approval, publishing photos from production, or disclosing participation in closed projects.
Actually, this explains why so few companies agreed to talk to dev.ua for this article. Most either did not respond at all or refused to comment.
Offer of restrictions and prohibitions
If you’re an IT guy considering a job at a defense company, you should understand that this is a different psychological contract with your employer. You won’t be able to post a proud note on LinkedIn saying «I joined Team X.» You won’t be able to tell people at conferences what you’re working on. You won’t be able to write a specific project name or even a company name on your resume. Your GitHub won’t be populated with public repositories of what you do at work.
Instead, you’ll know exactly why it’s all there. This is probably the only industry where the connection between a line of code and the real result on the front line is not a metaphor. «I know that what I do really helps someone,» says our anonymous interlocutor. «I can’t tell you how. But I know.»
Defense tech is looking for thousands of people but can’t find them. Why is this happening — what are the salaries and what do companies offer besides booking?
Polygraph, office, OSINT check and up to 5 stages of interviews. How IT specialists are hired at BlueBird, General Chereshnya, Himera, Frontline Robotics and other defense companies: a mini-guide for those who want to work in DefenceTech
