Joining Instructions
CSTL-Web App Exam
Please use the instructions below to help you organise your exam day.
Please contact us if you have any queries.
All our exams currently take place at our assessment centres in Cheltenham:
The Cyber Scheme, Eagle Tower, Montpellier Drive, Cheltenham GL50 1TA
Please organise your own accommodation if needed.
There is no on-site parking for candidates. Bath Terrace Car Park (SatNav GL50 2BA) offers reasonable all day parking within a few minutes’ walk. We are able to organise blue badge accessible parking for those who need it – please email us to book.
Our exam rooms are all accessible via lift. Please let us know if you have any accessibility issues.
Exams begin at 9.00am; please check in at Eagle Tower reception at 8.45am. Our invigilator will accompany you to the exam room. Exams are normally completed by 5pm.
Photo-ID
You should bring a recognised photo-id (e.g. Passport or Driving Licence) and have this available throughout the test.
Assessment Outcome
Under normal circumstances, you will be notified of success or failure by email within one working week by The Cyber Scheme.
Non-attendance
Please notify us if you are unable to attend or if you have any enquiries prior to the exam date. Please read our terms and conditions for our cancellation policy.
Please bring:
A laptop (with power supply, HDMI output, RJ45 network interface card, wireless network interface card and administrator rights to add software).
Hard drives will be erased (or retained) so please be prepared to remove them from your laptop at the end of the session. All drives that are installed in the laptop at the time of the test will need to be wiped.
Refreshments and lunch break
Water is available in the exam room. Please note you will only have a 30 minute lunch break, so we advise you bring your own food with you to save time – however there is a café onsite if you wish to purchase lunch, tea or coffee.
Mobile Phones
You will be asked to put phones and other devices on silent and away during exams; you will not be contactable via Teams, Slack etc. during the assessment.
Permitted Materials
The assessment will be open book. You may bring personal copies of textbooks and similar local resources into the assessment environment. You are not allowed to share permitted materials with other candidates. You are advised not to annotate permitted materials during the assessment.
Any annotations that are made will be subject to the persistent storage constraint below.
Resources to be provided by the Candidate
You must supply your own laptop, equipped with the penetration test tools of your choice.
The laptop must have an RJ45 / Ethernet socket that will be used to connect to the test environment. The laptop screen must be mirrored to an external monitor for the duration of the practical engagement with the test environment. The test centre will provide a 1920×1080 monitor with HDMI connection. If your laptop does not support that, please ensure you bring an appropriate adaptor with you as we will not be able to supply one.
Internet Access
Access to the Internet is not permitted from your laptop. Supervised access to the Internet will be permitted from a machine provided by the assessment centre.
Persistent Storage
All persistent storage (internal drives, external drives, USB flash storage, written notes etc.) must be wiped at the end of the test. An attempt will be made to forensically wipe digital storage (your laptop drive may need to be removed for this to happen). Where disk wiping can be verified as successful, the storage device will be returned to you on the day of the assessment. If the drive cannot be wiped it will be retained and returned at a later date (via post). Paper storage, and digital storage where forensic wiping cannot be verified, will not be returned and will eventually be destroyed. You are strongly advised to use low-cost storage devices for the exams as some can be challenging (and time consuming) to erase to the required standard.
Audio Recording
There are some aspects of the assessment (viva) that will take the form of spoken questions with spoken answers. These will be audio recorded. The recordings will be retained for up to 24 months to ensure consistency across Assessors and candidates. You must be willing to be audio-recorded answering questions concerning the test.
Process Notes
After the practical test has been completed, candidates may be asked about the effects that any of their actions might have had. Such questions may relate to web servers, databases, client data, and times. Candidates should be prepared to record the process of carrying out their penetration test.
Assessment Infrastructure
The practical part of the assessment will be performed within an environment that is predominantly virtualised. Candidates must not attempt to exploit the virtualisation infrastructure.
Assessment Structure
The assessment is structured to simulate a real-world penetration test. It comprises three phases.
Phase 1 – Scoping (15 minutes)
All candidates will share a common scoping briefing. Following the common scoping briefing, candidates will individually have up to 10 minutes to ask questions concerning the scope of the penetration test. During your individual scoping session, the Assessor will play the role of the commissioning client. Your performance during the individual scoping session will form part of the assessment.
Phase 2 – Practical Penetration Test (4 hours)
The candidate’s laptop will be connected to the assessment infrastructure, from which you will perform the practical penetration test, as defined in the scoping session. Connectivity will end after 4 hours. During the final 30 minutes candidates will be advised to prepare for the interviews which follow, specifically in producing a site map.
(Break – 15 minutes)
There will be a 15 minute lunch break during the practical penetration test. During this time candidates will not be permitted to use their computers. This 15 minute break will not contribute towards the 4 hours of the practical assessment. You may take additional breaks for refreshments within the practical test, but no additional time will be allowed for any additional breaks that are taken.
Phase 3 – Interview (30 minutes)
During the interview you will be required to produce a site map on a white board or flip chart. The site map must detail the application’s pages and API functionality, but it does not need to include static assets, such as media or script. The interview is an assessed component of the examination; care should be taken to ensure that the site map reflects your full understanding of the assessment application.
You will also be expected to inform the commissioning client (Assessor) of the significant aspects of your practical penetration test. The Assessor may ask you to explain any aspect of the process that you followed during the practical test.
Assessment requirements
In order to pass the test, you must demonstrate all of the following:
- appropriate interaction with the commissioning client,
- knowledge of the process of conducting a penetration test including legal and ethical issues,
- core capability to identify and exploit OWASP Top 10 vulnerabilities, especially with regard to: injection vulnerabilities (e.g. SQL injection), cross-site scripting (XSS) vulnerabilities, privilege escalation vulnerabilities and information disclosure vulnerabilities,
- core capability to produce an accurate site map.
Please note: some of our assessments use proof codes and some do not. If you require clarification on this, please reach out and contact us.
Application details
The application to be tested will be one of three, randomly chosen on the day of the assessment. The candidate should be suitably prepared to assess each of the application types. The three application types are:
1) An HR application
2) A banking application
3) A government owned recruitment platform.
Inclusion and Accessibility during exams and training
The Cyber Scheme believe everyone should have access to a career in security testing. We are available to discuss any concerns you have and are more than happy to make reasonable adjustments for any candidate who requires them during training and examinations.
These reasonable adjustments are to ensure you are given an equal opportunity to demonstrate the necessary knowledge, skills and behaviours required. We recognise that not all disabilities are visible.
We have a range of reasonable adjustments we can offer depending on what difficulty you might face. If you request an adjustment which we are unable to offer, we will give you a reason why we cannot offer it. This might be because it maps to a key Knowledge, Skill or Behaviour that we have to assess against within the certification. If that is the case, we will tell you which aspect we think would not be properly assessed.
There may be background noise during an assessment. Please bring (or ask for) ear plugs / ear defenders or listen to music if background noise is likely to affect your concentration (please note this doesn’t apply to our training courses).
Mobility
Access to all of our facilities is suitable for people with mobility issues. Should any other special facilities be required please get in touch at time of booking. For some reasonable adjustments, such as access to a disabled parking space, we will need to see supporting documentation around the condition to allow us to apply for this access for you. No information will be retained or stored once the request is validated.
Walking directions to the nearest Pay & Display car park can be found here.
There are two entry points to the Eagle Tower building where our exam rooms are located. Please make your way to the main entrance on Montpellier Drive – look for the large eagle statue outside the revolving doors. When you arrive, please introduce yourself at reception and make your way to the seats shown here, where you will be met by your invigilator.
Our exam rooms are full of natural light, with window blinds and overhead fluorescent lights when needed.
We have drinking water, coffee and tea making facilities in our exam rooms. There is an onsite cafe selling hot and cold food in the ground floor reception area. If you have any allergies please let us know at time of booking.
There are accessible toilets on every floor.
There will be a level of ambient noise due to the proximity of other offices. If needed please supply your own earplugs or ear defenders when taking an exam. Please note this will not be appropriate for our training courses.
Our rooms are designed specifically to allow for maximum interaction between assessor and candidate, within specific guidelines stipulated by NCSC regarding assessor and candidate ratios. These are:
CSTM exam – maximum of 6 candidates plus assessor
CSTL exams – maximum of 6 candidates with assessor plus invigilator
CSTM training – maximum of 12 delegates plus trainer
Advanced Mentoring – maximum of 6 delegates plus trainer