The assessment is structured to simulate a real-world penetration test. It comprises three phases.
Scoping – 15 minutes
All candidates will share a common scoping briefing. Following the common scoping briefing, individually candidates will have up to 10 minutes to ask questions concerning the scope of the penetration test. During your individual scoping session, the Assessor will play the role of the commissioning client. Your performance during the individual scoping session will form part of the assessment.
Practical Penetration Test – 4 hours
The candidate’s laptop will be connected to the assessment infrastructure, from which you will perform the practical penetration test, as defined in the scoping session. Connectivity will end after 4 hours. During the final 30 minutes candidates will be advised to prepare for the interviews which follow, specifically in producing a site map.
(Break – 15 minutes)
There will be a 15 minute lunch break during the practical penetration test. During this time candidates will not be permitted to use their computers. This 15 minute break will not contribute towards the 4 hours of the practical assessment. You may take additional breaks for refreshments within the practical test, but no additional time will be allowed for any additional breaks that are taken.
Interview – 30 minutes
During the interview you will be required to produce a site map on a white board or flip chart. The site map must detail the application’s pages and API functionality, but it does not need to include static assets, such as media or script. The interview is an assessed component of the examination; care should be taken to ensure that the site map reflects your full understanding of the assessment application.
You will also be expected to inform the commissioning client (Assessor) of the significant aspects of your practical penetration test. The Assessor may ask you to explain any aspect of the process that you followed during the practical test.
Under normal circumstances, you will be notified of success or failure within one working week by Cyber Scheme.
In order to pass the test, you must demonstrate all of the following:
- appropriate interaction with the commissioning client,
- knowledge of the process of conducting a penetration test including legal and ethical issues,
- core capability to identify and exploit OWASP top 10 vulnerabilities, especially with regard to:
- injection vulnerabilities e.g. SQL injection,
- cross-site scripting (XSS) vulnerabilities,
- privilege escalation vulnerabilities,
- information disclosure vulnerabilities,
- core capability to produce an accurate site map.
If you have a physical disability or other support requirements when sitting the exam we make allowances for all scenarios in terms of additional time, adaption of exam environment and any cases where you may need personal assistance. Please inform us at time of booking and ensure you speak with your assessor on the day of the exam in order to ensure your needs have been properly addressed.
Contact us here for further details or to book an exam.