Cyber Scheme Team Member (CSTM)
The industry-leading exam for individuals who require formal certification recognising their understanding of the theory and practical elements of cyber security, and the fundamentals of penetration testing.
A pass in this highly regarded technical qualification is one of the mandatory assurance checks undertaken by the National Cyber Security Centre (NCSC) before CHECK Team Member Status can be awarded.* This exam also meets the standard required from NCSC and IASME to operate Cyber Essentials Plus Certification Services. Find out more about becoming an assessor for Cyber Essentials Plus here.
The CSTM (Cyber Scheme Team Member) assessment addresses the requirements stipulated for professional titles. Soft skills, CPD, and the opportunity to explain technical techniques in a face-to-face interview are the best ways to determine a candidate’s understanding of a given topic. The assessment consists of a practical exam, viva (interview) and the creation of an executive summary report.
- The assessment is open book, except the short report writing exercise. We do not allow report writing tools, AI or pre-prepared reports.
- The practical element has infrastructure and application questions, supported by the report.
- The VIVA (interview) will involve being asked some technical questions at the end of the practical review.
Explaining the VIVA
The practical assessment is watched over by an assessor or invigilator to make sure the assessment is fair (in that the network is acting correctly, and the candidate is staying within the rules of the assessment). The assessor or invigilator may make notes and award marks where they can see a valid technique, command and outcome.
The VIVA is a chance for the assessor to make sure they have seen all the commands run and tool output needed to award marks for the practical section, while the candidate is available for questions. The purpose of the questions is to establish if the candidate is aware of the purpose of the commands executed, the risks, the expected outcomes and in some cases the mitigation of the issues found. The assessor will ask to see any written answers (tools, flags, parameters, tool output etc), any screen shots and any vulnerability assessment software output.
The candidate will not be asked to explain every command in detail, but will need to show the practical assessment is their own work and that they have not been coached. In some instances the questions will be used to establish the depth of knowledge around tool selection, use and trade craft.
Further technical questions will be asked to show the assessor that the candidate has a firm grasp of the knowledge domains and the Knowledge, Skills, Abilities and Tasks (KSATs) expected at CSTM (practitioner) level. These knowledge domains are all outlined here for preparation purposes.
The marks awarded for the practical section and the VIVA section are linked. For example, a candidate who runs a valid tool and can explain why it was run, the risks involved and the expected outcome may be awarded more marks than a candidate who ran a tool but cannot say why it was run, what the risks were or what the expected outcome was, because they found it on a cheat sheet and it seemed to work.
The technical skills candidates will be expected to demonstrate include:
Networking
- Understanding common networking protocols such as SMTP, NFS, FTP, DNS
- Service enumeration
- The ability to map a network
- Port scanning
- Identification of valuable hosts on a network.
Web application
- Understanding basic web application vulnerabilities such as SQLi, XSS, LFI/RFI.
Host exploitation
- Understanding of the differences between operating systems
- Identification of server vulnerabilities
- Exploitation of server vulnerabilities
- Basic methods of privilege escalation.
CSTM exam components
Component | Duration
--- | ---
Practical (includes a short reporting element) | 2 hours 30 minutes
Technical interview preparation time | 15 minutes
Technical interview | 15 minutes
Wash up / VIVA | 20 minutes
Pass criteria
Each question has 100 marks available and a pass for each question is determined as 60 or more marks.
In order to be successful, the candidate must achieve:
- Practical and Viva – 6 out of 7
- Report Writing – 2 out of 3
- Technical Interview – 5 out of 6.
Marks cannot be carried over to other questions or sections; this ensures the breadth of knowledge required at this level is demonstrated. We do not disclose marks beyond pass or fail.
Assessment marking and feedback
Please see below an example of the marking and feedback sheet used by our assessors.
Criteria | FAIL | PASS | Comment
--- | --- | --- | ---
**Practical and Viva** | | |
Application Enumeration | | |
Application Information Disclosure | | |
Application Exploitation and Mitigation | | |
Network Mapping and Associated Protocols | | |
Enumeration and Exploitation of Windows Devices | | |
Enumeration and Exploitation of Linux Devices | | |
Post Exploitation | | |
**Report Writing** | | |
Business Risks / Implications | | |
Summary | | |
Coherent, Well Written Report Element | | |
**Technical Interview** | | |
Current Technology | | |
Older Technology | | |
Networking | | |
Protocols | | |
Mitigation | | |
Laws, Ethics, Scope and Risk | | |
**Additional notes** | | |
**Overall:** | | |
Important information for Check Team Members
In line with the transition of CTMs to a Professional Title with the UK Cyber Security Council, all Check Team Members will be required to hold a Professional Title at Practitioner Level if they are working on CHECK contracts.
All candidates taking our CSTM exam for the first time, with a view to becoming a CTM, are encouraged to have started the Professional Title Application Form prior to attending their assessment. Please get in touch if you have any questions.
* The Cyber Scheme cannot award CHECK status, but do award certificates recognised by NCSC as confirmation that the necessary technical standard for CHECK has been met.
The Cyber Scheme believe everyone should have access to a career in security testing. We are available to discuss any concerns you have and are more than happy to make reasonable adjustments for any candidate who requires them during examinations.
These reasonable adjustments are to ensure you are given an equal opportunity to demonstrate the necessary knowledge, skills and behaviours required. We recognise that not all disabilities are visible.
We have a range of reasonable adjustments we can offer depending on what difficulty you might face. If you request an adjustment which we are unable to offer, we will give you a reason why we cannot offer it. This might be because it maps to a key Knowledge, Skill or Behaviour that we have to assess against within the certification. If that is the case, we will tell you which aspect we think would not be properly assessed.
There may be background noise during an assessment. Please bring (or ask for) ear plugs / ear defenders or listen to music if background noise is likely to affect your concentration.
Mobility
Access to all of our facilities is suitable for people with mobility issues. Should any other special facilities be required please get in touch at time of booking. For some reasonable adjustments, such as access to a disabled parking space, we will need to see supporting documentation around the condition to allow us to apply for this access for you. No information will be retained or stored once the request is validated.