CSTM (Cyber Scheme Team Member)
Our flagship exam.
Setting the standard in technical assessments for security testers.
£600 +VAT
The knowledge domains listed below form the core knowledge required to pass a CSTM exam.
The industry-leading exam for individuals who require formal certification recognising their understanding of the theory and practical elements of cyber security, and the fundamentals of penetration testing.
A pass in this highly regarded technical qualification is a mandatory requirement for the Practitioner Level Professional Title (security testing) with the UK Cyber Security Council. This exam also meets the standard required by NCSC and IASME to operate Cyber Essentials Plus Certification Services, and is therefore a route to becoming a Cyber Essentials Plus assessor.
The assessment consists of a practical exam, viva (interview) and the creation of an executive summary report. We believe the opportunity to explain technical techniques in a face-to-face interview is the best way to determine a candidate’s understanding of a given topic.
- We do not allow report writing tools, AI or pre-prepared reports.
- The practical element has infrastructure and application questions, supported by the report.
- The VIVA (interview) involves answering technical questions at the end of the practical review. This element is closed book; the question set is available to download for preparation.
The practical assessment is supervised by an assessor or invigilator to make sure the assessment is fair (that the network is behaving correctly and that the candidate is staying within the rules of the assessment). The assessor or invigilator may make notes and award marks where they can see a valid technique, command and outcome.
The VIVA is a chance for the assessor to make sure they have seen all the commands run and tool output needed to award marks for the practical section, while the candidate is available for questions. The purpose of the questions is to establish whether the candidate understands the purpose of the commands executed, the risks, the expected outcomes and, in some cases, the mitigation of the issues found. The assessor will ask to see any written answers (tools, flags, parameters, tool output etc.), any screenshots and any vulnerability assessment software output.
The candidate will not be asked to explain every command in detail, but will need to show that the practical assessment is their own work and that they have not been coached. In some instances the questions will be used to establish the depth of knowledge around tool selection, use and tradecraft.
Further technical questions will be asked to demonstrate to the assessor that the candidate has a firm grasp of the knowledge domains and the Knowledge, Skills, Abilities and Tasks (KSATs) expected at CSTM (practitioner) level. These knowledge domains are outlined below for preparation purposes.
The marks awarded for the practical section and the VIVA section are linked. For example, a candidate who runs a valid tool and can explain why it was run, the risks involved and the expected outcome may be awarded more marks than a candidate who ran the same tool without knowing why, what the risks were or what the expected outcome was, having simply found it on a cheat sheet and seen that it worked.
Networking
- Understanding common networking protocols such as SMTP, NFS, FTP, DNS
- Service enumeration
- The ability to map a network
- Port scanning
- Identification of valuable hosts on a network.
Web application
- Understanding basic web application vulnerabilities such as SQLi, XSS, LFI/RFI.
Host exploitation
- Understanding of differences between operating systems
- Identification of server vulnerabilities
- Exploitation of server vulnerabilities
- Basic methods of privilege escalation.
Timings
- Practical (includes a short reporting element): 2 hours 30 minutes
- Technical interview preparation time: 15 minutes
- Technical interview: 15 minutes.
Each question has 100 marks available, and a pass for a question requires 60 or more marks.
In order to be successful, the candidate must achieve:
Practical and Viva – 6 out of 7
Report Writing – 2 out of 3
Technical Interview – 5 out of 6.
Marks cannot be carried over to other questions or sections; this ensures the breadth of knowledge required at this level. We do not disclose marks beyond pass or fail.
Assessment marking and feedback
Please see below an example of the marking and feedback sheet used by our assessors.
| Criteria | FAIL | PASS | Comment |
| --- | --- | --- | --- |
| Practical and Viva | | | |
| Application Enumeration | | | |
| Application Information Disclosure | | | |
| Application Exploitation and Mitigation | | | |
| Network Mapping and Associated Protocols | | | |
| Enumeration and Exploitation of Windows Devices | | | |
| Enumeration and Exploitation of Linux Devices | | | |
| Post Exploitation | | | |
| Report Writing | | | |
| Business Risks / Implications | | | |
| Summary | | | |
| Coherent, Well Written Report Element | | | |
| Technical Interview | | | |
| Current Technology | | | |
| Older Technology | | | |
| Networking | | | |
| Protocols | | | |
| Mitigation | | | |
| Laws, Ethics, Scope and Risk | | | |
| Additional notes | | | |
| Overall: | | | |
The Cyber Scheme is now an Approved ELCAS Provider
ELCAS provides financial support to eligible armed forces members for higher-level learning, offering up to £2,000 annually over three claim years.
All of our assessments, including our CSFL Foundation Level and our flagship Technical Assessment, Cyber Scheme Team Member (CSTM), as well as our training programmes from entry to advanced level are now fully ELCAS-eligible. These certifications provide pathways to high-demand cyber careers and meet strict government standards for assurance schemes including CHECK and Cyber Essentials.
Provider ID: 13341.
Practical Information
Walking directions to the nearest Pay & Display car park are available.

There are two entry points to the Eagle Tower building where our exam rooms are located. Please make your way to the main entrance on Montpellier Drive and look for the large eagle statue outside the revolving doors. When you arrive, please introduce yourself at reception and take a seat in the reception waiting area, where you will be met by your invigilator.
Our exam rooms are full of natural light, with window blinds and overhead fluorescent lights when needed.
We have drinking water, coffee and tea making facilities in our exam rooms. There is an onsite cafe selling hot and cold food in the ground floor reception area. If you have any allergies please let us know at time of booking.
There are accessible toilets on every floor.
There will be a level of ambient noise due to the proximity of other offices. If needed, please bring your own earplugs or ear defenders when taking an exam. Please note that earplugs or ear defenders are not appropriate during our training courses.
Our rooms are designed specifically to allow for maximum interaction between assessor and candidate, within specific guidelines stipulated by NCSC regarding assessor and candidate ratios. These may change but we currently work to:
CSTM exam – maximum of 6 candidates plus assessor
CSTL exams – maximum of 6 candidates with assessor plus invigilator
CSTM training – maximum of 12 delegates plus trainer
Advanced Mentoring – maximum of 6 delegates plus trainer
The Cyber Scheme believes everyone should have access to a career in security testing. We are available to discuss any concerns you have and are more than happy to make reasonable adjustments for any candidate who requires them during examinations.
These reasonable adjustments are to ensure you are given an equal opportunity to demonstrate the necessary knowledge, skills and behaviours required. We recognise that not all disabilities are visible.
We have a range of reasonable adjustments we can offer depending on what difficulty you might face. If you request an adjustment which we are unable to offer, we will give you a reason why we cannot offer it. This might be because it maps to a key Knowledge, Skill or Behaviour that we have to assess against within the certification. If that is the case, we will tell you which aspect we think would not be properly assessed.
There may be background noise during an assessment. Please bring (or ask for) ear plugs / ear defenders or listen to music if background noise is likely to affect your concentration.
Mobility
Access to all of our facilities is suitable for people with mobility issues. Should any other special facilities be required please get in touch at time of booking. For some reasonable adjustments, such as access to a disabled parking space, we will need to see supporting documentation around the condition to allow us to apply for this access for you. No information will be retained or stored once the request is validated.