Cyber Scheme Team Leader (CSTL) Infrastructure Exam


A pass in this technical qualification is one of the mandatory assurance checks undertaken by the NCSC before CHECK Team Leader Status can be awarded. Cyber Scheme cannot award CHECK status, but do award Certificates recognised by NCSC as confirmation that the necessary technical standard for CHECK has been met.

The exam is also suitable for individuals who want formal certification of Expert level understanding of the theory and practical elements of cyber security and Penetration Testing.

In order to pass the CSTL exam, a candidate must demonstrate all of the following:

  • Appropriate interaction with the commissioning client;
  • Knowledge of the process of conducting a penetration test including legal and ethical issues;
  • Core capability to exploit vulnerabilities of MSWindows devices or systems;
  • Core capability to exploit vulnerabilities of Unix devices or systems;
  • Core network mapping capability;
  • Advanced capability to exploit MSWindows OR Unix OR network devices.

The CSTL exam is structured to simulate a real-world penetration test for a client. It comprises three phases:

Phase 1 – Scoping

Candidates will share a common scoping briefing. Following the common scoping briefing, individually candidates will have up to 10 minutes to ask questions concerning the scope of the penetration test. During the individual scoping session, the Assessor will play the role of the commissioning client. The candidate’s performance during the individual scoping session will form part of the assessment.

Phase 2 – Practical Penetration Test

The candidate’s laptop will be connected to the assessment infrastructure, from which they will perform the practical penetration test, as defined in the scoping session. Connectivity will end after 4.5 hours. During the final 30 minutes the candidate will be advised to prepare for the interview which follow.

Phase 3 – Interview

During the interview the candidate will be required to produce a network diagram on a white board or flip chart. The network diagram must logically detail the infrastructures architecture at the network/IP layer (OSI layer 3), clearly showing all hosts, interfaces, subnets, subnet masks, firewalls and routes. The interview is an assessed component of the examination.
A candidate will also be expected to inform the commissioning client (Assessor) of the significant aspects/findings during the practical penetration test they conducted.

Exam Topics

The technical skills candidates will be expected to demonstrate include:


  • Understanding misconfiguration of protocols such as SMTP, NFS, FTP, DNS
  • Advanced methods of information enumeration
  • the ability to map a network
  • port scanning
  • Identification of valuable hosts on a network
  • Traffic analysis
  • Wireless networking weaknesses
  • Pivoting
  • Firewall evasion

Web applications

  • Understanding basic web application vulnerabilities such as SQLi, XSS, LFI/RFI

Host exploitation

  • Understanding of differences between OS’s
  • Identification of server vulnerabilities
  • Exploitation of server vulnerabilities
  • Privilege escalation
  • Breakout techniques

If you have a physical disability or other support requirements when sitting the exam we make allowances for all scenarios in terms of additional time, adaption of exam environment and personal assistance. Please inform us at time of booking and ensure you speak with your assessor on the day of the exam in order to ensure your needs have been properly addressed.

Contact us if you have any queries: