The Cyber Scheme sat down recently with Shaun Peapell, VP of Global Threat Services at Rootshell Security, to discuss his recent achievement: becoming the first person to earn both the new CSRTM (Cyber Scheme Red Team Manager) certification and the Chartered Cyber Security Professional (ChCSP) title, under the Security Testing specialism, using the CSRTM as a measure of technical competency.
Shaun has been a key supporter of the development of CSRTM since its inception and was involved in piloting the assessment. We spoke to him about his motivations, background, and thoughts on the certification’s relevance.
“I’ve been in the security industry for some years now. I started off in the military and then progressed into various aspects of IT security including digital forensics. I started pen testing about 2011, and I got the bug. I never looked back from there. What I found interesting was the assimilation of a lot of military terms – terms like weaponise and natural movement were already familiar to me. It all just made sense from the get-go”.
Now leading threat services at Rootshell, Shaun helps guide strategic direction while staying hands-on with Red Team operations. When the CSRTM pilot came up, it piqued his interest.
“I wasn’t planning on re-certifying; my CSSAM had expired, but looking at the CSRTM I realised it aligned perfectly with my current role. Every day I get involved in some kind of red team or simulated attack; I am working with clients on a daily basis, and I really enjoy it. So, the CSRTM just made absolute sense.”
The assessment process stood out to Shaun for its realism and focus on experience over theory.
“I was looking at the way that The Cyber Scheme were addressing the problem of validating skill. It wasn’t just a ‘sit down at a PC and tap away what do I know on that day’, this was very much a validation of ‘what is my experience, how do I deal with things as a manager, how would I look to cope with this, what would be my next step’ – it mimicked real-life pressure; scoping exercises, stakeholder management, legal and ethical considerations. It measured the decisions I make every day. Also, knowing respected leaders were shaping the assessment gave it weight. If I passed, it meant something.
“The day of the assessment was great, the way it was put together flowed really well. We built and presented a plan, were challenged on our thinking, and discussed our decision making in depth. It wasn’t just technical; we explored legal obligations, team dynamics. It was good to have that final interview too; it encourages you to discuss ideas and directions because everyone’s got a different experience. That would just not be possible if this was a straightforward question and answer exam”.
Shaun hopes his experience will encourage others in Red Team management to take the assessment and align it with a Professional Title.
“If you’re doing this as a day job, then you will find it quite a challenging but enjoyable process. If you know the theory, you’ll get part way. It’s the experience that gets validated. It’s not something that can be brute forced; it’s not something that can be cheated. You’ll need to understand the technical demands, and also those soft skills; running a team, understanding bias, things that you know only come from experience.
“You don’t need to be super technical. This is for managers who understand the full picture; leading teams, handling tough situations, and navigating complexity. If you’re doing that, you’re ready.”
Thank you to Shaun for his insights. You can also see a video of him chatting to us about his experience here.
If you’d like to know more about The Cyber Scheme’s Red Team Manager assessment, and how it can lead to a Professional Title, please click here.