VA+ (Vulnerability Assessment Plus)
£550 +VAT
Remote exam with live assessment
Being able to understand the vulnerabilities in an environment is not as simple as clicking ‘run’ on the vulnerability scanner and hoping for the best.
This comprehensive exam has been developed in conjunction with NCSC and IASME and is a requirement for all Cyber Essentials Plus (CE+) assessors that do not have a Lead Assessor qualification. Find out more here.
VA+ is an assessment designed to meet the standards set by NCSC for the appropriate scanning of the controls necessary for Cyber Essentials Plus Certification. At least one member of staff in a service offer for Cyber Essentials Plus must have undertaken a formal penetration testing skills assessment in order to assure the quality of team members who have undertaken the VA+ exam. The reason is that this aligns with NCSC guidance to businesses on the use of Vulnerability Scanning tools here.
This states that “Relationship to manual testing: It should be noted that automated vulnerability scanning cannot compare to manual processes such as penetration testing when it comes to the breadth and depth of test coverage.
Instead, automated scanning should be viewed as a cost-effective way of finding and managing common security issues, without needing to employ specialist security testers.
Similarly, by taking care of the ‘low hanging fruit’ through regular vulnerability scanning, penetration testing engagements can more efficiently focus on complicated security issues that are better suited to a human”.
The VA+ standard is regularly reviewed with IASME and the NCSC.
In October 2024, the VA+ assessment was updated to become a more inclusive and relevant assessment of competency, including a technical update and changes to the exam format. It now includes a comprehensive scoping meeting, a practical and a shorter, closed book multiple-choice section. Candidates are able to present their summary of issues found in any way that suits them – a presentation, a long-form written summary, bullet points and a mind map are all examples of accepted answers.
The syllabus has not changed; only the assessment has been updated. The areas of study, knowledge and skills remain the same. Please click here to download the current syllabus.
What you need to know:
Learning Outcomes:
- Provide an overview of the vulnerability assessment process
- Learn about tools used during the vulnerability assessment process
- Understand the underlying concepts of TCP/IP, Ports and Protocols
- Apply critical thinking to solve problems encountered during an assessment.
Apply tools and techniques to assess:
- External facing interfaces.
- Internal interfaces
- The threat of malware (Antimalware solutions, Application whitelisting)
- Assess the threat of common external attacks (Email, SMS etc)
- Assess the threat of common internal attacks (Web Applications, Downloads).
Learning Objectives:
- Understand Information security in the corporate world.
- Understand the laws and regulations involved with vulnerability assessing
- Understand quantifying and measuring risks associated with vulnerabilities
- Understand how to find internal and external vulnerabilities
- Understand how to test hardening measures for malware
- Report and explain vulnerabilities found throughout a project.
The VA+ assessment:
1. Practical Element – two hours, open book
30 mins – Short scoping exercise where you will be briefed on the assessment you are to conduct. You are allowed and expected to ask questions and contribute to the scoping meeting.
1 h 30 mins – Configure and conduct your vulnerability assessment.
Some time to prepare for the wash up meeting (you can write out your answers, create a PowerPoint, prepare some bullet points, create a mind map – whatever will help you give a summary of the issues found). Plus some time to prepare your answers to technical questions.
2. Wash up meeting and technical questions – 30 mins – open book
You will be asked to present the result of the vulnerability assessment (verbally or with any media prepared as given above).
You will be asked for your technical answers.
Exam Tips:
If you are asked to produce an executive summary the language should be aimed at non-technical executives and should include organisation specific outcomes and consequences.
If you are asked to produce a technical summary this should be a “summary” not the finding details.
If you are asked for remediation advice you are expected to go beyond the tool output provided.
If you have any assumptions or questions regarding the scenarios either state your assumption in your answer or ask your assessor for guidance.
3. Multiple-Choice Quiz – 30 questions, in 30 minutes. Closed book.
You will be asked a series of questions with a single correct answer from four options.
The multiple-choice element allows the candidate to demonstrate their wider understanding of cybersecurity in terms of knowledge, experience, and skills.
The topics and domains are wide in scope and examine topics from an historic stance as well as looking at current practices.
Multiple Choice Study
The multiple-choice element draws from a number of study domains:
Enumeration
The examination and scrutiny of devices, software, and services available on a network which may give information or indication to further disclose the inner workings, structure, and secrets of an unknown system.
An example might be to question what tools are currently available to gather information from a device offering domain name system (DNS) services.
Encryption / Cryptography
The practice and study of securing communications in the presence of adversaries. An example question might be to describe vulnerabilities in different versions of secure shell (SSH).
Laws
The laws, rules, regulations, best practice, and ethics associated with working in cybersecurity. Clients and customers put a lot of good faith in the operatives involved in cybersecurity engagements including the disclosure of information and the trust that is implied by allowing their systems to be scrutinised. An example might be to question what methods and techniques could be used by a cybersecurity consultant to stay within a scope and which laws, rules, regulations, best practices, and ethics would be called into question if not adhered to.
Linux operating system
The use of the Linux operating system has many benefits for the cybersecurity consultant and being aware of these benefits is important. Furthermore, the Linux operating system is used in many industries and is highly likely to be present in some form at most if not all customer sites. Most of the network devices as well as many servers use a Linux operating system.
Networking
Knowledge and understanding of the protocols used for data in transit is invaluable to the cybersecurity consultant. Even though some of the work can be simplified by the use of automated tools, the consultant requires a solid background in low-level computer networking in order to validate results, mitigate issues and troubleshoot problems. Networks come in many flavours such as wired ethernet, wireless, local, and wide area. An example might be to explain how network mapping tools can distinguish between open, closed, and filtered TCP ports on a local area network.
Testing
The testing domain is better described as general cybersecurity knowledge and the soft skills required by a penetration tester. Many cybersecurity qualifications require an understanding of security models, frameworks, concepts, and definitions of cybersecurity terms. An example might be to describe the technical controls involved in the DDPRR security model.
Vulnerabilities
The vulnerability topic or domain is knowledge of vulnerabilities both current and historic. Although an emphasis is placed on vulnerabilities which result in exploitation where remote code execution is possible, knowledge of vulnerabilities which result in information disclosure, denial of service and other types are also part of this domain. An example might be to describe how a particular SSL/TLS vulnerability works.
Windows
The Microsoft Windows operating system is extremely popular with users and administrators alike. Over the years, vulnerabilities and misconfiguration of the Windows operating system have resulted in companies being compromised. This domain is specifically for Microsoft Windows operating system knowledge relating to cybersecurity. An example might be to question where passwords are typically stored on a specific Microsoft Windows server version.
OSMisc
There are other operating systems in use, for example Apple, Android, and Unix, which, although similar, might not be covered by the Windows and Linux domains. An example question might be to ask about ubiquitous vulnerabilities found on Unix systems.
WebApps
The web application domain covers the testing, auditing and scrutiny of web applications, mobile applications, and application programming interfaces (APIs). An example question might ask about a vulnerability specifically associated with web application testing such as session fixation.
Inclusion and Accessibility during exams
The Cyber Scheme are available to discuss any concerns you have and are more than happy to make reasonable adjustments for any candidate who requires them during training and examinations.
These reasonable adjustments are to ensure you are given an equal opportunity to demonstrate the necessary knowledge, skills and behaviours required. We recognise that not all disabilities are visible.
We have a range of reasonable adjustments we can offer depending on what difficulty you might face. If you request an adjustment which we are unable to offer, we will give you a reason why we cannot offer it. This might be because it maps to a key Knowledge, Skill or Behaviour that we have to assess against within the certification. If that is the case, we will tell you which aspect we think would not be properly assessed.
FAQs
The following has been provided as further information – you will be emailed a detailed set of joining instructions when you book your exam.
The VA+ certificate is valid for three years, and the exam will need to be retaken at this point in order to renew.
If you would like to book a re-sit please contact us. Please note that the following re-sit criteria apply:
You will need to wait 4 weeks before re-sitting the exam.
The re-sit needs to be taken within 3 months of original date.