Like many industries, cyber security is full of acronyms and abbreviations – and this also extends into qualifications.
We talk to and work with a lot of people who are either trying to break into a career in penetration testing, or who work at a consultancy that delivers services to the UK Government, and they all ask us about whether they need these qualifications and how to obtain them.
How can they prove they have the skills to be a pentester? What are all the different exams and what exactly is the best pathway, process or steps to becoming a CHECK Team Member?
In this blog, we’ll explore junior to mid-tier qualifications and how they relate to the CHECK Scheme.
First off, what is CHECK?
The CHECK Scheme is a UK Government initiative overseen by the National Cyber Security Centre (NCSC) that certifies companies and individuals to conduct authorised penetration testing of public sector and Critical Network Infrastructure (CNI) systems and networks.
There are lots of penetration testing companies on the CHECK scheme – and lots that are not. Being a ‘CHECK company’ simply means that the penetration testing team are authorised and skilled enough to test government systems.
Within a CHECK company, members of the pentesting team will hold either CHECK Team Member (CTM) or CHECK Team Leader (CTL) status. To obtain these standards, testers need to have passed security clearance and also obtained the appropriate qualification from either of the two approved exam bodies (CREST and The Cyber Scheme).
So what exactly are those appropriate qualifications?
- Cyber Scheme Team Member (CSTM)
The Cyber Scheme offers a certification known as Cyber Scheme Team Member (CSTM), which is a junior to mid-tier range qualification. It is focused on building foundational knowledge and understanding of cybersecurity concepts, terminology, and best practices, geared towards delivering penetration testing.
As a consultant, obtaining the Cyber Scheme Team Member certification demonstrates your commitment to professional growth and establishes a solid foundation for further specialisation.
The format of the exam is as follows:
- one-hour 100 question multiple choice exam
- one-hour written paper, covering both theoretical and practical aspects of penetration testing
- two-hour practical assessment
- 15 – 30 minutes viva, where the invigilator will ask for a synopsis of findings from the practical assessment
How much will it cost me?
The cost of the exam from The Cyber Scheme is £600, plus VAT. Depending on where you are located, it is worth noting that there is only one examination centre, at their HQ in Cheltenham.
- CREST Certified Professional for Security Analysts (CPSA) and Crest Registered Tester (CRT)
CREST has broken its junior/mid-tier qualifications into two sections, one covering theory and the other practical aspects.
CPSA is designed to validate the skills and competence of security analysts in conducting vulnerability assessments and penetration testing. The exam itself is completely theory based with a multiple-choice question set. The question set is very broad and picked from a random pool on the day of your assessment.
The CRT is a practical assessment – you must complete a set of hands-on exercises against a lab environment to prove your technical competency.
In terms of format, CPSA is a multiple-choice paper that can be taken at any Pearson Vue centre.
CRT is a practical exam where you will need to complete a practical assessment in the allotted time, which will take place in a CREST approved facility.
How much will it cost me?
The total cost for the exams is £670 plus VAT, made up of £275 for CPSA and £395 for CRT.
What is the difference between these pathways – and which should I take?
Ultimately, this all tends to come down to where you want to work and what their preferred qualifications are. Some companies have a preference, others don’t. And some don’t feel the need to have any of these qualifications.
However, by obtaining either CRT or CSTM, you will have demonstrated the technical skills required to be a CHECK Team Member and will be able to obtain this status once you have security clearance, if you are employed by a CHECK company.
North Green offers a wide range of courses and workshops, including those focussed on building the skills required for these qualifications. To find out more, then get in touch with the team – we’d love to hear from you.
Setting up your own testing lab environment
A HOW TO GUIDE Introduction Welcome to your journey into building a lab environment with VirtualBox! Whether you are an aspiring penetration tester or just someone passionate about cybersecurity, having a safe and controlled environment to practice and experiment is...
How to Start Your Career In Penetration Testing
A HOW TO GUIDE If you want a career in penetration testing but don’t know where to start, this e-book will take you through what you need to know, with plenty of advice and tips throughout. Introduction Let's be honest. The cyber security industry is a mystery to most...
Crack more passwords with custom wordlists
Password cracking is an essential skill for penetration testers. Whether it is being used to crack a hash you’ve got from using responder, gain a first foothold on a device, or attempting to compromise accounts for lateral movement through a network, it is an...
What are JWT Tokens – and how to ‘hack’ them
JSON Web Tokens – or JWTs – are a common method of providing authentication and authorisation to a web application. While they may seem complex, it is possible to look closely and break down the structure of these three-part tokens, to understand the different...