Like many industries, cyber security is full of acronyms and abbreviations – and this also extends into qualifications.
We talk to and work with a lot of people who are either trying to break into a career in penetration testing, or who work at a consultancy that delivers services to the UK Government, and they all ask us about whether they need these qualifications and how to obtain them.
How can they prove they have the skills to be a pentester? What are all the different exams and what exactly is the best pathway, process or steps to becoming a CHECK Team Member?
In this blog, we’ll explore junior to mid-tier qualifications and how they relate to the CHECK Scheme.
First off, what is CHECK?
The CHECK Scheme is a UK Government initiative overseen by the National Cyber Security Centre (NCSC) that certifies companies and individuals to conduct authorised penetration testing of public sector and Critical Network Infrastructure (CNI) systems and networks.
There are lots of penetration testing companies on the CHECK scheme – and lots that are not. Being a ‘CHECK company’ simply means that the penetration testing team are authorised and skilled enough to test government systems.
Within a CHECK company, members of the pentesting team will hold either CHECK Team Member (CTM) or CHECK Team Leader (CTL) status. To obtain these standards, testers need to have passed security clearance and also obtained the appropriate qualification from either of the two approved exam bodies (CREST and The Cyber Scheme).
So what exactly are those appropriate qualifications?
- Cyber Scheme Team Member (CSTM)
The Cyber Scheme offers a certification known as Cyber Scheme Team Member (CSTM), which is a junior to mid-tier qualification. It is focused on building foundational knowledge and understanding of cybersecurity concepts, terminology and best practices, geared towards delivering penetration testing.
As a consultant, obtaining the Cyber Scheme Team Member certification demonstrates your commitment to professional growth and establishes a solid foundation for further specialisation.
The format of the exam is as follows:
- one-hour 100 question multiple choice exam
- one-hour written paper, covering both theoretical and practical aspects of penetration testing
- two-hour practical assessment
- 15–30 minute viva, where the invigilator will ask for a synopsis of findings from the practical assessment
How much will it cost me?
The cost of the exam from The Cyber Scheme is £600, plus VAT. It is worth noting that there is only one examination centre, at their HQ in Cheltenham, so factor in travel depending on where you are located.
- CREST Certified Professional for Security Analysts (CPSA) and CREST Registered Tester (CRT)
CREST has broken its junior/mid-tier qualifications into two sections, one covering theory and the other practical aspects.
CPSA is designed to validate the skills and competence of security analysts in conducting vulnerability assessments and penetration testing. The exam itself is entirely theory based, with a multiple-choice question set. The question set is very broad and is drawn from a random pool on the day of your assessment.
The CRT is a practical assessment – you must complete a set of hands-on exercises against a lab environment to prove your technical competency.
In terms of format, CPSA is a multiple-choice paper that can be taken at any Pearson Vue centre.
CRT is a practical exam in which you must complete a hands-on assessment within the allotted time, at a CREST approved facility.
How much will it cost me?
The total cost for the exams is £670 plus VAT, made up of £275 for CPSA and £395 for CRT.
What is the difference between these pathways – and which should I take?
Ultimately, this all tends to come down to where you want to work and what their preferred qualifications are. Some companies have a preference, others don’t. And some don’t feel the need to have any of these qualifications.
However, by obtaining either CRT or CSTM, you will have demonstrated the technical skills required to be a CHECK Team Member and will be able to obtain this status once you have security clearance, if you are employed by a CHECK company.
North Green offers a wide range of courses and workshops, including those focused on building the skills required for these qualifications. To find out more, get in touch with the team – we’d love to hear from you.