Cyber Scheme Team Member (CSTM)

Cyber Scheme Team Member (CSTM)

From the moment candidates enter the class they will be introduced to the highly technical world of penetration testing. Whether you are manipulating network traffic to grab passwords with Ettercap, network mapping with Nmap or seeking out vulnerabilities with Metasploit – you will find yourself in a fascinating and engaging environment that will prepare you for the role of pen tester.

During the CSTM course, candidates are taught the theoretical & practical aspects of penetration testing in a real-life, hands-on scenario. You will take part in a mock penetration test against a fictitious client; however, the tools and techniques used will be real. From the moment candidates enter the class they will be introduced to the highly technical world of penetration testing.

The week ends with a full practical day, allowing candidates to consolidate the skills gained.

NCSC (National Cyber Security Centre) mandates that all government penetration testing work must be conducted by organisations that have achieved CHECK status. NCSC deem the CSTM exam to be equivalent to the standard required for a CHECK Team Member (CTM).

Who is it for?

CSTM – IT professionals in public or private enterprise who are involved in or interested in vulnerability/penetration testing and IT security who wish to test their penetration testing skills to a standard accredited by NCSC/GCHQ.


Successful candidates will receive a ‘Certificate of Attainment’ issued by the Cyber Scheme valid for 3 years. The CSTM is a recognised equivilancy to CHECK Team Member under the NCSC CHECK Scheme and is a requirement to obtain this status, but please note too that CTM status may only be provided by NCSC, subject to status and employment, following successful completion of this examination.


Multiple-choice exam — 1 hour
Multiple-choice examination of 100 questions for which one hour is allocated. This is a closed book assessment.

Written exam — 1 hour
Written examination paper consisting of four questions of which candidates answer two. This is a closed book assessment.

Practical exam — 2 hours
Candidates will sit their practical assessment, for which they have a total of 2 hours to complete the set tasks. Candidates will not be provided with a connection to the Internet and will not be permitted to make use of an Internet connection.

  • Candidates must bring a system capable of conducting network and host discovery and demonstrating or identifying vulnerabilities.
  • Candidates may use any software tools they deem appropriate; however, they must ensure they are appropriately licensed and function correctly.
  • Failure to demonstrate penetration test capabilities due to hardware or software misconfiguration may result in failure.
  • Each candidate will be required to connect their testing system to an external monitor and mirror their screen so that they may be scrutinised during the assessment. If a candidate’s testing system is not capable of performing this action, they may fail the practical element of the test.

Viva exam — ½ hour
On completion of the practical stage, candidates are requested to provide a synopsis of their findings to the examiner in a viva environment lasting no more than 30 minutes.

Once all four stages of the assessment are completed, the examiner will send the examination papers and notes on the practical test and viva for marking and final assessment.


  • Information security in the corporate world
  • Professionalism and communication skills
  • Ethics and the law
  • Core network protocols
  • Network enumeration and network mapping
  • Network device management and exploitation
  • Service enumeration
  • Service topology/dependency mapping
  • Application enumeration and profiling
  • Application and operating system management
  • Application and operating system exploitation

Skills Covered

All learning units are undertaken alongside practical exercises within the Merimetso labs.

  • Knowing the threat actors and their motives
  • Knowing your clients and why they engage your services
  • Supply chains, their impact and your responsibilities to them
  • Basic security monitoring
  • Pen test methodologies
  • Information gathering techniques – OSINT, passive network sniffing, DNS.
  • Computer Misuse Acts
  • GDPR and Data Protection
  • Using KALI
  • NMAP and port scanning tools
  • Metaspolit
  • The OSI Model
  • TCP/IP and UDP protocols
  • ARP, FTP, IPsec, Wireless networking, DNS
  • Introduction to encryption
  • Active directory domains
    o RID and SID
    o LDAP
  • Operating systems and their architectures
  • System memory
  • Access control models and how they apply to operating systems
  • GRC security policies
  • OWASP Top Ten website penetration testing
  • Writing Reports
  • Understanding Risk Rating and Threats
  • Risk Scoring and Ranking
  • Pen Testing ‘Language’ and Terminology
  • Risk Management and Risk Analysis


Candidates undertaking CSTM will be expected to have at least the following:

  • Experience of Windows and Linux operating systems in a networked environment
  • CLI skills, including navigating file systems and manipulating files and directories for both Windows and Linux
  • Ability to interrogate network systems for basic information, such as IP address and MAC address
  • Knowledge of network fundamentals (IP addressing, subnets, routing)
  • Familiarity with TCP/IP stack and OSI model
  • Knowledge of common Internet protocols (HTTP, FTP, DNS etc.)

Course Dates

The Cyber Scheme Team Member examination is currently being provided in a safe face to face setting by the Cyber Scheme at their head quarters in Cheltenham, UK. If you wish to sit the exam a date will be provided for attendance at the Cheltenham examination centre prior to the commencement of your course and is typically within two working weeks of the completion of the course. These measures are currently in place due to social distancing restrictions.

Our training courses run virtually from Mon to Friday. The dates below are available, however should your team require a different date please contact us.

  • 24-28 May 2021
  • 7-11 June 2021
  • 21-25 June 2021
  • 5-9 July 2021
  • 19-23 July 2021
  • 2-6 August 2021

Contact us for availability. All courses are currently run 0930 - 1700 BST.

Course Details

Enquire for price
Course Inclusions
All course materials
Course Length
Other Information
All Merimetso courses are rooted in instructor led mentorship to ensure that no one attending gets left behind in the subject matter and all attendees receive the practical support they need to succeed.
Ready to get started?
Contact us today for a tailored quote
Start Now