At CybaVerse, the quality of our testing comes down to the people doing it, so we're pleased to share that Michael Jepson, our Head of Penetration Testing, has passed the Cyber Scheme Team Leader (CSTL) Web Application exam.
It's a notable milestone, both for Michael and for the wider team. The CSTL sits at the CHECK Team Leader level, the standard the NCSC recognises for leading penetration tests on UK government and critical national infrastructure work, and a pass demonstrates the technical standard required on the route towards the Principal title with the UK Cyber Security Council.
In short, it's one of the more demanding technical assessments in UK security testing and it directly strengthens the depth of capability we can offer our clients.
The Cyber Scheme
What makes the CSTL stand out is that it's built to look like a real engagement rather than a multiple-choice exam or Capture the Flag (CTF) lab. The web application assessment runs in three parts: a client scoping session (15 minutes), a practical assessment of a live application (4 hours) and a debrief interview (30 minutes) in which the candidate walks the client (the Assessor) through their findings and recommendations for remediation.
That format is deliberate. It tests far more than whether someone can find a vulnerability. Candidates have to scope sensibly, identify and exploit the common web flaws (SQLi, cross-site scripting, broken access control, information disclosure), and then explain their methodology, justify their decisions and communicate clearly under exam conditions. As you'd expect at this level, there's no publicly documented route to follow; the scenarios are realistic enough that you have to understand the underlying flaw, adapt and chain issues together to earn the marks. It's an assessment of whether someone can lead a test, not just run one, which is exactly the skill set our clients rely on.
We asked Michael what the preparation came down to. The themes won't surprise anyone who tests web applications for a living, but they're worth repeating.
In the exam, the detail comes out of the scoping interview, and working within those boundaries is part of what's assessed; stray outside them and the consequences are severe. That same discipline matters even more in the real world, where the scope is set by the client's written authorisation. Knowing exactly what you're permitted to touch and what's off-limits isn't red tape; it's what keeps testing legal, safe and trusted, and it's how you make sure you never cause disruption the client didn't sign up for. A good tester treats the agreed scope as a hard line and only goes outside it if the change is formally documented and agreed.
Before reaching for anything clever, map the application properly. Use it the way it's meant to be used, proxy every request and response, read the server responses and any client-side code, work out how authentication and sessions are handled, then test every input point: forms, parameters, headers, uploads and so on. A methodical map is what turns individual findings into a genuine attack path, and the attack path is what counts.
This is the point Michael stresses most. It isn't enough to recognise the potential vulnerabilities; you have to understand how each one works, how flaws can be chained into an attack path and how to exploit them manually. At this level, leaning on automated tooling won't get you the marks; automated scanners return noise, half-findings or nothing at all. The marks come from understanding a flaw well enough to find and exploit it yourself, then explaining exactly what you did and why. Automated scanning has its place as a first sweep for coverage, but the finding always has to be proven and understood by hand.
Sustained hands-on practice on deliberately vulnerable applications and structured web-security labs is what builds the manual technique the exam rewards. Michael primarily used Hack The Box (HTB) and TryHackMe (THM), with his favourite being PortSwigger's Web Security Academy.
For us, a CSTL pass is more than a certificate on the wall.
CHECK Team Leader-level capability is part of how we give clients confidence that their testing is being led by people who meet the standard set by the UK's national authority on cyber security. It also reflects something we care about as a business: backing our people to keep developing and holding our own work to a high technical bar.
That investment shows up on every engagement: sharper testing, clearer reporting and findings that genuinely help clients fix the right things before someone with worse intentions finds them first.
For anyone on the team or in the wider community weighing up the CSTL App, Michael's advice is simple: get comfortable with the parts that aren't ethical hacking, because scoping conversations, explaining findings out loud and recommendations to remediate or mitigate all carry marks. Cover the legal and ethical side properly. Manage the clock and document as you go. And above all, build the manual skills to find and exploit flaws yourself, chain them together and know the relevant bypass techniques, because these combined are what the assessment is really there to measure.
A huge congratulations to Michael from everyone at CybaVerse, a well-earned result.
If you'd like to talk to our team about our CREST-accredited penetration testing service and how it could be suitable for you and your business, we'd be glad to hear from you - Click here to get in contact.