Security Testing
Formerly Pen Testing
Role overview
Security Testing (formerly known as Pen testing or Penetration testing) provides Cyber Security assurance by attempting to penetrate existing defences, feeding back on the vulnerabilities found (whether in a system, an application or across the entire IT estate), and co-ordinating the production of a remediation action plan.
Role levels
Associate: typical role expectations
At this role level, you will:
- Support the scoping, conducting and procurement of penetration tests, red team exercises, vulnerability assessments of IT assets, and other tests to assess the robustness of a system, product or technology
- Disseminate the implications of test findings, relaying the potential business impact if vulnerabilities are exploited
- Engage with internal and external stakeholders to provide appropriate Cyber Security assurance in accordance with policy and regulations
- Report potential issues and mitigation options to appropriate stakeholders or governance forums
- Contribute to the review and interpretation of reports and contribute to remediation action plan production
Lead: typical role expectations
At this role level, you will:
- Scope, conduct and procure penetration tests, red team exercises, vulnerability assessments of IT assets, and other tests to assess the robustness of a system, product or technology
- Disseminate the implications of test findings and explain the potential business impact if vulnerabilities are exploited
- Co-ordinate engagement with internal and external stakeholders to manage and provide appropriate Cyber Security assurance to the required standard and in accordance with policy and regulations
- Advise on potential issues and mitigation options to appropriate stakeholders or governance forums
- Review and interpret reports and co-ordinate and manage remediation action plan production
Principal: typical role expectations
At this role level, you will:
- Lead large-scale, cross-functional or highly complex penetration tests, red team exercises, vulnerability assessments of IT assets, and other tests to assess the robustness of a system, product or technology
- Disseminate the implications of test findings to senior leadership across government, explaining the potential business impact if vulnerabilities are exploited
- Lead engagement with senior internal and external stakeholders to manage and provide appropriate Cyber Security assurance to the required standard and in accordance with policy and regulations
- Advise on complex issues and mitigation options to appropriate stakeholders or governance forums, acting as an SME across government, the public sector, and industry
- Be the key decision maker on reports, overseeing the remediation of vulnerabilities post-penetration testing
Skills
| Skill | Associate | Lead | Principal |
|---|---|---|---|
| Penetration testing | Working | Practitioner | Expert |
| Information risk assessment and risk management | Working | Practitioner | Expert |
| Protective security | Awareness | Working | Practitioner |
| Threat understanding | Awareness | Working | Practitioner |
Core learning
Entry level
CREST Practitioner Security Analyst
Foundation Certificate in cyber security
CompTIA IT Fundamentals
Associate level
Tiger Scheme Qualified Security Core Team Member (QSTM)
CompTIA Cybersecurity Analyst (CySA+)
CREST Registered Penetration Tester
SEC560: Network Penetration Testing and Ethical Hacking
GIAC Certified Penetration Tester (GPEN)
Lead level
CREST Certified Infrastructure Tester
(ISC)2 Certified Information Systems Security Professional (CISSP) training, including exam
Advanced Infrastructure Hacking
Principal level
CREST Certified Simulated Attack Specialist
CompTIA Advanced Security Practitioner (CASP+)
SEC699: Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection
Accreditation
UK Cyber Security Council: Standard of Professional Competence and Commitment: Security Testing