Disclaimer
Good afternoon, or morning, or whatever time it is for you, wherever you may be. I'm not your scheduler.
This is my first ever blog, so it might be a little rough around the edges. But if you're a junior pentester, student, or someone figuring out what to do with your life... then the CSTM is the answer to all your worries, because you'll forget about everything else and gain one single, massive source of stress instead.
Also, I decided to write this entire blog in raw HTML. So formatting it? That’s my favourite pastime.
But seriously, I hope you get something useful out of this.
Where It Began
Imagine this. It's January 2025. You’ve just graduated uni a few months earlier, still blissfully unaware of how much student debt you've racked up. And somehow, by some miracle, you land a job.... Associate Security Consultant.
Sounds sick, right? It was. Everything I thought I wanted. A job straight into pentesting. I didn’t have to sell my soul at the helpdesk or crawl through the SOC trenches.
For months before that, people told me it couldn’t be done. “You have to start in support,” they said. “Nobody just starts in pentesting.”
But there I was, and let me tell you, I was comically unprepared. I knew what Nmap was, sure, but in my interview I completely fumbled a basic question like "What is the difference between a reverse and bind shell?"
I walked into this job with the technical confidence of a wet flannel.
But I worked hard. I got a lot of things wrong. A few things right. And in just four months, I went from almost zero practical experience to comfortably passing the CSTM.
This blog is about that journey, and the advice I’d give to anyone starting from the same place.

Phase 1: Bootstrapping
Ah.... the panic learning arc. One of the best parts of starting a new job, shortly followed by the imposter syndrome arc.
Neither of which I thoroughly enjoyed. But it isn't about how much you know, it's about how much you're willing to learn.
When you're new in a field like cybersecurity, it really does feel like everyone around you is 10x smarter and you don’t belong. Let that fear and insecurity motivate you to push harder and learn more. (Top Gun theme song starts)
But seriously, it’s not an easy field. You are constantly learning, constantly questioning yourself, and constantly trying to "catch-up". If you’re feeling overwhelmed, good. That means you care.
How I Taught Myself (fast)
So let’s get into the nitty gritty of how I actually taught myself what I needed to pass the exam. Before I dive in though, it’s worth saying, I was in a lucky position. The company I work for gave me the chance to shadow real engagements and do hands on testing against actual external infrastructure and web apps. So I wasn’t just working through labs, I was getting real world exposure alongside my self study.
Web Application Testing
Right, there’s no debate when it comes to web app labs. The king of the castle is PortSwigger. If you’re not using their Web Security Academy, then honestly... you’re behind. The labs are comprehensive, well-explained, constantly updated, and most importantly, free.
That said, there is a caveat. If you’re taking web testing seriously, Burp Suite Professional is a must. You can try to get by with the Community Edition, but you’ll hit limitations fast. Just bite the bullet and invest, it pays for itself in confidence and speed and if you are a bug bounty hunter, it may pay itself off with your first finding! Seriously! I knew a guy who bought the license, and using the active scan (for a bug bounty programme) found a misconfig which immediately paid the license off for the software.
Anyway, my advice? Study hard. Depending on how much time you’ve got, you should be aiming for at least one lab a day once you’ve learned the OWASP Top 10. And I mean actually learned it, not just skimmed it. The biggest trap is learning web, switching to infrastructure for weeks, and forgetting it all. Don’t do that. Keep up with the labs. Mix in some of the "mystery" labs on PortSwigger too, they’re great for testing what you actually know.
The core advice for learning web apps is this: enumeration and sh*t loads of notes. Make loads of notes. Build your own cheat sheets. Got a list of XSS payloads? Great. Stored it in a way you’ll actually use? Even better. Your notes are your backup system, the bedrock. When everything goes wrong, and your brain goes "" mid exam, you want something solid to fall back on. That sweet, comfy safety net.
Infrastructure
Infrastructure is a little different to web when it comes to what labs are considered the best, and honestly, it’s a bit of a controversial topic. But generally, if you’re just starting out, HTB or TryHackMe is perfectly fine.
Both platforms offer solid learning paths. HTB Academy and TryHackMe have beginner to advanced modules, and you’ll find value in both. Broadly speaking, you need good foundational knowledge of common services. FTP, SMB, NFS, SNMP, and so on. You need to understand how to enumerate them quickly and perform common attacks or misconfig exploit chains.
You also need to understand what you’re looking at and be able to justify why you used a specific tool or flag to meet a particular objective. The exam isn’t just about what worked, it’s about why it worked.
My advice? Learn all the basics. Build a strong mental map of each service — what ports they run on, how they behave, and how to break them. More importantly, create solid personal cheat sheets with the key commands and flags for each one. Because in the exam, your brain will forget something. But if your cheat sheet is solid, you’ll have multiple fallback methods.
And then there’s privilege escalation. The dreaded privilege escalation, especially on Windows. But it’s not as bad as you think. Learn the basics first, work through paths and modules at your own pace, and make notes. Everything will start to click, but only if you keep pushing.
Some tools I’d recommend you’re familiar with:
- enum4linux-ng
- Nessus (or at least basic vulnerability scanning with Nmap scripts)
- smbclient
- Metasploit
- dig
This isn’t an exhaustive list or a guarantee that you'll need it for the exam, but it should give you a general idea of the tools you’ll want to understand before your exam.

Report Writing
Okay, this will be a short and easy section. But let me be clear... do not sleep on report writing.
I know someone who passed the technical portion of their exam but only wrote two sentences for the executive summary... and they failed.
The best thing you can do? Write mock reports for vulnerable labs on TryHackMe or Hack The Box. Treat them like the real dealio, include an executive summary, technical breakdown, and findings. Take it seriously, then ask a senior colleague to review and give feedback.
Don’t just focus on pwnage. Make sure you can actually explain what you did and why it matters and what the fixes are. If you can't do that, you’re not done.
Phase 2: Mindset & Feelings
Wow... that last section was a heavy one. Hopefully it didn’t mentally wear you out, because that’s a real issue I faced while preparing for my exam. I got seriously burnt out.
Because of the timescale, I had to cram a lot of information into my tiny pea brain in a short space of time. And yeah, it broke me a bit.
I can’t give you universal advice here. I’m not a psychologist, and everyone handles stress differently. But for me, exercise helped a lot. Running and indoor climbing gave me something to switch off with, and kept me fresh for the next day of training.
Now let’s talk mindset, specifically, the exam mindset.
Again, this is personal. But I walked in with this thought: “I’ve prepared as much as I can. I can’t change anything now. I just need to trust what I’ve learned.” And that helped me stay calm and avoid the classic exam flapping (panicking).
You do not want to flap in the exam. Seriously. If your nerves get the best of you, it spirals fast, especially under time pressure. If you hit something you don’t know, flag it, move on, and come back later if you can. It’s not a test of pride. It’s a test of control and time management.
Phase 3: Exam Debrief
Okay, so you’ve done the exam. Now you’re stuck in limbo, no idea if you’ve passed or not. Don’t panic, that’s exactly how everyone feels.
The usual post-exam feeling is: “Ahh... it’s 50/50.” Totally normal.
The main thing to remember is this, you probably did better than you think. And even if you didn’t pass, it’s not the end of the world. You can always resit. Loads of brilliant testers didn’t pass first time.
Honestly, the waiting period was harder than the exam itself. For me at least, that part killed me, but it was worth it when the result came in and I found out I passed.
Anyway, thanks for reading. I hope you found something useful in here. If you’ve got any questions or just want to chat about the journey, feel free to reach out on LinkedIn.
All the best,
Ellis