ISTQB Certified Tester Security Test Engineer (CT-STE) Practice Exam
About ISTQB Certified Tester Security Test Engineer (CT-STE) Exam
The ISTQB Certified Tester Security Test Engineer (CT-STE) is a globally recognized specialist certification that equips testing professionals with the knowledge, skills, and methodologies required to plan, design, and execute security testing activities across complex IT environments. The CT-STE certification addresses the full security testing lifecycle, from understanding security paradigms and risk exposure through to vulnerability reporting and tool selection. It is grounded in internationally recognized standards and best practices, ensuring that certified professionals can operate effectively within diverse organizational and regulatory contexts. By obtaining this certification, professionals demonstrate their ability to contribute proactively to an organization's security posture, creating maximum transparency around effective security risk exposure and enabling the defense of systems
Who should take the exam?
- Software Testers and Test Analysts seeking to specialize in security testing
- Test Managers responsible for overseeing security test activities
- Software Developers who wish to integrate security awareness into their development practice
- Project Managers and Business Analysts requiring a foundational understanding of security testing
- Quality Managers and Software Development Managers overseeing quality and security programs
- IT Directors, Operations Team Members, and Management Consultants advising on security posture
Exam Details
| Examination Parameter | Details |
| --- | --- |
| Format | Multiple-choice questions (single and multiple correct answers) |
| Number of Questions | 40 |
| Total Available Points | 43 |
| Passing Score | 28 points (minimum required to pass) |
| Exam Duration | 75 minutes |
| Extended Time (Non-Native) | +25% additional time (93 minutes total) |
| Language Availability | Multiple languages via ISTQB® Member Boards |
| Delivery Mode | Proctored (via accredited exam providers) |
Exam Prerequisites
- Core Stream — Advanced and Expert Level certifications
- Agile Stream — certifications addressing agile testing practices
- Specialist Stream — additional domain-specific certifications
Skills Required
- Valid ISTQB CTFL certification (mandatory prerequisite)
- Basic knowledge of TCP/IP protocols, firewalls, and technical vulnerabilities (recommended)
- Familiarity with SDLC models — Waterfall, Agile, DevOps
- General software quality assurance and testing experience
- Practical hands-on experience in software testing (recommended)
Knowledge Gained
- Understanding of core security paradigms and their influence on security testing
- Asset classification, security levels, Zero Trust principles, and OSS security risks
- How to plan, design, and execute security tests aligned to risk levels
- Evaluating the effectiveness of existing security controls
- Identifying and classifying vulnerabilities and weaknesses in IT systems
- Building a comprehensive security test strategy including confirmation and regression tests
- Adapting security testing to different organizational structures and regulatory environments
- Aligning security testing with SDLC models (Agile, DevOps, Waterfall, Maintenance)
- Applying international standards and best practices — ISO/IEC 27001, OWASP, and others
- Feeding security test results into an Information Security Management System (ISMS)
- Writing detailed security test reports with findings, evidence, and vulnerability tracking
- Selecting and applying the right security test tools for a given context
Course Outline
- Asset Security Levels — classification and risk-based assessment of system assets
- Security Audits — principles and practice of structured security reviews
- The Concept of Zero Trust — applying zero-trust architecture principles to security testing
- Open-Source Software (OSS) — security considerations when incorporating open-source components
- Applying Security Test Types According to a Test Context
- Applying Security Testing — practical execution of security tests across system components
- The Security Test Process — end-to-end process for planning and governing security tests
- Designing Security Tests — creating test scenarios, cases, and data aligned to risk levels
- Introduction to Standards and Best Practices
- Apply Important Standards and Best Practices for Security Testing (e.g., ISO/IEC 27001, OWASP)
- Leveraging Standards and Best Practices to enhance security testing effectiveness
- The Impact of Organizational Structures in the Context of Security Testing
- The Impact of Regulations on Security Policies and How to Test Them
- Analyzing an Attack Scenario — structured analysis of realistic threat and attack patterns
- The Effects of Different Software Development Models on Security Testing (Waterfall, Agile, DevSecOps)
- Security Testing During Operations and Maintenance
- Acceptance Criteria for Security Testing
- Input for an Information Security Management System (ISMS)
- Improving an ISMS by Adjusting Security Testing
- Security Test Reporting — structure, content, and delivery of security test reports
- Identifying and Analyzing Vulnerabilities — systematic vulnerability discovery and classification
- Close Identified Vulnerabilities — remediation tracking and verification processes
- Categorization of Security Test Tools — understanding tool families and their application
- Applying Security Test Tools — practical guidance on tool selection and deployment
