Certified Security Tester


The ISTQB® Security Tester (CT-SEC) certification focuses on planning, performing, and evaluating security tests from multiple perspectives including risk, requirements, vulnerability, and human factors. It also covers security testing tools and standards.


The Security Tester certification is aimed at people who have some experience in security testing and wish to further develop their expertise in security testing.

Entry requirements

To gain this certification, candidates must hold the Certified Tester Foundation Level certificate and not less than 3 (three) years of relevant academic, practical, or consulting experience.

Course Content

  • The Basis of Security Testing
  • Security Testing Purposes, Goals and Strategies
  • Security Testing Processes
  • Security Testing Throughout the Software Lifecycle
  • Testing Security Mechanisms
  • Human Factors in Security Testing
  • Security Test Evaluation and Reporting
  • Security Testing Tools
  • Standards and Industry Trends

Business Outcomes

Advanced Level testers who have passed the “Advanced Security Tester” module exam should be able to accomplish the following Business Objectives:

  • Plan, perform and evaluate security tests from a variety of perspectives – policy-based, risk-based, standards-based, requirements-based and vulnerability-based.
  • Align security test activities with project lifecycle activities.
  • Analyze the effective use of risk assessment techniques in a given situation to identify current and future security threats and assess their severity levels.
  • Evaluate the existing security test suite and identify any additional security tests.
  • Analyze a given set of security policies and procedures, along with security test results, to determine effectiveness.
  • For a given project scenario, identify security test objectives based on functionality, technology attributes and known vulnerabilities.
  • Analyze a given situation and determine which security testing approaches are most likely to succeed in that situation.
  • Identify areas where additional or enhanced security testing may be needed.
  • Evaluate effectiveness of security mechanisms.
  • Help the organization build information security awareness.
  • Demonstrate the attacker mentality by discovering key information about a target, performing actions on a test application in a protected environment that a malicious person would perform, and understand how evidence of the attack could be deleted.
  • Analyze a given interim security test status report to determine the level of accuracy, understandability, and stakeholder appropriateness.
  • Analyze and document security test needs to be addressed by one or more tools.
  • Analyze and select candidate security test tools for a given tool search based on specified needs.
  • Understand the benefits of using security testing standards and where to find them.

Duration : 4 Days

Format : Classroom / Virtual

Exam Structure

No. of Questions: 45                        Total Points: 80

Passing Score: 52                           Exam Length (mins): 120

(+25% Non-Native Language)

Holders of this certification may choose to proceed to other Core, Agile, or Specialist stream certifications.