Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Web Security Academy engineering team

"We work on the Web Security Academy, the leading free resource to learn and hone your web hacking skills."

Adam P, Technical Product Manager, Web Security Academy

Adam P academy

Key functionality

The Web Security Academy provides hundreds of thousands of custom generated legally-hackable websites each month, covering the whole range of common vulnerabilities you'll find present in the wild. We build and provide interactive labs, and accompanying learning materials, built to the spec of the world's top web hackers.

Additionally, we produce new labs to accompany the exciting techniques unveiled by the PortSwigger Research team. This enables our users to understand the very latest, cutting-edge vulnerability classes, and the associated discovery and exploit techniques.

We also provide the Burp Suite Certified Practitioner exam, along with the mystery lab challenge and practice exam, to allow our extensive Burp Suite Professional user base to test and prove their skills as a pentester at the top of their game.

Finally, we host and maintain the Gin and Juice Shop - the go-to application to allow you to see if your vulnerability scanner is performing correctly, and is therefore worth your time and money!

Problem space

We model many disparate technologies and web app architectures to provide real-world labs for tens of thousands of monthly users to hack. This means that we have to understand those technologies, and be able to determine where the boundaries of that hacking should be. We have to juggle showing off vulnerable technologies while ensuring our platform remains secure, which can get very tricky when we get right down to bytes flowing over the network.


Our core platform has very few third-party dependencies - the whole platform, including our web servers, parsers, and crypto, is written in plain Java. We demonstrate specific vulnerabilities by loading third-party libraries, executables, and even by calling out to other languages like JavaScript, PHP, Python, and Ruby.

Our infrastructure is based around Docker containers. It's hosted in the cloud on AWS via ECS, and is backed by EC2 instances and Fargate. We orchestrate all of this using Cloud Formation.

Day-to-day we employ test-driven development and browser-driven acceptance testing to avoid bugs, and of course make sure that our labs are solvable. We also spend plenty of time making sure to go back and refactor those bits of code that keep us up at night.

What we've been working on

Meet the Swiggers

We are a diverse group of people with a wide range of interests and backgrounds. What Swiggers have in common is that they all love their work and are exceptionally good at what they do.

Jess H

Jess H, Culture Champion

Mike S

Mike S, Software Developer

Mohamed H

Mohamed H, Software Developer