Hints and guidance for retaking the Burp Suite Certified Practitioner exam

The Burp Suite Certified Practitioner exam is challenging, that's why obtaining it is so valuable! That means that not only is there no shame in failing, you're likely to learn something from your failed attempts that will help you be better prepared for next time.

If you haven't already, work through the suggested preparation steps for the exam. Remember that these steps are designed to refresh knowledge and skills you already have, and will not be sufficient if they're the only experience you have of the vulnerabilities and exploit techniques.

You found a vulnerability but couldn't exploit it

When you're testing professionally, finding the vulnerability is only ever half of the battle. After discovery, you should be asking yourself: "What could I do with it?". This might involve chaining it to other vulnerabilities, and being able to demonstrate the actual security impact.

If you're clear on what the vulnerability was, find the learning materials that cover it and read them to get a better understanding on how the exploit works.
Next, see if there's an academy lab that's similar to the vulnerability you encountered and work on that.
Look specifically for any labs that you haven't completed that involve some kind of practical exploitation solution, rather than just a generic PoC.
If you were caught out by a filter, try other labs that involve filters, even in different topics - a lot of filter bypass techniques are generic. Also, check out the page on obfuscating payloads.
Don't get tunnel vision. This sounds over-simplified, but having steps in place to recognize when to move on from testing a particular feature or trying a specific vulnerability class will help you not to make the same mistakes again.

You ran out of time

The time limit on the exam is reminiscent of the pressure you'll experience when testing professionally. Approaching the situation methodically, quickly gaining a clear view of the application, and using Burp Suite Professional's automated features will all help you.

If you spent a lot of time manually probing for vulnerabilities, brush up on your skills with Burp Suite Professional's automation tools. In particular, try using targeted scans to quickly identify vulnerabilities.
Practice with the targeted scanning lab - see if you can create a step by step process to follow so you can replicate the steps quickly during the exam.
Practice mystery labs to get better at identifying vulnerable behavior quickly.
Once you're more comfortable solving mystery labs, try setting a timer to see how quickly you can do them.

You couldn't find a vulnerability at all

Unlike the labs on the Web Security Academy, during the exam you won't have any contextual clues as to what you're looking for. This means you'll need excellent discovery skills to supplement your knowledge of how different vulnerabilities work.

Make sure you've thoroughly mapped all of the available attack surface - this includes making sure you haven't missed any functionality, or places you can access.
Improve your general discovery skills by working through some mystery labs - leave the topic random to challenge yourself further.
If you're less comfortable with some vulnerabilities over others, focus on your areas of weakness and read the learning materials to gain a deeper understanding of how the vulnerability class works.
If you've only done one lab from some topics, go back and try to do additional labs from those topics.
If you haven't already, complete all the prep steps to double-check you're ready to sit the exam.

General advice and guidance

Regardless of your level of experience, there's no substitute for time spent learning. Practicing your techniques, reviewing your processes, and refreshing your knowledge will all help you to be better prepared for your next attempt.

Review your project file from your previous exam attempt to see if you missed any clues.
Read through our exam hints and guidance, as there may be something you missed there that would have helped you during your previous exam attempt.
Select the most challenging-sounding labs in the Web Security Academy and work on those until you can solve them without requiring use of the solutions.

Retaking your exam

Advice from certified users to help you prepare

You found a vulnerability but couldn't exploit it

You ran out of time

You couldn't find a vulnerability at all

General advice and guidance

How the exam works

Take a practice exam

What the exam involves

Buy your BSCP exam