Frequently asked questions

So long as you have access to a valid, active Burp Suite Professional license at the time of your certification exam, you will be able to use it to take the exam.

In addition, we require that you use a project file, which we may request up to a week after you have taken the exam to confirm your certificate or investigate any reported issues.

Burp Suite Professional provides the essential functionality to solve the exam.

Some vulnerabilities are easier to solve with the following third party tools: ysoserial and HTTP Request Smuggler. These tools are used by certain labs at the "Practitioner" level.

We recommend caution when using other tools - they may turn out not to be suitable for your objective.

If you find them helpful, or feel that you benefit from having them, you may use any BApp extension you like to support you in completing the exam.

The Burp Suite Certified Practitioner certification is, first and foremost, an exam designed to test your skills with Burp Suite Professional. It has been designed specifically to test your abilities with this software and, as such, cannot be completed with either Burp Suite Community Edition or any other web application security testing toolkit.

In addition, we require that you use a project file, which we may request up to a week after you have taken the exam to confirm your certificate or investigate any reported issues.

If you have a Burp Suite Professional license, but it is registered under an email domain of the company you work for rather than your personal email address, you will still be absolutely fine, from a technical perspective, to use that license for taking the exam.

So long as you have access to a valid, active Burp Suite Professional license at the time of your certification you will be able to use it to take the exam.

If you have any concerns about using your license because it is registered to a company rather than to you personally, we would suggest taking them up with your employer as they will be best able to advise you.

We've created some resources to help you get ready for your Burp Suite Certified Practitioner exam.

Check out this page for everything you'll need to get prepared for the exam; read through this page to understand the exam process, and all of the system requirements; and take our practice exam as many times as you need before you try the real exam.

We've created a guide to using Burp Scanner during manual testing, to make sure you've got to grips with the full scope of scanning you'll need to perform during the exam. The exam also requires you to be able to adapt your attack methods to bypass broken defenses - specifically - obfuscating attacks using encodings.

There is a one-month grace period before we add new topics to the exam. After that point, you should prepare for the possibility of the topic being included.

The exam is open book - you may use any books, notes, or web resources you find useful.

Here are links to some resources you may want to have to hand when you take the exam:

• Username list.

• Password list.

• XSS Cheat Sheet.

Once you have started the exam timer, there is no option to pause or reset your exam.

If you wish to retake the exam, you will need to purchase another exam and begin the process again.

Part of being a professional is handling responsibility. While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.

As the practice exam is designed to be a test of whether you have the necessary skills required to complete the actual exam, we will not be able to give you hints about how to complete it.

If you need any guidance, please carefully read through all the advice given on the "Hints and Tips" section of our "How the exam process works" page.

Before attempting the Burp Suite Certified Practitioner exam, you should be comfortably able to complete all of the labs within the Web Security Academy labeled "Practitioner" or lower. There is no set time frame for completing the labs, but you must be able to do so without requiring access to the solutions provided.

In addition, we strongly advise that you fully familiarize yourself with the exploiting XSS labs within the XSS topic. To successfully pass the exam, you'll need to be able to capably perform the exploits outlined within those materials.

The exam is priced in three currencies: US dollars, Pounds Sterling, and Euros. If you want to pay using another currency, you can use a credit card denominated in that currency, and the conversion will be handled automatically by your bank.

In order to purchase a certification exam, you will need to create a user account on our website.

Once you have a registered user account, you will be able to purchase a certification exam from the "your account" page.

Please note that the name you provide in your user account is the name that will be displayed on the certificate should you achieve your certification. Please ensure that you set up your user account using your real name, as we will not be able to make any changes to the digital certificate.

The certification exam needs automated proctoring in order to enable us to verify that you yourself have achieved the certification, and that you are exactly who you say you are. By performing an ID check on everybody who takes the exam, we are better able to make sure that nobody is able to cheat or lie in order to gain this qualification.

Once you purchase your Burp Suite Certified Practitioner exam, you have 12 months to use it before it expires.

No - you may only purchase one exam at a time, as you may only have one active exam assigned to your PortSwigger user account at any one time.