Get Burp Suite Certified for $99

How to get your certification

PortSwigger

Ready to take the exam? Here's what you need to know.

The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite skills. By achieving this certification, you can showcase your expertise to potential clients, demonstrate your abilities to prospective employers, and bring accreditation to your personal career development.

Overview

We have created this certification in collaboration with a third-party automated proctoring service, called Examity. The exam itself will follow a process fairly similar to that of the labs within the Web Security Academy, and the practice exam, but in order to take the exam you will first need to go through an automated identity verification process with Examity.

To become a Burp Suite Certified Practitioner, you will need to work through the following steps:

  1. Purchase your certification exam.

  2. Create a user profile with Examity.

  3. Check the system requirements.

  4. Take your certification exam.

  5. Get your certification results.

You'll need a Burp Suite Professional subscription to take the exam.

To undertake the certification exam, you will need access to an active Burp Suite Professional subscription. If you don't already have a license, get a subscription to Burp Suite Professional now.

Purchasing your exam

You can purchase a Burp Suite Certified Practitioner exam from your PortSwigger user account. Once you have purchased your exam, you will need to create a user account with Examity. This is our third-party proctoring platform, who will perform your automated identity verification before your exam starts.

How does an automated proctoring service work?

We have partnered with Examity, an automated proctoring platform, to make your exam experience as secure as possible. The process is very simple, and involves an ID check and security question verification - these are both carried out with an automated proctor. Your ID check and security question verification will be recorded, and you will be unable to pass the exam until Examity have verified your ID check.

Creating a user profile

To take your certification exam, you will need to create an Examity profile. To complete this profile you will need the following:

  1. Your phone number and time zone.

  2. A photo of a government-issued photo ID. This can be a driver's license, passport, military identification card, or another form of acceptable ID. Just be sure that your name and photo are visible and that the image is clear and bright enough to be easily read. Please note: you will need to have this ID with you on exam day to verify your identity.

  3. Three "challenge" (security) questions and answers.

Taking the practice exam

Before you take your real exam, we strongly advise that you take our practice exam. The practice exam is designed to simulate the environment of a real test situation, and will cover a variety of vulnerability classes and exploits.

The practice exam is there to allow you to get used to the format the real exam will use. It should also help you to gauge the difficulty level of the exam, and therefore judge for yourself whether you are at the required skill level to gain the certification.

There is no limit on the number of times you may take the practice exam, and you may also quit the test simulation and begin again.

What the exam involves

In order to take the exam, you will first need to log in to your PortSwigger user account. You will find a button labeled "Take exam", which you will be able to use to begin the process of taking your exam. By clicking this button, you will begin the official exam process, including the verification by our automated proctoring service Examity. Once you have successfully completed the automated proctoring session, your unique verification code will be automatically entered by Examity and your exam will begin.

You will have four hours to complete the Burp Suite Certified Practitioner exam. The exam consists of two applications, each containing deliberate vulnerabilities. Each application is completed in three stages:

  1. Stage 1: Access any user account.

  2. Stage 2: Use your user account to access the admin interface at /admin, perhaps by elevating your privileges or compromising the administrator account.

  3. Stage 3: Use the admin interface to read the contents of /home/carlos/secret from the server's filesystem, and submit it using "submit solution".

There is always an administrator account with the username "administrator", plus a lower-privileged account usually called "carlos". If you find a username enumeration vulnerability, you may be able to break into a low-privileged account using the following username list and password list.
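The response-fingerprinting logic behind username enumeration, followed by a password spray against the account it reveals, as an added example that is not part of PortSwigger's page or of the exam itself. It mimics what Burp Intruder does when you sort attack results by status code, length or a grep match, but runs offline against a constructed stand-in: the `_USER_STORE`, the two hypothetical login handlers, the candidate lists and the "3xx means success" rule are all assumptions for this demo, not properties of any exam application.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed sample data for this demo: a small user store standing in for the
# target application, plus short candidate lists standing in for the
# username/password lists the exam guidance links to.
_USER_STORE = {"carlos": "montoya", "administrator": "s3cr3t-adm1n"}
CANDIDATE_USERNAMES = ["admin", "root", "carlos", "test", "administrator", "guest"]
CANDIDATE_PASSWORDS = ["123456", "password", "montoya", "letmein"]


@dataclass(frozen=True)
class Response:
    """Minimal stand-in for an HTTP response: status code and body text."""
    status: int
    body: str


def vulnerable_login(username: str, password: str) -> Response:
    """Hypothetical login handler that leaks account existence via its error text."""
    if username not in _USER_STORE:
        return Response(200, "Invalid username")
    if _USER_STORE[username] != password:
        return Response(200, "Incorrect password")
    return Response(302, "")  # redirect to the account page on success


def hardened_login(username: str, password: str) -> Response:
    """Same handler with a uniform failure message, so the oracle disappears."""
    if _USER_STORE.get(username) != password:
        return Response(200, "Invalid username or password")
    return Response(302, "")


LoginFn = Callable[[str, str], Response]


def fingerprint(resp: Response) -> tuple:
    """What Intruder lets you sort on: status, length and the body itself."""
    return (resp.status, len(resp.body), resp.body)


def enumerate_usernames(login: LoginFn, candidates: Iterable[str],
                        probe_password: str = "not-the-password") -> list:
    """Submit every candidate with a deliberately wrong password and report the
    candidates whose response differs from the most common (baseline) response.
    Returns [] when the application answers every failure identically."""
    fps = {user: fingerprint(login(user, probe_password)) for user in candidates}
    baseline, _ = Counter(fps.values()).most_common(1)[0]
    return [user for user, fp in fps.items() if fp != baseline]


def spray_passwords(login: LoginFn, username: str, passwords: Iterable[str]):
    """Try each candidate password for one username. A 3xx response is treated as
    success (an assumption about this demo handler, not a universal rule)."""
    for password in passwords:
        if 300 <= login(username, password).status < 400:
            return password
    return None


if __name__ == "__main__":
    leaked = enumerate_usernames(vulnerable_login, CANDIDATE_USERNAMES)
    print("vulnerable app leaks:", leaked)
    print("hardened app leaks:", enumerate_usernames(hardened_login, CANDIDATE_USERNAMES))
    for user in leaked:
        print(user, "->", spray_passwords(vulnerable_login, user, CANDIDATE_PASSWORDS))
```

Two practical caveats: the baseline is whichever fingerprint is most common, so if most of your wordlist happens to be valid accounts the outliers flip; and a uniform error message alone does not close the oracle if the application only runs its password-hash comparison for existing users, because the response time then still differs. Real applications may also lock accounts after a few failures, so keep the spray small per account.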

Each application has up to one active user, who will be logged in either as a user or as an administrator. You can assume that they will visit the homepage of the site every 15 seconds and click any links in any emails they receive from the application. You can use the exploit server's "send to victim" functionality to target them with reflected vulnerabilities.

If you find an SSRF vulnerability, you can use it to read files by accessing an internal-only service, running on localhost on port 6566.

Host header attacks are fair game, but the _lab and _lab_analytics cookies are part of the core exam functionality - please don't waste your time tampering with them.

To understand the skills required to take this exam, please refer to the prepare for the exam page.

Requirements

The following sections will outline all of the requirements for the exam. Please make sure you have read through these sections thoroughly before purchasing your certification exam.

Identity verification

Before you can begin the Burp Suite Certified Practitioner exam, you will need to go through the proctoring process with our third-party automated proctoring service, Examity. The process follows these steps:

  1. Using a process called automated authentication, the automated proctor will verify that the ID on file matches the ID you have brought to the test.

  2. The automated proctor will then ask you to answer one of the three "challenge" (security) questions that you created when you made your user profile with Examity.

When you have successfully completed all of the required automated proctoring stages, you will be given access to the exam.

Exam conditions

You must not communicate or attempt to communicate with anyone during the exam. We advise taking the practice exam under similar conditions in order that you are properly prepared.

Proficiency/skill

In order to successfully attempt the Burp Suite Certified Practitioner exam, you'll need to be capable of completing all labs labeled "Practitioner" or lower within the Web Security Academy, without requiring use of the solutions provided. For more details, please refer to the how to prepare for the exam page.

Language

All exam materials will be presented in English. If you can comfortably read the learning materials within the Web Security Academy, and all of the exam guidance pages, the exam will not present you with any language-based challenges.

System

Operating system:

  • MacOS X 10.5 or higher.

  • Windows Vista or higher.

  • ChromeOS.

Please note that our automated proctoring service, Examity, does not support Linux.

Browser:

  • Google Chrome - please disable your pop-up blocker.

Hardware:

  • Desktop or laptop.

  • Built-in or external webcam.

  • Built-in or external microphone.

  • Built-in or external speakers.

Please note that tablets and mobile devices are not supported.

Internet:

  • An upload and download speed of at least 2 Mbps.

  • Hot spots are not recommended as a reliable internet connection is essential.

Software:

  • Burp Suite Professional. Please note that it will not be possible for you to complete the exam with any software other than Burp Suite Professional.

  • In addition, we require that you use a project file, which we may request up to a week after you have taken the exam to confirm your certificate or investigate any reported issues.

Your exam results

We will notify you of your results by email. If you pass the Burp Suite Certified Practitioner exam, you will receive a link to your certificate by email. If you fail the exam, we will let you know by email and provide resources and guidance to help you prepare to re-book your certification exam.

If you haven't received your results after 48 hours, log in to your PortSwigger user account to check the status of your exam.

If you successfully pass the exam, and become a Burp Suite Certified Practitioner, make sure you let the world know! Add your certification status to your social channels and profiles, and let your employers and prospective employers know.

If your employer (or prospective employer) wishes to validate your certification, you will need to share the unique code on your certificate and the link to the validation platform.