Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Get Burp Suite Certified for $99

How to get your certification

PortSwigger

Ready to take the exam? Here's what you need to know.

The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite skills. To pass the certification exam, you are required to demonstrate an in-depth knowledge of a wide range of vulnerability classes, and the Burp Suite functionality required to support you in discovery, understanding, and exploitation.

Overview

We have created this certification in collaboration with a third-party automated proctoring service, called Examity. The exam itself will follow a process fairly similar to that of the labs within the Web Security Academy, and the practice exam, but in order to take the exam you will first need to go through an automated identity verification process with Examity.

To become a Burp Suite Certified Practitioner, you will need to work through the following steps:

  1. Purchase your certification exam.

  2. Create a user profile with Examity.

  3. Check the system requirements.

  4. Take your certification exam.

  5. Get your certification results.

You'll need a Burp Suite Professional subscription to take the exam.

To undertake the certification exam, you will need access to an active subscription of Burp Suite Professional. Get a subscription to Burp Suite Professional now, if you don't already have access to a separate license.

Purchasing your exam

You can purchase a Burp Suite Certified Practitioner exam from your PortSwigger user account. Once you have purchased your exam, you will need to create a user account with Examity. This is our third-party proctoring platform, who will perform your automated identity verification before your exam starts.

How does an automated proctoring service work?

We have partnered with Examity, an automated proctoring platform, to make your exam experience as secure as possible. The process is very simple, and involves an ID check and security question verification - these are both carried out with an automated proctor. Your ID check and security question verification will be recorded, and you will be unable to pass the exam until Examity have verified your ID check.

Creating a user profile

In order to complete your exam, you will need to create an Examity profile. This is a requirement for taking your certification exam. The things you will need to complete this profile are as follows:

  1. Your phone number and time zone.

  2. A photo of a government-issued photo ID. This can be a driver's license, passport, military identification card, or another form of acceptable ID. Just be sure that your name and photo are visible and that the image is clear and bright enough to be easily read. Please note: you will need to have this ID with you on exam day to verify your identity.

  3. Three "challenge" (security) questions and answers.

Preparing for the exam

Before you take your real exam, we strongly advise that you work through our four preparation steps. They have been designed to thoroughly prepare you, by testing the wide variety of both vulnerabilities and skills that you will be required to demonstrate to successfully pass the exam.

The preparation steps should also help you to gauge the difficulty level of the exam, and therefore judge for yourself whether you are at the required skill level to gain the certification.

There are no restrictions on the amount of times you may complete the preparation steps.

What the exam involves

In order to take the exam, you will first need to log in to your PortSwigger user account. You will find a button labeled "Take exam", which you will be able to use to begin the process of taking your exam. By clicking this button, you will begin the official exam process, including the verification by our automated proctoring service Examity. Once you have successfully completed the automated proctoring session, your unique verification code will be automatically entered by Examity and your exam will begin.

You will have four hours to complete the Burp Suite Certified Practitioner exam. There are two applications, and each application contains deliberate vulnerabilities. This means that each application can be completed in three stages:

  1. Stage 1: Access any user account.

  2. Stage 2: Use your user account to access the admin interface, perhaps by elevating your privileges or compromising the administrator account.

  3. Stage 3: Use the admin interface to read the contents of /home/carlos/secret from the server's filesystem, and submit it using "submit solution".

While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.

There is always an administrator account with the username "administrator", plus a lower-privileged account usually called "carlos". If you find a username enumeration vulnerability, you may be able to break into a low-privileged account using the following username list and password list.

Each application has up to one active user, who will be logged in either as a user or an administrator. You can assume that they will visit the homepage of the site every 15 seconds, and click any links in any emails they receive from the application. You can use exploit server's "send to victim" functionality to target them with reflected vulnerabilities.

If you find an SSRF vulnerability, you can use it to read files by accessing an internal-only service, running on localhost on port 6566.

Host header attacks are fair game, but the _lab and _lab_analytics cookies are part of the core exam functionality - please don't waste your time tampering with them.

To understand the skills required to take this exam, please refer to the prepare for the exam page.

Exam conditions

The integrity of the Burp Suite Certified Practitioner exam is what makes it so valuable, so we have a robust system for identifying and banning people who attempt to cheat. Here's what you need to know:

  • Any cheating will result in a permanent ban.

  • You must use a Burp project file for the full period of the exam, and submit that project file for analysis.

  • You must complete the exam without help from anyone.

  • You must not share your exam addresses with anyone.

Requirements

The following sections will outline all of the requirements for the exam. Please make sure you have read through these sections thoroughly before purchasing your certification exam.

Identity verification

Before you can begin the Burp Suite Certified Practitioner exam, you will need to go through the proctoring process with our third-party automated proctoring service, Examity. The process follows these steps:

  1. Using a process called automated authentication, the automated proctor will verify that the ID on file matches with the ID you have brought to the test.

  2. The automated proctor will then ask you to provide an answer one of the three "challenge" (security) questions, that you created when you made your user profile with Examity.

  3. When you have successfully completed all of the required automated proctoring stages, you will be given access to the exam.

Proficiency/skill

To pass the certification exam, you are required to demonstrate an in-depth knowledge of a wide range of vulnerability classes, and the Burp Suite functionality required to support you in discovery, understanding, and exploitation.

To get ready for the challenges you'll face in the certification exam, please refer to the how to prepare for the exam page.

Language

All exam materials will be presented in English. If you can comfortably read the learning materials within the Web Security Academy, and all of the exam guidance pages, the exam will not present you with any language-based challenges.

System

Operating system:

  • MacOS X 10.5 or higher.

  • Windows Vista or higher.

  • ChromeOS.

Please note that our automated proctoring service, Examity, does not support Linux.

Browser:

  • Google Chrome - please disable your pop-up blocker.

Hardware:

  • Desktop or laptop.

  • Built-in or external webcam.

  • Built-in or external microphone.

  • Built-in or external speakers.

Please note that tablets and mobile devices are not supported.

Internet:

  • An upload and download speed of 2Mbps.

  • Hot spots are not recommended as a reliable internet connection is essential.

Software:

  • Burp Suite Professional. Please note that it will not be possible for you to complete the exam with any software other than Burp Suite Professional.

  • In addition, we require that you use a project file, which we may request up to a week after you have taken the exam to confirm your certificate or investigate any reported issues.

Your exam results

We will notify you by email with your results. If you successfully pass the Burp Suite Certified Practitioner exam, you will receive a link to your certificate by email. If you failed the exam, we will let you know by email. We will also provide you with resources and guidance to help you prepare for re-booking your certification exam.

If you haven't received your results after 48 hours, login to your PortSwigger user account to check the status of your exam.

If you successfully pass the exam, and become a Burp Suite Certified Practitioner, make sure you let the world know! Add your certification status to your social channels and profiles, and let your employers and prospective employers know.

Verifying your exam results

If your employer (or prospective employer) wishes to validate your certification, you will need to share the unique code on your certificate and the link to the validation platform.