Follow the steps outlined below to get yourself fully prepared to take your Burp Suite Certified Practitioner exam. Put your focus on truly understanding a vulnerability class or exploit. If there are any steps or processes outlined on this page that you are not 100% comfortable with, we highly recommend that you go back and practice those skills before attempting your certification exam. If you need extra support, please read our exam hints and guidance page.
Work through all of the topics on the Web Security Academy, completing one lab from each topic - make sure the lab you choose to complete is "Practitioner" level. There is no set time frame for completing the labs, but you must be able to do so without requiring access to the solutions provided.
If you're unable to complete the lab you selected, go back to the learning materials and work through all the labs in that topic to make sure you're comfortable with the vulnerability class and exploit techniques it covers.
These labs have been selected because they reinforce core web security testing skills - such as understanding encodings and using them to evade defences, and proficiency in exploiting cross-user attacks. These specific labs support your exam preparation in terms of skill development, but they are in no way a list of the components you'll be expected to solve to complete the exam.
Use the mystery lab challenge below to spin up five practitioner-level randomized lab challenges - you'll have to try and work out how to solve each challenge with no context, exactly as you would when performing recon in a real-world testing environment.
The practice exam is designed to be a realistic test of all your web security skills. It will also allow you to get used to the format the real exam will use. Before you take the practice exam, read through the exam hints and guidance for some tips and advice to help you succeed.
If you are unable to pass the practice exam, we strongly suggest that you work through the steps outlined in this guide again to further hone your skills.
You have two hours to complete the practice exam, which contains one vulnerable application for you to exploit.