Burp Suite Enterprise Edition is now available in our secure Cloud  –  Learn more

Get Burp Suite Certified for $99

Practice exams


Ready to take the exam? Here's what you need to know.

The Burp Suite Certified Practitioner exam is a challenging practical examination designed to demonstrate your web security testing knowledge and Burp Suite Professional skills. It is built and designed by PortSwigger Research, the same minds who brought you the Web Security Academy. Before you get started on a practice exam, make sure you've read all the hints and tips on this page.

How do the practice exams work?

The practice exams are designed to simulate the environment of a real test situation, and will cover a variety of vulnerability classes and exploits.

Each exam contains links to several web applications, from which you must find and exploit the vulnerabilities present.

To progress through stages, you need not only to identify vulnerabilities, but also exploit them. For example, if you identified an XSS vulnerability, triggering "alert" execution won't be enough to get access to the next stage: you need to actually exploit it against one of the simulated users and steal their session. Likewise, for SQL Injection vulnerabilities, you need to extract credentials from the database and use them to access the target account.

Before you start your practice exam ...

Make sure you are comfortably able to do all of the below:

We've created a guide to using Burp Scanner during manual testing, to make sure you've got to grips with the full scope of scanning you'll need to perform during the exam. The exam also requires you to be able to adapt your attack methods to bypass broken defenses - specifically - obfuscating attacks using encodings.

Mystery lab challenge

Unlike when you complete labs on the Web Security Academy, during the exam you'll have no prior knowledge of the type of vulnerability that you need to find and exploit. Use the mystery lab challenge below to spin up a randomized lab that you'll have to try and work out how to solve with no context, just like in the exam.

In some of the labs, you have access to your own account with the credentials wiener:peter. If you can enumerate usernames, you may also be able to brute-force the login using the following username and password wordlists.



Useful resources for your practice exam

As the exam is open book, you'll be able to access all of the below resources during your real exam, but it will help you to be familiar with them during your practice exam so that you're as prepared as possible.

Here are links to some resources you may want to have to hand when you take the exam:

How is the practice exam different to the real exam?

Practice exam:

Real exam:

Make sure that you take the practice exams as many times as is necessary before you attempt the real exam - your revision and preparation are in your hands.

Part of being a professional is handling responsibility. While exploiting each application, you will gain access to powerful functionality. If you use this to delete your own account or a core system component, you may make your exam impossible to complete.

Ready to take a practice exam?

The practice exams are there to allow you to get used to the format the real exam will use. They should also help you to gauge the difficulty level of the exam, and therefore judge for yourself whether you are at the required skill level to gain the certification.

There are no restrictions on the amount of times you may take the practice exams, and you may also quit the test simulation and begin again.

If you're already logged in to your PortSwigger user account, as soon as you hit the button below you'll be directed into the practice exam environment. If you're not yet logged in, when you hit the button below you'll be asked to log in before being directed to the practice exam start page.