The Hidden Gem of Pentest Certifications in 2024
Kick-start your penetration test career with this attractive and cheap certification.
Do you need to tick off a box on your CV, or do you actually want to learn penetration testing?
Are you thinking of getting into bug bounty programs?
Do you want to start off strong in the most sought-after specialization within pentesting, Web Pentesting?
Whatever your goal is, this is probably the best certification you can start on, and I’ll tell you why: Burp Suite Certified Practitioner (BSCP)
The article can be seen in video format here:
I recently wrote a Pentest Roadmap to go from Beginner to Hired, where I was rather skeptical about most popular pentesting certifications. This is due to them teaching you what many other pentesters already know (AD, Network Pentesting), and usually being expensive.
The BSCP does not have any of these weaknesses. It is very cheap ($99) and teaches you the most purchased pentest type right now: Web.
One open secret about web pentesting: You can have a whole career in web application penetration testing with just one tool: Burp Suite. You can even make do with the free version.
Those just starting out might not know this, but most bug bounty programs revolve around web application penetration tests.
And the best way to land jobs within penetration testing without any previous experience (or spending tens of thousands on certifications) is through bug bounty experience.
While other certifications are losing some value and getting more expensive, like the new OSCP+, the pricing of BSCP has not really changed for as long as I can remember.
So, if your dream is to quickly gain expertise within cybersecurity or pentesting, start earning money, or land a full-time job within the field, this certification is in my opinion your best shot at that.
Like I talked about in my Pentesting Roadmap, web pentesting is one of the specializations that can really fast-track your career, and make you useful for any pentesting team out there.
The exam is not too long, standing at four hours. If you want any tips on how to perform on exams such as these, I wrote this article on performing on the OSCP, but many of the same things are true for this exam. I even made it into video form:
So, let’s go through some of the details regarding this certification.
Required Knowledge
Knowledge about how to use the tool Burp Suite is the only thing that is necessary. Anything else (and probably also using the tool) is learned through the learning material.
And even if you don’t know anything about using the Burp Suite tool, it is probably the most widely used pentesting tool in the world, so the time spent on learning how to use it will absolutely not be wasted.
The Learning Material
The learning material for the certification is the PortSwigger documentation on the different topics.
While this may seem like a downside, this documentation is usually great, and doubles as the documentation you would use to look up various functionality and vulnerabilities when using Burp Suite anyway.
And of course, this learning material is free. You also usually have a couple of YouTube walkthroughs of the challenges that people have uploaded and linked to the challenge.
While this certification may not land you a job right away, it gives you the set of skills necessary to start diving into Bug Bounty programs. Do this for a while, and you will land a job with this experience.
The LABS
The LABS are the best I have ever experienced for web application testing, and they are FREE. It is called the PortSwigger Web Security Academy, and includes challenges in most of the types of vulnerabilities and misconfigurations you encounter in web pentests.
You choose a challenge, an instance of a web server is spun up for you, and you get a link to paste into your Burp Suite browser. No purchase required, no VPN required, just sign up with a free account.
The Exam
The pricing of the exam sits at $99, which is one of the cheapest price points out there. This is of course because their real goal is to sell Burp Suite Pro and Enterprise, and this certification is probably an efficient funnel for that.
In addition to that, you have the following four requirements to be able to attempt the exam:
The first step requires you to complete a practitioner (intermediate) level lab from every topic. While it may seem from the title that you can freely choose which labs to complete on each topic, it is actually a list of 23 specific labs that you need to complete.
Then, you have another list of specific labs to complete. Weirdly, the last lab in this list is also included in the previous step.
The third requirement is to complete five mystery labs. These are just randomly selected labs at the level you choose, within the category you choose. Even if you are not planning to attempt the exam, this is a great way to test your real skills in web pentesting.
Step four is to pass a practice exam. This is a two-hour practice exam, which gives you a vulnerable application to exploit. Shockingly, even this practice exam is free.
Lastly, here is the link to the Web Security Academy!
Good luck!