To advance my career in cybersecurity, and to hopefully feel a bit more comfortable telling people that I’m technically a hacker, I decided that my next logical step after graduating from university was to begin obtaining practical certifications that demonstrate my technical ability as a security professional. Through my previous experience as a student, intern, and now full-time security engineer, I had been introduced to many broad concepts in the IT realm, but in terms of practical hacking experience, I would still only label myself self-taught, or at the very least taught-on-the-job. This, in my opinion, had to change. Due to my experience interacting with various web applications in a security testing scenario, and my prior interest in web application development (despite my shameless use of WordPress), I felt that Portswigger’s Burp Suite Certified Practitioner was the perfect place for me to start.
The exam appears pretty innocuous on paper: it’s only 4 hours, consists of 2 machines with 3 sequential vulnerabilities apiece, and doesn’t have any report requirement like some other practical certifications of this caliber. It also had an official preparation guide from Portswigger, which meant that my study plan was already partially made for me. So, I went into my studying thinking I had nothing to fear – which was an opinion that could have been better informed.
Throughout the following blog post, I will go over my exam preparation, the exam attempts (yes, this is unfortunately plural), and my lessons learned after completing the exam and being certified as a BSCP.
Studying for the exam
Studying for the BSCP looks a lot easier on paper than in practice. Overall, Portswigger has something like 280 labs covering all of the different vulnerabilities that could be present on a BSCP exam. Even if all of them don’t show up exactly, these labs cover very important topics in web application security that will make any potential BSCP holder a much more competent web app security analyst, so they are hard to refuse. What they don’t tell you is – for the first 100 or so labs, you will swear you are reading hieroglyphs.
When first starting my approach to the BSCP, I imagined that a fair bit of the labs would overlap with what I saw in existing web app vulnerabilities through school and work – some text fields don’t filter for JavaScript, some sites have an open redirect, yadda yadda, and that’s all there is to it. Unfortunately, while those topics are still included, that is only the beginning of what a web app vulnerability can look like. After getting re-accustomed to some topics in JavaScript, web infrastructure, and general HTTP knowledge, or around the lab #125 mark, I was beginning to fall into a rhythm of analyzing vulnerable web apps and thinking critically about how to exploit them. As the study labs ranged in topics from well-known ones like SQLi or XSS, Portswigger continuously surprised me by introducing nuanced and research-driven techniques such as deserialization attacks and their golden child: HTTP Request Smuggling. Topics like these, especially the latter HTTP request smuggling, began to introduce me to what I believe was Portswigger’s intention all along: the skill of being able to see through a web app, just by looking at it.
What do I mean by seeing through a web application? Well, to be honest, it was mostly a thing I kept telling myself to do while diving into different vulnerability labs, to help me keep my priorities straight and not give up right away. If that isn’t a good enough personal explanation, I also thought it sounded rather cool. Practically, however, what I mean by this is that a well-rounded web application security tester should be able to instantly glean as much information about the software frameworks and backend infrastructure as possible, while limited to only an end-user’s level of access to a given application. When I first dove into labs, I believe that the lack of this specific skill is what made them so incredibly frustrating and easy to give up on – I couldn’t even struggle with exploiting vulnerabilities if I couldn’t find them. Leaning further on labs involving scanning for vulnerabilities, understanding what vulnerability indicators to look out for, and becoming more accustomed to the developer tools in the browser and the Burp Suite proxy allowed me to shift my perspective here, and gain an appreciation for a web developer’s work strictly from the client side.
Once I had most of the apprentice and practitioner labs under my belt (I think my account currently has around 85% completion of all of Portswigger Academy), I felt comfortable enough to move on to mystery labs, which were able to fully coach my perspective to see through a web application as I was looking at one. Once I got those out of the way, and chased them with a few practice exams, I suddenly felt that it was time to take my shot at the real thing. I sat down to take my first attempt at the BSCP on a cold Friday afternoon near the end of 2025…
The exam
Taking the exam, in a very fast-feeling 4 hours, taught me that textbook knowledge and mystery labs were not going to be my saving grace in obtaining a BSCP. While they are the backbone of any success in the BSCP, they are simply a toolkit that one must refine before completing both sections successfully. To take a step back, the exam includes 2 apps with three sequential vulnerabilities each, but to pass the exam you must identify and exploit all 6 vulnerabilities within the 4-hour time frame, or you automatically fail. While training to identify and exploit each different vulnerability is one part of the preparation, preparing yourself psychologically to fall into rabbit holes, get back out, stay sharp and analytical, and complete your objectives in 4 hours is another matter altogether. While in every attempt I took I completed at least one machine fully, I was never able to fit both into a 4-hour block until my final attempt.
Between exam attempts, I began connecting with the community of other BSCP holders who also try to give back to the community by providing insights on their experience, and advice on what got them over that finish line. What surprised me most when reading and listening to these folks, whom I’m now honored to call my peers, is just how often they reference the psychological toughness and cold, unthinking logic that has to take over in order to complete this rigorous exam. Looking back, I think the most impactful example for me comes in the form of HexDump’s BSCP Experience video. In it, they cite their blog post, in which they often emphasize that completing the actual exam within the time limit is not a measure of knowledge retention or regurgitation, but rather a measure of mental toughness and the continued ability to stay nimble while laser-focusing when needed.
Using these tips, and psyching myself up, I was finally able to complete the BSCP exam and earn my certification last weekend, on April 18th 2026. While I didn’t get it on my first try, videos like HexDump’s and countless other blog posts reinforced the belief that truly passing the BSCP requires resilience and persistence, so if anything, I’m glad this is the way it finally happened. Now that I have my BSCP, I can undoubtedly say that I feel extremely prepared for any web app vulnerability that crosses my desk in the future, and am eager to employ my new skills in upcoming challenges in both my day job and personal interests.
Grant’s BSCP Resource Recommendations
This would not be a proper blog post about the BSCP if I didn’t also shout out all of the great resources I was able to leverage in order to finally succeed and hold my certification. The following, in no specific order, were what I was able to use to finally pull the whole thing off:
- https://www.youtube.com/watch?v=3txDdgk2UIQ
- https://github.com/botesjuan/Burp-Suite-Certified-Practitioner-Exam-Study
- https://github.com/DingyShark/BurpSuiteCertifiedPractitioner
- https://github.com/D4mianWayne/BSCP
- https://medium.com/@ossamayasserr/how-to-crush-bscp-exam-in-75-mins-bscp-review-0b207a17e26d
- and any links mentioned in the above pages too!
If you are thinking about taking the BSCP, please don’t let my doom-and-gloom scare you too much either: despite the difficulty, it is a thorough challenge that rewards anyone who genuinely pursues it with extremely valuable knowledge that feels like it would’ve taken much longer to obtain were it not for the great work done by the Portswigger team.
Signing off,
Grant Banys
BSCP #50D3D73368623A42
