“Level 3 objectives forced me to automate burp workflows and share tools with my crew.”
CAWAP: Certified Advanced Web App Pentester
Run layered exploit chains under pro-level pressure.
CAWAP graduates you from technician to strategist. You will chain exploits across multi-tenant environments, automate evidence capture, and maintain velocity during a 28-hour exam window.
Lock in your CAWAP challenge
Unlock the advanced CxWAP branch, live lab access, and the 28-hour professional exam window.
€199.99 €15.00
Book your CAWAP seat
Chained exploits across multi-tenant, automation-heavy attack surfaces.
28-hour exam timer with mid-mission debrief requirements and automation checkpoints.
Advanced reporting pack covering detection bypass notes, stakeholder narratives, and remediation plans.
Operate like a strategist
CAWAP is designed for operators who already cleared CWAP and now need to demonstrate advanced tradecraft, automation readiness, and executive communication.
For practitioners ready to prove they can orchestrate complex web campaigns end to end.
Ready to show you can command an advanced web assessment from recon to remediation?
CAWAP syllabus overview
The refreshed CAWAP programme is a 28-hour advanced assessment that mirrors the current CxWAP branch. You will run chained exploits inside a multi-tenant lab, automate evidence capture, and deliver reports that satisfy stakeholders beyond the SOC.
Delivery format
- 28-hour exam window with guided checkpoints and mid-mission debrief prompts.
- Prerequisites: CWAP completion, SOP review, and comfort with automation tooling.
- Resources: CAWAP workbook, automation packs, CyberCrusade payload lab, and reporting templates.
Objectives
- Chain exploitation paths that cross roles, tenants, and automation boundaries.
- Capture repeatable evidence with Autorize, Burp workflows, and scripted probes.
- Deliver narrative-driven remediation plans backed by reproducible payloads.
- Demonstrate you can manage time pressure while maintaining stakeholder updates.
Skill coverage
- Broken access control escalations verified with workbook artefacts and live flags.
- Injection chains that blend SQLi, template abuse, XXE, and logic flaws.
- Automation and recon tactics tuned for multi-surface environments.
- Reporting operations that translate exploit depth into executive clarity.
What to emphasise
- Stay disciplined with recon and note-taking; grading focuses on traceability.
- Pair every exploit with detection bypass notes and mitigation checkpoints.
- Show your automation hygiene by documenting payload scripts and tooling configs.
Module breakdown
1 · Multi-tenant access control
Dissect role design, enumerate shadow routes, and automate BAC/IDOR validation.
- Key drills: Autorize-powered diffing, workbook artefacts, incident-ready notes.
2 · Data-layer pivots
Blend SQLi, XXE, and deserialisation chains while respecting WAF guardrails.
- Key drills: Payload mutation labs, WAF fingerprinting, response tampering.
3 · Front-end mischief
Weaponise XSS, template abuse, and automation bugs to traverse contexts quickly.
- Key drills: Burp workflow automation, replayable exploit libraries, mutation packs.
4 · Reporting & ops cadence
Ship client-grade briefs while juggling flag submissions, tooling resets, and stakeholder updates.
- Key drills: Executive summary sprints, mitigation mapping, runbook packaging.
Deliverables
- Flag report covering 32 required submissions plus two optional side missions.
- Automation dossier documenting payload scripts, wordlists, and replay workflows.
- Stakeholder brief with remediation, detection, and communication plans.
Recommended tooling
- Burp Suite Pro with Autorize, Logger++, and automation macros enabled.
- RatCerts CAWAP workbook, CyberCrusade payload archive, and reporting templates.
- Scriptable recon stack (curl, Python, custom transformers) for fast triage.
Participant expectations
Bring discipline, automation hygiene, and storytelling. CAWAP examiners grade how you prioritise, how you communicate, and how you turn exploit depth into actionable plans.
CAWAP student reviews
Stories from professionals who chained their way through CAWAP.
“CAWAP chains felt like live client chaos: perfect rehearsal for real incident calls.”
CAWAP frequently asked questions
Answers are coming soon. Check back shortly for more details.