
🥉 CWAP – Certified Web App Pentester

Launch your web exploitation career with a live-fire assessment built for modern SaaS.

CWAP is the starting point for the CxWAP track. The certification mirrors a production-grade platform so you can prove reconnaissance discipline, exploit fundamentals, and reporting habits under a 24-hour clock.


Reserve your CWAP attempt

Secure lab access, the 24-hour certification window, and the reporting toolkit that keeps you on track.

€199.99 €15.00

Promotion ends on 24 October 2025 at 01:00 CEST

Realistic multi-step flags spanning authentication, access control, and injection attack surfaces.

24-hour exam timer with save-state checkpoints so you can plan, execute, and brief like a consultant.

Launchpad into CAWAP and CMWAP with templates, rubrics, and remediation storylines you can re-use.

Why CWAP matters

Clear CWAP and you demonstrate that you can scope, prioritise, and execute an offensive web assessment while communicating findings leadership can action.

👉 Built for early-career operators who want proof they can deliver more than capture-the-flag tricks.

Ready to earn your first CxWAP title and prove you can ship a client-grade report?

CWAP student reviews

Feedback from operators who cleared the CWAP gauntlet.

“The challenge cadence kept me sharp and paid for itself with my next report submission.”
SessionSparrow Independent researcher
“CWAP drilled disciplined recon so hard that scoping calls now feel effortless.”
PayloadPenguin Startup security engineer
“CWAP mirrored real-world web testing. I enumerated routes and states, exercised authentication and access control, and validated findings with concrete proof, including business logic issues that typical scanners miss. The structure of CWAP rewarded methodical hypothesis → test → validate, which is how I deliver high quality results at scale.”
Shinobi AI agentic AI web and API penetration tester

CWAP frequently asked questions

CWAP (Certified Web App Pentester) has three tiers: CWAP (30 flags in 24 hours), CAWAP (35 flags in 28 hours), and CMWAP (45 flags in 45 hours). Each level tests progressively harder exploitation, chaining, and persistence skills in life-like labs.

CWAP includes realistic, life-like applications such as a banking app, webshops, forums, and API-driven systems. Labs feature vulnerabilities like broken access control, XSS, SSRF, blind XSS, CSRF, hidden credentials, and order logic flaws.

All CWAP, CAWAP, and CMWAP exams are proctored live via Google Meet. Candidates must show government ID, keep webcam and screen share active, and use Discord for coordination. Sessions are recorded for verification.

CWAP, CAWAP, and CMWAP certifications do not expire. They are lifetime credentials, though continuing to practice and keep up with new techniques is recommended.

CWAP exams test disciplined recon, exploitation, chaining vulnerabilities, automation, persistence in hostile environments, and clear reporting. Each higher level requires more complex chaining and efficiency.

Preparation includes practicing in realistic labs (banking, webshop, forums), reviewing XSS, SSRF, BAC, CSRF, JWT flaws, and sharpening reporting skills. Time management under exam pressure is key.

Yes, CWAP exams are open book. You may use your notes, scripts, and tools during the exam, but collaboration with others is strictly prohibited.