Passing The GWAPT Exam


So, I finally went for it, attempted the GIAC GWAPT exam, and passed it! I had been conducting some pen tests prior to taking the SANS SEC 542 course and the GWAPT exam. The course taught me many new things and gave me a new perspective and insight into web application pen testing. This blog post shares my experience of how best to prepare for the GWAPT exam.

Should I take this exam or challenge the GWAPT?

Many people will ask themselves this very same question. The best answer really depends on what your career goals are. If you plan on being a pen tester, then this is a must, at least if you are new or intermediate to web pen testing. These days the Internet is filled with web applications, and more data and applications are now being placed in the cloud. Web app pen testing is a skill in demand and will be needed to test anything exposed to the public via the cloud.


For my exam I studied for about 2 more months after finishing the 6-week vLive classes (one class per week). I spent time after work and in the evenings, basically any chance I got to read the books. If you already have some web application pen testing skills, they will definitely help with the general questions. The big thing is to grind through the books at least 2 to 3 times before you attempt the exam.

Expect to have a fairly low-key social life while studying for the GWAPT exam. Missing a night or two won’t hurt, but it can add up and cause a loss of momentum during exam studying. If you can dedicate time to it, even just one hour a night, it will make a huge difference. So to start off, set a timeline for yourself. I found that once the exam was booked, I had a timeline of 4 months to challenge the exam. It sets a deadline for you, and the pressure adds up.


Read all of the books over and over again. Be sure to build an index along the way, because you will not remember every single keyword. I did about 2 reads of each book and found that each time I read it, there were little things I started to pick up that I had overlooked or missed the first time. Also play with the tools mentioned in the books that are not part of the labs. Just because a tool is not used in a lab doesn’t mean you should ignore it or not learn more about it. The tools in the SANS course are there to benefit you on your web pen tests. One of my favourite tools I learned is Nikto, which I find hugely beneficial for any pen test.


On the exam, I didn’t use my books much, and didn’t feel the need to for the majority of the questions. But they do come in handy if you are not 100% sure, or believe you are 99% sure of the answer but want to verify that your gut feeling has you pinned on the correct answer. Personally, I felt most answers just came to me, or already made sense so that I could decide on the correct answer. There were 5 or 6 questions which I passed on till the end, and that is where the index comes to save the day. So, be sure to make an index of keywords and topics with the relevant page numbers. If you take the SEC 542 course, the last book has the index already built for you.


I recommend you redo ALL of the labs you worked on within the course, and spend extra time learning what you are actually doing and why! I’ve heard of people reviewing the labs and following all of the steps in the book, but some of them don’t understand why they are running a certain command, or how to use the tool beyond what’s written in the book. Remember, the SANS courses are there to build a starting foundation for all of us. They are not made to turn everyone into security experts overnight. The expectation is that the courses give you enough information to dig further on your own and explore the world of web application pen testing some more. So do try to understand the labs, and why things work as they do.

Day Of The Exam

Get some good rest. I had set my exam for the later morning. It allowed me to get away from the early morning work rush, and still gave me enough sleep and rest to feel fresh for the exam.

The desk assigned to me was very small; it barely had enough room for the keyboard and mouse. Luckily, I was allowed to use another chair as a table to place my books on, so I didn’t have to throw them down on the dirty floor. It was a bit loud; the room was definitely not soundproof, as I could hear an instructor teaching a class next door very loudly. I tried to ignore everything around me and stuck with the questions.

This exam went by VERY fast compared to my last exam (GSEC, a 6-hour exam); before I knew it, the exam was done and over. I had about 2 minutes left out of the 2 hours by the time I answered the last question. Personally, I wish there had been another 15 to 20 minutes on this exam. So be sure to time how long your practice exams take you each time.

Waiting For Certificate & Digital Badge

So hopefully you have passed the exam, and all the pressure is now finally off you. At this point GIAC will mail you a certificate (which usually arrives within 1 to 2 weeks; GIAC is pretty quick). GIAC will also email you a digital badge that you can use and present. And you can now finally make use of the GWAPT credential next to your name and signature. It’s a great achievement, and you should be proud to have accomplished it.

I hope this guide was helpful, and of course if you have any questions or comments, feel free to leave them in the comments section below.

If you’re interested in the SEC 542 – Web Application Pen Testing course, I have made a post about my experience of it here —>

