
Burp Suite Certified Practitioner: The Ultimate Guide (2026)

If you’re serious about web application security, the Burp Suite Certified Practitioner (BSCP) is one of the most practical, respected ways to prove your skills. Unlike multiple-choice exams, BSCP is fully hands-on. You’ll attack two live, intentionally vulnerable apps under time pressure, using Burp Suite Professional as your primary toolkit. In this guide, you’ll learn exactly what the BSCP is, how the exam works, how to prepare, what it costs, and the strategies that successful candidates use to pass—so you can walk in confident and walk out certified.

What is the Burp Suite Certified Practitioner (BSCP)?

The BSCP is PortSwigger’s advanced, skills‑based certification for web application security professionals who use Burp Suite Professional. It validates that you can find and exploit modern web vulnerabilities end-to-end, under time pressure, and demonstrate impact like a real tester—not just identify issues. Once you pass, your certificate is valid for five years and can be publicly verified with a unique code.

  • What it proves:

    • You can discover, prioritize, and exploit vulnerabilities in dynamic web apps.

    • You can chain attacks (for example, from XSS to session hijack, then privilege escalation).

    • You can operate efficiently with Burp tools and extensions.

Actionable takeaway: Set a concrete goal—“I will pass BSCP within 90 days”—and map your weekly practice around PortSwigger’s official prep path so your study time mirrors the real exam.

Who should take BSCP (and what you need first)

The BSCP targets security students, junior testers growing into web app pentesting, bug bounty hunters, and experienced consultants who want a recognized, practical badge tied to Burp Suite. Formally, there are no prerequisites. Practically, PortSwigger recommends you can complete Web Security Academy labs at the “Practitioner” level without using solutions. You’ll also need an active Burp Suite Professional subscription to take the exam.

  • Prerequisites in practice:

    • Comfort with XSS exploitation and encoding/obfuscation tactics is essential.

    • You should be able to weaponize common classes (SQLi, auth flaws, access control, SSRF) to demonstrate impact.

    • You need a valid Burp Pro license; Community Edition is not sufficient.

Actionable takeaway: Before scheduling, audit your skills: list 10 core vuln classes and write one “go-to” payload/method for each. If you can’t quickly script or adapt attacks for a class, add focused lab reps that week.

How the BSCP exam works (format, targets, and flags)

The exam is remote, proctored, open-book, and strictly timed. You’ll face two different web applications over four hours total. Each application has three sequential stages; you must complete all six stages to pass.

  • The six stages (3 per app):

    1. Gain access to any user account.

    2. Reach /admin (via privilege escalation or admin account compromise).

    3. From an admin context, read /home/carlos/secret and submit the flag.

  • Critical environment details:

    • A simulated “active user” will visit each app’s homepage roughly every 15 seconds and will follow certain links you send via the exploit server—this is key for cross‑user attacks like stealing sessions with XSS.

    • SSRF targets: an internal service listens at localhost:6566 for file reads (hint for the later stages). Host header manipulation is in scope, while some cookies are intentionally off-limits to tampering.

    • You must demonstrate impact—not just detection. For example, proving SQL injection generally means extracting credentials or achieving a login, not merely error‑based indicators.

  • Timing and submission:

    • Total time: 4 hours, no pauses.

    • You must submit your Burp project file from the exam session; it’s part of the integrity checks.

    • Results typically arrive in 3–5 working days; certificates are publicly verifiable.

Actionable takeaway: Build a predictable “stage playbook.” Allocate ~35–45 minutes per stage, with explicit checkpoints (e.g., “If no user foothold by minute 40, run a targeted scan on the login and account endpoints”).

What tools and resources are allowed?

The BSCP is open book—yes, you can use notes and the web. You can also use third‑party tools and any BApp extensions. PortSwigger explicitly mentions tools like ysoserial and HTTP Request Smuggler as allowed examples.

  • Allowed:

    • Your notes, web resources, cheat sheets.

    • Third‑party tools and any BApp extensions.

    • Burp Scanner (especially targeted scans during manual testing).

  • Required:

    • Burp Suite Professional (active subscription).

    • Chrome browser, webcam/mic, stable internet (for automated ID/proctor checks).

Actionable takeaway: Create a “BSCP profile” in Burp before exam day: pre‑loaded payload lists, custom scan configurations, your favorite BApps (e.g., Param Miner, JSON Web Token Editor), and quick macros where useful.

Official PortSwigger prep path (don’t skip this)

PortSwigger’s “How to prepare” page lays out a direct, exam‑aligned plan: complete selected Web Security Academy labs (with an emphasis on cross‑user exploitation and bypassing brittle defenses), practice with the official Practice Exam, and sharpen essential skills like targeted scanning and obfuscation.

  • The practice exam:

    • 2 hours, one vulnerable app (vs. 4 hours, two apps in the real exam).

    • Designed to simulate the discovery/exploitation rhythm; use it to test your pacing.

  • Essential skills to master:

    • Using the Scanner tactically during manual testing to accelerate triage (scan specific requests or insertion points rather than entire sites).

    • Obfuscating attacks via encodings (URL, HTML, Unicode, etc.) to slip through naive filters.

Actionable takeaway: For every lab you solve, write a one‑paragraph “pattern note” (what tipped you off, payload family, why the defense failed). On exam day, this becomes your quick pattern matcher.

A 30/60/90‑day study plan (choose your track)

Pick the timeline that matches your starting point. Each track focuses on reps that build speed, not just knowledge.

30‑day sprint (experienced testers)

  • Week 1: Reinforce encodings/obfuscation and DOM‑based XSS; refresh request smuggling and SSRF. Build/update your personal payload library.

  • Week 2: Follow PortSwigger’s prep list; do labs that combine cross‑user delivery and privilege steps. Practice Scanner’s “audit selected insertion points.”

  • Week 3: 2–3 “mystery labs” daily (no solution hints). Take one practice exam and analyze time sinks.

  • Week 4: Simulate a full exam with two hard labs in 4 hours. Tune Burp extensions, autosave, and logging. Freeze your notes.

60‑day builder (some experience)

  • Phase 1 (Weeks 1–3): Systematically clear Apprentice → Practitioner labs across auth, access control, XSS, injection. Write pattern notes.

  • Phase 2 (Weeks 4–5): Mystery labs + targeted Scanner workflows; aim to get a Stage 1 foothold within 30 minutes consistently.

  • Phase 3 (Weeks 6–8): Two practice exams; two full 4‑hour simulations with different lab sets. Debrief each run with a gap list.

90‑day foundation (new to web pentesting)

  • Phase 1: Learn Burp’s core tools (Proxy, Repeater, Intruder, Decoder, Comparer) and basic recon/triage flow. Finish Apprentice labs.

  • Phase 2: Graduate to Practitioner labs in each vulnerability class; focus on chaining and proof‑of‑impact.

  • Phase 3: Add time‑boxed mystery labs and the practice exam. Emphasize mental models and debugging under pressure.

Actionable takeaway: For every practice block, cap exploration with a 10‑minute “retro”: What signal mattered most? What blind alley cost minutes? What single tweak would have shaved time?

Practice like the real thing: Mystery labs and the practice exam

The Practice Exam is your dress rehearsal: two hours, one app, realistic escalation, and a final flag—just like one half of the real test. Pair this with mystery labs (random, no‑context labs) to simulate the exam’s discovery demands. The goal is to walk into the exam with a “cold‑start” process that finds Stage 1 footholds fast.

  • Practice exam strategy:

    • Spend 10–15 minutes mapping and checking common weak points.

    • Run one targeted scan when you’re stuck; keep scope tight to avoid noise.

    • Record your time spent per stage; aim for completion with 10–15 minutes buffer.

Actionable takeaway: Build a one‑page “first 20 minutes” checklist: routes to map, parameters to fuzz, auth/session quirks to test, and likely injection points to probe before scanning.

Exam‑day game plan (time, tactics, and triage)

Time evaporates during BSCP. Go in with a plan you’ve rehearsed.

  • Opening 20 minutes:

    • Map key endpoints, login/registration, profile, admin hints.

    • Try high‑signal probes (auth bypass, basic SQLi, reflected XSS vectors); watch responses and error behavior.

  • If stuck >15 minutes:

    • Pivot to a targeted Scanner pass on a likely insertion point (e.g., a parameterized file read, template field, auth flow).

  • Use the exploit server:

    • For cross‑user attacks, deliver payloads to the victim through the exploit server. Time your steps with the ~15‑second visit window.

  • End‑stage discipline:

    • For Stage 3, scan for SSRF or internal‑file access patterns; remember the localhost:6566 target where applicable. Confirm the flag read, then move.

  • Administrative hygiene:

    • Save your Burp project frequently. Reserve the final 5–10 minutes for uploading the project file and verifying all flags are submitted.

Actionable takeaway: Use a timer with three checkpoint alerts per stage (T‑25, T‑15, T‑5). At each buzz, ask: “Am I learning new signal? If not, what’s my next best pivot?”

Common pitfalls (and how to avoid them)

  • Tunnel vision on one vector:

    • Fix: Strict pivot rule—if you’ve had no new signal for 10–15 minutes, choose a different function or run a tightly scoped scan.

  • Full‑site scanning:

    • Fix: Only scan targeted requests/parameters. Full audits consume time and flood you with noise.

  • Skipping cross‑user delivery:

    • Fix: Practice using the exploit server; many escalations need the victim’s browser.

  • Payloads that don’t survive filtering:

    • Fix: Master encodings/obfuscation to dodge naive defenses (URL, HTML, Unicode). Keep a ready list.

  • Rushing Stage 3 without admin foothold:

    • Fix: Respect the sequence—complete Stage 1 and Stage 2 first.

Actionable takeaway: Print a two‑column “Pitfalls vs. Counters” card and keep it next to your monitor on exam day.
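Encoded payloads get past brittle filters (the point made under essential skills and again in the "payloads that don't survive filtering" pitfall above) because the filter matches the raw, still-encoded bytes while a later component or the browser decodes them. The example below is added for this guide and is not PortSwigger's or the exam's code: it contrasts a naive raw-string blocklist with a check that canonicalizes URL, HTML-entity and Unicode compatibility encodings first; the sample strings are constructed.

```python
import html
import unicodedata
from urllib.parse import unquote

# Constructed samples: the same marker in several encodings. A naive filter
# sees five different strings; a decoder or browser resolves them to one.
SAMPLES = {
    "plain": "<script>alert(1)</script>",
    "url": "%3Cscript%3Ealert(1)%3C/script%3E",
    "double_url": "%253Cscript%253E",      # decoded twice by chained components
    "html_entity": "&lt;script&gt;",
    "fullwidth": "\uff1cscript\uff1e",     # U+FF1C / U+FF1E fold to < > under NFKC
}

MARKER = "<script"


def naive_filter(value: str) -> bool:
    """Brittle blocklist: substring match on the raw, still-encoded input."""
    return MARKER in value.lower()


def canonicalize(value: str, max_rounds: int = 5) -> str:
    """Decode HTML entities and URL escapes until the string stops changing,
    then NFKC-normalize so compatibility characters fold to plain ASCII."""
    current = value
    for _ in range(max_rounds):
        decoded = unquote(html.unescape(current))
        if decoded == current:
            break
        current = decoded
    return unicodedata.normalize("NFKC", current)


def canonical_filter(value: str) -> bool:
    """The same blocklist, applied after canonicalization."""
    return MARKER in canonicalize(value).lower()


def compare(samples: dict) -> dict:
    """Map each sample name to (naive_result, canonical_result)."""
    return {name: (naive_filter(v), canonical_filter(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive, canon) in compare(SAMPLES).items():
        print(f"{name:12} naive={naive!s:5} canonical={canon}")
```

Canonicalizing before matching closes the gap shown here, but a blocklist remains a weak control; the durable defence is context-aware output encoding at the point where the value is rendered.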

Costs, scheduling, retakes, and certificate management

  • Exam fee: The BSCP launched at $99 per attempt, and recent candidate write‑ups continue to report $99 in 2025–2026 (local taxes may apply). Always confirm the current price at checkout in your PortSwigger account.

  • Required software: Burp Suite Professional costs $499 per user/year (as of 2026).

  • Scheduling and validity:

    • You have 12 months from purchase to schedule/use your attempt.

    • Results typically arrive within 3–5 working days.

    • Certificate validity: five years; verifiable via PortSwigger’s public portal.

Actionable takeaway: Budget for at least one retake when planning (time and money). If you pass first try—great. If not, your plan already accounts for a second shot.

How to showcase your BSCP (and convert it into opportunities)

  • On your resume/LinkedIn:

    • Add “Burp Suite Certified Practitioner (BSCP)” under Certifications with your verification link.

    • Under Skills, emphasize exploitation, chaining, and Burp Suite Pro proficiency.

  • In interviews/portfolio:

    • Highlight specific lab patterns you can reproduce under time pressure and how you prioritize under uncertainty.

  • In practice:

    • Bring your BSCP approach to client work—quick mapping, targeted scanning, payload adaptation, verified impact.

Actionable takeaway: Create a one‑page “BSCP case study” (sanitized) explaining a typical chain you solved (e.g., XSS → session hijack → admin takeover → file read) and use this in interviews to demonstrate thinking, not just badges.

Real‑world skills mapping: from labs to client work

  • Recon → targeted scanning → manual exploitation:

    • This is how many real engagements unfold; BSCP enforces good hygiene by design.

  • Cross‑user delivery and social‑technical chaining:

    • The exploit server and simulated victim reflect realistic attack delivery.

  • Defense bypassing:

    • Encoding/obfuscation techniques often turn “no” into “maybe”—a skill you’ll use on live apps with brittle filters.

  • SSRF and internal pivots:

    • The internal service on localhost:6566 trains your eye for back‑end exposure and data exfiltration paths you’ll meet in practice.

Actionable takeaway: After you pass, turn your pattern notes into a personal “engagement playbook.” Update it after every job to keep sharpening the exact skills BSCP measures.

Insights from recent exam takers (lessons learned)

  • Time management wins certs:

    • Successful takers stress moving methodically through the six flags, not rabbit‑holing. Speed comes from lab mileage and targeted scans.

  • Prep that pays off:

    • Finish Apprentice + Practitioner labs and use mystery labs to toughen your cold‑start discovery.

  • The vibe:

    • Feedback often calls the exam “challenging but fun”—short, intense, and focused on exploitation rather than documentation.

  • Process reminders:

    • Save and submit your Burp project; expect randomized app generation across attempts, so breadth beats memorization.

Actionable takeaway: Write a one‑line “if‑stuck” rule on a sticky note: “No new signal in 15? Change function or targeted‑scan next best insertion point.” Follow it religiously.

Final pre‑exam checklist

  • Logistics

    • Valid Burp Pro license active

    • Chrome updated; webcam/mic working; quiet space arranged

    • Government ID ready for automated check

  • Burp workspace

    • Fresh Burp project; autosave reminders

    • Favorite BApps installed (Param Miner, JWT Editor, Turbo Intruder as needed)

    • Custom wordlists/payload notes loaded

  • Reference kit

    • XSS/encoding cheat sheets

    • One‑page “first 20 minutes” checklist

    • Pitfalls vs. Counters card

  • Strategy

    • Budget time per stage with three checkpoint alarms

    • Plan one targeted scan per “stuck” event

    • Reserve last 10 minutes for Burp project upload and submission confirmation

Actionable takeaway: Do a dry run 48 hours before the exam with a 2‑hour practice lab and your exact setup—catch configuration snags early.


FAQs

Q1: Is BSCP open book?

Yes. You can use your own notes and the web during the exam.

Q2: Do I need Burp Suite Professional?

Yes. An active Burp Suite Professional subscription is required, and you must submit the Burp project from your session.

Q3: Are BApps and third‑party tools allowed?

Yes. Any BApp can be used, and tools like ysoserial and HTTP Request Smuggler are explicitly permitted.

Q4: How long do I have after purchase to sit the exam?

You have 12 months to use your exam purchase.

Q5: How quickly will I receive my results, and how long does the certificate last?

Results typically arrive in 3–5 working days. The certificate is valid for five years and is verifiable via PortSwigger’s portal.

Q6: What’s different between the Practice Exam and the real exam?

The practice exam is 2 hours and covers one vulnerable app. The real exam is 4 hours and covers two apps (six stages total).


Conclusion

The Burp Suite Certified Practitioner is a sharp, skills-first credential that proves you can do the work—fast, under pressure, and with impact. If you build your preparation around PortSwigger’s official path, practice targeted scanning plus manual exploitation, and enforce ruthless time discipline, you’ll be positioned to pass with confidence. Set your date, rehearse your playbook, and go earn it.
