GWAPT — GIAC Web Application Penetration Tester
GWAPT is the cert that proves web-application pentest depth. SEC542 is widely considered the most thorough taught web-pentest curriculum, and GWAPT is what SANS-trained app-pentesters carry. For OWASP ASVS L2/L3 engagements, OWASP API Top 10 coverage, and SSRF/IDOR/auth-flaw work, GWAPT signals exactly the right specialisation. The CyberLive format means you have actually exploited the bug class — not just answered a question about it.
Deep, web-specific material with a CyberLive component. The breadth of the OWASP attack surface (auth, injection, SSRF, deserialisation, OAuth/OIDC) plus the open-book indexing discipline make it demanding.
Cost, hours and exam shape.
- Vendor: GIAC (SANS)
- Level: Professional
- Exam style: Open-book + CyberLive web VM
- Prep hours (median): ~180 hours
- Exam cost (USD): $999
- Difficulty: 4/5
Pursue this if…
- You specialise (or want to) in web and API penetration testing.
- You deliver OWASP ASVS L2/L3 or OWASP API Top 10 engagements and want a credential that proves the depth.
- You are a full-time bug-bounty hunter wanting a syllabus that tracks real payouts.
- Your employer will sponsor SANS SEC542 — the canonical web-pentest curriculum.
What you actually sit.
Proctored exam: 75 questions, 2 hours, 71% cut score. Open-book with an indexed reference. CyberLive questions require live interaction with a target web application via a browser-based VM.
Where you should be before you book.
- No formal prerequisites; SANS recommends SEC542 (Web App Penetration Testing and Ethical Hacking) or strong web-pentest experience
- Working knowledge of HTTP, HTML, JavaScript and at least one server-side language
- Hands-on familiarity with Burp Suite or OWASP ZAP
A study plan you can actually follow.
- Build a web foundation: Lock in HTTP, the OWASP Top 10 and Burp Suite Pro daily use. PortSwigger Web Security Academy (free) is the best on-ramp before the cert material.
- Work SEC542 or the WAHH path: Take SANS SEC542 if sponsored; otherwise pair the Web Application Hacker's Handbook, PentesterLab and 200+ hours of lab boxes against the syllabus.
- Index for the open-book exam: Tab and index your notes and courseware. Like all GIAC exams, the quality of your index drives your score on the written questions.
- Drill CyberLive against live apps: Practise exploiting IDOR/BOLA, SSRF, injection and deserialisation live in a browser-based VM, then validate timing with the included practice tests.
From the operator side of the desk.
Our web and API pentest stream is led by operators with GWAPT or equivalent depth (OSWE, deep PortSwigger Academy completion + portfolio). GWAPT's emphasis on authentication, session, IDOR/BOLA and SSRF directly maps to the OWASP ASVS and OWASP API Top 10 control sets that we deliver against on every web engagement. Pairing GWAPT-trained leads with Burp Suite Pro is our default setup for application security work.
Questions people ask before booking.
GWAPT vs OSWE — which is the better web-pentest cert?
OSWE goes deeper on source-code-assisted exploit development (whitebox web pentest). GWAPT is broader — it covers the full OWASP web attack surface from a blackbox/greybox perspective. For bug-bounty hunters and consultants doing blackbox app testing, GWAPT is the better fit. For source-code reviewers and serious exploit-chain developers, OSWE wins. Many senior app-pentesters end up with both.
Will GWAPT help me earn from bug bounty?
More than most certs. The syllabus tracks closely to what platforms (HackerOne, Bugcrowd, Intigriti) pay out on — IDOR, SSRF, auth flaws, SQLi, deserialisation, OAuth misconfig. GWAPT plus 500 hours on PortSwigger Web Security Academy plus a public write-up portfolio is a credible bug-bounty foundation.
Do I need SANS SEC542 to pass GWAPT?
Helpful but not required. The course is the canonical prep, and most candidates take it on an employer-funded budget (USD 8,000+). Self-study is feasible with the WAHH book, PortSwigger Academy, Burp Suite Pro daily use and 200+ hours of practical lab work on platforms like HackTheBox web challenges and PentesterLab.
Is GWAPT enough for OWASP ASVS L3 work?
It is a strong starting point but ASVS L3 (the highest level — used for high-value, regulated apps) needs more than any cert provides. L3 requires source-code review, threat-modelling, cryptography validation and architecture-level coverage. Pair GWAPT with secure-code-review chops and a working understanding of the ASVS v4.0.3 spec itself.
What is the maintenance cost?
Four-year cycle. 36 CPE credits plus USD 469 renewal fee. CPEs can come from SANS courses, conferences, publishing, mentoring or retaking the exam. Most working app-pentesters maintain CPEs naturally through ongoing engagements and conference attendance.
Need a qualified team to deliver the engagement?
We can field operators with GWAPT (and the rest of the stack — OSCP, OSEP, CISSP, CISM) on engagements in 5 to 10 working days. Letter of Attestation includes the lead-tester credentials so your auditor can verify.