Pentest Exam (BACPP)
Successfully complete a penetration test and get our pentest certificate: Binsec Academy Certified Pentest Professional (BACPP).
The BACPP certificate shows third parties that you can
- compromise IT systems and develop zero day exploits,
- examine networks and applications for vulnerabilities in a reproducible process,
- list all your findings in a structured report for a client and prioritise them according to their risk,
- professionally carry out a multi-day penetration test.
At the start of the course, our portal provides you with
- access to the digital course materials (information for the exam),
- your OpenVPN access data for the virtual network of "Vulnus Health Inc.".
You will get 5 days access to the IT infrastructure of "Vulnus Health Inc.", which comprises multiple network segments. During this time, your job is to carry out a penetration test of the IT systems and applications. You will note down the results of your penetration test in a final report and send it to us encrypted. If the report is structured, intelligible, logical and complete and if you have identified the most important vulnerabilities of the "Vulnus Health Inc." network, you will receive the BACPP certificate as proof of your achievement.
It goes without saying that you must have a computer to perform penetration tests at the network and application level. This computer must run Linux (e.g. Debian, Ubuntu, Kali Linux), which you can also operate virtualised, e.g. with VirtualBox. We recommend the following hardware:
- min. 6 GB of RAM
- min. 20 GB of free hard disk space
- Internet speed of 1 Mbps or more
To connect to our lab, you need the open source software "OpenVPN". If you use a firewall that restricts outgoing data traffic, e.g. in a corporate network, you may need to enable (or have enabled) the associated TCP port. We will provide you with the port number together with the configuration file for your VPN. For technical reasons, this is not the default port of OpenVPN.
"The BACPP's laboratory, which is based on a real corporate infrastructure, was detailed and diversified. So it was fun to put my skills to the test and gain additional experience while doing so." - Florian Struck
"Metaphorically speaking, I had to bang my head against the wall to pass the BACPP exam - they don't make it easy on you, that's for sure. But in the end, it made it easier for me to find work as an IT Security Consultant and it gave me the necessary know-how to carry out a professional pentest." - Saed Alavi
"The BACPP exam helped me considerably in understanding the difference between professional pentesting and mere hacking. The 'Pentest 101' course from the optional pentest training prepares you excellently for your job and thus for the certification." - Niklas Bessler
Below are the most common questions and answers about the exam:
The exam is basically about you performing a penetration test on an unfamiliar IT infrastructure. To ensure that no vulnerabilities are left uncovered, you need a reproducible approach - you should be well familiar with the OWASP Testing Guide for this purpose. It is also a matter of routine for pentesters to stay up to date on (new) technologies, which is why the vulnerability types are not predefined in the exam and may vary from exam to exam. A professional penetration tester would need about 2 to 3 days (at 8 hours a day) for this pentest, while you have lab access for 5 days. However, please keep in mind that we place emphasis on performing professional penetration tests: this includes a well-founded, extensive report that you would hand over to the client in the real world.
To prepare for the exam, you can use our Pentest Training to formulate a structured approach, which you can then test on a fictitious company. Once you are able to independently identify vulnerabilities in most applications and systems of Dubius Payment Ltd. without the help of our system, you are ready for the exam. Please be aware that pentesting generally means uncovering all vulnerabilities in an IT system - the exam goes beyond revealing just some vulnerabilities. As a writing exercise, we also recommend that you prepare a complete Pentest Report for the payment gateway (API) of Dubius Payment Ltd. You may optionally send this to us as part of the pentest training, so that we can give you feedback on the structure of your report. Last but not least, please note that the fictitious companies used for the pentest training and the pentest exam are different, which is why the services and applications also differ.
Yes, you may repeat the exam. Contact support to get a voucher for a discount if you failed the exam.