BSG Web Application Pentester Training

Build your web application security skills with our penetration testing training program. Hack into your cybersecurity career!

Web Application Pentester Training

Learn pentesting online with the BSG Web Application Pentester Training (BWAPT) program. This pentesting course helps web developers, QA engineers, and IT professionals obtain ethical hacker skills and start a career in cybersecurity, penetration testing, or bug hunting.

BWAPT teaches fundamentals of application security and web application pentesting. The program covers modern web application vulnerabilities and attacks and fully covers OWASP Top 10. Students get practical assignments in the online labs through the course. After completing the study, the students can attempt the final examination and get a BSG Web Application Penetration Tester certificate.

Training Details

  • April-May 2023
  • 8 hours per week for lessons and homework
  • Online classes in Zoom. Private videos on YouTube.
  • Practical tasks in the interactive online labs
  • Certificate of Completion to all students, Certificate of Achievement after successfully passing the exam
  • Feedback & Support: private Discord chat to interact with trainers during and after the course

How to Learn Web Penetration Testing?

The BSG Web Application Penetration Testing online course covers all skills necessary to conduct high-quality web application penetration tests.

By taking this web application security testing course, you will:

  • Learn web application penetration testing techniques
  • Train to simulate real-world application-level cyber attacks
  • Get familiar with the best web application pentesting tools
  • Boost your career and get access to broader job opportunities
  • Obtain a web penetration testing certification

BWAPT 3.0 Training Program

  • Online classes

    The training course spans eight lessons of about three hours each. The students have one lesson per week. Classes are taught live in Zoom by the BSG pentesting experts who focus on the related topics. We record all lessons and privately share them on YouTube for your review if you miss a class.

  • Practical assignments

    Our tutors assign students tasks to solve in the online labs throughout the course. The assignments vary from topic to topic and aim at strengthening the students’ understanding of the material. Tutors guide and support the students in their homework and remain available in a private Discord channel throughout the course.

  • Certification exam

    The course exam is a real-world web application pentest. In the end, students document their findings and prepare an industry-grade pentest report. All students get an attendance certificate and an opportunity to pass the final exam and get a certificate of achievement. Those who successfully pass the exam are awarded a BWAPT certified status.

We are not afraid to share our knowledge. In fact, as part of our mission, we teach ethical hacking. One might say we do it for money; others suspect this is how we find and train new employees. But we just love what we do and wish others could do and enjoy it too.

Vlad Styran


Co-founder & CEO

Prior Knowledge

To learn web app pentesting, you should be familiar with the following:

  • HTML. You should know the markup tags (A, INPUT, SCRIPT, etc.) and how to use them.
  • JavaScript. There is no need to be a JS expert, but knowing the basics is necessary. Knowing how to pop up an alert() in a browser window will be enough.
  • SQL. A basic understanding is necessary; we will teach the rest. You should be familiar with the main SQL verbs like SELECT or INSERT.
  • HTTP. You should know the protocol structure and its main elements, such as headers, cookies, request types, and (roughly) response codes.

Training Schedule

Day 1

Introduction to application security and penetration testing.

  • Training introduction and orientation.
  • Web technology fundamentals.
  • Penetration testing methodology.
  • Configuring the testing environment.
  • Introducing Burp Suite Proxy.

#appsec #pentest #burpsuite #http #proxy #www

Day 2

Reconnaissance methodology, tools, and hacks

  • Mapping the penetration testing scope.
  • Automation of asset discovery.
  • Web application enumeration.
  • HTTP host header security issues.
  • Sensitive information disclosure and data leaks.

#recon #scanning #discovery #osint #enumeration #hostheader #dataleaks #aws #s3

Day 3

Access control

  • Identification, authentication, and authorization.
  • Session management issues.
  • Insecure Direct Object Reference (IDOR).
  • Broken Access Control (BAC).
  • BAC discovery automation.

#access #authentication #authorization #idor #bac

Day 4

Server-side attacks. Part 1

  • SQL injection (SQLi).
  • NoSQL injection.
  • OS command injection.
  • Local File Inclusion (LFI).
  • Host header injection.
  • Attacking GraphQL.

#sqli #nosql #injection #lfi #graphql

Day 5

Server-side attacks. Part 2

  • Server-Side Request Forgery (SSRF).
  • Server-Side Template Injection (SSTI).
  • Insecure File Upload (IFU).
  • XML External Entity (XXE).
  • Insecure object deserialization.

#ssrf #ssti #ifu #xxe #deserialization

Day 6

Client-side attacks

  • Cross-Site Scripting (XSS).
  • Cross-Site Request Forgery (CSRF).
  • HTML injections.
  • HTTP response splitting.
  • Insecure open redirect.

#responsesplitting #openredirect #xss #csrf

Day 7

Business logic, crypto, and security misconfiguration

  • Business logic flaws and vulnerabilities.
  • Cryptography in web applications.
  • Security misconfigurations in the environment, headers, and beyond.

#businesslogic #misconfiguration #crypto

Day 8

Reporting, risk management, and negotiations

  • Risk assessment basics.
  • Security issue documentation.
  • Reporting and communication.
  • Presenting the pentest results.
  • Training summary and exam introduction.

#reporting #riskmanagement #communication #exam


We assign classes to the BSG experts who know the related topic the best. All our trainers have day-to-day hands-on experience in web application penetration testing and hold prestigious professional certificates. Besides that, they have vast public speaking experience at cybersecurity conferences and deliver the best training experience.

BWAPT trainers are experts who have day-to-day hands-on experience in web application pentesting projects and hold top industry certifications. Each topic is taught by the expert who is the best fit for it.

Besides their technical skills, our trainers deliver the best training experience. We provide corporate training, give practical workshops, arrange webinars, and speak at cybersecurity conferences. Our trainers are at the core of the OWASP Kyiv chapter and NoNameCon – Ukraine’s largest professional cybersecurity conference.

Serhii Korolenko

Security Consultant, Training Lead


Penetration tester. CTF game master. OWASP Kyiv chapter leader.


Serhii is an information security professional with vast experience in Application Security and Penetration Testing. He manages the full spectrum of appsec and pentesting engagements in the BSG portfolio.

As the BSG Training Lead, he is always up to date on the latest security trends and is passionate about organizing conferences and speaking publicly. He presented and volunteered at BruCON, OWASP Ukraine, NoNameCon, and TestingStage, among many others.

Serhii is fond of sports video games and loves flying his drone and taking footage of his picturesque travels.

Kyrylo Hobreniak

Security Consultant (OSCP, eWPTX)

Penetration tester.
Security trainer.
OWASP Kyiv chapter leader.


Kyrylo is a cybersecurity consultant specializing in web and mobile Application Security analysis, wired and wireless network Penetration Testing, and Social Engineering security assessments.

His passion for cybersecurity developed from his dedication to technical disciplines and a superpower of accumulating practical knowledge in astronomical amounts. Kyrylo is a talented trainer, and he contributes to the cybersecurity community by volunteering at OWASP Kyiv, OWASP Ukraine, NoNameCon, and other professional movements.

Roman Hunko

Security Analyst

Penetration Tester.
Professional community volunteer.


Roman is a cybersecurity engineer focused on the technical aspects of Penetration Testing, Application Security, and Social Engineering assessments.

Roman is working hard to develop his network pentesting skills and trains for the OSCP course and exam in the Hack The Box playground. Meanwhile, he has started sharing his knowledge with the community, as the best way to learn something is by trying to teach it.

Roman is a dedicated professional events volunteer and a hobbyist basketball player.

Andriy Varusha

Co-founder & COO (CISSP)

BSG services, operations, and quality leader.
IT auditor and cybersecurity consultant.


Andriy is an accomplished manager with 10+ years of experience in various industry verticals. He started his career in IT audit and consulting and continued in enterprise IT and custom software development services.

Andriy has experience in leading customer relationships in the US, UK, and Western Europe, where he was responsible for distributed teams and permanent engagements of different scales.

Andriy has stood at the roots of the Ukrainian cybersecurity professional community and has joined BSG to advance his contribution to the cybersecurity industry's development.
At BSG, Andriy acts as the Chief Services Officer and a security consulting practice lead.


What kind of job can I find after the web application pentesting course?

After completing the course and successfully passing the exam, you will fully qualify for a junior Penetration Tester position. Alternatively, you could start in cyber security bug bounty hunting.

How long does it take to become a web application pentester?

The BWAPT online training course lasts for two months. The coursework consists of one three-hour class per week and the homework in the online labs. The weekly load varies between 5 and 8 hours based on the student’s level of prior knowledge.

Does the course include a test or exam?

Yes. This course includes an examination: a realistic pentest of a test web application with real vulnerabilities in a virtual lab. After the certification exam, you will prepare a report of your findings. Your grade will depend on the report’s completeness and quality.

Does the course include a certification?

Yes. You will get a certificate of attendance at the end of the course. After successfully passing the certification exam, you will earn a certificate of achievement and the BSG Web Application Penetration Tester (BWAPT) title.

Can I combine the training with work or studies?

Yes. We have classes starting at 18:00 and finishing around 21:00 on Tuesdays (EET). We record the lessons and share them privately on YouTube for you to watch them later if you miss the class. You will also be able to revisit the videos before and during the exam.

I have never been involved in cybersecurity. Will I succeed?

Yes. However, we recommend starting the course with a basic understanding of HTML, JavaScript, SQL, and HTTP. Experience in IT or related fields will help a lot. We will teach all security topics in the class.

What languages are the courses in?

The web penetration testing online classes are available in English or Ukrainian, depending on the current group preferences. English is required to deal with documentation and online labs.

Is this course in-person or remote?

BWAPT is an online training course. You take classes in Zoom and have access to the online labs from wherever you want. All classes are recorded and remain available to you on YouTube.

Will I be able to communicate with tutors?

Yes. We will add you to a Discord server for all out-of-class communications with tutors and other students. You can use this server to get help from the training team and network with other security enthusiasts.