
Web Application Pentester Training

Build your web application security testing skills with our professional training program. Hack into your cybersecurity career!


Learn the offensive security fundamentals with the BSG Web Application Pentester Training (BWAPT) program. We have created this course to help software developers, QA engineers, and IT professionals obtain ethical hacking skills and even start a cybersecurity career.

The BWAPT program is split into two units: basic and advanced. First, the Basic course teaches application security and web pentesting fundamentals. Then, the Advanced course is a series of deep dives into complex and modern attacks on web apps. Through both courses, students have practical assignments in the freely available online labs. After completing both training units, the students are accepted to the final examination and get a chance to obtain the BSG Web Application Penetration Tester certificate (BWAPT).

Training Details






  • 10 hours per week, including the lessons
  • Online classes, privately recorded on YouTube
  • Practical tasks in the interactive online labs
  • Certificate of Completion to all students
  • Certificate of Achievement after successfully passing the exam

Feedback & Support

Private chat group to interact with trainers during and after the course

How to Become a Web Pentester?

The BSG Web Application Pentester Training program covers the skills required to start a web application security career.

You will benefit from this course if:

  • You are interested in learning web application hacking & penetration testing
  • You are an entry-level security professional looking for job opportunities
  • You are an IT pro looking to advance your skills in creating secure web applications
  • You are a student of tech majors at a Ukrainian university
  • You got bored with your current role in IT, be it QA, programming, DevOps, etc.

BWAPT Training Program

  • Online classes

    The training course spans 13 lessons, about three hours each. The students have two classes per week. Classes are recorded and remain available on YouTube, so you can review them if you missed a class. Our tutors are the BSG pentesting experts focusing on the corresponding areas.

  • Practical assignments

    Throughout the course, our tutors assign students the tasks to solve in the online labs. The assignments vary from topic to topic and aim at strengthening the students’ understanding of the material. Tutors guide and support the students in their homework.

  • Exam and certification

    The course exam is a week-long real-world web application pentest. In the end, students document all findings and prepare an industry-grade pentest report. All students get an attendance certificate, but only those who completed both units of this course can take the final test and get a certificate of achievement.

As part of our mission, we teach others how to pentest. One might say, we do it for money, others suspect this is how we find and train new employees. But in fact, we just love what we do and wish others could do and enjoy it as well.

Vlad Styran


Co-founder & CEO

Prior Knowledge

We expect all our students to be familiar with the following:


You should know the markup tags (A, INPUT, SCRIPT, etc.) and how to use them.


There is no need to be an expert, but you should know the basics. If you can pop up an alert(), you are good to go.


Only the basics, we will teach you the rest. You should know how to use the main verbs like SELECT or INSERT.


You should know the protocol structure and its main elements, such as headers, cookies, request types, and (roughly) response codes.

Training Schedule

Module 1

Day 1

Introduction to application security and penetration testing.

  • Web technology fundamentals.
  • Configuring the testing environment.

#appsec #pentest #burpsuite #http #proxy #www

Day 2

Reconnaissance and enumeration

  • Mapping the penetration testing scope.
  • Automation of asset discovery.

#recon #scanning #discovery #osint #enumeration

Day 3

Access control

  • Identification, authentication, and authorization.
  • Session management.
  • Insecure Direct Object Reference.

#access #authentication #authorization #idor

Day 4

Server-side attacks. Part 1

  • SQL injection.
  • OS command injection.
  • Local file inclusion.
  • Host header injection.

#sqli #injection #lfi

Day 5

Server-side attacks. Part 2

  • Server-side request forgery.
  • Server-side template injection.
  • Insecure file upload.

#ssrf #ssti #ifu

Day 6

Client-side attacks

  • Cross-site scripting.
  • Cross-site request forgery.
  • HTML injections.

#xss #csrf

Day 7

Crypto and the web

  • Cryptography basics.
  • Introduction to cryptanalysis.
  • Crypto in web applications.
  • Common weaknesses and attacks.


Day 8

Business logic

  • Business logic flaws and vulnerabilities.
  • Security misconfigurations in the environment, headers, and beyond.

#businesslogic #misconfiguration

Module 2

Day 9

Attacks on web services

  • Web service security testing approach.
  • API security basics.
  • XML external entity.

#webservice #api #xxe

Day 10

Deep dive into client-side attacks

  • Advanced XSS exploitation.
  • PostMessage attacks.
  • Analyzing WebSockets security.

#xss #postmessage #websockets

Day 11

Deep dive into injection attacks

  • Advanced SQL injections.
  • NoSQL injections.
  • ORM injections.
  • Attacking GraphQL.

#sqli #nosqli #ormi #graphql

Day 12

Pentesting the cloud

  • Cloud security basics.
  • Request smuggling attacks.
  • Insecure object deserialization.

#cloud #smuggling #deserialization

Day 13

Reporting, risk management, and negotiations

  • Risk assessment basics.
  • Issue documentation.
  • Reporting and communication.
  • Presenting the pentest results.

#reporting #riskmanagement #communication


We assign classes to the BSG experts who know the related topic the best. All our trainers have day-to-day hands-on experience in web application penetration testing and hold prestigious professional certificates. Besides that, they have vast public speaking experience at cybersecurity conferences and deliver the best training experience.

Your trainers are the experts who have day-to-day hands-on experience in web application security and penetration testing and have top industry certifications. An expert who is the best fit for the topic teaches it to students.

Besides their technical skills, our trainers provide the best training experience. We provide corporate training, give practical workshops, arrange webinars, speak at cybersecurity conferences, and organize them. Our trainers are at the core of the OWASP Kyiv chapter and the NoNameCon – Ukraine’s largest professional cybersecurity conference.

Serhii Korolenko

Security Consultant, Training Lead


Penetration tester. Conference speaker. OWASP Kyiv chapter leader.

Serhii is a cybersecurity pro with vast experience in both Application Security and Penetration Testing. He manages the full spectrum of appsec assessments and penetration tests from the BSG portfolio.

As a training lead, he is always up to date on the latest security trends and is passionate about organizing conferences and speaking publicly. He presents and volunteers at various events, BruCON, OWASP Ukraine, NoNameCon, and TestingStage, among others.

Serhii is fond of sports videogames and loves flying a drone and taking footage of his picturesque travels.

Kyrylo Hobreniak

Security Consultant OSCP, eWPTX

Penetration tester.
Security trainer.
OWASP Kyiv chapter leader.

Kyrylo is a cybersecurity consultant specializing in web and mobile Application Security analysis, wired and wireless network Penetration Testing, and Social Engineering security assessments.

His passion for cybersecurity developed from his dedication to technical disciplines and a superpower of accumulating practical knowledge in astronomical amounts. Kyrylo is a talented trainer, and he contributes to the cybersecurity community by volunteering at OWASP Kyiv, OWASP Ukraine, NoNameCon, and other professional movements.

Anatolii Bereziuk

Security Consultant OSCP, eWPTXv2, eCPPTv2

Penetration tester. Security trainer.
OWASP Kyiv chapter leader.

Anatolii is an information security professional who got bored with security management and compliance and transformed into a practical cybersecurity expert.

In the BSG team, he leads Penetration Testing and Application Security projects and consults customers on issue remediation.

Anatolii demonstrates a strong expertise in Web Application, Cloud Infrastructure, and Network security. He is an athlete and long-distance runner, and he never stops learning and sharing his knowledge at cybersecurity conferences.

Ihor Bliumental

Security Consultant,
Application Security Lead

Top 20 bug-hunter on BugCrowd.
Co-founder of OWASP Kyiv & NoNameCon.

Ihor Bliumental is a world-class application security expert and one of the most successful bug-hunters globally. He was named the BugCrowd MVP multiple times and submitted around 150 vulnerabilities within bug bounty programs of global brands such as MasterCard, Netflix, Upwork, Tesla, and others.

At BSG, Ihor leads, plans, and coordinates all our security assessment projects and coaches the teammates on various cybersecurity aspects.

He is a compulsive book reader and a professional intellectual games team captain.

Vlad Styran

Co-founder & CEO OSCP, CISSP, CISA

BSG business and cybersecurity strategist.
Cybersecurity expert, ethical hacker, keynote speaker, trainer, and consultant.

Vlad Styran is an internationally known cybersecurity professional with 15+ years of experience in Penetration Testing, Social Engineering, and Security Awareness. He currently holds OSCP, CISSP, and CISA credentials and was certified as C|EH, ISO27001LA, and many more throughout his career.

Vlad is a co-founder of the OWASP Kyiv chapter and the NoNameCon cybersecurity conference. He is a notable blogger, podcaster, and conference speaker.

At BSG, Vlad is responsible for our growth and customer experience. His involvement allows us to deliver first-rate cybersecurity consulting services in software security, cybersecurity awareness, cybersecurity strategy, and security investment.

Anna Zhmurko

Security Analyst OSCP, CEH

Penetration Tester

Anna is a security professional who focuses on Penetration Testing, web and mobile Application Security, and Social Engineering. She is highly skilled in malware analysis and security code review. Anna is an OSCP- and CEH-certified mid-level security professional.

She is passionate about learning and hangs out at Cybrary and HTB, plays and wins CTF competitions, and solves online challenges.

Anna loves sharing her knowledge with colleagues and customers, she is fond of table games, and she has the most adorable puppy in the world.

Roman Hunko

Security Analyst

Penetration Tester.
Professional community volunteer.

Roman is a cybersecurity engineer focused on the technical aspects of Penetration Testing, Application Security, and Social Engineering assessments.

Roman is working hard to develop his network pentesting skills and trains for the OSCP course and exam in the Hack The Box playground. Meanwhile, he has started sharing his knowledge with the community, since the best way to learn something is to try to teach it.

Roman is a dedicated professional events volunteer and a hobbyist basketball player.


I have never been involved in cybersecurity. Will I succeed?

Yes! However, we recommend starting the course with basic prior knowledge of HTML, JavaScript, SQL, and HTTP. If you have IT or related experience, it will help a lot. We will teach all security-related topics in the class.

Why is this penetration testing course beneficial?

We made this course for those who are interested in learning:

  • How to perform penetration tests and application security assessments
  • How to find and demonstrate security vulnerabilities in modern web applications
  • How to secure the software from malicious hackers

Does the course include a test or exam?

Yes! This course includes a week-long exam in the virtual lab. An examination task is a real-world web application penetration test scenario. You will get access to a personal test web application that has real security vulnerabilities. After a week in the lab, you will prepare a report that describes all your findings. Your grade will depend on the completeness of results and the report's quality.

Does the course include a certification?

Yes! You will get a certificate of attendance at the end of the course. After you successfully pass the final exam, you will earn a certificate of achievement and the BSG Web Application Penetration Tester (BWAPT) title.

What is the course workload?

The coursework consists of two three-hour classes per week and the homework in the online labs. From experience, we can say that based on the student’s prior knowledge level, the weekly load varies between 10 and 14 hours.

Can I combine the training with work or studies?

Yes! We usually have classes starting at 16:00 and finishing around 19:00 on Tuesdays and Thursdays. We record the lessons and share them privately on YouTube, so you can watch them later if you miss the class. You will also be able to revisit the videos before and during the exam.

What languages are the courses in?

We teach primarily in Ukrainian. Basic English is required to deal with documentation and online labs.

Is this course in-person or remote?

This training course is entirely remote. You take classes in Zoom and have access to the online labs from wherever you want.

Will I be able to communicate with tutors?

Yes! We will add you to a Discord server for all out-of-class communications with tutors and other students. You can use this server to get help from the training team and network with other security-minded people.

What kind of job can I find after the course?

After completing the coursework and successfully passing the exam, you will be qualified to take a junior penetration tester position or start a security bug bounty hunter career.