Sunday, April 19, 2015

Passed the GWAPT cert

I took the SANS GIAC Web Application Penetration Tester (GWAPT) class back in December of 2014 in Washington DC with Eric Conrad. I had been procrastinating for several months before I finally had to break down and take the certification before my time expired in late April 2015.
Spent a few days going over the books to refresh me on the content that we went over, and took one of the practice exams and actually did not do too well on it. Never having taken a SANS cert before, I was not sure what to expect, and probably should have actually allowed for the 2 hours to sit the practice test. Rushed through it and guessed a lot of the questions, and did not remember going over half of the info. (Note to self: actually read the questions and each answer and not just say that looks good.) Overall I was a little frustrated after the first practice exam, since I have been doing this for about 3 years now, and many of the questions seemed to be based on opinion, and not actual facts. Several of the questions had more to do with general penetration testing than actual web application testing, like needing to know the TTL from a DNS request for a domain name.
So I read the books a few more days before taking the second practice test, which I did much better on, since I had some idea of what to expect on the test. Did rush through it again; actually did the entire test in 48 minutes. Which is really not that great, but I just wanted to make sure I had some idea what the real test would be like. Two days later I sat for the actual GWAPT test, and planned to take my time and read every question thoroughly.
Sat for the exam on April 9, 2015. Finished the test and passed it fairly easily, but was somewhat perplexed that it had nothing similar to the practice tests. It seemed that the practice exams had nothing to do with the actual exam. Many of the questions were topics that were in the books, but never brought up in the practice tests. Which frustrated me a little, since I had to spend a little more time looking for some of the answers that I had not really gone over previously.
So anyone planning on sitting the exam who has not taken a SANS cert before: plan accordingly to make sure you know all of the content in the books. Do not expect that the practice exams will actually prepare you for the real test; they might actually make you study information that is never asked on the exam.


  1. Hey, just to be curious, how much did you score in practice tests? I have my main exam in 5 days, and looking at your blog I felt the same. I scored 65%, but yeah, some were rushing mistakes, some were silly mistakes. Does the main exam reflect the same preview of practice tests? I will take my second test tomorrow after doing some more study.

  2. I think I made a 70 on the first test and an 80 on the second test. Many of the test questions were not on my actual test. Biggest thing is to make sure you feel confident about your knowledge of the materials in the books. Take your time and read each question carefully.

    I recommend reading each question at least twice, to make sure you understand what they are looking for.

    Make sure you have tabbed your books, and make a matrix sheet of the topics in the books and page numbers. Also remember there will be questions you will have no clue if they are in the books. I remember about two or three questions I could never find in the books or an answer to.

    The night before, just do some light reading and do not try to cram. If you do not already know most of the materials it will not help trying to cram.

    Good luck...