eWTPXv3: A review and some advice.
I’ve been working in IT/cybersecurity for almost 4 years — most of which has been spent in offensive security. Through the years I’ve done a lot of end-to-end pentesting assessments of all types. However, I’ve always felt that Web App Security was my weak point. To remediate this issue, I took on the eWPTX certification.
TLDR: Just do the Burp Suite Certified Professional certification if you want to get better at web app hacking. If you want a shiny certificate that HR will smile upon, buy the eWPTX exam voucher and do the Portswigger labs as preparation — don’t worry about the eWPTX course (unless you’re a beginner).
Why eWPTX?
There were a few reasons that I chose the eWPTX. Firstly, it was listed on my career growth track plan (I need it if I want to move up the ranks at work). Secondly, it has a pretty good reputation. Thirdly, I did eJPT in 2021 and thought the content was decent and the exam process was nice, so INE was a safe bet. And finally, it’s for those who want to take web app security to the eXtreme (which I did).
The Course
In September of 2025, I got on a call with the company finance guy and he paid for my eWPTX course and exam voucher 🙂 I instantly dove into the content and quickly realised that it wasn’t what I was hoping for. Don’t get me wrong, the content is great, it just wasn’t the eXtreme hacking that I was promised. The course is very broad and covers all the important topics, but it doesn’t go as deep as I would have liked. There are hours and hours of videos and hundreds of slides, but I think the key info could be covered in 25% of the time. I understand that going slow and broad helps people patch any and all knowledge gaps that people have, but it just makes it difficult for slightly more experienced people to make it through the course content (because they would get bored).
The best part of the course is the labs (which is common in my experience). Finishing the labs will prepare you well for the exam. And taking the lab time to get used to the Guacamole browser testing environment helped me, since the exam is taken in the same in-browser testing environment.
The Exam
On the 29th of December 2025, I opened up the INE website and started the exam. The exam doesn’t need to be scheduled, you can just start it whenever you want. You are given 18 hours to finish 45 multiple-choice questions. Many of the questions require you to perform pentesting on the exam lab to find the answer, but other questions just need a quick Google search.
I can’t say too much about the exam lab, but I will say that it is CVE and PoC script heavy. Most of the exam is enumeration, Googling CVEs and scouring GitHub for exploit scripts. There wasn’t any eXtreme hacking required. I passed the exam with 77% within 5 hours (including a trip to the grocery store).
Overall, I enjoyed the exam. It was a chilled and fun experience — just hacking some web apps and pasting some flags, passwords, and keys into the exam question textboxes. Thanks, INE.
My Advice
Do the Portswigger labs (and read the content). The Portswigger course content is amazing and the labs are awesome. In preparation for the eWPTX exam, I suggest the following Portswigger topics and labs.
Specifically focus on the SQL injection, JWT hacking, and API testing. If you do those labs, and you have Google, the exam will be a piece of cake and you’ll add a really nice certification to your name.
However, if you actually want to learn to perform great pentests on web applications, I’d suggest doing absolutely everything on the Portswigger academy and then taking on the BSCP exam. I haven’t done it yet, but it’s on my list for 2026.
Look At My Shiny Certificate
I hope this review helps someone or gives them the confidence to try the eWPTX exam. Anyway, look at my certificate 😎 and have a great day.
