AWAE Frequently Asked Questions


1. What is AWAE and the OSWE?

    1. Advanced Web Attacks and Exploitation (AWAE) is an advanced web application security course that earns students who pass the exam the Offensive Security Web Expert (OSWE) certification. We recommend it as an option for skills specialization after completing PWK.

      Certified OSWEs have a clear and practical understanding of white box web application assessment and security. They’ve proven their ability to review advanced source code in web apps, identify vulnerabilities, and exploit them.

      OSWEs can: 

      • Perform web app source code auditing
      • Write scripts and exploit web application vulnerabilities
      • Implement complex chained attacks using multiple vulnerabilities
      • Use creative and lateral thinking to determine innovative ways of exploiting web vulnerabilities

      They are able to assist web development teams in creating and maintaining web apps that are secure by design. The course syllabus is available here.

2. How/where can I take AWAE?

    1. We offer AWAE online, with occasional live courses worldwide. If you would like to take AWAE at Black Hat USA, you must register via the Black Hat website. The official AWAE course is only available from OffSec. We list the dates and locations for live courses on the AWAE course page when they are available, so check there first if you’re looking for live training. 

3. How can I register for AWAE and the OSWE exam?

    1. Individuals and those with voucher codes can register for AWAE online. Students who are considering registering as part of a group, business, or organization, as well as managers purchasing for a team, should contact us to learn about our OffSec Flex Program.

      If you are already a student and would like to purchase another course or more lab time, please use the purchase link you received when you made your first purchase with OffSec. If you’re an existing student and you attempt to purchase via the online registration process, you will be directed to use the purchase link. If you can’t find your purchase link, you can recover it here.

      To register for the OSWE exam, use the link we provide in your welcome pack after purchasing AWAE. 

4. What are the requirements?

    1. Advanced Web Attacks and Exploitation expects that students have the following before starting the course:
      • Familiarity with coding languages such as: Java, .NET, JavaScript, Python
      • Familiarity with Linux: file permissions, navigation, editing, and running scripts
      • Ability to write simple Python / Perl / PHP / Bash scripts
      • Experience with web proxies, such as Burp Suite and similar tools
      • General understanding of web app attack vectors, theory, and practice (covered in PWK)

      In addition to our recommended prerequisites above, we typically require students to be at least 18 years old to take a course. There are age exceptions for younger students who wish to apply, however, subject to rigorous application checks in order to comply with age-related compliance laws.

      For hardware, we recommend a minimum of 4 GB of RAM installed with at least a dual-core CPU and 20 GB of free hard drive space.

      The connection to the labs is done with OpenVPN using Kali Linux. You should use a stable, high-speed internet connection such as broadband or higher to access the labs, not mobile internet (3G/4G/5G data connection).

5. Can I start the exam immediately after purchase? What if I still have lab time, but feel ready?

    1. It is not possible to schedule your exam before your course start date. You will be provided with an exam scheduling link once your course begins.

      We recommend registering for AWAE at least 10 days prior to your desired course start date. You’ll be able to schedule your exam within 120 days of your AWAE lab ending date.

6. What dates are available to take AWAE?

    1. Available dates can be seen when you register. They typically open for the next few months. If you would like to register for a future course date that isn’t listed, simply complete your purchase with the latest available date and reschedule by contacting our team. Please include your OSID when you contact us.

7. How long is the OSWE certification good for?

    1. Once you’ve earned your OSWE certification, it’s yours. There are no subscriptions, renewals, membership fees, or other requirements to requalify with OffSec.

8. What is the cost?

    1. AWAE starts at $1400 (all prices in USD). There is no price increase for the new 2020 version with 50% more content. This base price includes 30 days of lab access plus the OSWE exam fee. Increasing lab time to 60 or 90 days increases the cost.

      Active AWAE students will receive the new course material for free. They’ll also receive 30 days of bonus lab time, and access to the 7 new machines.

      Alumni can have access to the new materials, new machines, and 30 days of lab time for $99, one time only.

      See “Course Pricing” on the AWAE page for more information, including lab extensions and upgrades to the new course material.

      Please note that these prices are for the online version of the course, purchased via the Offensive Security website. Live courses, including training at Black Hat USA, may have different fees.

9. I already bought the previous course and need a lab extension. Will I have to upgrade to the new course?

    1. No, you are not obliged to upgrade. Active students will receive the new course material for free, by accessing their purchase link and “buying” the upgrade for $0. If approved, they will automatically receive the update. They’ll also receive 30 days of bonus lab time, and access to the 7 new machines. Alumni can purchase the new materials, new machines, and 30 days of lab time for $99.

10. Is this course available live?

    1. Yes, we occasionally offer this course live and list the dates and locations for live courses on the AWAE course page when they are available. When no live courses are available, this course is available online.

11. How is this course different from PWK?

    1. PWK is a penetration testing training course designed for information security professionals. It is the foundational course at OffSec; we recommend all students new to our trainings start here. AWAE is for advanced infosec professionals as a skill specialization course on web application security. 

12. What is the difference between AWAE/OSWE and CTP/OSCE?

    1. The Offensive Security Advanced Web Attacks and Exploitation (AWAE) course focuses on advanced web application security for experienced pentesters and web developers. Taking AWAE and passing the exam earns you the Offensive Security Web Expert (OSWE) certification.

      Cracking the Perimeter (CTP) focuses on exploit development, and is for penetration testers looking to advance their pentesting skills after completing PWK. Passing the exam will earn students the Offensive Security Certified Expert (OSCE) certification.


What’s updated for 2020:

13. What has changed with the update?

    1. The new version of AWAE contains 50% more content (150 more pages!), three new custom private lab machines, and three new modules for twelve total machines. For full details, please visit the AWAE course page and the announcement blog post.

14. Does the update affect the exam content?

    1. As noted in the announcement blog post, the OSWE exam, proctoring, and certification procedures will remain the same at this time. Both versions of the AWAE course prepare you for the exam. We do not comment on the content of the OSWE exam, what may/may not be covered, or the pass/fail rate.


Taking the OSWE exam:

15. How do I prepare for the OSWE exam?

    1. We recommend that you be comfortable reading and writing code in at least one language prior to taking the exam, and complete the exercises covered in the lab guide. The extra mile exercises proposed in the lab guide are also suggested for more thorough preparation.

16. How many points are needed to pass?

    1. Points will be awarded for partial and full completion of the exam objectives. Each specific set of objectives must be met in order to receive full points. You must achieve a minimum score of 85 points to pass the exam. There is a maximum of 100 points available on the exam.

17. What tools can I use during the exam?

    1. You cannot use any of the following on the exam:

      • Source code analyzers
      • Automatic exploitation tools (e.g. db_autopwn, browser_autopwn, SQLmap, SQLninja etc.)
      • Mass vulnerability scanners (e.g. Nessus, NeXpose, OpenVAS, Canvas, Core Impact, SAINT, etc.)
      • Features in other tools that utilize either forbidden or restricted exam limitations

      You may, however, use tools such as Nmap (and its scripting engine), Nikto, Burp Free, DirBuster etc. against any of your target systems.


OSWE Opportunities:

18. What does the OSWE certification demonstrate? / What jobs or roles does it support? / Who is this course for?

    1. An OSWE certification shows employers that you understand the web application assessment and hacking process, and have a proven ability to review advanced source code in web apps, identify vulnerabilities, and exploit them.

      Possible careers include:

      • Software engineer
      • Web application developer
      • Full-stack web developer
      • Quality assurance analyst or tester 
      • Information security analyst or engineer 
      • Cybersecurity consultant
      • Penetration tester 

19. Are there networking and community opportunities?

    1. There are a number of ways you can connect with others who are either already OS certification holders, or on their journey: 

      You can also keep up to date with OffSec by signing up to be an OffSec Insider, or on social media:

20. Can I get CPE credits for this course?

    1. The AWAE course qualifies students for up to 40 (ISC)² CPE credits after they submit exercise documentation at the end of the course or pass the certification challenge.