SANS SEC542: Web App Penetration Testing and Ethical Hacking and GIAC Web Application Penetration Tester (GWAPT) Review



I’ve divided the review into five parts:

  1. Course SEC542, five days of sessions

  2. CTF contest (day 6)

  3. GWAPT Exam Preparation

  4. Exam day

  5. Summary

The SEC542 course, 5 days of sessions

Before the start of the course, the printed textbooks were shipped, and the pre-requisite system configuration instructions were emailed. The course was organized roughly according to the syllabus posted on their official website.

The course began with simpler topics and quickly progressed to more challenging ones in the subsequent days. Slack was used to communicate with instructors and monitor the lab progress of students.

Throughout the course, there was a great balance between theory and practical lab work. The course virtual machine is well-designed and an excellent tool for practice.

CTF contest (day 6)

On day 6, students compete against one another in a web-based CTF challenge to put their new skills to the test.

The CTF’s collaborative atmosphere was enjoyable and provided a great learning opportunity.

SANS Token issued for placing first in the CTF challenges:

GWAPT Exam Preparation

I scheduled the exam immediately following the course and gave myself three weeks to prepare. I began by reading the books and taking notes on each section’s key points in a new notebook.

I also followed The Cyber Mentor’s advice from his YouTube video, which you can view here: use post-it notes to navigate quickly to each section of the books.

I took a practice exam a week before the exam. The test was an exact replica of the actual exam, and it is an excellent way to gauge readiness for the real test. The test result also identifies potential areas for improvement. I felt prepared for the exam after completing the second practice test the day before the exam.

Exam day

I took the test at a nearby testing facility. I brought my handwritten notes and all of the printed SANS books to the test center because the exam had an open-book policy.

Compared to the practice exams, the exam was slightly harder and required close attention to detail.

In retrospect, I wish I had practiced SQL injection more before the exam because I found it to be particularly challenging.

I finished the exam with 30 minutes left and was informed that I had passed.

Summary

  • The SEC542 course is an excellent resource for web application penetration testers at the beginner and intermediate levels.

  • The course instructors are seasoned professionals who can share first-hand accounts of their pentesting journeys.

  • The locally available course VM is a fantastic resource for practice.

  • The best way to prepare is to read the books multiple times and take organized notes.

  • The practice tests are a great way to gauge exam readiness.

Overall, I found the course to be quite beneficial and the exam to be moderately difficult. The course is quite expensive, so I appreciate that my employer paid for it. If you find yourself in a similar situation, I recommend enrolling in the course.