PortSwigger Burp Suite Certified Practitioner (BSCP) Practice Test
Prepare for the Burp Suite Certified Practitioner exam with free practice tests focused on Burp Suite Professional workflows, web exploitation logic, and Practitioner-level vulnerability classes.
Mixed Set — BSCP Practice Tests
Practice across the main BSCP skill areas in one sitting. These mixed sets review Burp Suite usage, vulnerability discovery, exploitation flow, and the decision-making needed for PortSwigger-style practical web security challenges.
Domain Wise — BSCP Mock Tests
Target individual BSCP preparation areas with focused practice. PortSwigger does not publish official topic percentage weights for the live exam, so the weights below are study-planning estimates based on the common Web Security Academy areas most relevant to BSCP preparation.
About the BSCP Certification Exam
The Burp Suite Certified Practitioner is a practical certification for web security professionals who want to prove they can use Burp Suite Professional to find, exploit, and validate real application vulnerabilities.
What Is the BSCP?
The Burp Suite Certified Practitioner (BSCP) is PortSwigger's official certification for web security professionals. It validates deep knowledge of web vulnerability classes, the ability to exploit them with the right testing mindset, and practical skill with Burp Suite Professional.
The exam is aimed at penetration testers, application security testers, bug bounty hunters, and security consultants who need hands-on proof of web exploitation ability. It is especially useful for roles such as Web Application Penetration Tester, Application Security Engineer, Security Consultant, Bug Bounty Hunter, and Product Security Analyst.
In the United States, the Bureau of Labor Statistics reports a median annual wage of $124,910 for information security analysts, with the top 10 percent earning more than $186,420. Specialized web application security and penetration testing roles may vary by location, seniority, employer, and consulting experience.
Exam Format (2026)
Testing method: Online practical exam with automated proctoring and identity verification.
Applications: Two intentionally vulnerable web applications.
Duration: 4 hours.
Question types: Hands-on exploitation tasks, not multiple-choice questions.
Objective structure: Each application has three stages: access a user account, access the admin interface, and read the target secret file.
Passing score: PortSwigger does not publish a numeric scaled score; results are practical pass or fail.
Exam fee: The exam price is shown in the PortSwigger account checkout and is available in USD, GBP, and EUR. A valid Burp Suite Professional license is required.
Eligibility Requirements
Formal prerequisites: PortSwigger does not publish a required degree, job title, or years-of-experience prerequisite for BSCP.
Required account: You need a PortSwigger user account to purchase and start the certification exam.
Software requirement: You must have access to an active Burp Suite Professional license at the time of the exam.
Recommended skill level: You should be able to complete all Web Security Academy labs labeled Practitioner or lower without using the provided solutions.
Open book: The exam is open book, but you must complete it independently without help from another person.
Validity: A successful BSCP certificate is valid for five years.
BSCP Study Weights — Web Security Academy Focus Areas
PortSwigger does not publish official BSCP domain percentages. This table uses study weights to help you organize preparation across the vulnerability classes and Burp Suite skills most relevant to the practical exam.
| Area | Topic | Study Weight |
|---|---|---|
| Topic 1 | Fundamental Web Technologies | 10% |
| Topic 2 | Burp Suite Functionality | 15% |
| Topic 3 | Cross-Site Scripting (XSS) | 15% |
| Topic 4 | SQL Injection | 15% |
| Topic 5 | Cross-Site Request Forgery (CSRF) | 8% |
| Topic 6 | XML External Entity Injection (XXE) | 8% |
| Topic 7 | Directory Traversal | 8% |
| Topic 8 | Server-Side Request Forgery (SSRF) | 10% |
| Topic 9 | Adapting Attacks to Bypass Defenses | 11% |
How Our Practice Tests Are Designed
Practical-exam awareness — BSCP is not a traditional multiple-choice exam, so these quizzes do not pretend to duplicate the live test one-to-one. Instead, they strengthen the concepts, tool workflows, and exploit decision-making you need before attempting a hands-on exam.
Blueprint-style topic coverage — Mixed sets combine Burp Suite functionality, web fundamentals, XSS, SQL injection, CSRF, XXE, directory traversal, SSRF, and defense bypass logic. This helps you move between vulnerability classes rather than studying each topic in isolation.
Proportional timer — The real BSCP exam gives you 4 hours for two vulnerable applications and six exploitation stages. Because there is no official question count, each 20-question practice test uses an approximate 30-minute timer to encourage fast analysis while still giving enough time for scenario-based reasoning.
Topic-specific reinforcement — Domain-wise tests let you drill weak areas such as blind SQL injection, XSS exploitation flow, SSRF target selection, or Burp Scanner-assisted testing before returning to mixed practice.
BSCP Exam Preparation Tips
Study Strategy
Master Practitioner labs: PortSwigger recommends being able to complete every Practitioner-level Web Security Academy lab without using solutions. Treat that as the minimum readiness benchmark.
Practice exploitation chains: The exam requires more than finding a bug. You need to turn vulnerabilities into impact, such as stealing a session, extracting credentials, escalating to admin, or reading a target file.
Build payload notes: Keep a personal reference of XSS payloads, SQL injection extraction patterns, XXE structures, SSRF URL tricks, and encoding bypasses so you can move quickly during open-book testing.
Test-Taking Strategy
Follow the stages: Work in order: user access, admin access, then secret-file retrieval. Trying to jump ahead before completing the previous stage can waste valuable time.
Use Burp efficiently: Start with mapping, Repeater testing, targeted Scanner checks, and Collaborator where appropriate. A full application scan is usually not realistic inside the exam time window.
Avoid destructive actions: The exam applications contain powerful functionality. Deleting your own account or breaking core components can make the exam impossible to complete.
Frequently Asked Questions
Ready to Test Your BSCP Knowledge?
Start with a mixed set to check your readiness, then use topic-wise practice to sharpen the vulnerability classes and Burp Suite workflows that need more review.
Start BSCP Practice Test 1 →Authors
-
Security Practice Test Editorial Team is the expert content team at SecurityPracticeTest.com dedicated to producing authoritative cybersecurity certification exam-prep resources. We create comprehensive practice tests, study materials, and exam-focused content for top security certifications including CompTIA Security+, SecurityX, PenTest+, CISSP, CCSP, SSCP, Certified in Cybersecurity (CC), CGRC, CISM, SC-900, SC-200, AZ-500, AWS Certified Security - Specialty, Professional Cloud Security Engineer, OSCP+, GIAC certifications, CREST certifications, Check Point, Cisco, Fortinet, and Palo Alto Networks exams. Our content is developed through careful review of official exam objectives, cybersecurity knowledge domains, and practical job-relevant concepts to help learners build confidence, strengthen understanding, and prepare effectively for certification success.
-
Sudhanshu Thakur: ReviewerEnterprise Technology and Digital Transformation Professional with 18+ years of experience in enterprise software, SaaS, industrial automation, and business consulting. Formerly associated with Rockwell Automation, Tech Mahindra, Emerson, ABB, L&T Infotech, and Hewlett Packard Enterprise.