Oops!... We Did It Again!

Interview with Roldan on his eWPTv1 certification


Andres Roldan, our Offensive Team Leader, did it again! He earned another certification that proves his expertise as an excellent pentester! If you want to know more about his previous certification, you can check out our post about OSCE.

On this occasion, we are talking about the eLearnSecurity Web Application Penetration Tester certification (eWPT). It assesses a cybersecurity professional's web application penetration testing skills. The exam is a skills-based test that requires candidates to perform a real-world web app pentesting simulation.

eWPTv1 is different from conventional certifications because, to obtain it, candidates must take an exam that simulates what professional pentesters do in real life. It pushes the tester to use every methodology and tool they know to exploit vulnerabilities. At the same time, candidates must prove that they fully understand what they are doing. That is why a detailed report is an essential part of the exam. In it, testers must provide proof of their findings while writing "a commercial-grade penetration testing report that correctly identifies the weaknesses."

We congratulate Andres on this new achievement, and we want to take a few minutes with him to better understand his experience taking that exam. At the same time, we want to go deeper into some tips that anyone interested in taking this exam should consider.

eWPTv1 Certification

eWPTv1 certification logo by eLearn Security.

Interview

What is the exam about, and why did you decide to take it?

  1. The exam is one hundred percent practical. The goal is to find all vulnerabilities (focused on web ones) in a scope delivered in a letter of engagement. eLearnSecurity says that the evaluation of the test is mainly based on the submitted report, which corresponds to a document with the highest quality. In it, the tester must sort, classify, and detail the vulnerabilities found.

  2. The laboratory where the test is done is available for seven days from the start of the exam. You have an additional fourteen days to submit the report.

  3. As a tip, it is crucial to understand the scope of the delivered document and what it implies (do not try anything outside that scope). In fact, eWPTv1 tests the abilities and knowledge that we achieve at Fluid Attacks. As a red team, we manually search for vulnerabilities in a defined target, though we usually support that search with different types of tools.

Since this test is not multiple-choice questions but involves "to perform an actual penetration test," was the exam preparation different from other exams you have taken?

  1. My best preparation was my experience doing pentesting in Fluid Attacks.


That means you did not prepare yourself with the course given by INE? (Considering that INE “is the premier provider of Technical Training for the IT industry” and owner of eLearn Security.)

  1. I didn't prepare with the INE.

How did you know you were ready to take the exam?

  1. I did not know that. I took the eWPT test to learn about the type of eLearnSecurity exams, and it was a pleasant surprise to find that the experience gained at Fluid Attacks was enough to earn the certification.

What should we expect from the report that needs to be done as part of the test? How did you approach it?

  1. The report must be of the best quality. In it, you should describe every vulnerability found in the evaluation target. You must include screenshots and evidence of the exploitation of vulnerabilities and the impacts obtained.

Tell us a little about your experience at the time of the exam.

  1. The scan started on May 31, 2021, and I found all vulnerabilities on the same day. June 1, I prepared the report and presented it on June 2 in the morning.

  2. The candidate can use any tool during the exam, yet most vulnerabilities are found manually. Therefore, it is vital to know how to use the tools to our advantage and not delegate one hundred percent of the responsibility to them.

Will you have to take any certificate renewal exams?

  1. No, this certification has no expiration.

Any tips for preparing for this particular exam?

  1. If you have more than three years of experience in pentesting, the exam will be a "familiar experience." If you do not have that experience, I recommend doing the training in INE to find the vulnerabilities and generate a quality report.

What’s next after this certification?

  1. After this, I will keep preparing for other certifications, including eWPTX, an advanced version of eWPT.

Thank you, Andres, for your time and your clarifications. Again, at Fluid Attacks, we congratulate you on this achievement!

As we said before, this is not the first certification that Andres Roldan has obtained. If you are interested in knowing how our Offensive Team Leader prepared for his previous certification, we recommend reading our post, "A Journey to OSCE." While you are there, we also recommend you read our latest post, in which we interviewed Óscar Uribe about his experience obtaining the OSED certification.

Finally, we at Fluid Attacks do not stop at our mission to offer the best Red Team to our clients. That’s why we are constantly facing new challenges and strengthening our Ethical Hacking skills.

If you want to know more about the certifications that the members of our Red Team have obtained, you can follow this link.
