HTB CWES Awaiting Approval

Three weeks after passing CPTS, I am awaiting approval on the Hack The Box Certified Web Exploitation Specialist (CWES) exam. This is the experience: what the path covers, how the exam felt, and what I’d tell someone considering it.

What Is CWES

CWES is a hands-on web application security certification from Hack The Box. Same philosophy as CPTS — no multiple choice, fully practical, and you submit a commercial-grade penetration test report at the end. The focus shifts from network and Active Directory penetration testing to web application exploitation specifically.

The exam gives you 10 days plus the report. You need 80 out of 100 points to pass.

Why CWES After CPTS

In my CPTS writeup I was honest about web applications being my weakest area. I could enumerate a web target well enough to find an entry point during a network pentest, but I didn’t have the depth to confidently identify and chain web vulnerabilities the way I could chain Active Directory attacks. CWES was the obvious next step to close that gap.

The Path

I was already at around 60–70% completion when I started because of module overlap with CPTS. The fundamentals — SQL injection basics, basic enumeration, some server-side concepts — were already done. What CWES adds on top is significant though.

The path covers the full spectrum of web application attack classes. You learn about different injection types and how to identify them in the wild — not just “here’s the payload” but understanding why the vulnerability exists in the application logic and how to confirm it. You go deep on server-side attacks, file handling vulnerabilities, authentication and authorization flaws, and how modern web frameworks introduce their own attack surface.

I started focused studying around March 9th and finished the modules by March 20th. In between I had family visiting, so I took some days off from structured studying and spent time on bug bounty programs instead. Different kind of practice but still useful — real applications don’t tell you what vulnerability class you’re looking at.

Speaking of bug bounties — the Sunday before my exam started, I was up at 2am and found what looked like a P1 vulnerability on a public application. Great timing for confidence. Terrible timing for sleep.

The Exam

I started Monday, March 23rd around 2pm CST.

Day one was electric. I was locked in. Everything I’d studied was clicking. I was finding things, chaining them, documenting as I went. I pushed straight through until 7am Tuesday. By then I had most of what I needed to pass.

Then I hit a wall.

Tuesday through Thursday morning was humbling. I had one target left that I needed. I knew the attack surface. I had done significant reconnaissance. I had all the pieces in front of me. And I could not connect them.

I tried everything I could think of. I went deep into rabbit holes. I tried techniques that weren’t even in the course material — advanced stuff I’d read about but never practiced. I was convinced the answer had to be complex because I’d already tried the simple things. Or so I thought.

54 hours on one problem. I’m not exaggerating. I tracked the time.

Thursday 9:30am: I solved it. After finally getting real sleep, I came back, looked at the problem fresh, and the answer was staring at me. It was in the course material. It was a technique I’d learned in the modules. I had even attempted it early on but made a small mistake in how I applied it. The fix took 10 minutes.

I went from stuck to done in the time it takes to drink a cup of coffee.

The Report

I used SysReptor again, same as CPTS. Having written a full pentest report three weeks earlier meant my workflow was fresh. The CWES report came together faster because of that muscle memory.

The exam requires a commercial-grade report — same standard as CPTS. Findings need root cause analysis, step-by-step reproduction, evidence, impact assessment, and remediation recommendations. If you passed CPTS, you know what’s expected. If CWES is your first HTB cert, I’d spend considerable time on the reporting module. I cannot emphasize enough how beneficial that has been for me.

Report submitted Thursday. Pending review now.

What I Learned

Sleep is a penetration testing tool. I spent 54 hours on something that took 10 minutes after a full night of sleeping. The technique was in my notes. My brain couldn’t connect the dots because I was running on caffeine, stubbornness and power naps. If I’d fully slept Tuesday night, I’d have solved it Wednesday morning and saved myself a day and a half of frustration. Take the sleep. Seriously.

Trust the course material. The CWES exam tests CWES material. When I was stuck, I went hunting for exotic techniques outside the curriculum. The answer was something the modules taught me. I just didn’t recognize it in a slightly different context because I was tunnel-visioned on complexity. When you’re stuck on the exam, go back to your notes before you go to Google.

Stay in scope mentally. I have a habit of going too deep. It’s a strength during enumeration and a weakness during exploitation. When the straightforward approach doesn’t work, my instinct is to assume I need something more advanced. On this exam, that instinct cost me two days. Sometimes the answer is the simple technique applied correctly, not the complex technique applied creatively.

Web testing is a different muscle. CPTS rewards wide, horizontal thinking — move through the network, pivot between subnets, chain domain attacks. CWES rewards deep, vertical thinking. Understand one application thoroughly, find how its components interact, and exploit the gaps in that interaction. Both are penetration testing but they exercise different parts of your brain.

Did the Course Material Prepare Me

Yes. Without qualification. Everything I needed to pass was in the modules. My struggle wasn’t a gap in the material, it was a gap in my ability to step back and match what I was seeing to what I’d learned. The modules give you the techniques. The exam tests whether you can recognize when to apply them.

If you’re coming from CPTS, the module overlap saves you time on the path. But don’t skip the web-specific modules thinking you already know enough. The depth CWES goes into on certain attack classes is beyond what CPTS covers. Give those modules the time they deserve.

Recommendations

Log everything in real time. Same advice as CPTS but even more important here. Web exploitation involves a lot of trial and error: payloads that almost work, responses that reveal information indirectly, multi-step chains where step 3 depends on output from step 1. If you’re not logging as you go, you’ll lose track of what you tried and what the results were. I personally log my tmux session as I go. Then when I find a flag, I save it, mark it, and start a new window.

Enumerate all applications before exploiting any. I started exploiting the first thing I found. It worked out for me, but the better approach is to enumerate everything first so you have a complete picture of the attack surface. Credentials from one application might be the key to another. Context from one target might change how you approach a different one.

Don’t skip the fundamentals. The advanced modules are exciting but the exam will test whether you understand the basics deeply, not whether you can execute exotic attacks. Make sure your foundation is solid before you chase the advanced material.

Practice the report before the exam. If CWES is your first HTB cert, write a practice report using a retired box or skills assessment. Get comfortable with SysReptor or whatever tool you plan to use. Formatting a professional report under time pressure is a skill that needs practice.

Sleep. I cannot stress this enough. I know the exam window feels short. I know the temptation is to push through. But your brain solves problems during sleep that it cannot solve while exhausted. Build sleep into your exam schedule the same way you’d build in enumeration time. It’s not optional.

What’s Next

CWES closed the web application gap I identified after CPTS. Next is CRTO for Cobalt Strike and red team operations. The foundation is getting solid — network pentesting, web exploitation, and soon adversary simulation.

Two down. More to build.

This post is licensed under CC BY 4.0 by the author.