Hack The Box Certified Web Exploitation Expert (HTB CWEE)

Posted on Apr 25, 2025

Certified Web Exploitation Expert by Hack The Box

I am an HTB CWEE!

Review: Hack The Box Certified Web Exploitation Expert (CWEE) Certification

The CWEE certification is an extremely challenging path and exam. I hope this review helps readers set better expectations for themselves and avoid any pitfalls I made while taking the exam.


The Training

The training for the CWEE certification was outstanding in many ways; however, it also felt incomplete in other ways. At the time I took the training, I started in late December of 2023 and went until early May of 2024. I started the training as it was actively being released. This was my first mistake because modules ended up changing as I progressed.

You may also notice that from the time I completed my training to my exam, there is almost a year gap. This is because I did the CPTS path, and the BSCP path & exam, then went back to review the CWEE path. While I don’t regret the BSCP path, the time away from the exam material hurt. Bad. This has made me a believer in not waiting too long to take an exam after finishing its proclaimed course. The BSCP path didn’t take me as long, but the CPTS path did, and I should’ve avoided the CPTS path entirely to study more white box material.

Speaking of which, while the course path contained a lot of outstanding information to digest, I do not think it was complete… for me at least. You must consider your skill set when attempting these things. In short, here is my best thought on supplementing the path:

  • Black box: PortSwigger Academy
  • White box: PentesterLab

It is critical to continue understanding how to exploit black box vulnerabilities. At this point, I think most people feel comfortable here if they’re taking this exam.
For the white box, however, I wish I had a better resource to prepare at the time, which is simply my own fault for limiting my exposure. I recently started doing some of the code reviews in PentesterLab, and I should have started it concurrently with the BSCP or CWEE path.


The Exam

The CWEE exam is a nightmare-level exam. To be transparent, at the time of writing I wouldn’t consider myself an “expert” as I know I have a lot more to learn in this field. That said, I would consider myself a mid-level web penetration tester/application security specialist. I’m sure if I continue to spend more time programming and code reviewing from when I took this exam, my difficulty with the exam would change.


Overall

I am beyond thrilled that I was able to pass the exam for the CWEE certification. This is a very rewarding path and exam to take that has many challenges. Do not feel ashamed if you fail this exam, as even finishing out the path deserves a great deal of respect.