GWAPT score report came back — 87%, the application mapping section was brutal

by mkayla_r, 176 views, 5 replies
mkayla_r (OP)
May 25, 2026

Got my GWAPT results back yesterday and ended up with an 87%, which I'm happy with, but I definitely left some points on the table in the application mapping section. I'd been doing web app pentesting professionally for about 3 years before sitting, which helped a lot with the hands-on material, but the exam asks you to apply methodology in very specific GIAC-approved ways that don't always match what you'd do on a real engagement.

The test is 82 questions and you've got 2 hours to get through it. I finished in about 75 minutes on my first pass, which left enough time to revisit the 14 questions I'd flagged. The heaviest areas for me were SQL injection variants — especially second-order and blind time-based — and the authentication bypass questions. XSS was more straightforward than I expected, probably because the SEC542 course covers it so thoroughly.

I used the SEC542 books as my primary resource plus a few weeks of Burp Suite labs. The GIAC practice tests are accurate in terms of difficulty level, though the actual exam questions are more application-heavy than the practice ones — you're not just recalling definitions, you're walking through attack scenarios and picking what to do at each step.

One area to really nail down is HTTP request manipulation and specifically how to chain vulnerabilities together. There were at least 6-8 questions that were essentially "you've found X, what do you try next?" and they expect you to think like an attacker, not a defender.

amelia_f
May 25, 2026

87% is really strong for GWAPT. I passed with a 74% last year and the chained vulnerability questions are exactly what killed me — I kept picking the safe answer instead of the attacker-mindset answer. Once I reframed how I was reading the scenarios it clicked.

brett_l
May 26, 2026

How current is the material? I've heard the exam lags behind actual web app attack techniques by a year or two, especially on the client-side exploitation stuff like prototype pollution and modern CORS abuse.

jordan_k
May 26, 2026

Did you do the in-person SEC542 course or self-study? I'm debating whether the live version is worth the extra cost when I could just buy the on-demand materials.

derek_v
May 27, 2026

The second-order SQLi questions tripped me up on every practice exam too. It's one thing to understand it conceptually and another to trace it through when the application logic is buried inside a multi-step scenario description.

CertChaser
June 16, 2026

Congrats on the 87%, that's a solid pass! I'm in a similar boat right now -- been grinding through practice tests and just hit 82% on a GWAPT planning and scoping set yesterday, which felt decent but I know I've got gaps. Planning to sit the real exam in about three weeks so I'm trying to lock down the weaker areas before then.

The application mapping stuff you mentioned is exactly where I keep losing points too. It's weird because I understand the concepts but the exam wording trips me up sometimes. Did you find any particular resource that clicked for you on that section, or was it mostly just reps?
