Certified API Pentester (C-APIPen)

The Certified API Pentester (C-APIPen) exam is an intermediate-level exam designed to test a candidate’s understanding of fundamental API security concepts. Candidates must be able to demonstrate practical knowledge to conduct an API pentest to pass this exam.

Note: The exam details will be sent to you on/before 15 January 2025.

£250.00

Testimonials

Jason Haddix <span class="cFlag">🇺🇸</span>
Jason Haddix 🇺🇸
CEO | Hacker | Trainer at Arcanum Information Security
C-AI/MLPen
Read More
I was really impressed with the exam. The 4 hour long, practical (ctf-style), online exam thoroughly tested me on common LLM vulnerabilities. The labs were carefully designed and the challenges mimicked real world scenarios. From direct/in-direct prompt injection test cases to the RAG poisoning challenge, it had a bit of everything. Including bypassing system prompt firewalls of a 𝘋𝘐𝘍𝘍𝘐𝘊𝘜𝘓𝘛 degree.
Joas A Santos <span class="cFlag">🇧🇷</span>
Joas A Santos 🇧🇷
Red Team | Author of Books
C-AI/MLPen
Read More
The SecOps Group has crafted a rigorous challenge that required extensive research. I passed the exam, although I fell short by 2 out of 8 questions. Congratulations to The SecOps Group Team for creating a certification that not only made me study and research intensively but also highlighted the current content gap in this field. I believe they are pioneers in offering such a test!
Charlie W. <span class="cFlag">🇺🇸</span>
Charlie W. 🇺🇸
Senior Security Analyst - Synack Red Team
C-AI/MLPen
Read More
So I got asked by Sumit Siddharth to check out their certification on AI/ML Pentest. I would highly recommend it. I can't wait to see more of their contents and testing. The test itself is quite fun and hands on. It's not a "bubble in your answer" but a hands on, hacking test. I definitely think The SecOps Group got this right in an emerging space. I finished it and got the certificate with merit.
Shaunak Chattopadhyay <span class="cFlag">🇮🇳</span>
Shaunak Chattopadhyay 🇮🇳
Consultant, KPMG India
C-AI/MLPen
Read More
I am happy to share, that I have obtained the Certified AI/ML Penetration Tester with Merit from The SecOps Group. The exam was pretty challenging and took a real test of my skill. Having solved a few CTFs around prompt Injection I would say this is the best and most unique set of problems I have encountered. Highly recommend who want to delve into the world of AI Security.
Previous
Next
What is the Certified API Pentester (C-APIPen) exam?

The Certified API Pentester (C-APIPen) exam is an intermediate-level exam designed to test a candidate’s understanding of fundamental API security concepts. Candidates must be able to demonstrate practical knowledge to conduct an API pentest to pass this exam.

Who should take this exam?

C-APIPen is intended to be taken by pentesters, application security architects, SOC analysts, red and blue team members and any security enthusiasts, who want to evaluate and advance their knowledge.

What is the format of the exam?

C-APIPen is an intense 4 hour long practical exam. It requires candidates to solve a number of challenges, identify and exploit various vulnerabilities and obtain flags. The exam can be taken online, anytime (on-demand) and from anywhere. Candidates will need to connect to the exam VPN server to access the vulnerable applications.

What are the pass criteria for the exam?

The pass criteria are as follows:

  • Candidates scoring over 60% marks will be deemed to have successfully passed the exam.
  • Candidates scoring over 75% marks will be deemed to have passed with merit.
What is the experience needed to take the exam?

This is an intermediate-level exam. Candidates should have prior knowledge and experience of API pentesting. They should have an understanding of common API security-related topics such as the OWASP Top 10 API Security Risks, commonly identified security misconfigurations, and best security practices. They should be able to demonstrate their practical knowledge of API pentesting by completing a series of tasks on identifying and exploiting vulnerabilities that have been created in the exam environment to mimic real-world scenarios.

Note: As this is an intermediate-level exam, a minimum of two years of professional pentesting/bug-bounty experience is recommended.

What will the candidates get?

On completing the exam, each candidate will receive:

  • A certificate with their pass/fail and merit status.
  • The certificate will contain a certificate number, which can be used by anyone to validate the certificate.
What is the exam retake policy?

Candidates, who fail the exam, are allowed 1 free exam retake within the exam fees.

What are the benefits of this exam?

The certificate will allow candidates to demonstrate their understanding of API security topics. This will help them to advance in their career.

How long is the certificate valid for?

The certificate does not have an expiration date. However, the passing certificate will mention the details of the exam such as the exam version and the date. As the exam is updated over time, candidates should retake the newer version as per their convenience.

Will you provide any training that can be taken prior to the exams?

Being an independent certifying authority, we (The SecOps Group) do not provide any training for the exam. Candidates should carefully go over each topic listed in the syllabus and make sure they have adequate understanding, required experience and practical knowledge of these topics. Further, the following independent resources can be utilised to prepare for the exams.

Company Free/Paid
Portswiggery Free
Kontra Free
TryHackMe Paid
HackTheBox Free/Paid
Pentesterlab Free/Paid
OWASP Free
Node API Goat Free
Rest API Goat Free
Vulnapi Free
Vapi Free
SQLI-Labs Free
Exam Syllabus

The exam will cover the following topics

Using Swagger files to view and interact with API definitions
Import and manage API collections in Postman
Identification and Exploitation of OWASP API Security Top 10 Vulnerabilities
XML External Entity attack
Server Side Template Injection (SSTI)
Server-Side Request Forgery (SSRF)
Injection Attacks
  • SQL Injection
  • NoSQL Injection
  • Code & Command Injection
Authentication related Vulnerabilities
  • Brute force attacks and password spraying
  • Password reset attacks
Authorization and Session Management related flaws –
  • Insecure Direct Object Reference (IDOR)
  • Parameter Manipulation attacks
  • JWT related attacks
Insecure File Uploads
Business Logic Flaws
Directory Traversal Vulnerabilities
Mass Assignment and Rate Limiting related Vulnerabilities
API Enumeration and Fuzzing using scripts
Web Service Description Language (WSDL) Attacks
XML Injection in REST/SOAP APIs
GraphQL Attacks
Bypassing CORS Restrictions
BCommon Security Misconfigurations
Security Best Practices and Hardening Mechanisms
Sample Question?
  • Evaluate the application’s anti-reversing checks. Which of the following statements is true in the context of the Jailbreak Detection?
    1. The Application has a robust Jailbreak Detection implementation.
    2. The Application lacks any Jailbreak Detection implementation.
    3. The Application has insufficient Jailbreak Detection, which can be bypassed.
    4. The Application has implemented Jailbreak Detection, and it can not be bypassed.
Prerequisites:
Host Operating System:

Windows/Linux/MacOS with minimum 8GB RAM (MacOS Preferred).

Physical Device with Minimum iOS Version Supported:

iOS 14 or higher (Jailbroken).

Note: Please make sure you have your iOS pentesting environment ready (Jailbroken Physical Device, Burp Suite, or any similar proxy tool along with Frida, objection and other similar pentesting tools) prior to starting the exam. The IPA build will be distributed via TestFlight.

Certified API Pentester (C-APIPen)

C-APIPen