TL;DR: Passed the HTB Certified Web Exploitation Specialist (CWES) after ~a year in the CBBH path and a focused March 2026 of revision. The exam took 4 days and 9/10 flags before I moved to the report, and the result landed ~24 hours after submission.
Backstory to exam day
First things first, I want to pat myself on the back, because this was a fun and intense journey.
I enrolled in the CWES (CBBH) path over a year ago and had been dreading sitting the exam ever since. What finally pushed me was a friend who offered to pay 50% of the voucher out of his own pocket. I thought: this is my sign. Time to save up and actually go for it.
I dedicated the entire month of March 2026, start to finish, to revising everything I’d forgotten and wrapping up what I’d left unfinished in the path.
Previous knowledge before the exam
Before attempting the exam I’d done a fair number of HTB machines, challenges, and fortresses. Most of them, if not all, teach you methodology and how to apply the concepts you’ve learned. A lot are well outside the exam scope, but they reinforce core concepts and really put your methodology and notes to the test.
I completed the Akerva fortress and attempted the web portions of the other three fortresses. Anything beyond the web section isn’t really necessary prep for CWES, maybe for CPTS.

By the time I sat the exam I’d done over 20 machines, 5 Sherlocks, and 30 challenges across the year. (I know it’s not a lot, but it counts!)

I also worked through some PortSwigger Academy labs, not extensively, but I’d recommend at least the SQLi and XXE modules, as both align well with what’s covered in the CWES path.

Exam time
I bought the voucher on a Friday and watched $210 leave my bank account. That notification stung a little, but it was absolutely worth it.
The plan was to sleep early and start fresh in the morning. Except the excitement got the better of me, I couldn’t sleep, woke up around 1am, and thought: flip it, I’m already up, let’s go.
Timeline
| Date | Hours | Progress |
|---|---|---|
| 30/05/26 | 1am – 4am | Enumeration |
| 30/05/26 | 6pm – 10pm | First 2 flags |
| 31/05/26 | 3am – 10pm | 5 more flags |
| 01/06/26 | 3am – 1pm | 2 more flags |
| 02/06/26 | 7am – 1pm | Report writing & submission |

After getting 9 flags, I hit a wall on the last one and couldn’t crack it. After sitting with it for a while I shifted focus and started writing the report instead. Once that was done I figured: I already had the passing mark, why stress hunting down one last flag? (Okay, I was also a little lazy. I’ll admit it.)
About 24 hours after submitting, a notification landed in my inbox. I was surprised it came back so quickly, but a few people in the HTB Discord had mentioned results under two days, so I half-expected it.

Tips and tricks
1. The path is enough, trust it. After getting close to 100 points, I can confidently say supplementing from resources outside the CWES path isn’t necessary. Everything you need to pass is in the path. Don’t overthink it.
2. Fix your notes. Seriously. This is the most important thing. Structure them so that if you land on a login page mid-exam, you immediately know what to enumerate and what to try. Good notes save you 90% of the time.
3. Do the skill assessments blind. Compile your notes for that module, then attempt the assessment using only those notes. I had a bad habit of checking writeups whenever I got stuck, and honestly that often did more harm than good. It trains you to reach for answers instead of thinking it through. Everything you need is already in the module.
Moving forward
Next up I’m planning to tackle CPTS. I know I said CySA+ would be next after Security+, and I haven’t forgotten, I’ll write CySA+ closer to finishing university. It’s a solid cert with good industry recognition and validates the defensive side of the skillset well. But for now, CPTS has my attention.
