From bug bounty to broader impact: Introducing the Certified Web Exploitation Specialist (HTB CWES)

Exciting news for members and teams on HTB Academy! 

We're giving the HTB Certified Bug Bounty Hunter (HTB CBBH) path and certification a fresh new look — one that better reflects the skills the industry is hiring for right now.

Starting October 1, 2025, the Bug Bounty Hunter job-role path will be renamed to Web Penetration Tester path. Alongside that, the HTB CBBH certification will evolve into the Certified Web Exploitation Specialist (HTB CWES).

If you've already earned your HTB CBBH certification, don’t worry—you’ll be auto-assigned to the new HTB CWES certification within the HTB platforms and on Credly. 

Thinking about taking the current exam or midway through the path? No stress. We've got an FAQ section here covering everything.

Why is this change happening?

The transformation of this path and certification isn’t about ditching the bug bounty ways—it’s about amplifying what those skills can do across a wider range of roles.

Bug bounty, in its own right, is a slice of security full of passion and novel research that molds legendary hackers. This shift is less about the strengths of being a bug hunter, but instead, dives deeper into the nuances of security’s needs for web pentesters. 

Job titles in today’s market don’t say "Bug Bounty Hunter." They say "Web Application Penetration Tester," "AppSec Engineer," or simply "Penetration Tester."

While this switch does not diminish the personal rewards, attention, and POCs bug bounty can bring to one’s life, it accentuates the need for a strong core of skills we have spent time developing. 

We’re amplifying the value of your skills by aligning with modern job roles and the current threat landscape. Same passion. Same hacking spirit. But now with a clearer path to career impact.

Here is an overview of how all our certifications and paths will align in HTB Academy.

Learn more about HTB certifications

This isn’t just a win for individual learners.

Companies looking to train or upskill their cybersecurity teams will get even more value from the new path and certification. It’s packed with the most up-to-date content, hands-on labs, real-world techniques, and everything needed to sharpen web security skills fast.

And with the HTB CWES certification, your team won’t just learn, they’ll prove they’re ready to take on modern web application threats with confidence.

Get a demo for your business

Keeping pace with modern web security
This change isn’t just about aligning with recruiters. It’s also about delivering modern, practical training in web application security.

Most people interested in web exploits have a copy of Web Hackers Handbook (2nd edition). A legendary book for anyone interested, but a significant part of this overhaul recognizes how rapidly web technologies and their attack surfaces have grown over time. 

We’re dealing with complex API-driven systems, single-page applications, GraphQL endpoints, and hybrid mobile/web stacks.

The new Web Penetration Tester path will reflect this. Major portions of the content have been rewritten and restructured to equip you with the knowledge you need to head into today’s problems.

This shift also emphasizes practical outcomes:

• Thinking like a professional penetration tester

• Navigating new, complex technologies confidently

• Discovering vulnerabilities without relying on provided hints

This isn’t a minor patch. We’ve been hard at work updating 50% of the learning path to align with real-world tactics, techniques, and market demands.

Nearly a third of the modules have already been revamped and are live on the platform, including:

• Information Gathering – Web Edition

• SQL Injection Fundamentals

• Server-side Attacks

• Login Brute Forcing

• Broken Authentication

• File Inclusion

Each of these has been rebuilt to reflect modern attack surfaces, current tooling, and practical exploitation techniques—because you shouldn't be training for yesterday’s web.

And we’re not done yet. With the full shift to the Web Penetration Tester path on October 1, 2025, we’ll be retiring four outdated Modules and replacing them with sharper, more relevant content. These final changes complete the transformation.

You can see the difference between the paths below:

Where can I find the Web Penetration Tester path and HTB CWES?

Like all of our paths and certifications, you will be able to find them by October 1 on HTB Academy (included in the Silver Annual subscription) and HTB Enterprise Platform (available in all business plans). All the modules for the path are already available for learning.

If you’ve taken a break or completed the previous version of this path, this might be the perfect time to reconnect. Explore fresh content, capture new flags, and align your skills directly with industry expectations.

Whether your roots are in bug bounty, web development, or if you're just starting out, the Web Penetration Tester path and the HTB CWES certification are designed to take you further.

Start learning on HTB Academy

Got questions? We’ve got answers

Whether you’ve already started the Bug Bounty Hunter path, are prepping for your HTB CBBH exam, or proudly hold the certification, here’s what you need to know:

I already have the HTB CBBH certification. What happens now?

You’re good to go! From the end of August until October 1st, all HTB CBBH certifications will be upgraded to the new HTB CWES; no action is needed. This update will reflect on your HTB Academy account, HTB Enterprise Platform, and Credly badge. You will also have the new Web Penetration Tester path, along with all new modules, unlocked for you for free.

What about the physical certificate and kit?

From August 14th, new HTB CBBH certified users will already be able to request the new HTB CWES kit. In the near future, we will also open for the previous HTB CBBH certification holders to purchase the new HTB CWES kit if they’d like. If that’s your case, keep your eyes on your inbox in the next weeks.

I’m currently enrolled in the Bug Bounty Hunter path to get certified. What should I do?

Taking the exam before October 1
Go ahead! The HTB CBBH exam will remain available as usual until September 30th. If you pass it before then, you’ll still be auto-awarded the HTB CWES on October 1.

Taking the exam after October 1
From October 1 onwards, only the HTB CWES certification will be available. To take the exam, you’ll need to complete 100% of the new Web Penetration Tester path.

Good news: All the new modules are already live, so you can get a head start now.

What happens to my access to modules? Will I have to buy the new modules again?

Annual subscribers: Nothing changes; your plan gives you access to the full path, including all the new modules.

Monthly subscribers or cube buyers: The cost in cubes remains the same. Whether you're unlocking modules via monthly subscriptions or individual cube purchases, the pricing hasn’t changed.

Already unlocked modules being phased out from the path? You can either complete the current path and take your exam before October 1.

Or, if you want to start with the new path, on October 1st, you will get automatic access to the new replacement modules listed below and be able to continue learning on the updated Web Penetration Tester path.

What if I take my first exam attempt before October 1, but need to retake it after?

Nothing changes; you will be able to continue your second attempt as it was in the first one, without having to complete any extra modules.