June 18, 2026

Spartans Security's Subhash Paudel Achieves OffSec Web Expert (OSWE) Certification

Congratulations to our Security Consultant Subhash Paudel, who has passed the Offensive Security Web Expert (OSWE) exam.

OSWE sits at the senior end of OffSec's certification ladder, and it is one of three credentials (alongside OSEP for advanced penetration testing and OSED for exploit development) that combine to form the OSCE3 designation.

What the exam actually involves

OSWE is a rigorous, hands-on white-box certification with no multiple-choice questions or automated shortcuts. Candidates complete a 47-hour, 45-minute remotely proctored exam against two live web applications, analysing full source code to identify authentication bypasses, achieve remote code execution, and develop scripts that automate the entire attack chain without human intervention.

Following the exam, candidates have 24 hours to submit a professional report documenting their findings and vulnerable code paths. With a pass mark of 85%, a lower historical pass rate than OSCP, and a strict ban on AI tools or external assistance, OSWE is widely recognised as one of the most challenging web application security certifications available.

The OffSec WEB-300 course that prepares candidates for the exam draws from a rotating stack of languages including PHP, .NET (C# and F#), Java with Spring or Tomcat, Node.js, and Python. The vulnerability classes covered are the ones that actually show up in real assessments rather than the ones that demo well: SQL injection, server-side template injection, server-side request forgery, deserialisation, XML External Entity attacks, type juggling, prototype pollution, and authentication bypasses that chain through into remote code execution.

Why it matters for the work we do

Most of what makes a web application genuinely insecure does not live in the headers, the cookies, or the obvious places a scanner looks. It lives in the application logic, in the way developers chained a framework's defaults together, in the gap between what an authentication function thinks it is checking and what it is actually checking. Finding it takes time, focus, and the ability to read other people's code with an attacker's eye.

That is exactly the skill set OSWE certifies, and it is what clients are paying for when they engage Spartans Security for a serious web application assessment. The certification is not a marketing badge. It is a public answer to the question of whether the consultant on your engagement can actually do the work that an advanced web application test requires, or whether they will run a scanner, copy the output into a template, and call it a report.

Proven expertise in the field

Subhash has already demonstrated these capabilities in real-world engagements.

Earlier this year, he identified multiple unauthenticated SQL injection vulnerabilities in a commercial online ordering platform, ultimately leading to the extraction of administrative password hashes and API keys from the backend database. The vulnerability was disclosed through a coordinated process and has since been registered as CVE-2026-24494, receiving a CVSS score of 9.8 (Critical) and inclusion in the National Vulnerability Database.

This independent recognition reinforces the practical, real-world expertise that OSWE is designed to validate.

Continuous learning is part of the job

At Spartans Security, we view professional certifications as a foundation rather than a finish line. The threat landscape, technologies, and attack techniques continue to evolve, and investing in our team's expertise ensures we deliver the highest standard of security outcomes for our clients.

OSWE is a demanding certification, and Subhash's achievement reflects the dedication, discipline, and technical excellence we value across our team.

Congratulations again, Subhash. We look forward to seeing what you uncover next.
