HTB Academy - Certified Bug Bounty Hunter (CBBH)
1. Certification Name and Issuing Body
Full name: HTB Academy Certified Bug Bounty Hunter (CBBH)
Issuing organization: Hack The Box (HTB Academy)
Reputation and global recognition:
HTB is a highly respected platform in the offensive security and ethical hacking community.
CBBH is gaining strong recognition, particularly among professionals focusing on bug bounty hunting, web application security, and offensive security roles. It is newer compared to long-established certs but rapidly building industry value.
2. Curriculum and Skills Covered
Covered domains:
Web application security
Bug bounty methodologies
Reconnaissance and information gathering
Exploitation techniques (XSS, SQLi, IDOR, SSRF, etc.)
Reporting vulnerabilities professionally
Post-exploitation and privilege escalation in web apps
Depth of content: Deeply hands-on combined with strong theoretical underpinnings. Heavy focus on practical exploitation and real-world bug bounty techniques.
Technologies and tools included:
Burp Suite
OWASP ZAP
Nmap
Dirsearch, Gobuster
ffuf
Nikto
Subdomain enumeration tools (e.g., Subfinder, Amass)
Custom scripts for exploitation
Relevance in the current job market: Very relevant for roles related to web security, application pentesting, freelance bug bounty hunting, and even internal AppSec teams.
Mapping to frameworks:
OWASP Top 10 (direct coverage)
MITRE ATT&CK for Enterprise (web-related TTPs)
NICE Framework (PR.AC, DE.CM, PR.IP categories)
3. Prerequisites and Recommended Level
Prior certifications or experience required: No formal prerequisites, but previous pentesting/web security exposure is strongly recommended.
Expected skill level: Intermediate.
Required knowledge:
Good understanding of HTTP/HTTPS protocols
Basic web development knowledge (HTML, JavaScript, basic backend logic)
Familiarity with Burp Suite and Linux command-line
Awareness of common vulnerabilities (OWASP Top 10)
4. Cost
Total cost:
Access through HTB Academy Subscription (~$24 USD/month at the «VIP+» tier).
Additional exam voucher costs around $200 USD (separate from subscription).
Study materials or lab access included: Yes, all labs, course content, and practice targets are included.
Discounts, scholarships, or regional pricing: Occasional discounts on Academy subscriptions and vouchers; no formal regional pricing schemes known yet.
5. Estimated Preparation Time
Recommended study hours: Roughly 80 to 120 hours depending on your background.
Self-paced or instructor-led: Self-paced.
Learning modes:
Fully self-study with guided labs.
Some unofficial study groups exist in Discord communities.
6. Target Roles and Career Path
Job roles:
Bug Bounty Hunter (freelance or professional)
Web Application Penetration Tester
Application Security Analyst
Offensive Security Consultant
Career goals: Fits perfectly if aiming for careers in ethical hacking focused on web applications or freelance/independent bug bounty hunting.
Technical or managerial: Technical.
7. Exam Format and Difficulty
Online or in-person: Online.
Theoretical, hands-on, or both: Hands-on only.
Proctored exam or testing center: Not proctored; open-book, practical hacking challenge.
Real-world labs or simulations: Yes, candidates must exploit vulnerabilities in a simulated bug bounty target and submit detailed vulnerability reports.
Length and number of questions:
Typically 48 hours to complete the practical exam and submit findings.
No multiple-choice questions, only practical findings and reporting.
Difficulty level or average pass rate: Moderate to challenging, depending on the candidate's familiarity with web application security. Pass rate is moderate (not as difficult as OSCP but harder than entry-level certs like eJPT).
8. Validity and Renewal
Expiration: No expiration. Lifetime certification.
Renewal process: Not applicable. One-time certification.
9. Study Resources Available
Official documentation:
HTB Academy’s internal course material («Bug Bounty Hunter» course).
Recommended books:
«Web Hacking 101» by Peter Yaworski
«The Web Application Hacker’s Handbook» by Dafydd Stuttard and Marcus Pinto
«Real-World Bug Hunting» by Peter Yaworski
Online labs or platforms:
HTB Academy Labs
Hack The Box main platform (Starting Point, Easy and Medium boxes)
TryHackMe web security paths (optional)
YouTube channels, community guides:
InsiderPhD (YouTube)
Stoke (YouTube)
NahamSec (YouTube and Twitch streams)
Online communities:
HTB Discord
Bug Bounty Hunters Discord (bbh.wtf)
r/bugbounty (Reddit)
10. Industry Value and Demand
Mentioned in job postings: Not formally mentioned yet as a requirement, but great for building a strong portfolio for security-focused jobs.
Boosts profile with recruiters: Definitely, especially if aiming for AppSec, Web Pentesting, or freelance bounty programs.
Recognized by top companies or certain countries: HTB is respected globally, and a CBBH adds a lot of weight when applying to offensive security teams.
Average salary for certified professionals: Salaries for Web App Pentesters and Bug Bounty Hunters can range from $60,000 to $110,000 USD, depending on region and additional credentials.
11. Related Certifications and Progression
Part of a larger learning path: Yes. It can be part of a progressive roadmap from beginner to professional bug bounty hunter or web app pentester.
Next steps after completing it:
Offensive Security Web Expert (OSWE) by Offensive Security
Certified Web Application Defender (GWAPT) by GIAC
Real-world experience in private/public bug bounty platforms (HackerOne, Bugcrowd)
Comparison or complement: Complements well with CBBH, eWPT (eLearnSecurity Web Penetration Tester), and future preparation for OSWE.