Let me be upfront: I haven’t taken the CSSLP exam yet.
This post isn’t a “how I passed” story — it’s about how I’m currently studying, the resources I’ve found (and created myself), and why I think this certification is worth pursuing if you’re heading toward AppSec or DevSecOps.
I’m writing this because when I first started looking into CSSLP, Vietnamese-language resources were almost nonexistent. I hope this post helps someone who’s at the same starting point as me.
Web pentesting isn’t just about finding bugs and writing reports — it’s a process of deeply understanding how systems work, how developers think, and discovering the cracks that builders can’t see.
But after spending time doing pentests, I realized: finding bugs is only half the story. The other half is making sure those bugs never come back — and that’s why Application Security exists.
The 5-Phase Roadmap
I’m following a structured roadmap, from mastering hands-on pentesting to building a comprehensive security program:
Back when I was still a student (and a forum lurker), OSCP felt like something impossibly grand. Like looking up at a star in the sky and thinking “yeah, that’s beautiful” — never daring to imagine actually reaching it.
Then I graduated. Got a job. Had some money. One day I opened the OffSec registration page and thought: let’s just give it a shot.
And so it began.
Honestly, I Procrastinated a Lot
Truth is, the gap between when I “started studying for OSCP” and when I actually sat down to study seriously was pretty long. There were many evenings that should have been spent grinding labs but were wasted on pointless stuff instead.