ACP Certification Review - APISec University
Appl3Tree's review of the ACP certification offered by APISec University
ACP - APIsec Certified Practitioner
Overview
The APIsec Certified Practitioner (ACP) exam is APISec University’s more advanced credential. It validates a broad and practical understanding of API security across the full development lifecycle. The exam pulls content from five foundational courses, covering everything from documentation and authentication to securing API infrastructure and understanding OWASP risks.
Whether you’re red team, blue team, or on the dev side, ACP is a strong indicator of your ability to approach API security with a complete perspective.
Exam Format
- Length: 100 multiple-choice questions
- Time Limit: 2 hours
- Passing Score: 80% or higher
- Price: $325 (Retakes: $75)
- Study Material: 5 required courses from APISec University
- Schedule: Self-scheduled, on demand
Preparation
Required Courses
The exam is built around five required courses from APISec University. Each one contributes key topics and context you’ll need to pass.
- API Security Fundamentals — Taught by Dan Barahona
  Covers why APIs are commonly targeted, walks through major breaches, and introduces core security concepts.
- OWASP API Security Top 10 and Beyond! — Taught by Corey Ball
  A deep dive into the OWASP API Top 10 and how each category maps to real-world attack surfaces.
- API Authentication — Taught by Jacob Ideskog
  Explores a wide range of authentication strategies and best practices with a focus on secure implementation.
- API Documentation Best Practices — Taught by Jason Harmon
  Shows how well-crafted documentation supports both usability and security, and what to watch out for when designing it.
- Securing API Servers — Taught by Anthony Aragues
  A collection of shorter lessons on securing backend API infrastructure. Topics include CORS, error handling, rate limiting, and more.
If you go through each course thoroughly and take notes, you’ll be well-prepared for the exam.
Skills That Helped
- Taking detailed notes from each course, especially case studies and examples
- Memorizing terminology and specific security practices taught by each instructor
- Understanding how insecure defaults or poor documentation can lead to real-world risks
- Familiarity with the OWASP API Top 10 and related mitigation strategies
Exam Experience
Similar to the CASA exam, there’s no strict enforcement around whether the ACP exam should be taken open- or closed-book. I approached it as closed-book to better test what I actually retained, and I’d recommend others do the same. Especially if you’re preparing for interviews or working in a role where quick recall matters, it’s a good mindset to adopt.
Compared to CASA, the ACP exam leaned more toward memorization. Several questions were pulled directly from case studies and course examples. One question even asked about a specific detail mentioned briefly in a video. If you’re the type to passively watch course videos, you might struggle here. Having solid notes or a strong memory for specifics will help a lot.
I treated the exam as closed-book and scored 87 out of 100. It required more deliberate recall than conceptual thinking and felt like an assessment of your attention to detail across all five required courses.
Final Thoughts
The ACP exam is a solid benchmark for well-rounded API security knowledge. It is especially useful if you’re transitioning into AppSec, working on API-heavy systems, or trying to validate your understanding across both offensive and defensive practices.
One thing I appreciated about the ACP path was that it required completing five separate courses, each covering a different area of API security. Not every topic was equally exciting. Personally, I wasn’t exactly eager to dive into documentation practices, but I’m glad the exam made me go through it. It helped me recognize the importance of areas I may have otherwise ignored and made the certification feel more complete.
That said, I personally preferred the CASA exam. It challenged me to apply what I learned in realistic scenarios rather than recalling specific facts or course details. CASA felt more like a test of comprehension, while ACP leaned more on memory.
If you’re aiming to retain long-term, practical knowledge, CASA may feel more rewarding. If you’re looking for a broader certification that proves you’ve studied all areas of API security, ACP delivers that. Just be ready for more content recall than critical thinking.
Recommended for:
- Security engineers looking to improve their API threat modeling
- Developers who want to implement APIs with security built in
- Pentesters who need more context on how APIs are built and defended
Pros and Cons
✅ Pros
- Covers the full API lifecycle, from documentation to deployment
- Instructor lineup includes experienced voices from the API and security space
- Good focus on misconfigurations, insecure defaults, and design issues
- Five structured courses make studying clear and focused
- Self-paced with flexible exam scheduling
❌ Cons
- No hands-on or lab component
- Exam questions often rely on memorization over applied understanding
- Some material can feel a bit repetitive across the five courses
- Price is on the higher side for a theory-only certification ($325)
Final Score
🧠 Knowledge Depth: ★★★★★
💰 Value for Cost: ★★★★☆
📚 Study Requirements: ★★★☆☆
🧪 Real-World Applicability: ★★★★☆
Overall Rating: 4 / 5
Note: AI-assisted editing was used to improve grammar, clarity, and formatting. All technical content and opinions are original.