5-Day Instructor-Led Programme
The XASE Certification Programme is the practitioner standard for application security engineers who secure software throughout the development lifecycle — from threat modelling and secure code review through to DevSecOps pipeline hardening and API security testing. Assessed on Day 6 through a supervised code review, threat modelling exercise, and AppSec assessment — no multiple choice, no exam.
Duration: 5 Days
Price: $4,995
Insecure software is the root cause of the majority of enterprise breaches. Organisations need application security engineers who can identify vulnerabilities in code, integrate security into CI/CD pipelines, and work alongside development teams to build security in from the start — not bolt it on at the end. XASE is built for security engineers, developers moving into security, and application security consultants who need to demonstrate practical AppSec capability.
Across six instructor-led days, participants build competency from first principles of secure development through to advanced techniques: threat modelling with STRIDE and MITRE ATT&CK, secure code review across multiple languages, OWASP Top 10 and ASVS application, API security testing, mobile application security, supply chain security, and DevSecOps pipeline integration with SAST, DAST, and SCA tooling. Every session is practical — real code, real vulnerabilities, real remediation.
On Day 6, participants conduct a supervised AppSec assessment: code review of a vulnerable application, threat model development, and API security test. The senior practitioner observes methodology, technical depth, and communication quality. The XASE certificate and Practitioner Assessment Report are issued together. The programme is aligned with OWASP Top 10 2025, OWASP ASVS, NIST SP 800-218 (SSDF), NCSC Secure Development guidelines, CWE/SANS Top 25, and the SLSA supply chain framework.
Hands-on secure code review (Python, JavaScript, Java, Go), SAST/DAST tool integration in CI/CD pipelines, threat modelling with STRIDE and ATT&CK, API security testing, and supply chain security tooling.
Mentor-led sessions reviewing real-world vulnerability patterns, secure design principles, and AppSec integration into engineering culture — framed for security engineers working alongside development teams.
Identify, assess, and remediate application security vulnerabilities across the full SDLC, integrate security tooling into DevSecOps pipelines, and communicate AppSec risk to engineering leadership.
Conduct structured secure code reviews across multiple programming languages using SAST tooling and manual taint analysis methodology
Apply OWASP Top 10 2025 and OWASP ASVS to identify and remediate application security vulnerabilities in real codebases
Design and execute threat models using STRIDE, MITRE ATT&CK, and PASTA methodology for complex application architectures
Integrate SAST, DAST, and SCA security tooling into CI/CD pipelines as part of a DevSecOps programme
Assess API security including REST, GraphQL, and OAuth 2.0 implementations against OWASP API Top 10
Communicate application security risk to engineering teams and leadership with actionable remediation guidance
Minimum 12 months in a software development, security engineering, or penetration testing role
Working knowledge of at least one programming language: Python, JavaScript, Java, Go, or C#
Basic familiarity with web application architecture, HTTP, and API design concepts
Choose the learning format that works best for you and your team
Instructor-Led Training
Join live instructor-led sessions from anywhere. Interactive, engaging, and flexible.
Price per person
Group enrolments and early planning options available.
All prices are exclusive of VAT where applicable. Group enrolments and custom packages available on request.
Not everyone learns best in a group. If you want focused guidance, faster clarity, and confidence you can use on the job, our 1-to-1 Fast-Track Training gives you private, mentor-led support tailored to your experience and goals.
"Many learners choose 1-to-1 when they want understanding, not memorisation."
Credential
On successful completion of Xcademia Application Security Engineer, learners receive an Xcademia Certificate of Completion. This standalone certificate is issued directly by Xcademia and recognised by employers across the UK defence and security sector.
Everything you need to know about the certification exams
You will receive an Xcademia certificate of completion based on participation and successful completion of labs and scenario simulations.
Everything you need to know about this course
CASE exists in two separate versions (.NET and Java) — both MCQ exams. You pay twice for two certs covering one language each. XASE is a single 6-day programme covering secure code review across Python, JavaScript, Java, Go, and C#, plus threat modelling, API security, mobile security, and DevSecOps integration. Assessed by a practitioner who reviews your actual code analysis and threat model — not your MCQ answers.