OSCP Exam Prep: Complete Study Guide for the Offensive Security Certification

The Offensive Security Certified Professional (OSCP) is one of the most respected practical cybersecurity certifications in the penetration testing industry. Administered by Offensive Security (OffSec), the OSCP is a hands-on, practical credential that tests whether candidates can actually compromise systems — not just answer multiple-choice questions about how attacks work in theory.
The OSCP examination is a 24-hour practical hacking challenge followed by a 24-hour reporting period, in which candidates must compromise a series of vulnerable machines, document their methodology, and submit a professional penetration testing report. This format has made the OSCP the benchmark credential for entry-level to mid-level penetration testers and a required or strongly preferred credential for many security roles at defence contractors, consulting firms, and security operations environments.
The prerequisite for the OSCP examination is the PEN-200 course — Penetration Testing with Kali Linux — which is OffSec's flagship penetration testing training course. PEN-200 covers the full penetration testing lifecycle using the Kali Linux operating system, beginning with information gathering and enumeration and proceeding through vulnerability scanning, exploitation, post-exploitation, and reporting.
The course is delivered as a combination of written materials, interactive labs, and video content, with access to a dedicated online lab environment where candidates practice techniques against intentionally vulnerable machines. The lab environment is time-limited based on the subscription tier purchased, and effective time management in the labs is itself a preparation skill for the exam.
The OSCP exam format consists of five targets worth a total of 100 points: three standalone machines (worth 20 points each — 10 for initial access, 10 for privilege escalation to administrator/root) and one Active Directory set (worth 40 points — consisting of a domain controller and two client machines in a simulated corporate domain environment). A score of 70 or more points is required to pass.
The AD set provides a natural target for candidates to prioritise, since compromising the full domain (all three machines in the AD set) yields 40 points — more than half the passing score on its own. Candidates who complete the AD set and one additional standalone machine are very close to the 70-point passing threshold.
Active Directory is a dominant focus of the current OSCP examination, and it is the content area where candidates who have relied primarily on standalone machine practice often feel underprepared. The AD set tests techniques including initial foothold via a client machine (often through phishing simulation, credential spraying, or service exploitation), lateral movement techniques (Pass the Hash, Pass the Ticket, Kerberoasting, AS-REP roasting), and domain privilege escalation to domain administrator.
OffSec's PEN-200 course includes a dedicated Active Directory module that covers these techniques, and many OSCP candidates supplement PEN-200 with additional AD-focused resources and home lab practice to ensure they are comfortable with the full AD attack chain before attempting the exam.
The OSCP requires candidates to actually compromise machines under exam conditions — not answer questions about how attacks work. This practical format is what makes the OSCP credible to hiring managers who have held it themselves. A pass demonstrates real offensive capability, not test-taking ability.
Buffer overflow exploitation was historically a major focus of the OSCP exam, with a dedicated buffer overflow machine worth 25 points in earlier exam versions. The current OSCP exam format has shifted away from the explicit buffer overflow machine, but buffer overflow techniques remain part of the PEN-200 curriculum and may appear in lab machines and in standalone machines that require binary exploitation.
Candidates who skipped buffer overflow content in preparation for earlier OSCP versions and are now encountering the current exam should review PEN-200's buffer overflow module and practice the technique against intentionally vulnerable applications — the skill remains relevant even if it is no longer a guaranteed standalone exam target.
The reporting component of the OSCP exam is often underestimated by candidates who treat it as an afterthought to the technical hacking challenge. The penetration testing report submitted after the 24-hour exam period must document every attack chain clearly enough for a non-technical reader to understand what was exploited and how, and for a technical reader to reproduce the steps.
OffSec's report template and grading criteria specify that each compromise must be documented with screenshots at key stages of the attack chain (initial access, privilege escalation, proof files), command-line output demonstrating the exploitation, and clear narrative describing the methodology. Reports that are missing screenshots, have unclear step documentation, or fail to include the required proof files are penalised — in some cases enough to push a candidate below the passing threshold even when the technical exploitation was successful.
The OSCP differs from vendor-neutral certifications such as CompTIA Security+ or CEH in one fundamental respect: it requires candidates to demonstrate offensive skills under realistic conditions rather than recognise correct answers from a multiple-choice list. This distinction has shaped the OSCP's reputation in the hiring market.
Security managers who have held the OSCP themselves tend to screen for it specifically, because they understand what passing the 24-hour practical exam actually demands. Candidates who have passed the OSCP have demonstrated that they can enumerate a network, identify exploitable vulnerabilities, chain attack steps together under time pressure, and produce professional documentation — all without assistance from an instructor or walkthrough guide.
Preparation for the OSCP is also preparation for the realities of professional penetration testing engagements. In a commercial pentest, a consultant typically arrives at a client site with limited prior knowledge of the environment, has a defined time window to identify and demonstrate vulnerabilities, and must produce a report suitable for both executive summary review and technical remediation.
The OSCP exam is a compressed simulation of exactly this scenario. Candidates who approach OSCP preparation as professional skills development — rather than certification box-ticking — tend to get significantly more value from the process regardless of their eventual exam outcome. The techniques, enumeration habits, and methodology discipline built during OSCP preparation directly transfer to billable pentest work.
The OSCP certification is awarded upon passing the examination and does not expire. OffSec offers a continuing education pathway through its OSEP, OSED, and OSWE advanced certifications for candidates who wish to demonstrate deeper specialisation in areas such as evasion techniques, exploit development, and web application penetration testing.
Many practitioners hold the OSCP as a foundation credential and pursue one or more advanced OffSec certifications as their career specialisation develops. The non-expiring nature of the OSCP means that practitioners who earned the certification years ago are not required to recertify, though some employers in regulated industries increasingly expect evidence of continued professional development alongside the baseline credential.

| Component | Points or time | Details | Notes |
|---|---|---|---|
| Active Directory Set | 40 points | Domain controller + 2 clients | Full domain compromise = 40 pts; partial credit for individual machine compromises within the set |
| Standalone Machine #1 | 20 points | 10 pts initial + 10 pts root | Varied difficulty; exploit vulnerability to gain shell, then escalate to root/system |
| Standalone Machine #2 | 20 points | 10 pts initial + 10 pts root | Varied difficulty; different OS, service, or technique from Machine #1 |
| Standalone Machine #3 | 20 points | 10 pts initial + 10 pts root | Typically harder; may require chaining multiple vulnerabilities or pivoting |
| Passing Score | 70/100 points | 24-hour exam | AD set (40) + 1.5 standalone machines (30) = minimum viable path to 70 points |
| Report | 24 hours post-exam | Professional pentest report | Required for all exploited machines; missing screenshots or proof files = point deduction or failure |

Effective OSCP exam preparation follows a structured progression that begins with foundational knowledge and builds toward independent problem-solving under time pressure. The recommended sequence starts with completing the PEN-200 course content — all written modules, exercises, and the dedicated lab exercises — before touching the open lab environment.
Candidates who dive into the lab environment without completing the course content often find themselves stuck on early machines and unable to identify why, because they have not yet developed the enumeration methodology and exploitation knowledge that the lab assumes. The course content is the map; the lab is the territory where you practice navigation.
Enumeration is the most important skill in OSCP preparation, and it is also the skill that most new candidates underinvest in. Experienced OSCP candidates consistently advise: 'enumerate more than you think you need to, then enumerate again.' The OSCP lab and exam machines are designed so that the path to compromise is findable through thorough enumeration — running service-specific scanners, checking all open ports, reviewing all version numbers for known vulnerabilities, checking for common misconfigurations, and exploring all available attack surface before attempting exploitation.
Candidates who rush to exploitation after a partial enumeration frequently hit dead ends that could have been avoided with a more comprehensive initial scan.
The PEN-200 lab environment is the primary training ground for OSCP preparation, but supplemental practice on intentionally vulnerable machines from platforms such as HackTheBox, TryHackMe, and VulnHub significantly accelerates skill development.
HackTheBox retired machines that have been documented with walkthroughs provide a rich source of practice targets at progressively increasing difficulty levels, and working through these machines — attempting them independently first, then reviewing the walkthrough only when stuck — builds the problem-solving pattern recognition that the OSCP exam requires. Many OSCP preparation guides recommend specific lists of HackTheBox and VulnHub machines that use the same techniques tested in the OSCP exam, providing a structured supplement to the PEN-200 labs.
Time management during the 24-hour exam is a distinct skill that candidates must consciously develop before the exam. The most common OSCP failure pattern is spending too many hours on a single machine that is not yielding, losing time that could have been spent progressing on other targets. Experienced OSCP candidates recommend setting explicit time limits — typically 2 to 3 hours — on any single machine before moving to a different target and returning later with fresh eyes.
The AD set is typically recommended as the first focus, given its 40-point value and the structured attack chain that makes it somewhat more predictable than standalone machines. After securing the AD set, attention turns to the standalone machines in estimated order of difficulty.
Sit for 4–6 hour lab sessions in the weeks before your exam. Practise moving on from a stuck machine after 2–3 hours. These habits — endurance, redirection, real-time note-taking — are as important as technical technique for passing the OSCP under 24-hour exam conditions.
Note-taking and screenshot capture during the exam are habits that must be built during lab practice, not invented on exam day. The report submission requires screenshots at specific stages of each exploitation chain, and candidates who do not capture these screenshots during the exam — relying instead on memory or having to recreate steps after the fact — risk submitting incomplete documentation that results in lost points.
Tools such as CherryTree, Obsidian, or OffSec's own reporting template help candidates maintain organised notes during the exam. Many experienced OSCP candidates recommend writing rough report notes in real time as each machine is compromised, rather than leaving all report writing for the 24-hour report period — this approach prevents time pressure from degrading report quality.
Mental preparation for the OSCP exam is as important as technical preparation. The 24-hour practical format is physically and mentally demanding — candidates who have not practised sustained focus on a technical problem for 4 to 8 consecutive hours often find the exam more taxing than they expected. Practicing longer lab sessions in the weeks before the exam — deliberately sitting for 4 to 6 hour blocks — builds the endurance and focus required for exam conditions.
Planning exam nutrition, managing caffeine intake, and building in planned short breaks (10 minutes every 2 hours rather than no breaks until exhaustion) are practical strategies that experienced OSCP test-takers consistently recommend for maintaining peak cognitive performance across the full 24 hours.
The psychological challenge of the OSCP exam is underappreciated by candidates who have not simulated exam conditions during lab practice. Spending four hours on a machine that is not yielding any progress — with the clock running and the knowledge that each hour is consuming a finite exam window — creates a cognitive pressure that does not arise during casual lab practice. The standard advice to move on after two to three hours on a stuck machine is easy to state and difficult to follow in the moment.
Candidates who have practised deliberately moving on from a stalled machine during lab sessions — accepting the frustration, logging their current state, and redirecting attention — find the exam transition significantly less psychologically difficult than candidates who have always pushed through until they solved every lab machine before attempting another.

OffSec's community Discord, OSCP-specific Reddit communities, and YouTube walkthroughs of retired HackTheBox machines are all widely used supplemental resources. You cannot discuss exam machines, but technique questions, tool configuration, and study strategy discussion are all openly shared. Community support is a recognised factor in OSCP candidate success.
Post-exam report writing is a skill domain that intersects technical knowledge, professional writing ability, and time management. The 24-hour report period begins the moment the exam VPN connection closes. Candidates who begin the report period exhausted after a demanding exam session and attempt to reconstruct exploitation steps from memory alone regularly discover that their notes and screenshots are insufficient to reconstruct the full attack chain in a way that meets OffSec's documentation requirements.
The single most effective habit for report quality is capturing notes and screenshots in real time during the exam, using a structured template that mirrors the expected report format — so that the report writing phase is primarily assembly and editing rather than reconstruction. OffSec publishes a report template and sample report that candidates should review before their exam attempt, not after.
Community resources for OSCP preparation have expanded substantially since the certification launched. OSCP-specific forums, Discord servers, Reddit communities, and YouTube channels provide both guidance and camaraderie for candidates who are navigating the certification journey. The OffSec community Discord includes dedicated channels for PEN-200 content questions and exam preparation discussion.
While candidates cannot discuss specific exam machines or share solutions — doing so violates OffSec's exam policy — the broader discussion of techniques, study strategies, tool configuration, and mental preparation is openly shared. Many successful OSCP candidates credit peer support networks as a significant factor in maintaining motivation through extended preparation periods.
Candidates who pass the OSCP on their first attempt most commonly attribute their success to one factor above all others: consistent, deliberate practice over an extended period rather than cramming in the final weeks before the exam. The OSCP is not a certification that can be crammed for.
The skills it tests — enumeration discipline, lateral thinking under time pressure, adaptability when an expected technique fails — are built through repetition across dozens of practice machines, not through reviewing notes the night before. Starting preparation early, building practice into a weekly routine, and treating every stuck machine as a learning event rather than a failure are the habits that correlate most consistently with first-attempt pass outcomes.

The single most common OSCP failure pattern: rushing to exploitation before completing thorough enumeration. OSCP machines are designed so that the attack path is discoverable through systematic enumeration. If you're stuck, enumerate more — check all ports, all service versions, all common misconfigurations. Do not attempt to guess the exploit path without the data to support it.
- ✓ Complete all PEN-200 course modules and exercises before spending unstructured time in the lab
- ✓ Master the Active Directory attack chain: foothold → lateral movement (PTH/PTT/Kerberoasting) → domain admin
- ✓ Practice enumeration methodology until it is automatic: nmap, gobuster/ffuf, enum4linux, linpeas/winpeas, nessus
- ✓ Complete 20–30 OSCP-style practice machines on HackTheBox or VulnHub before the exam
- ✓ Set explicit time limits (2–3 hours max) on each machine during exam practice — develop the habit of moving on when stuck
- ✓ Practice taking screenshots at every key step (shell access, proof.txt contents, privilege escalation output) during labs
- ✓ Write rough report notes in real time during lab sessions — don't rely on memory for post-hoc documentation
- ✓ Practice Linux and Windows privilege escalation systematically — GTFOBins, PEASS-ng, common misconfigs
- ✓ Understand the most common web app vulnerabilities tested in OSCP: SQL injection, LFI/RFI, command injection, file upload bypass
- ✓ Do at least 2 full 24-hour mock exam sessions in the weeks before your scheduled exam date

OSCP Pros and Cons
- + Structured OSCP guides organize content in exam-aligned order
- + Combining guides with practice questions builds test fluency
- + Focused plans let you prioritize weak areas
- + Free and low-cost resources make prep accessible at any budget
- + Spaced repetition improves long-term retention
- − No single guide covers everything — most candidates need 2–3 resources
- − Guides can become outdated when exam content changes
- − Self-study requires discipline without external accountability
- − Coverage breadth can create false confidence
- − Real prep time is typically 30–50% longer than guides estimate

About the Author
Attorney & Bar Exam Preparation Specialist
Yale Law School
James R. Hargrove is a practicing attorney and legal educator with a Juris Doctor from Yale Law School and an LLM in Constitutional Law. With over a decade of experience coaching bar exam candidates across multiple jurisdictions, he specializes in MBE strategy, state-specific essay preparation, and multistate performance test techniques.