Offensive Security Certified Professional (OSCP) Certification Guide

Complete OSCP certification guide: PEN-200 cost, 24-hour exam format, scoring, recertification, salary, and prep resources from HackTheBox to Proving Grounds.


The Offensive Security Certified Professional (OSCP) certification is the cybersecurity industry's most respected hands-on penetration testing credential. Unlike multiple-choice certifications that test what you can memorize, the OSCP forces you to actually break into systems. You get a private lab, a 24-hour exam, and a simple directive that has become legendary in offensive security circles: Try Harder.

Issued by Offensive Security (rebranded as OffSec in 2023), the OSCP isn't just another acronym on a LinkedIn profile. It's practical proof that you can perform reconnaissance, find vulnerabilities, exploit them, escalate privileges, and pivot through an Active Directory environment, all while documenting your work clearly enough that another engineer could reproduce it. Hiring managers know this. That's why the credential consistently appears in job listings for penetration testers, red team operators, and offensive security engineers across the United States and internationally.

You won't get there overnight. The path runs through PEN-200, a self-paced course covering Linux and Windows privilege escalation, web application attacks, buffer overflows, client-side attacks, Active Directory exploitation, and the discipline of writing a professional penetration testing report. The exam itself is brutal: 24 hours of live hacking against unfamiliar machines, followed by another 24 hours to deliver a polished report. Pass with 70 points out of 100 and you join roughly 80,000 OSCP holders worldwide. Fail, and you pay a retake fee and try again.

This guide walks through everything you need to know before you commit your money, your evenings, and several months of your life to chasing this badge. We'll cover course costs, exam mechanics, the 2023 format shake-up that added Active Directory and bonus points, recertification rules, realistic salary expectations, and the prep resources experienced candidates actually use. By the time you finish reading, you'll have a clear picture of whether the OSCP is right for you and a roadmap for getting through it.

OSCP Certification at a Glance

  • Hands-On Exam: 24 hr
  • Passing Score: 70/100
  • Starting Course Price: $1,599+
  • Recertification Cycle: 3 years

Before we dive into the mechanics, it helps to understand where the OSCP sits in the OffSec credential lineup. OffSec publishes a stack of certifications that climb in difficulty: the OSCP is the entry-level practical penetration testing certification, followed by OSEP (evasion and advanced attack techniques), OSWE (web application exploitation), OSED (Windows exploit development), and OSCE3, which combines OSEP, OSWE, and OSED. Above all of that sits the OSCE in its newer forms and the experienced practitioner badge.

The OSCP is the gateway. You do not need any prior OffSec certification to enroll in PEN-200, and there are no formal prerequisites beyond practical experience. The course assumes you understand TCP/IP networking, basic Linux command-line work, and at least a little scripting (Bash or Python). If you can read a Wireshark capture, write a for loop, and you know what a reverse shell is, you have the baseline. If those concepts are new to you, expect to spend two or three months building those fundamentals before the PEN-200 material clicks.

OffSec significantly reworked the OSCP exam format in early 2023 and refined it again later. The current format weights Active Directory exploitation heavily, scores partial credit for incomplete compromises, and folds in a bonus-point mechanism tied to course exercises. We'll get into the scoring math shortly, but the headline is this: the modern OSCP is closer to a real penetration testing engagement than the older format ever was. You won't just pop a single root flag and move on. You'll need to enumerate a small network, chain attacks across systems, and assemble proof that ties everything together.

The credential itself is delivered as a verifiable digital certificate through OffSec's portal. Employers can confirm validity using your unique OS-ID. There's no paper certificate mailed to your door, no ceremony, no graduation. You'll get an email, a downloadable PDF, and the right to use the OSCP letters after your name for three years before recertification requirements kick in.


Try Harder is the unofficial OffSec mantra and it gets a lot of grief online for sounding dismissive. The actual meaning is more useful than the slogan suggests. It tells you to exhaust every avenue, re-read your enumeration output, look at the small things you skipped, and resist the urge to ask for a hint after twenty minutes. The OSCP rewards methodical curiosity. Candidates who pass usually describe long stretches of staring at output, trying odd combinations, and finding the foothold buried in a port they already scanned.

You cannot sit the OSCP exam without first registering for PEN-200, OffSec's official course package. The PEN-200 bundle includes course videos, a 900+ page PDF, access to OffSec's online lab network, and one or more exam attempts. As of the current pricing structure, the entry tier sits at $1,599 USD and includes 90 days of lab access plus a single exam attempt. That price has crept up over the years and OffSec periodically adjusts it.

Lab time matters more than you might initially think. The PEN-200 lab is a connected network of vulnerable virtual machines where you practice the techniques covered in the coursework. Most candidates burn through their 90 days well before they feel ready, especially if they have a day job and family responsibilities. OffSec sells extensions, but extensions are not cheap. A more common path is to upgrade to one of the longer subscription tiers from the start.

The mid-tier package extends lab access to 180 days and adds a second exam attempt. The flagship subscription, marketed as Learn One, runs roughly $2,599 and bundles a full year of lab access along with access to OffSec's broader course catalog. Serious candidates frequently choose Learn One because it covers PEN-200 plus complementary OffSec material like KLCP (Kali Linux Certified Professional) and the underlying fundamentals course, and the longer lab window absorbs the inevitable slow weeks when work or life eats your study time.

There's also Learn Enterprise for organizations and Learn Unlimited, OffSec's all-you-can-study tier aimed at career professionals. Neither tier is necessary for the OSCP alone, but if you're plotting a multi-year journey through the entire OffSec stack, the math shifts in their favor quickly.

One important caveat: the lab is not the exam. The PEN-200 lab teaches you techniques and gives you a place to practice. The exam machines are different boxes, not in the lab network, designed specifically for evaluation. Mastering the lab is necessary but not sufficient. Most successful candidates supplement PEN-200 lab time with external practice on platforms like HackTheBox, OffSec's Proving Grounds, and TryHackMe before they sit the exam.

PEN-200 Course Modules

Enumeration & Information Gathering

Passive and active reconnaissance, port scanning with Nmap, service fingerprinting, and SMB/SNMP/DNS enumeration techniques that uncover initial attack surface.

Web Application Attacks

SQL injection, cross-site scripting, directory traversal, local and remote file inclusion, command injection, and the classic vulnerable-PHP-app exploitation chain.

Buffer Overflows & Exploit Development

Classic stack-based buffer overflow walkthroughs, EIP control, bad character analysis, and porting public proof-of-concept code to fit the target environment.

Linux & Windows Privilege Escalation

Kernel exploits, misconfigured services, SUID binaries, cron jobs, weak file permissions, unquoted service paths, token impersonation, and DLL hijacking.

Active Directory Attacks

Kerberoasting, AS-REP roasting, password spraying, lateral movement with pass-the-hash, BloodHound enumeration, and domain admin compromise paths.

Client-Side & Antivirus Evasion

Macro-based attacks, browser exploitation, payload obfuscation, AMSI bypasses, and the realities of getting code execution in defended environments.

The OSCP exam is 23 hours and 45 minutes of network access, followed by a 24-hour window to submit a written report. You connect over VPN to an exam environment that contains a small Active Directory set and three standalone machines. You will have only one attempt at the exam during the booked window. There is a proctoring component: you're recorded on webcam, your screen is captured, and you check in with a live proctor at the start and during breaks.

Scoring breaks down as follows: the Active Directory set is worth 40 points, awarded only if you compromise the entire chain from initial foothold through domain admin. The three standalone machines are worth 20 points each, with partial credit available for local user access (10 points) versus full root or SYSTEM (20 points). That gives you 100 possible points from machine compromises. You need 70 to pass.

Bonus points are the wild card. OffSec awards 10 bonus points if you complete a sufficient percentage of PEN-200 course exercises and lab machines before sitting the exam. These bonus points are added to your machine score, so a candidate who earns the bonus only needs 60 points from the exam itself to clear the 70-point bar. Practically speaking, almost every successful candidate goes after the bonus. The exercises take time but they're far less stressful than gambling on perfect exam performance.

The Active Directory set is the cornerstone of the modern OSCP. You'll typically land on a client workstation, escalate locally, harvest credentials, pivot to a server, kerberoast a service account, and chain your way to domain admin. There is usually a defined attack path, and the OffSec methodology expects you to follow it. Going off-script with creative exploitation is fine in real engagements but tends to waste time on the exam.

Time management on the exam separates pass from fail. Successful candidates almost universally describe a similar rhythm: a thirty-minute initial enumeration sweep across all targets, an early decision about which machine to tackle first, regular breaks every two to three hours, sleep around hour eight or ten, and a hard cutoff for the technical work with at least two hours of buffer for screenshot review. Burning all 24 hours on hacking and then trying to write the report bleary-eyed is how good candidates fail.


Exam Logistics

You book your exam slot through the OffSec portal after registering for PEN-200. Slots fill weeks ahead, especially evening and weekend windows. Lock in your date as soon as your study plan firms up. You can reschedule once for free if you give enough notice. After that, OffSec charges a fee.

Failing the OSCP is normal. OffSec doesn't publish official pass rates, but community surveys and forum chatter put the first-attempt pass rate somewhere between 30 and 40 percent. The exam is hard. People who get into cybersecurity from an IT operations background often underestimate how much methodical patience the format demands.

If you fail, you can book a retake. The retake fee runs roughly $249 USD on its own, though many of the longer subscription tiers (Learn One, Learn Unlimited) include additional attempts at no extra charge. The retake uses different target machines, so you can't grind the same exam content. You must wait a short cooldown period between attempts, designed to keep you from booking back-to-back tries without addressing whatever caused the first failure.

The most common failure modes are not what you'd expect. Candidates rarely fail because they didn't know how to exploit a particular CVE. They fail because their enumeration was lazy, they got tunnel vision on the wrong machine, they didn't document a critical screenshot, or they ran out of time before pivoting through the Active Directory chain. Mastering enumeration tooling and developing a repeatable methodology beats memorizing dozens of exploits.

Another underappreciated failure mode is the report. People crush the exam, get all 100 points, then submit a report that misses required screenshots or skips a section of the template. OffSec marks reports strictly. If your report doesn't prove your work, the points don't count. Build a report template in your prep phase. Practice writing reports for HackTheBox machines you complete. Don't wait until exam day to figure out what a professional pentest report looks like.

How long does it take to prepare for the OSCP? Honest answer: most candidates report between three and nine months of focused study. The wide spread reflects starting points. Someone with a few years as a penetration tester or red teamer might book PEN-200 and sit the exam within 90 days. Someone moving from helpdesk or sysadmin work usually needs six to nine months, sometimes more, to build the offensive mindset and toolchain familiarity.

A typical study plan looks something like this. Months one and two focus on PEN-200 video lectures, reading the course PDF, and completing the exercises. Months three and four shift to lab machines: working through OffSec's vulnerable network, breaking boxes, and writing internal reports for practice. Month five branches out to HackTheBox, Proving Grounds Practice, and a structured set of TryHackMe rooms targeted at OSCP-style enumeration. Month six is exam prep, where you simulate the exam format with timed practice sessions and final review of weak areas.

Daily commitment varies by life circumstance. The most successful working professionals describe blocks of two to three hours on weeknights and longer weekend sessions of six to eight hours. People who can dedicate full days speed up considerably, but burnout is a real risk. The OSCP punishes burned-out candidates. Plan rest days into your schedule from the start.

Mentorship and community accelerate everything. The OffSec Discord, the r/oscp subreddit, and various Twitter circles host candidates at every stage. Lurking, asking questions when you're stuck on methodology rather than specific exploits, and reading writeups for retired HackTheBox machines compresses your learning curve significantly. Watching IppSec's YouTube walkthroughs of retired boxes is practically a rite of passage.


OSCP Prep Readiness Checklist

  • You can comfortably enumerate a target with Nmap and identify exposed services
  • You've exploited at least 30-40 HackTheBox or Proving Grounds machines end-to-end
  • You can write a working reverse shell in Bash, Python, and PowerShell from memory
  • You've performed both Linux and Windows privilege escalation without using LinPEAS as a crutch
  • You've compromised a small Active Directory lab end-to-end (e.g., GOAD, Active Directory Pentesting lab)
  • You can articulate the buffer overflow workflow even if it's no longer guaranteed on the exam
  • You have a personal report template tested on at least 5 practice machines
  • You've completed PEN-200 course exercises sufficient for the 10-point bonus
  • You can sustain focus for 8-10 hours with planned breaks
  • You have a backup laptop, stable internet, and a quiet exam location confirmed

The OSCP opens doors. In the United States, entry-level penetration tester roles requiring or strongly preferring the OSCP typically advertise base salaries between $90,000 and $115,000. Mid-career roles with three to five years of penetration testing experience and the OSCP plus complementary skills move into the $120,000 to $160,000 range. Senior red team operators and offensive security engineers at FAANG-tier companies, defense contractors, and major financial institutions can exceed $200,000 in base salary, often with substantial bonus and equity on top.

Geography matters. Cybersecurity salaries are dramatically higher in major U.S. tech hubs and federal contracting regions than in mid-size markets. Remote-first hiring has flattened the curve somewhat over the last few years, but companies still anchor salary bands to location data. International salaries vary widely. Western Europe, Australia, and the UAE pay competitively for OSCP holders. Eastern Europe and Latin America trail considerably in base salary but offer increasingly attractive total compensation through remote-first U.S. employers.

Beyond the immediate salary bump, the OSCP positions you for specific career paths. The most common trajectory runs through consulting firms: large players like Mandiant, NCC Group, Bishop Fox, Trustwave SpiderLabs, and dozens of regional boutiques actively recruit OSCP holders. Two to three years in consulting builds breadth of engagement experience, after which many practitioners move in-house to internal red teams, security engineering, or product security roles. Some stay in consulting and progress to principal consultant or partner tracks.

The OSCP also pairs well with related credentials. Pairing OSCP with the CISSP creates a strong management-track profile. Pairing with cloud penetration testing certifications like AWS Security Specialty or OffSec's own cloud course opens cloud red team opportunities. The OSEP, OSWE, and OSCE3 progression keeps you on the deeply technical track and signals continued investment in offensive specialization.

OSCP Honest Assessment

Pros
  • Industry-recognized proof of practical penetration testing skill, not just memorization
  • Hands-on exam format that mirrors real engagement workflow
  • Frequently listed as required or preferred in pentester job postings
  • Strong community, abundant free prep resources, and active mentorship culture
  • Foundation for the broader OffSec stack (OSEP, OSWE, OSED, OSCE3)
  • Three-year recertification cycle is manageable compared to annual CPE-heavy certs
Cons
  • Total cost can exceed $2,500 once labs, retakes, and extensions add up
  • 24-hour exam plus 24-hour report is physically and mentally punishing
  • Documentation requirements catch out strong technical candidates who skip report practice
  • Pass rate around 30-40% on first attempt means many candidates retake
  • PEN-200 material covers some legacy techniques alongside modern AD attacks
  • Time commitment of 3-9 months is hard to reconcile with demanding day jobs

OSCP certifications are valid for three years from the date issued. After that window closes, you have a few options for maintaining the credential. The most direct path is to earn 90 Continuing Professional Education (CPE) credits across the three-year cycle and submit them through the OffSec portal. CPEs accumulate from a wide range of activities: conference attendance, training courses, publishing technical writeups, speaking at events, completing other certifications, and contributing to open-source security tooling.

Alternatively, you can retake and pass any current OffSec certification exam during the cycle. Passing OSEP, OSWE, OSED, or even retaking OSCP itself resets your certification clock. Many practitioners naturally clear the recertification bar by progressing up the OffSec stack and never explicitly manage CPE submissions.

If you let the certification lapse, OffSec does not maintain a separate "expired" status visible to employers. The certification simply ceases to validate when checked against the OffSec portal. You can re-earn it by retaking PEN-200 and the exam, but practically nobody does this. The CPE path is straightforward enough that most certified practitioners stay current.

One nuance worth flagging: pre-2023 OSCP holders received "lifetime" certificates that did not require renewal. OffSec changed this policy for new candidates moving forward. If you're earning the OSCP today, plan on the three-year cycle. The lifetime grandfather clause applies only to the legacy holders.

Outside of PEN-200 itself, three external platforms dominate OSCP prep conversation. HackTheBox is the longest-running and the most diverse. Its retired machines (Easy through Medium difficulty rating) line up well with OSCP-style enumeration and exploitation. The "OSCP-like" lists maintained by community members curate boxes that mimic exam patterns. Active subscribers pay around $20 to $30 monthly for full access; retired boxes are accessible on VIP tiers.

OffSec's own Proving Grounds Practice is the closest thing to official additional lab time. The boxes are designed by OffSec employees and graded by OffSec methodology. Many candidates report that Proving Grounds Practice feels almost identical in difficulty and approach to the exam. Pricing is per-month, typically less than HackTheBox VIP, and you can pause subscriptions when life gets in the way.

TryHackMe sits at a different point on the spectrum. It's friendlier for beginners and offers guided rooms that walk you through techniques rather than dropping you in front of an unfamiliar box. The "Offensive Pentesting" learning path on TryHackMe is a reasonable bridge for someone moving from theoretical study into hands-on work. By the time you're deep in PEN-200, you'll have outgrown most TryHackMe content, but the platform retains value for skill-specific brushing up.

Beyond paid platforms, free resources fill in the gaps. IppSec's YouTube channel walks through retired HackTheBox machines with deep methodology explanations. The 0xdf.gitlab.io writeups document hundreds of boxes in clean prose. The PayloadsAllTheThings GitHub repository is a reference bible for specific attack techniques. The HackTricks book covers privilege escalation and post-exploitation comprehensively. None of these replace the structured PEN-200 curriculum, but they extend its reach significantly.

About the Author

James R. Hargrove, JD, LLM

Attorney & Bar Exam Preparation Specialist

Yale Law School

James R. Hargrove is a practicing attorney and legal educator with a Juris Doctor from Yale Law School and an LLM in Constitutional Law. With over a decade of experience coaching bar exam candidates across multiple jurisdictions, he specializes in MBE strategy, state-specific essay preparation, and multistate performance test techniques.