The Offensive Security Certified Professional (OSCP) is widely considered the most respected hands-on penetration testing certification in cybersecurity. Unlike most certifications that test knowledge through multiple-choice questions, the OSCP exam is a 24-hour practical challenge where you must compromise a series of machines in a lab environment and document your findings in a professional penetration testing report. That format makes OSCP one of the few certifications that employers treat as direct proof of technical skill.
Getting to that exam requires going through Offensive Security's training ecosystem. The primary pathway is the PEN-200 course โ formerly called PWK (Penetration Testing with Kali Linux) โ which is the official training material for OSCP. Purchasing PEN-200 includes access to the course content, a virtual lab environment populated with deliberately vulnerable machines, and one exam attempt. The cost structure has evolved over the years, and in 2024 Offensive Security transitioned to a subscription model that changes how candidates access training and schedule exams.
This article covers what OSCP training actually costs, what the PEN-200 course includes, how long candidates typically spend preparing, and what free and low-cost supplementary resources are most useful for building the skills the exam requires. Whether you're planning to pursue OSCP in the next few months or just starting to research the certification landscape, understanding the full cost and time commitment upfront lets you plan a realistic preparation strategy.
It's worth noting that OSCP isn't an entry-level certification. Offensive Security explicitly recommends that candidates have experience with networking fundamentals, a working knowledge of Linux and Windows, basic scripting ability (Python or Bash), and familiarity with web application concepts before starting PEN-200. Candidates who start the course without that baseline tend to burn through their lab time trying to fill foundational gaps rather than learning the penetration testing methodology. Building that foundation first โ including time on platforms like TryHackMe or HackTheBox โ is generally better preparation than purchasing PEN-200 before you're ready for it.
In the cybersecurity job market, OSCP carries significant weight specifically because of its practical nature. Hiring managers at security consultancies, penetration testing firms, and in-house red teams know that passing OSCP requires actual exploitation skills โ not just knowledge of attack concepts. This makes it a more reliable signal of competence than certifications that can be passed through memorization alone. Many penetration testing job listings explicitly mention OSCP as a preferred or required qualification, and candidates who hold it consistently report that it opens doors that other security certifications don't.
OSCP is issued by Offensive Security, the same organization behind Kali Linux. OffSec has expanded its certification ladder over the years โ OSCP now sits in the middle of their offensive security pathway, with more advanced certifications like OSEP (Experienced Penetration Tester) and OSED (Exploit Developer) for candidates who want to go deeper after passing OSCP. But for most security professionals entering or advancing in penetration testing, OSCP is the primary milestone that establishes credibility in the field.
The 'Try Harder' philosophy โ Offensive Security's unofficial mantra โ reflects what the certification genuinely demands. The labs and exam are designed to be difficult, and the expectation is that candidates will struggle, get stuck, push through, and develop real problem-solving capability in the process.
Unlike programs that scaffold learners through every step, OSCP deliberately creates situations where you need to figure things out on your own. That philosophy is precisely what makes the certification respected, and it's worth understanding before you commit: OSCP is a substantial investment of time, money, and effort, and the payoff is a hands-on credential that genuinely demonstrates actual real-world technical penetration testing skill rather than the ability to pass a multiple-choice test.
Offensive Security moved to a subscription model in 2023, replacing the previous one-time purchase options. There are currently two main subscription tiers for accessing PEN-200 and OSCP: Learn One and Learn Unlimited (also called OffSec Annual).
Learn One is priced at approximately $1,499 per year and provides access to a single learning path (such as PEN-200) plus one exam attempt. Additional exam retakes are purchased separately at around $249 per attempt. Learn Unlimited (approximately $5,499 per year) provides access to all OffSec courses, unlimited exam attempts within the subscription period, and access to their broader training library. For most candidates focused specifically on OSCP, Learn One is the standard starting point.
Before the subscription model, OffSec offered course bundles based on lab access duration: 30 days, 60 days, or 90 days of lab access. Candidates who purchased these packages owned the course materials for life but had time-limited lab access. If you see references to these pricing tiers in forums or blog posts, they refer to the legacy model. The current subscription model works differently โ you have access as long as your subscription is active, but the materials aren't yours permanently unless you have a legacy purchase.
Beyond the subscription cost, consider these additional expenses in your OSCP budget. First, supplementary training โ if you spend time on TryHackMe or HackTheBox before purchasing PEN-200, budget for their premium tiers ($14/month and $14/month respectively) during your pre-OSCP preparation phase.
Second, exam retakes โ at $249 per attempt, it's worth building that into your financial plan since a significant percentage of candidates don't pass on their first attempt. Third, equipment โ you need a stable machine capable of running Kali Linux either natively or in a VM, which most candidates who are already in IT roles have but worth confirming.
Total cost for most candidates: $1,499 for Learn One (includes first exam attempt) plus $0โ$500 in supplementary training and potential retake fees. Candidates who are well-prepared before starting PEN-200 tend to get more out of their lab time and have better exam pass rates, which makes pre-purchase preparation an investment that pays off in reduced total cost.
Some employers in cybersecurity reimburse OSCP training costs, particularly for penetration testers, red team members, and security engineers. If your employer has a professional development budget, it's worth requesting OSCP funding โ the certification is business-relevant and the cost is modest relative to other technical training. Government contractors and defense-sector employers may cover OSCP costs as part of 8570/8140 compliance efforts, since OSCP meets DoD Approved Baseline Certifications for certain work roles at the appropriate level.
If the upfront cost of Learn One is prohibitive, some candidates break preparation into phases: spend several months building skills on free and low-cost platforms first, then purchase the subscription only when they're confident they're ready to make productive use of the lab time. This approach takes longer but costs less โ you pay for PEN-200 once rather than extending or repurchasing because you weren't ready the first time. The community generally agrees that preparation-before-purchase is the financially smarter approach for most candidates.
PEN-200 is Offensive Security's flagship penetration testing course and the official training for OSCP. The course covers the full lifecycle of a penetration test: information gathering, enumeration, vulnerability identification, exploitation, post-exploitation, and documentation. It's organized as a self-paced learning experience combining PDF/video course modules with hands-on practice in the OffSec lab environment.
The course content covers penetration testing methodology, buffer overflow exploitation (both Windows and Linux), privilege escalation techniques for both operating systems, web application attacks (SQL injection, cross-site scripting, file inclusion, command injection), client-side attacks, tunneling and pivoting through networks, Active Directory attack techniques (a major addition in recent editions), antivirus evasion, and report writing. The Active Directory content was significantly expanded in recent PEN-200 updates to reflect how real-world penetration tests are structured โ most enterprise environments are Windows/AD environments, and understanding how to enumerate and attack AD is critical for the exam and the profession.
The lab environment is what sets PEN-200 apart from theoretical training. The labs are a virtual network of machines spanning different operating systems, configurations, and vulnerability types. Some machines require pivoting through intermediate systems; others require chaining multiple vulnerabilities to achieve full compromise. The offensive security certified professional oscp certification path is built around the assumption that you'll spend significant time in the labs โ not just reading the course material โ before attempting the exam.
Offensive Security recommends completing all module exercises and submitting them for the bonus points. This serves two functions: it ensures you've worked through all the course content systematically, and it adds up to 10 bonus points to your exam score if you also submit 10 proof screenshots from the practice labs. For candidates who are on the borderline between passing and failing, those bonus points can make a meaningful difference. Plan the bonus point work into your schedule from the beginning rather than trying to rush through exercises at the end of your preparation period.
One important PEN-200 content area that surprises candidates from a traditional network security background is the depth of web application coverage. Modern penetration testing engagements frequently include web applications โ internal admin panels, external-facing apps, APIs โ and the OSCP exam reflects this. The web app attack techniques covered in PEN-200 include SQL injection (both manual and tool-assisted), cross-site scripting, directory traversal, file inclusion vulnerabilities, command injection, and SSRF. If your background is primarily network-focused rather than web-focused, spending extra time on web app techniques before the exam is worth the investment.
Report writing is a component that many technical candidates underestimate until they're sitting in front of a blank document with 24 hours to go before the submission deadline. The OSCP report must document every machine you compromised: the scope, the methodology, the enumeration findings, the vulnerability exploited, the exploit walkthrough with screenshots, and remediation recommendations. A poorly written report on otherwise successful exploits can cost you passing points โ Offensive Security evaluates report quality as part of the overall assessment. Practice writing machine walkthrough documentation during your lab period, not for the first time during the actual exam.
Several high-quality free resources help build OSCP prerequisite skills before purchasing PEN-200:
Some paid resources are widely recommended in the OSCP community as valuable supplements to PEN-200:
Typical OSCP preparation timelines vary significantly by experience level:
Beginner (no prior pentesting experience): 6โ12 months total. Plan 3โ6 months building fundamentals on TryHackMe/HTB before starting PEN-200. Then use the full Learn One lab period for PEN-200 work. Don't rush โ starting PEN-200 before you're ready wastes expensive lab time.
Intermediate (some CTF/HTB experience, IT background): 3โ6 months total. 1โ2 months refreshing skills on HTB retired machines + OSCP-specific technique study, then purchase PEN-200 and spend 2โ4 months in the labs.
Experienced (IT/security professional, scripting experience): 2โ4 months total. May be able to start PEN-200 directly and use the lab time efficiently. Still recommend doing some HTB machines and reviewing privilege escalation techniques before the exam.
Most community advice suggests scheduling your exam only when you can reliably compromise 3โ4 machines in the practice labs without hints. The '5 machines in 24 hours' pressure test is real โ time management under stress is a significant factor in exam performance.
The PEN-200 lab environment is the core differentiator of OSCP training โ there's no substitute for hands-on practice against real (deliberately vulnerable) machines. Getting the most out of your lab time requires approaching it systematically rather than randomly hacking machines and hoping skills develop organically.
Start with the course material before touching the labs. It's tempting to jump straight into hacking machines, but the course modules are structured to build skills sequentially, and trying to solve lab machines without the relevant technique knowledge is frustrating and inefficient. Complete each module, do the exercises, then apply what you've learned in the labs. This approach takes longer upfront but produces better retention and better exam performance.
Keep detailed notes from day one. Document every machine you compromise: the enumeration output, the vulnerability you identified, the exploit you used, the commands you ran, and the proof screenshots.
Good notes serve multiple purposes โ they help you build the report-writing muscle you need for the exam, they help you remember techniques when similar situations arise in later machines, and they're the raw material for your exam report if you find a machine on exam day that's similar to one you practiced on. Many OSCP candidates use a note-taking system like CherryTree, Obsidian, or Notion specifically for their lab notes.
Use the hint system strategically. OffSec's forums provide hints for lab machines, and using them isn't cheating โ it's appropriate when you've genuinely exhausted your ideas and are stuck. The goal is learning, not proving you can solve everything without help. That said, when you do use a hint, make sure you understand why the technique works, not just that you applied it. Exam machines won't come with hints, so understanding the underlying reasoning is what transfers to exam performance.
Attempt the machines in order of difficulty if you're new to the labs. The machine descriptions indicate difficulty levels, and starting with easier machines builds momentum and reinforces fundamentals before you encounter more complex chaining scenarios. As your skills develop, working on harder machines becomes more productive because you have more techniques in your toolkit to attempt.
Time management under exam conditions is a distinct skill from technical ability, and the labs can help you practice it. Some candidates set artificial time limits on lab machines โ giving themselves a set number of hours per machine โ to simulate exam pressure. Others practice the report-writing workflow specifically, timing how long it takes to write up a complete machine compromise. Knowing that report writing alone might take 2โ4 hours means budgeting your 24-hour exam window very differently than if you plan to hack right up to the deadline.
The enumeration mindset is what the PEN-200 course builds most importantly, and it takes time to internalize. In early lab attempts, many candidates rush past enumeration to try exploits. Experienced penetration testers know that thorough enumeration is what surfaces the actual attack path โ and that random exploit attempts without solid enumeration waste time.
If you're stuck on a machine, the answer 90% of the time is to enumerate more thoroughly. This lesson โ that the path forward is hidden in plain sight in the enumeration output โ is the core thing that separates candidates who pass OSCP from those who struggle.