This page was written to give you a summary of my experience in obtaining the infamous OSCP / OSCP+ certification. There are also some tips and tricks for the exam at the end, which I think give you a better chance of succeeding on it.
Overview
As there is already so much info and blogs about the OSCP cert, I only include the official description here:
“The Penetration Testing with Kali Linux (PEN-200) course is OffSec’s essential training program for aspiring penetration testers. The course teaches learners how to identify and exploit real-world vulnerabilities across computers, network security, web applications, and basic cloud environments. Emphasizing hands-on, practical learning, PEN-200 provides the core technical skills and mindset required to simulate offensive information security operations—and defend against them. It’s a critical resource for those pursuing roles such as penetration tester, security analyst, security specialist, or certified ethical hacker.
PEN-200 is organized into 20+ modules. Most modules have companion videos for the visually inclined learners. Most modules have hands-on labs to help learners practice the concept and theory taught in that module. After mastering each of the techniques and skills taught in all modules, learners can move on to the 9 challenge labs to practice a combination of skills in one lab, mimicking the real-world penetration test engagement. To help learners get ready for their OSCP+ certification exam, three challenge labs are designed to closely replicate the OSCP+ exam environment.
PEN-200 is suitable for those wishing to embark on a professional pen testing career, or wanting to learn ethical hacking skills possessed by pen testers. Before taking this course, we do suggest having hands-on practical knowledge of Linux and Windows administration, networking, and network scripting.”
The exam contains:
- 1 AD-Set with three interconnected machines (40 Points)
  - Starting as assumed breach (provided low level credentials)
  - Includes Network Pivoting
- 3 Standalone Machines (each 20 Points)
  - Random selection (Windows & Linux boxes)
24 hour time limit + another 24 hours for reporting. The exam is fully proctored. To pass you need at least 70 out of 100 points. There are no longer any bonus points that you can collect during the course beforehand, as there were in the past.
Since November 2024 you also receive the OSCP+ certification in addition to OSCP. The only difference is that the latter expires in three years unless you submit CPE points, pass another exam or take a different cert from OffSec. Yes, this is only a money grab. But I also think a potential employer absolutely doesn’t care if your certification is expired.
Why did I choose this course?
As it is the best-known offensive security certification, with a reputation for a challenging exam that is often described as a gateway, I just had to do this certification. I also have a passion for offensive security. I didn’t do it to show off or to get a higher paying job (there are so many people writing on the internet that they were just doing this cert to land a specific job), but to truly learn new views, techniques and approaches on the same topic. And yes, it was a vastly different experience than on my “home base” HTB (neither worse nor better, just different).
Review
Course & Challenge Labs
I would rate the PEN-200 course a 7 / 10. The main point deduction is that many concepts and techniques are taught only very briefly. Due to my knowledge from CPTS + CRTO I easily filled the gaps. But had I taken this course as a beginner (even with an IT background), I think I would not have been able to even solve the capstone labs (labs at the end of each module, which test your practical skill). In my opinion, if a course does not teach you the skills to master the included labs / exam, it is not the student who is at fault but the teacher / its teaching material. And no, you can’t just say "Try Harder", "Do your own research", etc. At least not on a course in this price range.
However, there were also some major plus points in the course material over CPTS. The material and labs (e.g. fully Win 11 environments) were mostly very up to date (not looking at you, Anti Virus Evasion section) and included many recent tools / exploits, which I liked very much. In short: the material was good, but just very short on depth. It also included some modules which were completely new to me, like AWS cloud penetration stuff (though not tested on the exam).
The included challenge labs I’d rate 9 / 10. Especially the larger AD-Sets like Relia and Skylark were exceptional. Also the experience with stability and performance on any lab was really good (better than on any HTB Academy lab, esp. Windows labs).
What sections / modules did I like the most?
- Password Attacks (includes NTLM-Relaying and Windows Credential Guard)
  - This whole module led me down a rabbit hole in bypassing LSA protected memory on recent Windows 11 machines (fully AV evaded).
- Phishing and Client-side Attack modules
- The three AD modules
  - Not many new techniques encountered, but I just like Active Directory overall, so that’s already a big plus :).
What sections / modules did I dislike?
- Learning Strategies
  - This module is wasted in my opinion. If you’re at this technical level, you should already know your own working learning methods. I skipped the module completely after a few paragraphs.
- Antivirus Evasion
  - The methods / tools taught are quite outdated and not really working on up-to-date machines (e.g. they introduce you to the free version of Shellter, which can only do 32-bit binaries). I think OffSec would do better to move this topic altogether to its PEN-300 course. Alternatively they could change it into simple working forms like PowerShell obfuscation on a simple reverse shell and AMSI bypasses, which can be taught easily.
I cannot rate the AWS modules right now, as they are not fully done at the time of writing. My approach was to do them after passing the exam.
Time
I was through the course (including challenge labs and exam) and over 100 Proving Ground labs (OffSec’s open lab environment) in about 2 months, working on and off (not daily). As I mentioned before, I think you would have a hard time passing the course / exam without other training material like HTB or any previous knowledge.
Exam
At the end stood this infamous exam, from which the whole certification and its “legendary” status in the cybersecurity space comes. How did I fare and what was my experience? Yes, I did pass on my first attempt (not in the time I thought of though, I fell into quite some rabbit holes).
As the rules of the cert dictate, I cannot go into specifics on the exam. Overall I found it fair on some sections (Active Directory) and completely CTF-like on others (Standalone machines). There were a ton of rabbit holes, which I believe you would not encounter in a real environment in the forms they appeared. I also had machines where the exploit path only worked properly after a machine revert. All these experiences left a somewhat bitter taste. In comparison: the included challenge labs (e.g. OSCP A, B, C) are just too easy and do not prepare you enough for the exam.
The proctoring was completely fine by me; the proctors were very kind and they never really intervened. The VPN connection was also rock solid, even though in the beginning the connection speed was slow and, due to it, there were some timeouts on nmap scans and on other tools (though I don’t know if it was on their end or mine; it solved itself after a short amount of time, which was why I did not look further into it).
An absolute strong point was that I received the result of passing in under 24 hours. That was very unexpected, coming from HTB, where I waited more than 20 business days for CDSA results. My guess is that this is because of the lower report requirements and/or more resources on OffSec’s side.
Conclusion
Would I do the course / exam again?
I find this question hard to answer. I guess if I had to pay for the course myself, I would clearly say no. The money is so much better spent on HTB courses. However, if the course were on the same level as HTB cost-wise, I would say yes. OffSec teaches you a completely different view, methodology and approach in terms of enumeration, which is very valid. I just think their course is nowhere near the level the exam is.
CPTS vs OSCP
There is no clear winner, both have their own strong points:
| Point | Cert to approach |
|---|---|
| beginner friendly | CPTS |
| cost wise | CPTS |
| more recent material | OSCP |
| lifetime access to material | CPTS |
| cert recognition | OSCP |
| community (discord f.e.) | CPTS (HTB) |
| vendor support | OSCP (OffSec) |
| proctored, fewer / no cheaters | OSCP |
| depth of skillset taught | CPTS |

If you can, I would recommend doing both in the order CPTS -> OSCP. Best doing the latter paid for by your employer.
Tips & Tricks for Exam
Like always, here is my list, if you want to do the certification yourself:
- Even if you can do all included challenge labs blind, you still might fail. You need to learn the style in which OffSec boxes, with their rabbit holes, are built. My guess is that’s the main reason why even experienced people who hold CPTS can fail the exam (there are some reviews out there). The best approach to do this is doing Proving Ground Practice boxes. The style is very similar; I strongly believe the authors of these boxes and the exam boxes are the same.
- Initial Access is key. If you are limited in time on what to learn, focus on learning enumeration for Initial Access. If you can’t get initial access you fail the exam, as you are not able to privilege escalate.
- Privilege Escalation is really easy (any privilege escalation I had done in max. 30 minutes)
- The exam is not overly hard, there are just so many misleading points where you can get lost. There are no custom exploits, no custom script writing, no WAF or brute force limitation bypassing included.
- Take the approach KISS: Keep it simple and stupid. What services are running, what versions are they, what default credentials are known.
- Report while you go. Every time you reach a flag, hold on and report up to this point before you go on.
- Reporting was really a piece of cake. I had it done in about 2 hours (I used https://sysreptor.com/). I also did not find one review where someone mentioned he failed the exam because of reporting. My guess is, if you can overall explain how you compromised the machines, you’re already golden. You don’t have to give CVSS scores and detailed remediation recommendations like on HTB.
- If you get stuck for more than 2 hours, get off your computer to clear your mind and to reassess.
- You have more than enough time for the exam.
- Revert boxes and don’t hesitate to contact support if your machine behaves oddly. Retry exploits / methods again after reverts.
- Learn ligolo-ng, it makes the whole pivoting part easy and stable.
- Learn how to debug if an exploit is successful, but you don’t get a reverse shell back (crucial skill). Learn how to bypass firewalls.

