I am aware that the internet is full of videos, blog and forum posts, GitHub pages (and the list goes on) about the OffSec Certified Professional (OSCP). However, I have been getting a lot of questions about my journey. Here are a few disclaimers:
I have a fairly strong background in competitive programming. So I have been coding for the better part of two decades. This has nothing to do with the OSCP; however, I was comfortable with computers and IT in general. I have been a Script Kiddie since the times of BackTrack 5 (i.e. pre-2013). I also have a Master’s degree in Cybercrime and Intelligence (not to be mistaken with Cybersecurity). Cybercrime focuses mostly on the socio-technical aspects of crime in cyberspace – the why, the what, and to a lesser extent the how.
My relevant work experience adds up to about three years of Cybersecurity, including a while as a Vulnerability Analyst (running vulnerability scans and doing manual vulnerability assessments), Team Leader (managing a team of cybersecurity professionals, including Vulnerability Analysts, Pentesters, Incident Responders and DevSecOps), and more recently, Penetration Tester. Thus, during my whole professional work experience I have done either penetration testing or work related to penetration testing. Moreover, I have been spending a lot of time on learning platforms such as TryHackMe, OverTheWire, HackTheBox, and on various Bug Bounty Programs.
Do you need this sort of experience for the OSCP? The simple answer is no. I know high school students who have passed the OSCP. The course covers all the information necessary for passing – however, any additional experience helps.
I get this question a lot. Before the OSCP, I had taken the eJPT, eWPT, and CAP. Did I really need them for the OSCP? Not really… People ask me – do I need CEH, Pentest+, PNPT, or a multitude of other certifications? No. As discouraging as it may sound, OSCP is a foundational penetration testing course, and although any previous experience or knowledge helps, you do not necessarily need it. Really, the techniques presented in the course are quite straightforward, but the most important lesson from it is to Try Harder.
This depends. The exam was updated in 2022 to make it more relevant by:
On one hand, the OSCP is widely recognized in the industry. It is included in thousands of job ads and it is often an HR-filter bypass. Additionally, the methodology that you build during the course may transfer into your work as a penetration tester, and passing the exam indicates that you are able to exploit several machines and report your findings under the pressure of a tight deadline.
On the other hand, the OSCP lacks realism in the sense that the aim is to reach high-privilege access on all systems (ideally), whereas in the real world you would focus on finding all vulnerabilities in the systems, regardless of their severity. Also, one may argue that the OSCP tests endurance more than competence, due to the tight deadlines (24 hours for testing and 24 hours for reporting). I do not fully agree with this take, as I think that during the exam you will run out of ideas before you run out of time. Also, during many work engagements you may experience tight deadlines, so the OSCP does give you some transferable skills in this regard.
Overall, I would say that the relevancy of the OSCP depends on your circumstances. Considering that I already was doing penetration testing work, I do not think I needed this certification. Nevertheless, I wanted it as a milestone.
In terms of the “hard”/technical skills, I suggest you check the course syllabus here. In terms of other transferable skills, the following stand out:
The PEN-200 labs are the prime resource in my opinion. Not only are they fun, but they help with building and testing the skills required to pass the exam. The OffSec PEN-200 forum is good for when you get stuck on lab machines. You do not really get a definitive answer, but the forum is good for sanity checks and for making sure you do not get stuck in rabbit holes. Additionally, I suggest practicing reporting while working through the lab.
TryHackMe is one of my favorite resources for learning Cybersecurity. In preparation for the OSCP, I recommend working through the Offensive Pentesting Learning Path and the networks (Holo and Wreath). The networks go above what is needed for the OSCP exam, but there is some hand-holding involved, so don’t worry!
Also, the Practical Ethical Hacking course from TCM Academy is a force to be reckoned with. The value is incredible and I cannot recommend it strongly enough. Actually, I recommend purchasing a few of the courses provided by TCM Academy, as the value is simply unbeatable.
In terms of seeing others doing it, there is no one better (in my opinion) than IppSec. His videos are fantastic and I really appreciate how he talks through failed avenues of attack and not only successful ones. The fact that he exposes his thought process in the videos and faces hardship at times is incredibly useful. I learn new stuff from IppSec’s videos every time I watch them. Moreover, IppSec created this utility which allows you to search for specific techniques or technologies and then provides the exact videos and timestamps for them.
This can be a stressful question to ask. I understand the feelings of inadequacy caused by doubting your abilities. Moreover, if you follow other Cyber content creators who give advice about the OSCP, you may end up with the following list:
In my opinion, most of these machines are harder than the OSCP, so do not think that if you can’t solve them all you aren’t good enough. In fact, I would go so far as to say that most Easy machines on HackTheBox are likely harder than the OSCP ones.
If you are not sure whether you’re prepared or not, I would suggest that you just go for it! Jump straight into the “deep” water and adapt from there. It may be stressful, but it is important to remember that not all types of stress are equal. Eustress, the opposite of distress, is stress that leads to a positive response. Think about some of the best athletes in the world who are able to perform at their peak with thousands of spectators and huge prizes on the line. If you are able to manage the stress posed by the time constraints and the price of this course (and certification), I think that you will actually end up learning a lot. Think of eustress as a learning multiplier in this context. Moreover, at the end of your OSCP journey you will find that you have increased confidence in your abilities.
Overall, the OSCP is one of the most widely recognized certifications in the field. It is certainly not the most realistic, nor is it the most difficult, but it deserves its place. There is no one-size-fits-all approach to it because it all depends on your personal experience, knowledge and most importantly, the time (and money) that you can afford to spend. I recommend the OSCP to anyone who wants to develop or sharpen their foundational penetration testing skills whilst developing a growth mindset.