OSCP

OSCP: The Cert That Proves You Can Actually Hack

You've been studying for months. You know what a reverse shell is. You can explain the difference between a bind shell and a reverse shell at a dinner party nobody invited you to. You've done TryHackMe rooms, watched IppSec videos, maybe even knocked out eJPT. And now you're staring at the OSCP page wondering if $1,599 is the move or if it's a trap.

Here's the honest answer: it depends on exactly where you are and where you're trying to go. This analysis will tell you which side of that line you're on.

---

Is the OSCP Worth Your Money?

The OSCP costs $1,599. That includes 90 days of lab access and one exam attempt. A retake runs $249. The PEN-200 course materials are included, but let's be real: you're not paying for the course. You're paying for the credential.

So what does that credential actually buy you?

In penetration testing specifically, the OSCP is the closest thing the industry has to a baseline proof of competence. It doesn't guarantee you can do the job, but it proves you can think through a problem without someone holding your hand. That matters in a field where most candidates can recite frameworks but freeze when they're staring at a blank terminal.

The ROI math is uncomfortable but honest. Entry-level pen testers without OSCP typically start between $65,000 and $80,000. With OSCP, that floor moves to $85,000 to $110,000 at most shops, and some boutique firms won't interview you without it. If you're already in a security role and adding OSCP to move into offensive work, the bump is typically $15,000 to $25,000 annually. At $1,599 upfront, that's a reasonable return if you're targeting pen testing specifically.

The problem is the "if." If you're not targeting pen testing or red team work, the OSCP does almost nothing for your career. A SOC analyst with OSCP is still a SOC analyst. A GRC professional with OSCP is still doing compliance work. The cert is narrow in a way that most advanced certs aren't, and that narrowness is both its strength and its limitation.

One more uncomfortable truth: the OSCP doesn't appear on the DoD 8570 approved list. If you're targeting federal work or cleared positions, you'll need GPEN, CEH, or GWAPT alongside it or instead of it. That's not a dealbreaker, but it's a real constraint if government contracting is your target market.

---

Who Should Get It and Who Should Skip It

Get the OSCP if:

You want to work as a penetration tester at a consulting firm, internal red team, or managed security provider. You've already built foundational skills through home lab work, CTF competition, or platforms like Hack The Box or TryHackMe. You can consistently compromise intermediate-level machines on HTB without walkthroughs. You're not in a rush and can dedicate 3 to 6 months of serious prep before you even buy the course.

You're also a good candidate if you're already in a security role and want to move laterally into offensive work. The OSCP gives hiring managers a shortcut: instead of trying to evaluate your home lab writeups and CTF history, they see a credential with a known difficulty floor and move you to the interview pile.

Skip the OSCP if:

You're early in your security career and don't have at least a year of hands-on technical work behind you. The cert will eat your money and your confidence. You'll spend 90 days frustrated instead of building the skills that would have made those 90 days productive.

Skip it if your target is GRC, cloud security, security architecture, or leadership. CISSP, CISM, or CCSP will do more for those paths at lower cost and with broader applicability.

Skip it if you're targeting federal positions as your primary goal. The DoD 8570 gap is real. CEH or GPEN will open more doors in that specific market even though the OSCP is technically harder and more respected by practitioners.

Skip it if you can't afford to fail. The exam is genuinely difficult. Pass rates aren't published by OffSec, but community estimates consistently land between 15% and 20% on first attempt. That's not a reason to avoid it, but it's a reason to be honest with yourself about your readiness before you spend $1,599.

---

What the Exam Actually Tests

The vendor outline will tell you the OSCP tests penetration testing methodology across enumeration, exploitation, post-exploitation, and reporting. That's accurate but incomplete.

What people who've taken it will tell you is different.

The exam is 23 hours and 45 minutes of active testing followed by 24 hours to write and submit your report. You need 70 points to pass. The machines are worth different point values, and there's a standalone Active Directory set worth 40 points that many candidates treat as their anchor. If you can reliably own the AD set, you're already more than halfway there.

The exam tests whether you can enumerate methodically under pressure when nothing is handed to you. The machines don't announce their vulnerabilities. You have to find them. The most common failure mode isn't "I didn't know the exploit." It's "I panicked, stopped enumerating, and started throwing exploits at things hoping something would stick." That's a mindset problem, not a knowledge problem.

The report matters more than most candidates expect. OffSec has failed people who compromised all the machines but submitted a report that didn't meet professional standards. Your report needs to document your methodology, show proof of exploitation with screenshots, and be reproducible. If a client couldn't hand your report to a developer and get actionable remediation steps, it's not a passing report.

The AD component specifically tests whether you understand attack paths through a domain: enumeration with BloodHound, Kerberoasting, AS-REP roasting, pass-the-hash, pass-the-ticket, and lateral movement to domain controller. You don't need to know every Active Directory attack in existence. You need to know the common ones cold and be able to chain them under time pressure.

Buffer overflow used to be a guaranteed 25-point machine on the exam. OffSec updated the exam format in 2022 and removed the standalone BOF machine. If you're using older prep resources, check the date. Anything before mid-2022 may be teaching you for an exam that no longer exists.

---

The Efficient Study Path

Do not buy the course until you're ready for it. This is the most important sentence in this entire analysis.

Phase 1: Build your foundation (8 to 12 weeks before purchasing)

Work through TryHackMe's "Jr Penetration Tester" path if you need to solidify basics. Then move to Hack The Box. Specifically, work through the machines that IppSec has covered on his YouTube channel, starting with retired machines rated Easy and Medium. When you can consistently compromise Easy machines without walkthroughs and Medium machines with minimal hints, you're approaching readiness.

TCM Security's "Practical Ethical Hacking" course ($30 on Udemy) is the most efficient pre-OSCP resource available. It covers the methodology, the tools, and the mindset in a format that's directly applicable to the exam. Many people who passed OSCP on first attempt cite TCM as their primary prep resource.

For Active Directory specifically, TCM's "Practical Active Directory" course and the "AD attacks" section of his PEH course are worth your time. BloodHound, Impacket, and CrackMapExec should feel like familiar tools before you start the labs.

Phase 2: The PEN-200 course and labs (90 days)

When you buy the course, treat the first two weeks as structured learning. Read the course material, do the exercises, and submit the lab report if you want the 10 bonus points (which can be the difference between passing and failing). Those 10 points are free if you do the work.

Then spend the remaining time in the labs. Your goal is to compromise as many machines as possible, document everything, and build the habit of structured enumeration before exploitation. The lab machines are harder than the exam machines on average. If you're consistently owning lab machines, you're in good shape.

Phase 3: Exam simulation

In the final two weeks, run timed practice sessions. Set a timer for 23 hours and 45 minutes and work through a set of HTB machines or OffSec's Proving Grounds (which is specifically designed as exam prep and costs $19/month). Practice writing your report during the session, not after. You need to know what your documentation workflow looks like under fatigue.

Total realistic timeline: 4 to 6 months from starting prep to exam day, assuming you're working full-time and studying 10 to 15 hours per week. People who try to rush this in 8 weeks typically fail and spend another $249 on a retake.

Total realistic cost: $1,599 for the course plus $30 to $50 for TCM courses plus $19/month for Proving Grounds if you use it. Budget $1,800 to $2,000 all in for a first attempt.

---

OSCP vs. the Alternatives

OSCP vs. CEH ($1,199, EC-Council)

CEH is multiple choice. OSCP is hands-on. In the practitioner community, CEH is widely criticized as a memorization exam that doesn't test whether you can actually hack anything. The reason CEH still exists on resumes is DoD 8570 compliance. If you need 8570 approval, CEH gets you there. If you want respect from other pen testers, OSCP is the answer. These are different goals and the certs serve different markets.

OSCP vs. GPEN ($949, GIAC)

GPEN is also DoD 8570 approved and covers pen testing methodology at a high level. It's a multiple-choice exam with a practical component that's less demanding than OSCP's 24-hour format. GPEN is better for federal work. OSCP is better for consulting and private sector red team roles. If you're targeting government contracting, GPEN is the more efficient path. If you're targeting commercial pen testing, OSCP is the differentiator.

OSCP vs. CISSP ($749, ISC2)

These aren't really competing for the same role. CISSP is a management and architecture credential. OSCP is an offensive technical credential. If you're trying to decide between them, the question is whether you want to do the technical work or manage the people doing it. CISSP opens doors to security leadership, architecture, and senior GRC roles. OSCP opens doors to pen testing and red team work. Pick based on where you want to be in five years, not which exam sounds more impressive.

OSCP vs. CASP+ ($494, CompTIA)

CASP+ is DoD 8570 approved and covers advanced security concepts across a broad domain. It's not a pen testing cert. It's a technical generalist cert for senior practitioners who aren't moving into management. If you want to stay technical without specializing in offensive work, CASP+ is worth considering. If you want to specialize in pen testing, OSCP is the right choice and CASP+ won't substitute for it.

---

How the OSCP Is Viewed Outside the US

The OSCP has strong international recognition, particularly in the UK, Australia, Canada, and Western Europe. UK consulting firms, including the major ones doing CHECK-accredited assessments, treat OSCP as a legitimate baseline for junior and mid-level pen testers. In Australia, it's similarly respected in the commercial sector.

In the Middle East and Southeast Asia, OSCP recognition is growing as regional security markets mature. You'll find it listed in job postings from Singapore, UAE, and Saudi Arabia, particularly at firms doing work for financial services and critical infrastructure clients.

In LATAM markets, the OSCP is recognized by multinational firms and companies with US or European parent organizations. Local firms are increasingly aware of it, though the market for dedicated pen testing roles is earlier stage than North America or Europe. The credential travels well internationally because it's performance-based rather than jurisdiction-specific. A passing score means the same thing in Bogotá as it does in Boston.

One practical note: OffSec's pricing is in USD, which creates real affordability barriers in markets where local salaries are significantly lower. Some LATAM and Southeast Asian professionals use geo-arbitrage to their advantage: earning OSCP, building a portfolio, and targeting remote roles with US or European firms at salaries that are competitive locally but below US market rates. That's a legitimate strategy and the OSCP is one of the credentials that makes it work.

---

What Changes After You Pass

The most immediate change is that your resume clears filters it didn't before. Pen testing job postings that list OSCP as "preferred" or "required" will now route you to the review pile instead of the reject pile. That's not a small thing when you're applying to roles that get 200 applications.

The second change is how technical interviews go. With OSCP, interviewers assume a baseline level of competence and ask you to demonstrate depth rather than breadth. "Walk me through how you'd approach an external pen test engagement" is a different conversation than "explain what a port scan is."

Salary data from job postings and community surveys (including the ISC2 2024 Workforce Study and Levels.fyi data for security roles) puts OSCP-holding pen testers at $95,000 to $130,000 at the mid-level in major US markets. Senior pen testers and red team leads with OSCP plus 5 or more years of experience are regularly clearing $140,000 to $180,000 at consulting firms and in-house at large enterprises.

Outside the US, UK pen testers with OSCP typically earn £50,000 to £75,000 at mid-level. Australian equivalents run AUD $90,000 to $130,000.

The less quantifiable change is credibility within the practitioner community. OSCP is one of the few certs that other security professionals respect without qualification. When you mention it in a room full of practitioners, nobody rolls their eyes. That social capital has real career value even when it doesn't show up in a salary calculator.

---

Keeping It Current

The OSCP does not expire. Once you pass, you hold it permanently with no renewal requirements and no CEU tracking. That's genuinely unusual for an advanced certification and it's one of the legitimate advantages over GIAC certifications, which require renewal every four years.

The tradeoff is that OffSec updates the exam periodically, and older OSCP holders may not have been tested on current content. The 2022 update that changed the exam format is the most significant recent example. If you passed before that update, your cert is still valid, but you may want to supplement it with current lab work or additional OffSec courses (OSEP, OSED, OSWE) to demonstrate that your skills are current.

For most people, the no-expiration policy is a genuine benefit. You're not paying $599 every four years to maintain a credential. You're not tracking CPE hours. You pass once and it's yours.

Whether to pursue the advanced OffSec certs after OSCP depends on your specialization. OSEP (Evasion Techniques and Breaching Defenses) is worth it if you're doing red team work against mature security programs. OSED (Exploit Development) is worth it if you're moving into vulnerability research. OSWE (Web Application) is worth it if your pen testing work is primarily web-focused. Each of those is another $1,599 investment, so be deliberate about which direction you're building.

---

The One Action to Take This Week

If you're seriously considering OSCP, don't buy it yet. Create a free Hack The Box account and spend the next two weeks working through Easy-rated retired machines. Use IppSec's videos only after you've spent at least 30 minutes genuinely stuck on a problem.

If you can compromise three Easy machines in two weeks with minimal help, you have the foundation to start building toward OSCP. If you can't, you know exactly what to work on before you spend $1,599.

That's not a gatekeeping exercise. It's the most honest way to calibrate your readiness without spending money to find out.

---

This analysis was produced using the DecipherU Methodology, designed by Julian Calvo, Ed.D. (Learning Sciences). It cross-references real-time labor market data from the Bureau of Labor Statistics, threat intelligence frameworks from MITRE ATT&CK, occupational skill profiles from ONET, and community response data from cybersecurity professionals currently in these roles.*