OSCP
Offensive Security Certified Professional
Hands-on penetration testing — exploitation, privilege escalation, AD attacks.
› Quality score
Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.
› Market signals
Public, citable inputs to the recognition score. Estimate from OffSec community; OffSec doesn't publish exact counts.
› Built for these roles
› Exam format
23-hour, 45-minute hands-on lab exam. Compromise a series of machines and an Active Directory set, then write a professional penetration-test report within 24 hours of finishing the lab. Bonus points for completing the PEN-200 lab exercises before the exam.
Course bundle includes one exam attempt. Retake voucher is $249 separately. No wait period beyond exam scheduling.
› Recertification
Recertify by earning 90 OffSec Continuing Education (CE) credits over the three-year cycle (avg 30/yr) — credits come from re-testing, content contributions, or completing other OffSec courses. No annual maintenance fee.
› NICE Framework work roles
The NIST NICE work-role IDs this cert maps to.
› Core domains covered
The 4 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.
Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.
Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.
OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.
AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.
› Also touched
Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.
Static/dynamic analysis, sandbox analysis, assembly/disassembly, packer analysis, YARA rules, malware family classification.
External attack-surface management (EASM), cyber asset attack-surface management (CAASM), continuous threat exposure management (CTEM), attack-path analysis, validation, and remediation orchestration.
› Known coverage gaps
Domains this cert does not meaningfully address. Plan follow-up learning here if your role touches any of them.
› Prerequisites
Strong Linux and networking fluency required. Comfort with CLI, scripting, and reading code. Not for absolute beginners.
- Linux and Windows administration
- Networking and TCP/IP
- Scripting (Bash, Python)
- Active Directory fundamentals
› Progression
Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.
No vendor-gated prereqs.
No certs require this one.
› Study materials
Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.
› Version & lifecycle
Active Directory exploitation introduced in 2023 update; course refreshed 2024.
› Salary signal
Penetration tester / red team operator, US, 3–5 years.
Robert Half Salary Guide + Glassdoor 'Penetration Tester' aggregations · 2024 · US base only · p25–p75 range
› How it compares
HackTheBox's CPTS is a more modern lab-first alternative — newer brand but cheaper and arguably broader.
OSCP is hands-on lab-graded; CEH is theory-heavy and widely seen as a checkbox cert.
› Careers that commonly pursue this cert
Ethically hack systems to find vulnerabilities before attackers do. Offensive security requires deep technical knowledge.
Owns the end-to-end find → prioritize → fix → verify loop at scale, now increasingly AI-driven.
External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.