OSCP
Offensive Security Certified Professional
Hands-on penetration testing — exploitation, privilege escalation, AD attacks.
› Quality score
Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.
› Market signals
public, citable inputs to the recognition scoreEstimate from OffSec community; OffSec doesn't publish exact counts.
› Built for these roles
› Exam format
23-hour, 45-minute hands-on lab exam. Compromise a series of machines and an Active Directory set, then write a professional penetration-test report within 24 hours of finishing the lab. Bonus points for completing the PEN-200 lab exercises before the exam.
Course bundle includes one exam attempt. Retake voucher is $249 separately. No wait period beyond exam scheduling.
› Recertification
Recertify by earning 90 OffSec Continuing Education (CE) credits over the three-year cycle (avg 30/yr) — credits come from re-testing, content contributions, or completing other OffSec courses. No annual maintenance fee.
› NICE Framework work roles
The NIST NICE work-role IDs this cert maps to. NICCS lookup.
› Core domains covered
The 4 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.
Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.
Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.
OWASP Top 10, secure SDLC, SAST/DAST/IAST, API security, code review, DevSecOps.
AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.
› Also touched
Present in the blueprint but not the primary focus — you’ll be introduced but shouldn’t expect depth.
Static/dynamic analysis, sandbox analysis, assembly/disassembly, packer analysis, YARA rules, malware family classification.
External attack-surface management (EASM), cyber asset attack-surface management (CAASM), continuous threat exposure management (CTEM), attack-path analysis, validation, and remediation orchestration.
› Known coverage gaps
Domains this cert does not meaningfully address. Plan follow-up learning here if your role touches any of them.
› Prerequisites
Strong Linux and networking fluency required. Comfort with CLI, scripting, and reading code. Not for absolute beginners.
- Linux and Windows administration
- Networking and TCP/IP
- Scripting (Bash, Python)
- Active Directory fundamentals
› Progression
requiredrecommendedWhere this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.
No vendor-gated prereqs.
No certs require this one.
› Study materials
Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.
› Version & lifecycle
Active Directory exploitation introduced in 2023 update; course refreshed 2024.
› Salary signal
Penetration tester / red team operator, US, 3–5 years.
Robert Half Salary Guide + Glassdoor 'Penetration Tester' aggregations · 2024 · US base only · p25–p75 range
› How it compares
HackTheBox's CPTS is a more modern lab-first alternative — newer brand but cheaper and arguably broader.
↔ Compare side-by-sideOSCP is hands-on lab-graded; CEH is theory-heavy and widely seen as a checkbox cert.
↔ Compare side-by-side› Careers that commonly pursue this cert
Ethically hack systems to find vulnerabilities before attackers do. Offensive security requires deep technical knowledge.
Owns the end-to-end find → prioritize → fix → verify loop at scale, now increasingly AI-driven.
External-first role: inventories what an attacker can see, tracks what's new, and drives closure through the org. The outside-in counterpart to vuln management.
› Common exam traps to study
Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.
See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.