ProfessionalVendor-neutralOffSec· issued from US

OSED

Offensive Security Exploit Developer

Official page at OffSec ↔ Compare with another cert

Exam fee

$1,649

Ongoing

$0/yr AMF

Study time

300–600 hrs

Delivery

Online proctored

Validity

3 yrs (renewal cycle)

› Quality score

30.5 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

EXP-301 syllabus: x86 reverse engineering, Windows exploit dev, custom shellcode.

8.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

47-hour fully hands-on exam — debugger, disassembler, custom exploit chains.

9.5/10

Currency & upkeep

How aggressively content is kept current with the field.

Refreshed with newer Windows mitigation classes but cadence trails the kernel-defence space.

6.0/10

Market recognition

How often this signal actually moves a hiring decision.

Recognised in exploit-dev, low-level malware research; narrower than OSCP but respected. [Holders: 2k, 2024-12]

6.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

1,500

as of 2024-12 · source

› Built for these roles

IT Governance ManagerCIO / IT DirectorIT Strategy ConsultantEnterprise Risk ManagerChief Information Security Officer (CISO)

› Exam format

Practical: 47 hours 45 min. hands-on exam (exploit development, ROP, shellcoding) + report. Proctored.

Passing score

Lab points-based (typically 60+/100 with report)

Retake policy

Fee: $249 per attempt

Wait: 0d between attempts

Retake voucher $249 separately. No wait period beyond exam scheduling availability.

› Recertification

Valid indefinitely. No renewal required.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-007

Recognition

Global

Exam languages

› Core domains covered

The 2 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A9Penetration Testing & Red Teaming

Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.

A21Malware Analysis & Reverse Engineering

Static/dynamic analysis, sandbox analysis, assembly/disassembly, packer analysis, YARA rules, malware family classification.

› Prerequisites

Experience

No formal prerequisites. EXP-301 course recommended. Advanced programming skills (C, Python, Assembly) required.

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (1)

OSCPOffSec

OSED

OffSec

Required by (0)

No certs require this one.

Recommended next (2)

OSCE3OffSec OSEEOffSec

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides

EXP-301 Course (WUMED) — included with bundle — OffSec

Training providers

OffSec EXP-301 Windows User-Mode Exploit Development

Practice tests

OffSec Proving Grounds Practice

Free / community

Corelan Exploit Writing Tutorials
FuzzySecurity Windows Exploit Dev tutorials

› Version & lifecycle

Current version

EXP-301 (2024)

Released

2024-04

› Salary signal

Vulnerability researcher / exploit developer, US, 5+ years.

$140K–$215K

median $170K

Robert Half Salary Guide + Glassdoor 'Exploit Developer / Vulnerability Researcher' aggregations · 2024 · US base only · p25–p75 range

› How it compares

GXPN

OSED is deep Windows exploit development; GXPN is broader pentest + exploit-writing methodology.

↔ Compare side-by-side

OSCE3

OSED is one-third of OSCE3 (with OSWE + OSEP).

↔ Compare side-by-side

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications