ProfessionalVendor-neutralOffSec· issued from US

OSEP

Offensive Security Experienced Penetration Tester

The OffSec Experienced Penetration Tester (OSEP) is based on the PEN-300 course and addresses advanced techniques around antivirus evasion, Active Directory attacks, and living-off-the-land methods. The fully practical 48-hour exam (47:45 hrs exam + 24 hrs report) in a simulated enterprise environment is the key difference from knowledge-based certifications—it tests real attack capabilities. OSEP is considered credible proof of high-level offensive competence in red team circles, but requires solid OSCP knowledge. Together with OSED and OSWE, OSEP forms the OSCE³ trio.

Official page at OffSec ↔ Compare with another cert

Exam fee

$1,649

Ongoing

$0/yr AMF

Study time

300–600 hrs

Delivery

Online proctored

Validity

3 yrs (renewal cycle)

› Quality score

32.0 / 40

Four-axis SecProve rubric, each 0–10. SecProve editorial assessment — each axis carries a written justification so you can push back on any single call without dismissing the whole score.

Blueprint rigor

How well-defined and rigorous the exam blueprint is.

PEN-300 syllabus is published; covers EDR evasion, lateral movement, custom payloads.

8.5/10

Practical evidence

Hands-on labs / written reports vs pure MCQ.

48-hour live-network engagement with an AV/EDR-instrumented lab plus a graded report.

9.0/10

Currency & upkeep

How aggressively content is kept current with the field.

PEN-300 refreshed alongside the OffSec evasion content roadmap.

7.0/10

Market recognition

How often this signal actually moves a hiring decision.

Strong in red-team hiring, especially mature internal red teams; second only to OSCP for offensive credibility. [Holders: 2k, 2024-12]

7.5/10

› Market signals

public, citable inputs to the recognition score

Holders worldwide

2,500

as of 2024-12 · source

› Built for these roles

Cloud Security ArchitectCloud Security EngineerIT Security Manager (Cloud Focus)Compliance Manager (Cloud)Enterprise Architect

› Exam format

Practical: 47 hours 45 min. hands-on exam (evasion, AD attacks, advanced exploitation) + report. Proctored.

Passing score

Lab points-based (typically 100/100 across multiple targets in 48hr exam)

Retake policy

Fee: $249 per attempt

Wait: 0d between attempts

Retake voucher $249 separately. No wait period beyond exam scheduling availability.

› Recertification

Valid indefinitely. No renewal required.

› NICE Framework work roles

The NIST NICE work-role IDs this cert maps to. NICCS lookup.

PD-WRL-007

Recognition

Global

Exam languages

› Core domains covered

The 3 domains this cert is centrally about. Passing the exam demonstrates working knowledge of each.

A9Penetration Testing & Red Teaming

Methodology (OSSTMM, PTES), web/network/mobile pentesting, social engineering, purple teaming.

A2Network Security

Firewalls, IDS/IPS, network segmentation, DNS security, SD-WAN, VPN, traffic analysis, wireless security.

A6Identity & Access Management

AuthN/AuthZ, SSO, MFA, PAM, RBAC/ABAC, identity governance, FIDO2/passkeys, plus non-human identity: service accounts, workload identity, agent / plugin identities.

› Prerequisites

Experience

No formal prerequisites. PEN-300 course recommended. OSCP-level knowledge required.

› Progression

requiredrecommended

Where this cert fits in the typical learning path. Required edges are vendor-gated; recommended edges reflect de facto industry progression.

Required prereqs (0)

No vendor-gated prereqs.

Recommended priors (1)

OSCPOffSec

OSEP

OffSec

Required by (0)

No certs require this one.

Recommended next (1)

OSCE3OffSec

› Study materials

Curated starting points. Not exhaustive — vet each against your learning style and the current exam version.

Official guides

PEN-300 Course (ETBD) — included with bundle — OffSec

Training providers

OffSec PEN-300 Evasion Techniques and Breaching Defenses

Practice tests

OffSec Proving Grounds Practice + Endgame

Free / community

Sektor7 + Maldev Academy (paid alternatives)
r/oscp (OSEP threads)

› Version & lifecycle

Current version

PEN-300 (2024)

Released

2024-06

› Salary signal

Red team operator / advanced pentester, US, 5+ years.

$140K–$215K

median $170K

Robert Half Salary Guide + Glassdoor 'Red Team Operator' aggregations · 2024 · US base only · p25–p75 range

› How it compares

OSCP

OSEP is the next OffSec rung after OSCP — focuses on evasion + AD-heavy environments.

↔ Compare side-by-side

OSCE3

OSCE3 (OSWE+OSEP+OSED) is the senior OffSec triple-cert achievement; OSEP is one component.

↔ Compare side-by-side

› Common exam traps to study

Cybersecurity cert exams reuse the same 25 distractor patterns over and over — category confusion, RTO vs RPO, IDS vs IPS, MD5 vs SHA-256, and more. Once you can name the trap, you stop falling for it. Each archetype page covers what it is, the specific pairs candidates confuse, and how to avoid it.

Browse all 25 cert-exam traps Start with: BEST vs correct

See this cert’s domains highlighted on the interactive map, or compare it against the rest of the catalog.

Highlight on the domain map Browse all certifications