OSCP — Offensive Security Certified Professional
OSCP is the industry's de facto hands-on penetration tester credential. CREST, NIST and most procurement teams treat it as a hard floor for paid pentest delivery. A 100% practical exam — no multiple-choice — means a holder can demonstrably exploit and chain real systems, not just describe them. Insurers, SOC 2 auditors and RBI-regulated buyers all recognise OSCP as evidence that the named tester can execute against a live target.
A 24-hour fully hands-on exam with a mandatory Active Directory chain and a graded report. The skills are learnable; the endurance and chaining under time pressure are what break people.
Cost, hours and exam shape.
- Vendor
- OffSec
- Level
- Professional
- Exam style
- Hands-on (24h + report)
- Prep hours (median)
- ~400 hours
- Exam cost (USD)
- $1,649
- Difficulty
- 4/5
Pursue this if…
- You want to deliver paid penetration tests as your actual job, not just describe them.
- You already have Linux, networking and basic scripting under your belt and want the hands-on credential clients recognise.
- You are a SOC, sysadmin or junior tester ready to prove exploitation and privilege-escalation skill end to end.
- You need a CREST- and procurement-recognised floor for VAPT delivery.
What you actually sit.
23h 45m hands-on practical exam against a live lab of 5–6 machines, plus a 24-hour report-writing window. 70/100 points required, plus a structured penetration test report. Active Directory chain is mandatory and worth 40 points.
Where you should be before you book.
- →Working Linux + Bash command-line fluency
- →Comfort with one scripting language (Python preferred)
- →Networking fundamentals (TCP/IP, routing, common services)
- →Familiarity with HTTP and at least one web stack
What is on the exam.
A study plan you can actually follow.
- Build the fundamentals
Lock in Linux, networking and Python/Bash basics. If any of these are shaky, work eJPT's free PTS path or TryHackMe first — OSCP assumes them.
- Work the PEN-200 course end to end
Complete every module and exercise rather than skimming. The exercises feed the optional 10 bonus points and build the muscle memory the exam expects.
- Own 40+ lab and HTB/PG boxes
Grind OffSec Proving Grounds Practice plus the OSCP-like HackTheBox list (TJ Null's list). Volume of varied boxes beats re-reading notes.
- Drill the mandatory AD chain
Kerberoasting, AS-REP roasting, NTLM relay and ADCS ESC1–ESC8 are 40 points. Practise full domain compromise with BloodHound, Rubeus, Certipy, Impacket and NetExec.
- Run two timed mock exams + report
Simulate the 24-hour window and write the report each time. Report formatting and screenshot discipline fail more candidates than missing a flag.
Where this cert opens doors.
From the operator side of the desk.
Every AxVeil VAPT engagement is led by an OSCP-holding operator. We use the cert as our hiring floor for the pentest practice and we publish the lead-tester's OSCP ID in every Letter of Attestation so auditors can verify the credential against OffSec's registry. The mandatory AD chain in the exam maps directly to the internal-network and ADCS attack-paths we exercise on real client engagements.
Questions people ask before booking.
How long does it realistically take to prepare for OSCP?+
Plan on 300–500 hours over 3–6 months. Engineers coming from a SOC, sysadmin or junior pentest background tend to land at 350 hours. People starting from a pure dev background usually need 500+. The most common failure pattern is rushing the lab — skipping machines to chase the exam date. We see better pass rates from candidates who own at least 40 lab boxes and complete two full PEN-200 exercise sets before booking.
Is OSCP enough to run a real VAPT engagement?+
OSCP proves you can break in and chain privilege escalation. It does not teach proposal scoping, threat modelling, client communication, CVSS environmental scoring, or auditor-grade report writing. AxVeil pairs every OSCP holder with a senior consultant for the first three engagements specifically to close that gap. Treat OSCP as your minimum bar, not your finish line.
OSCP vs eJPT vs PNPT — which should I do first?+
eJPT is the on-ramp — affordable, beginner-friendly, no AD. Do eJPT first if you have under a year of hands-on security work. OSCP is the professional cert that pays your rent. PNPT (TCM) is a strong complement focused on a full internal-engagement methodology with AD and report writing. Most working pentesters end up with OSCP + one of (PNPT, OSEP, CRTP) depending on the niche.
Does the 2023 exam refresh change how I should study?+
Yes. The standalone buffer-overflow box was removed and Active Directory was upgraded from optional to mandatory (40 points). Prep accordingly: skip the days of x86 BoF debugging, double the hours on Kerberoasting, AS-REP roasting, ADCS ESC1–ESC8, and tools like BloodHound, Rubeus, Certipy, Impacket and NetExec. Standalone-machine work still matters but now caps at 60 points.
Will OSCP help me land bug-bounty work?+
Indirectly. OSCP teaches network and infrastructure attack chains; bug bounty pays out on application bugs (XSS, IDOR, SSRF, RCE chains, mass assignment, auth flaws). For bounty income, follow OSCP with OSWE (web exploitation) or with deep self-study on Burp Suite Pro, PortSwigger Web Security Academy, and source-code review.
Relevant AxVeil services and field notes.
Sibling certifications worth comparing.
Need a credentialed team to deliver the engagement?
We can field operators with OSCP (and the rest of the stack — OSCP, OSEP, CISSP, CISM) on engagements in 5 to 10 working days. Letter of Attestation includes the lead-tester credentials so your auditor can verify.