OSEP — Offensive Security Experienced Penetration Tester
OSEP is the OffSec credential for operators who already have OSCP and want to prove they can operate against modern defences. EDR, AMSI, ETW, AppLocker, WDAC — the controls that defeat off-the-shelf Metasploit payloads — are the OSEP exam's bread and butter. For red-team-as-a-service and assumed-breach engagements where bypassing CrowdStrike, SentinelOne or Defender for Endpoint is part of the job, OSEP is the cert that proves the operator has done it before.
The exam runs 48 hours against a hardened, EDR-instrumented AD environment where bypassing modern defences is expected, not optional. It assumes OSCP-level skill as a starting point — the failure rate for under-prepared candidates is brutal.
Cost, hours and exam shape.
- Vendor: OffSec
- Level: Expert
- Exam style: Hands-on (48h + report)
- Prep hours (median): ~350 hours
- Exam cost (USD): $1,649
- Difficulty: 5/5
Pursue this if…
- You already hold OSCP (or equivalent) and want to prove you can operate against modern endpoint defences.
- You lead red-team-as-a-service or assumed-breach engagements where EDR/AMSI/AppLocker are in the path.
- You want to write your own loaders and evasion tooling, not lean on off-the-shelf payloads.
- You are moving toward offensive tool development or senior adversary-simulation work.
What you actually sit.
48-hour hands-on practical exam against a hardened, EDR-instrumented Active Directory environment, followed by a 24-hour report window. 100/100 points with secret flag bonuses. Bypass of common AV/EDR controls is expected, not optional.
Where you should be before you book.
- OSCP-level skill strongly recommended (not formally required)
- Proficiency in scripting (Python, PowerShell, C#) for evasion and tooling
- Strong Active Directory and Windows internals familiarity
What is on the exam.
A study plan you can actually follow.
- Confirm OSCP-level baseline: OSEP assumes you can already enumerate, exploit and pivot. Have OSCP (or CRTP plus real AD experience) before booking, or the gap is unrecoverable.
- Work PEN-300 module by module: Complete the official courseware exercises. The challenge labs at the end of each module are the closest analogue to the exam environment.
- Build your own evasion tooling: Write a working C# shellcode loader and an AMSI bypass from scratch. Supplement with Maldev Academy and Sektor7 RED-TEAM-OPS-1 for loader and unhooking depth.
- Drill advanced AD attack-paths: Practise ADCS abuse, delegation chains and cross-forest/trust attacks against EDR-instrumented labs until the OPSEC is second nature.
- Extend the lab, then sit it: The 90-day lab is tight — most extend to 180. Run a timed mock against a hardened range and write the report before the real 48-hour sitting.
Where this cert opens doors.
From the operator side of the desk.
Our red team and adversary-simulation stream is led by OSEP-holding operators. OSCP is the floor for VAPT; OSEP is the floor for any engagement where modern endpoint defences are in the path. The exam's emphasis on writing your own loaders, patching AMSI/ETW and abusing ADCS / delegation chains reflects exactly the techniques we exercise on real assumed-breach work against client EDR stacks.
Questions people ask before booking.
Should I do OSEP without OSCP?
Technically you can — there is no formal prerequisite — but the failure rate is brutal. OSEP assumes you can already enumerate, exploit and pivot, and spends its time on what happens after that under modern defences. Have OSCP-level skill (or CRTP + significant AD experience) before booking OSEP. Most successful OSEP candidates have 2+ years of working pentest experience post-OSCP.
OSEP vs CRTO — which is the red-team cert to hold?
Different vendors, different lenses. OSEP is OffSec — practical, exam-heavy, evasion-focused, requires the PEN-300 courseware. CRTO is Zero-Point Security's Red Team Operator cert — focused on Cobalt Strike operator workflow, modern C2 OPSEC and assumed-breach engagement structure. Many senior operators hold both: OSEP for technique depth, CRTO for engagement operator-discipline. If you can only do one and your work is engagement-led, CRTO. If your work is technique-led, OSEP.
Is OSEP enough to bypass real EDR products?
It teaches the categories of bypass (AMSI, ETW, unhooking, syscall execution, indirect calls) but EDR products evolve constantly. OSEP holders need to keep current on vendor-specific telemetry sources, kernel callbacks, and behavioural detections. Use OSEP as the foundation, then maintain a research practice — Maldev Academy, Sektor7 RED courses, vendor advisories — to stay current.
How long does OSEP take to prepare for?
300–500 hours over 4–6 months post-OSCP. The official 90-day lab subscription is tight — most candidates extend to 180 days. The Maldev Academy and Sektor7 RED-TEAM-OPS-1 courses are widely used as supplementary prep. Build your own loader in C# and your own AMSI bypass before sitting the exam.
Will OSEP help with malware development as a career?
Yes — it is the closest mainstream cert to teaching the implant developer's toolkit. For a full malware-dev career consider Maldev Academy, Sektor7 RED courses and zero-to-hero work on real C2 frameworks (Sliver, Havoc, custom in-house). OSEP gets you in the door; the actual job is years of compiler internals, syscall ABI knowledge and OPSEC discipline.
Need a credentialed team to deliver the engagement?
We can field operators with OSEP (and the rest of the stack — OSCP, CISSP, CISM) on engagements in 5 to 10 working days. Letter of Attestation includes the lead-tester credentials so your auditor can verify.