The purpose of this article is not to paraphrase the countless resources already available online (GitHub readmes, other prep blogposts, etc.). You won’t find a “0 to hero” guide or influencer routing here. What I’m offering is honest and direct feedback on how I perceived the OSCP+ certification: the content, the preparation, and the exam. I’ll also share a few concrete technical tips that saved me precious time during the labs and the final exam.
OSCP vs OSCP+: What Changed?
Since November 1, 2024, OffSec replaced the original OSCP exam with an updated version. If you pass this new exam, you earn both the OSCP and the OSCP+ designation. Here’s what actually changed:
Exam Changes
| | OSCP (pre Nov 2024) | OSCP+ (post Nov 2024) |
|---|---|---|
| Active Directory | Standard AD set | AD with “assumed compromise”: you start with a domain user account and must achieve full domain compromise |
| Bonus Points | Up to 10 bonus points from course exercises | Removed. Aligns with all other OffSec exams |
| Course Content | PEN-200 | PEN-200 (unchanged, new AWS module added but not on the exam) |
Certification Validity
This is the key difference:
- OSCP: Valid for life. No expiration, ever. Existing holders are not affected.
- OSCP+: Expires 3 years after issuance. To maintain the “+” designation, you must complete one of these before expiry:
  - Pass a recertification exam (available within 6 months of expiry)
  - Pass a qualifying OffSec cert (OSEP, OSWA, OSED, or OSEE)
  - Complete OffSec’s CPE program
If you let the OSCP+ expire, you still keep the OSCP. You only lose the “+” designation.
Note (For existing OSCP holders)
You can take the updated exam to earn the OSCP+ designation. The promotional rate of 799.
Pricing
| Scenario | Cost |
|---|---|
| New learner (exam, course and labs) | $1,699 |
| Existing OSCP holder (after March 2025) | $799 |
| Regular exam retake | $249 |
The OSCP+ essentially adds a “freshness” guarantee on top of the lifetime OSCP. It signals to employers that the holder’s knowledge is current, not just that they passed the exam at some point in the past.
The Course: Breadth vs Depth
The PEN-200 course is undeniably broad. Overall, it covers the surface of all domains and technologies related to network and system pentesting. The approach is good for covering the attack surface, but don’t expect to go in depth on every concept. That’s perfectly normal given the format and the target audience: junior profiles or career changers looking to professionalize.
The “Try Harder” Myth
Many online resources and community members will repeat OffSec’s mantra: “Try Harder”. The OSCP is often presented as an extremely demanding certification that builds character.
My take is more nuanced. Yes, being persistent (“try harder”) is necessary in cybersecurity, but the course won’t teach you that. It’s a mindset you need to have daily. The course, on the other hand, trains you to adopt a methodology, but it sometimes forces the use of tools that aren’t always the most optimized for the task.
Concrete example: the course sometimes emphasizes web reconnaissance or information gathering tools (Whois, Netcraft) that are a bit dated, or encourages heavy use of Metasploit, where manual understanding or more modern tools would be more effective in real-world situations.
Additionally, the course has a distinctly “American touch” in its approach. Although the certification is regularly updated and the learning quality is excellent, some tool choices or focus on specific attack vectors reflect this.
Managing Your Training Time
Some modules are interesting for general knowledge but redundant if you already have cybersecurity experience. I’m thinking particularly of the modules: Client-side Attacks, The Metasploit Framework, AWS. These chapters can make you lose track of your main learning path. Know that you can perfectly skim them since they aren’t covered in the labs or the exam (if your goal is to pass the exam quickly). Stay focused on what adds value to your practice.
The Exam: Monitored and Time-Constrained
I took my exam on March 14th at 5 PM. I booked the 5 PM slot for lack of a better option. Ideally, a morning slot would have been better to benefit from maximum daytime hours without a potential overnight break, in case the exam dragged on.
The process is strictly monitored and proctored from start to finish: screen sharing, camera on, identity verification, room inspection, and initial submission of monitoring command outputs. It’s precisely this rigorous format that makes this certification widely recognized by companies in the field.
Here, it’s not deep expertise in a specific domain that’s valued, but the validation of general skills across the various essential pentest subjects, in a monitored environment where LLMs and automation tools are forbidden. This demonstrates the candidate’s practical ability to operate under time and environmental constraints.
The Report and the Result
For the report, I used a Markdown-to-PDF framework that I’m particularly fond of: Sysreptor. It allows me to paste my notes taken on exam day and efficiently format the report before submission.
I used the OSCP+ template from Sysreptor, installable here: https://docs.sysreptor.com/offsec-reporting-with-sysreptor/, which I modified to fit my needs and my vision of the test on exam day. I submitted the report and received the positive response the next morning!
I am now officially OSCP+ certified.
Is the Certification Worth Its $1,700?
My answer is binary:
- YES, if you’re junior and want to increase your hiring chances. HR departments love the OSCP, “it reassures them”. It also allows a consulting firm to potentially bill you at a higher rate to the end client for a penetration testing engagement.
- NO, if you already have pentest experience or if you’re a regular on Boot-to-Root CTF platforms (I’m thinking particularly of VulnLab, recently merged with HackTheBox). If you’re comfortable on “Medium” difficulty boxes, the OSCP exam will be a formality for you.
Technical Tips to Save Time (Labs & Exam)
The OSCP is a race against the clock. Here are some practical tricks that helped me optimize my time, far from generic advice:
- Spotting rabbit holes: During the exam you will encounter many leads (listening ports) that seem promising but lead nowhere. Learning to identify them quickly and move on is crucial to avoid wasting precious time. On common web ports, it’s not uncommon to see templates with empty forms (nicepage) specific to the OffSec environment.
- Use penelope: Penelope lets you upgrade your shell automatically (history, completions…), background your session, push or download files on a remote machine and most importantly, it gives you ready-to-use one-liners in bash and powershell for your reverse shell!
- Automated scripts: Even though the exam prohibits automated exploitation tools, you can create your own scripts to speed up certain tasks during the labs. For example, a script to automate basic information gathering on a target machine (nmap, enum4linux, etc.) can save you precious time during the reconnaissance phase. As for winPEAS and linPEAS, the output of these tools made me lose more time chasing rabbit holes and false positives than on the actual path leading to privilege escalation on the machine. The course doesn’t necessarily emphasize filesystem enumeration ;p. To that end, the commands below can help you quickly identify an interesting path to dig into:

  ```bash
  # List writable files and directories
  find / -path /proc -prune -o -type f -writable -print 2>/dev/null
  find / -path /proc -prune -o -type d -writable -print 2>/dev/null
  ```

  ```powershell
  # List files and directories in user profiles, hidden items included (-Force)
  Get-ChildItem -Path C:\Users -Recurse -ErrorAction SilentlyContinue -Force
  ```

- File transfers: Having a quick method to transfer files between your machine and the target saves time. I created a simple Python tool to fill this role.
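
The writable-path sweep from the "Automated scripts" tip, wrapped as a reusable function (an added example, not the author's script): it prunes pseudo-filesystems and any paths you name, and prints owner and mode so entries you can write to but do not own stand out from expected noise. It assumes GNU find; the function names, the default prune list and the output columns are choices made for this example.

```shell
#!/bin/sh
# Added example, not the author's script. Requires GNU find (-writable, -printf).
# Function names, the default prune list and the output columns are assumptions.

# writable_audit ROOT [PRUNE_PATH...]
# Prints "TYPE UID OWNER MODE PATH" for each file (f) or directory (d) under
# ROOT that the current user can write to. /proc, /sys, /dev and /run are
# pruned because they always contain writable entries that say nothing about
# how the host is configured. Extra PRUNE_PATHs must be spelled the way find
# prints them (absolute when ROOT is absolute).
writable_audit() (
  root=${1:-/}
  if [ "$#" -gt 0 ]; then shift; fi

  # Build "-path A -o -path B ..." in the positional parameters, so paths
  # containing spaces stay intact without needing bash arrays.
  set -- /proc /sys /dev /run "$@"
  first=1
  for p in "$@"; do
    if [ "$first" -eq 1 ]; then set --; first=0; else set -- "$@" -o; fi
    set -- "$@" -path "$p"
  done

  find "$root" \( "$@" \) -prune -o \
    \( -type f -o -type d \) -writable -printf '%y %U %u %m %p\n' 2>/dev/null |
    sort -k1,1 -k5
)

# foreign_owned: filter writable_audit output down to entries whose owner UID
# differs from the current user's. Something you can modify but do not own is
# a permission setting worth reviewing; your own files are expected noise.
foreign_owned() {
  awk -v me="$(id -u)" '$2 != me'
}

# Usage: writable_audit / "$HOME" /tmp /var/tmp | foreign_owned
```
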
Conclusion and Perspective
Obtaining the certification didn’t change much in me. I don’t feel particularly “proud”. When I look at the journey so far and compare the OSCP+ to other certifications like the CRTE or the CETP, I realize that the latter are far more complex, dense, and demanding. They especially integrate an important OPSEC dimension with the study of AV/EDR and the various Windows protection mechanisms, along with their bypass.
The OSCP+ is an excellent entry point, an industry standard, but it’s only the beginning of the journey.