OSCP — Complete Guide

Is OSCP Worth It? Honest ROI Analysis

The OSCP sits in a strange position in the certification market: it's one of the most respected credentials in offensive security, yet it's also one of the most expensive, most grueling, and least "required" certifications you'll encounter. So the honest answer to "is it worth it?" is: it depends entirely on whether you want to work in penetration testing specifically.

Here's the financial picture. At $1,599, the OSCP is roughly 2-3x the cost of most CompTIA certifications and more than double the CISM. That fee includes 90 days of lab access and one exam attempt. If you fail and need another attempt, you're looking at additional costs of $249 per retake plus potential lab extensions at around $359 for 30 days. Budget $1,800-$2,200 realistically for your first pass, more if you need multiple attempts.

The salary upside is real but not universal. Penetration testers with OSCP in the United States typically earn between $85,000 and $140,000, with senior roles at specialized firms reaching $160,000+. That's a meaningful premium over general IT security roles, which average closer to $75,000-$110,000. However, that premium reflects the skill set, not just the credential. The OSCP forces you to actually develop those skills — which is the core of its value proposition.

The honest ROI calculation: If you're transitioning into penetration testing from a general IT or security background, the OSCP is likely worth it because it simultaneously builds skills and signals competence to employers who know what the exam demands. If you're already working as a pentester and just want a credential to check a box, the ROI is murkier. If you're in a compliance, management, or blue-team role with no intention of doing offensive work, the OSCP is almost certainly the wrong investment.

One important caveat: the OSCP does not appear on the DoD 8570/8140 approved list, which means it won't satisfy baseline certification requirements for federal contractor or military cybersecurity positions. If government work is your target, this changes the calculus significantly.

---

Who Should Get the OSCP (and Who Shouldn't)

You're a strong candidate if:

• You're actively pursuing a penetration tester or red team role and hitting a wall getting interviews or offers
• You have 1-3 years of IT or security experience and want to make a deliberate move into offensive security
• You've already worked through basic hacking fundamentals — you're comfortable with Linux, basic scripting in Python or Bash, and you understand how TCP/IP actually works
• You've spent time on platforms like Hack The Box or TryHackMe and you're consistently solving medium-difficulty machines

Scenario: You're a network administrator with three years of experience. You've been studying on Hack The Box for six months, you can root most medium-rated Linux boxes, and you've applied to five pentesting roles without getting past the resume screen. Adding OSCP to your resume signals to hiring managers that you've survived a 24-hour hands-on exam — something no multiple-choice certification can replicate. This is the OSCP's core value: it's a credible proxy for real skill.

You should wait or skip if:

• You're new to IT entirely — the OSCP's prerequisite knowledge is substantial, and attempting it without a foundation is expensive and demoralizing
• You can't commit 10-15 hours per week for 3-4 months of preparation
• Your career goals are in GRC, security management, cloud security architecture, or blue-team/SOC work — the OSCP teaches you almost nothing relevant to those paths
• You're primarily targeting federal or DoD positions where 8570 compliance matters more than offensive skills

---

What the OSCP Exam Actually Tests

The OSCP exam is a 23 hours and 45 minutes hands-on practical assessment followed by a 24-hour report writing window. You're given a set of target machines in an isolated network and must compromise them to collect proof files, then document your methodology in a professional penetration testing report.

The current exam format (as of the 2023 update) includes:

Three standalone machines worth 20 points each (60 points total), plus an Active Directory set worth 40 points. You need 70 points to pass. This means you can pass without completing the AD set, but you cannot pass on standalone machines alone — you need at least partial credit somewhere.

What the exam actually measures:

• Enumeration discipline — The OSCP rewards methodical, thorough enumeration above almost everything else. Most exam failures come from rushing past something obvious, not from lacking advanced exploitation knowledge.
• Vulnerability identification and exploitation — You need to identify exploitable services, find or modify public exploits, and chain vulnerabilities together. You won't be doing zero-day research; you're working with known CVEs and misconfigurations.
• Privilege escalation — Both Linux and Windows privesc are heavily tested. You need to know common vectors: SUID binaries, weak service permissions, unquoted service paths, token impersonation, kernel exploits.
• Active Directory attacks — Kerberoasting, AS-REP Roasting, Pass-the-Hash, lateral movement, and basic domain enumeration with tools like BloodHound and PowerView.
• Report writing — OffSec reads your report. A technically successful exam with a poor report can result in a fail. Your documentation needs to be clear, reproducible, and professional.

What it does not test: web application security in depth (that's OSWE), advanced malware development, cloud environments, or social engineering. The scope is intentionally narrow — network and Active Directory penetration testing methodology.

---

Study Strategy: The Efficient Path to OSCP

The biggest mistake candidates make is starting the official PEN-200 course (included with your enrollment) without any preparation. The course is comprehensive but dense, and your 90-day lab clock starts ticking the moment you activate it. Here's how to approach this efficiently.

Phase 1: Pre-Enrollment (8-12 weeks before you buy)

Don't spend $1,599 until you can consistently solve easy-to-medium machines on Hack The Box or TryHackMe. Specifically:

• Complete TryHackMe's "Jr Penetration Tester" learning path (~64 hours) — this covers the fundamentals you need
• Solve at least 20 machines on Hack The Box, including machines tagged with "OSCP-like" (the community maintains lists of these)
• Work through TCM Security's "Practical Ethical Hacking" course ($30 on Udemy) — this is widely considered the best OSCP prep course available and costs 1/50th of the cert itself
• Get comfortable with Metasploit but also practice manual exploitation — the OSCP limits Metasploit use significantly during the exam

Phase 2: PEN-200 Course and Labs (90 days)

Once you activate your enrollment:

• Spend the first two weeks reading the course material and doing the exercises before touching the lab machines. The exercises are tedious but they unlock bonus points (up to 10 points toward your exam score) if you complete them along with a lab report.
• Use the OSCP-like machine lists from TJnull (a well-known community resource) to prioritize which Hack The Box and Proving Grounds machines to practice on alongside your lab work
• Document everything as you go. Use a tool like Obsidian or CherryTree to keep templated notes for each machine. Your exam report will be much easier to write if you've been practicing documentation throughout.
• Spend the final two weeks of your lab time doing full mock exam runs — pick 5 machines, set a 24-hour timer, and write a report afterward

Phase 3: Exam Execution

• Sleep before the exam. This sounds obvious; most people ignore it.
• Start with the Active Directory set. It's worth 40 points and tends to have a logical chain — if you get a foothold, you can often complete the whole set.
• If you're stuck on a machine for more than 90 minutes, move on. Return with fresh eyes.
• Take breaks every 2-3 hours. Cognitive fatigue is a real factor in a 24-hour exam.
• Allocate at least 3-4 hours for report writing after the exam window closes. Do not underestimate this.

Time estimate to be ready: Most candidates with some IT background need 3-6 months of total preparation. Candidates coming in cold from general IT need closer to 6-12 months.

---

OSCP vs. Alternatives: Head-to-Head Comparison

The alternatives listed here — CISSP, CISM, and CASP+ — are not actually competitors to the OSCP in any meaningful career sense. They serve fundamentally different purposes, which is worth being direct about.

| Credential | Cost | Focus | Exam Format | Best For |

|---|---|---|---|---|

| OSCP | $1,599 | Offensive/pentesting | 24-hr hands-on | Pentesters, red teamers |

| CISSP | $749 | Security management/architecture | 125-175 MCQ | Security managers, architects |

| CISM | $575 | Information security management | 150 MCQ | Security managers, CISOs |

| CASP+ | $494 | Advanced security concepts | Performance-based MCQ | Senior security generalists |

OSCP vs. CISSP: These certifications are not interchangeable. CISSP is for people who manage security programs, write policies, and interface with executives. OSCP is for people who break into systems. If you're debating between them, the question is really "what kind of security work do I want to do?" — not "which is better." OSCP vs. CASP+: CASP+ is DoD 8570 approved and costs $1,100 less. If your goal is federal/government security work, CASP+ is the more pragmatic choice. If your goal is commercial penetration testing, CASP+ carries almost no weight with hiring managers at security consultancies. OSCP vs. eJPT/CEH: The eJPT (eLearnSecurity Junior Penetration Tester, ~$200) is a reasonable stepping stone before OSCP. The CEH (Certified Ethical Hacker, ~$1,199) is widely criticized in the pentesting community for being multiple-choice and theory-heavy — most experienced pentesters consider OSCP significantly more credible. If you're choosing between CEH and OSCP for a pentesting career, choose OSCP. True alternatives within offensive security:

• PNPT (Practical Network Penetration Tester) from TCM Security (~$400): A hands-on practical exam that's gaining traction, significantly cheaper, and respected in the community. Not yet as recognized as OSCP by large enterprises, but worth considering if budget is a constraint.
• OSEP (OffSec Experienced Penetration Tester, $1,599): The logical next step after OSCP if you want to specialize in advanced evasion and red team operations.
• CRTO (Certified Red Team Operator, ~$500): Focused on Cobalt Strike and red team tradecraft. Highly regarded in red team circles.

---

Career Impact: What Actually Changes After You Pass

The OSCP does three concrete things for your career:

1. It gets you past resume filters. Many penetration testing job postings list OSCP as "preferred" or "required." Recruiters and hiring managers at security consultancies (think Rapid7, NCC Group, Bishop Fox, smaller boutique firms) use it as a signal that you can actually do the work. Before OSCP, you may be getting filtered out before a human reads your resume. After OSCP, you're more likely to get a phone screen. Scenario: A hiring manager at a mid-sized security consultancy receives 80 applications for a junior pentester role. She has 30 minutes to screen them. Candidates with OSCP go into one pile; everyone else goes into another. The OSCP pile gets reviewed first. This is not hypothetical — it's a pattern reported consistently by hiring managers in the field. 2. It validates your methodology, not just your knowledge. Because the exam is hands-on, passing it signals that you can enumerate, exploit, and document under pressure. This is qualitatively different from passing a multiple-choice exam. Experienced pentesters know this, which is why the credential carries weight with technical interviewers. 3. It opens doors to specific role types. External penetration testing, red team engagements, and vulnerability assessment roles at consulting firms become more accessible. Internal corporate red team positions at larger organizations often list OSCP as a baseline expectation. What it doesn't change:

• It won't automatically get you a senior role. OSCP is increasingly considered a baseline, not a differentiator, at the senior level.
• It won't help you in non-offensive security roles. If you pivot away from pentesting later, the OSCP becomes largely irrelevant on your resume.
• It won't substitute for soft skills in client-facing consulting roles. Communication, report quality, and professionalism still matter enormously.

Salary impact: Candidates who add OSCP while transitioning into pentesting typically see salary increases of $15,000-$30,000 when moving from general IT/security roles into dedicated pentesting positions. This is more about the role change than the credential itself — but the credential enables the role change.

---

Renewal and Maintenance

This is one of the OSCP's genuine advantages: it doesn't expire. Once you pass, you hold the credential permanently with no renewal fees, no CPE requirements, and no re-examination. For a $1,599 investment, this is meaningful — compare it to CISSP's annual maintenance fees and required continuing education hours.

The practical implication: the OSCP you earn today is still valid in 10 years. Whether it's still relevant in 10 years is a different question. The cybersecurity landscape evolves quickly, and a credential earned in 2024 may carry less weight in 2034 if the field has moved on. OffSec periodically updates the PEN-200 curriculum (the 2023 update added more Active Directory content, for example), but your credential reflects the version you passed — not the current version.

Practical maintenance advice:

• Keep your skills current through platforms like Hack The Box, Proving Grounds, and CTF competitions even after passing — the credential signals your baseline, but your actual skills need ongoing development
• Consider OSEP or CRTO as natural progressions if you want to stay current in offensive security
• Document your post-OSCP work (engagements, findings, tools developed) for your portfolio — this matters more than the credential itself as you advance in your career

One final honest note: The OSCP is not a finish line. It's increasingly a starting point for a penetration testing career. The candidates who get the most value from it are those who treat the 90-day lab period as a genuine skills development experience — not a certification sprint. If you approach it that way, the $1,599 is defensible. If you're looking for a credential to passively boost your resume without doing the work, there are cheaper options that will serve you better.