
Offensive Security Certified Professional

Updated May 1, 2026 | 12 min read | Written by Certsqill experts
Quick facts — OSCP (PEN-200)
  • Exam cost: $1,499 USD (90-day lab + exam)
  • Questions: Practical exam (3 standalone machines + 1 Active Directory set)
  • Time limit: 23 hours 45 minutes hands-on + 24 hours report writing
  • Passing score: 70/100 points
  • Valid for: Permanent (no expiry)
  • Testing: Remote proctored lab

Who this exam is for

The Offensive Security Certified Professional certification is designed for professionals who work with or want to work with OffSec technologies in a professional capacity. It is taken by cloud engineers, DevOps practitioners, IT administrators, and technical professionals looking to validate their expertise.

You do not need extensive prior experience to attempt it, but you will benefit from hands-on familiarity with the subject matter. The exam tests applied knowledge and architectural judgment, not just memorization. If you can reason about trade-offs and real-world scenarios, structured practice will handle the rest.

Domain breakdown

The OSCP (PEN-200) exam is built around official domains, each with a fixed percentage of the question pool. This distribution should directly inform how you allocate your study time.

| Domain | Weight | Focus areas |
|---|---|---|
| Information Gathering | 15% | Passive and active enumeration of target environments, network mapping, service identification, and building an attack surface map before exploitation. |
| Vulnerability Scanning | 10% | Automated and manual vulnerability identification, version-based vulnerability research, and evaluating which vulnerabilities are practically exploitable. |
| Web Application Attacks | 20% | SQL injection, XSS, directory traversal, file inclusion (LFI/RFI), command injection, and authentication bypass in web applications. |
| Attacks on External Services | 15% | Exploiting exposed network services, service-specific vulnerabilities, buffer overflows in network services, and credential-based attacks. |
| Active Directory Attacks | 25% | AD enumeration (BloodHound), Kerberoasting, AS-REP roasting, Pass-the-Hash, Pass-the-Ticket, DCSync, and domain privilege escalation paths. |
| Post-Exploitation | 15% | Local privilege escalation (Windows/Linux), file transfers, pivoting, persistence, and covering tracks after initial compromise. |

Note the domain with the highest weight, Active Directory Attacks at 25%. Many candidates under-invest here because it feels conceptual. In practice, this is where the exam is most precise, with scenario-based questions that test specifics.

What the exam actually tests

This is not a memorization exam. Questions require applied judgment under constraints. Almost every question includes a scenario with explicit requirements and asks you to select the most appropriate solution.

Here are examples of the question types you will encounter:

Standalone Machine Compromise
A Linux machine exposes port 80 (Apache 2.4.49) and port 22. Enumerate the web service, identify a vulnerability, exploit it, and escalate privileges to root.
Standalone machines are worth 20 points each (10 for initial access, 10 for root/SYSTEM). You need 70/100 points to pass. Three standalones = 60 points max; AD set = 40 points.

Active Directory Attack Chain
Given access to a domain-joined workstation with low-privilege credentials, enumerate the AD environment and compromise the Domain Controller.
The AD set is worth 40 points and requires compromising a chain: workstation → domain user → domain admin → DC. BloodHound enumeration is essential. Kerberoasting and Pass-the-Hash are the most common attack paths.

Privilege Escalation
You have a shell as www-data on a Linux system. Enumerate local privilege escalation paths and escalate to root.
OSCP tests both Windows and Linux privesc. Key Windows paths: unquoted service paths, weak service permissions, AlwaysInstallElevated, token impersonation. Linux: SUID binaries, sudo misconfigurations, writable cron jobs, kernel exploits.

How to prepare — 4-week study plan

This plan assumes one hour per weekday and roughly 30 minutes of lighter review on weekends. It is calibrated for someone with some relevant experience. If you are starting from zero, add an extra week before Week 1 to familiarise yourself with the basics.

Week 1: PEN-200 Course Fundamentals & Web Attacks
  • Complete PEN-200 modules 1-10: enumeration methodology, Nmap mastery, and web application attack chapters
  • Practice LFI/RFI, SQL injection, and command injection on OffSec provided practice machines
  • Build and practice your enumeration methodology: what you run on every port, in what order
  • Complete at least 5 lab machines in the PEN-200 labs — document every step
Week 2: Buffer Overflows & Service Exploitation
  • Master Windows 32-bit buffer overflow from scratch: fuzzing, bad char identification, finding JMP ESP, and shellcode generation
  • Study service exploitation: identifying version-specific CVEs, using Exploit-DB, and modifying public exploits
  • Practice privilege escalation on multiple machines: install LinPEAS/WinPEAS and understand their output
  • Complete 10+ lab machines targeting different vulnerability types
Week 3: Active Directory Attacks
  • Study AD enumeration: BloodHound/SharpHound data collection, attack path analysis, and domain mapping
  • Practice Kerberoasting, AS-REP Roasting, Pass-the-Hash, and Pass-the-Ticket attacks in lab environments
  • Cover DCSync attack, Golden/Silver ticket concepts, and domain persistence mechanisms
  • Complete OffSec AD lab sets and at least 2 practice AD environments (HTB Pro Labs or similar)
Week 4: Exam Simulation & Report Practice
  • Attempt a full exam simulation: 24 hours, 3 standalone machines + 1 AD set, completely isolated
  • Write a complete penetration test report from your simulation — practice executive summary and technical sections
  • Review all failed attack paths from simulation; identify methodology gaps and weak areas
  • Ensure you can reliably complete a buffer overflow exploit in under 2 hours and enumerate AD in under 1 hour

Common mistakes candidates make

These patterns appear repeatedly among candidates who resit this exam. Knowing them in advance is worth several percentage points.

Not practicing buffer overflows and Active Directory attacks
Buffer overflows and AD exploitation appear in the OSCP exam. Many candidates spend all their time on web application attacks and fail because they cannot complete the AD set or a service exploit. Allocate at least 30% of lab time to AD attacks.

Skipping the PEN-200 labs
OffSec recommends completing 80% of lab machines before the exam. The labs are not optional reading — they teach the exact methodology and mindset required. Reading the course material without hands-on lab practice is the most common path to failure.

Not having a systematic methodology for unknown targets
Exam machines are unknown. Candidates who rely on checklists for specific exploit types fail when they encounter novel configurations. Practice building and following a port-by-port enumeration methodology that you execute consistently regardless of target.

Poor report writing costing pass points
The OSCP report is due 24 hours after the exam ends and is part of the grade. Reports missing reproduction steps, screenshots, or clear vulnerability descriptions can fail even if you compromised all machines. Practice writing reports during lab time.

Is Certsqill right for you?

Honestly: Certsqill is built for candidates who have already done some studying and want to convert knowledge into exam performance. If you have never touched the subject, start with a foundational course first — then come to Certsqill when you are ready to practice.

Where Certsqill is strong: question depth, AI-powered explanations, and domain analytics. Every question is mapped to the exam blueprint. When you get something wrong, the AI tutor explains why the right answer is right and why each wrong answer fails under the specific constraints in the question.

Where Certsqill is not a replacement: video courses and hands-on labs. Use Certsqill to test and sharpen — not as your first exposure to a topic you have never encountered.
