OSCP (Offensive Security Certified Professional) Training and Challenge

I’m writing this post, as I really feel that this course needs to get more publicity. Over the last few years I have done countless security courses, and exams from some of the top players in this market, and nothing has come close to the OSCP training.

I first signed up for the training in May, as I saw it advertised on the Offensive Security website and thought that it sounded fun. At a first glance, I really wasn’t too sure about the training materials, as you get a Flash based CBT and a PDF, I initially ran thought the CBT side of things in a week, when I actually got around to doing the training, and thought that it needed a bit of work. I think that I wasn’t looking at the training from the right angle, and that’s why I misjudged it, it’s not designed to teach you everything in one sitting, it’s designed to give you enough information to go away and actually spend some time researching the different areas that they cover, and in which case, it’s the best training that I’ve ever taken!

There is no way that a training course could cover everything that they cover without expecting you to go away and do some research yourself, and well to me, doing the research on my own time really paid off, as I feel that I learnt more in the time that I spent either going through the training or researching bits of it, than I have in the last 2 years.

Now on to the actual challenge that you must pass to obtain the certification, this is a live hack of a number of predefined hosts, and you have 24 hours to get through them all. You can pretty much use any publicly available exploits or ever write your own to compromise these hosts, and well let me tell, this has be the most insane 24 hours that I have ever had. It took me 23 hours and 55 minutes, and even then I didn’t manage to fully finish the last question, but I knew that 5 minutes wouldn’t have been enough for me to finish it. throughout the whole 24 hour period, I had 2 hours sleep, and the rest of the time was spent trying to compromise the various hosts. It may not take other people as long as it took me, but “Challenge” is definitely the right choice of words for it. If you don’t know how to exploit systems to a level where you have root/Administrator access then in no way are you ready for the Challenge.

Thankfully I made it through, and if I hadn’t I would have sat it again, but it would have been a while before I did, as it really does take it out of you. From my side though, when I come across another OSCP, I will show them the respect they deserve, as honestly, if you can get through the Challenge, they you should have a pretty good idea about how to conduct a proper penetration test, and no other training that I’ve done has ever been as hands on or in depth.

To anyone thinking about taking the course, do yourself and your employer a favour and sign up for it, you won’t regret it.

  • Joe

    I am also taking this course, as i have wanted to get into the security field / penetration testing. I have read many security/hardening/hacking books, taken courses, even obtained the Ethical Hacker Certification. But this course is just plain balls-to-the-wall, get out and do it. I have never been so addicted to compromising a server, and learning how to do it, as well as stopping OTHERS from doing it. I have yet to take the Challenge, but with what i have learned from the past three months of training, the on-line labs, the IRC chat sessions, and just plain old fashioned research is just invaluable. The guys that put on the training are always available to ask questions, and they dont come out and give the answers, either. They steer you toward your objective, making you do the dirty work, but after you have successfully accomplished your goal, the satisfaction of knowing how you did it, and being able to replicate it, is most satisfying.

  • Daniel

    It’s almost setting a completely new standard with regards to computer security and public awareness of the insecurities of some of the more favored operating systems..

  • david

    as stated by “joe” this course is balls-to-the-wall, and in fact is by far the best training around not only bang for the buck, but in overall knowledge base. i just took my challenge the other day and it took me 22 of the 24 hours, i did take breaks to spend time with the family and eat and such, but still this test is ridiculous and awesomely fun at the same time. being in the security field and holding a couple of security certifications i am significantly more proud of this than any other that i currently posses and i don’t see that changing any time soon.

  • Harshana Fernando.

    This is a great and one of the best exams ever…..

  • John

    Def agree I really enjoyed that challenge. It pushes you to the limit to see what you are made of. I think it all hit me when I broke into the unix box and esc my privileges. I just felt like wow, this is amazing!

  • http://innobuzzonline.com Vicky

    Hmm.. sounds interesting. Live servers are VM machines?

  • Oktain

    Yes the Live machines are VMs. The course is a shared lab with other students, the exam is 100% dedicated. Just passed and got my OSCP. All I can say is that not only was it one of the more enjoyable training experiances I have ever done, but also one of the most content filled.

  • Ron

    I agree with all the commenters. I learned more in one month and 24 hours than I did in 3 years of pro work

  • Kaushal

    Do we need programming skills? I am a system administrator and worked on windows and linux. Just passed CISSP. Any guidance ….

  • Sat

    Does OSCP helps in penetration jobs field than CISSP? I heard CISSP has weight and it is managerial field than practical. I am wondering if CISSP should be done first or OSCP?

  • xyberpix

    Depends what you want to be doing, from a technical point of view the OSCP wins hands down. CISSP is more of a management type high level certification.

    Personally I’d hire an OSCP over a CISSP for a pentesting job anyday.

  • frank

    i’ m curious to understand which kind of O.S they expose..
    windows? linux? both?

  • http://www.xyberpix.com xyberpix

    @frank, to answer your question about OS’s, the simple answer is both.

    @Kaushal, to be honest no programming skills are required for this one, you will need to learn some programming going through the courseware, but there are pointers, etc on which languages. Just take it slow and you’ll be fine. Apologies about the really late reply.

  • http://networkadminsecrets.blogspot.com Craig

    Great post. I recently finished the OSCP as well and found it equally rewarding. If you’re interested in my experience, read about it here: http://networkadminsecrets.blogspot.com/2010/12/offensive-security-certified.html

  • frank

    Hi, just another easy question.
    What is the best environment that one should use during the OSCP exam? I mean a windows O.S with vmware (backtrack vmware imageas as guest) could be the best one?

  • Amol

    Saw some comments here regarding OSCP and CISSP. I have a CISSP and am now doing OSCP (and almost going insane but loving it).
    All i can say is that CISSP can go suck a lollipop in front of OSCP. Its like comparing kindergarten with college. There are many differences : practical 24 hr exam vs multiple choice etc but it basically boils down to this:
    CISSP is for HR to filter you out when you are looking for a job, OSCP is for yourself to make you a better security professional

  • jatin


    thanks for your great article its very help full, as you mentioned above you have cleared OSCP can you give me some idea how they give real time challenge i mean what kind of challenge they give us/

  • Best php profestional training

    Excellent Blog….!!!