Is OSCP Difficult?

An Overview Of This Interview Roundup

The point of this resource is to discover and establish just how difficult the OSCP, and we ask those that have passed it.

We interview a bunch of people that have passed OSCP and ask them for advice.

Here’s a very rough two-second summary of what they said:

  • Learn enumeration;
  • Privilege escalation;
  • Plan your time accordingly;
  • Buffer overflow;
  • and, use pentesting labs!

We’ve been covering Cybersecurity training for many years now and ever since it was launched, we’ve been really fascinated by the OSCP Certification.

The Offensive Security Certified Professional (OSCP) course and certification is the sequential certification to a course called “Penetration Testing with Kali Linux”.

The folks behind Kali Linux are responsible for the OSCP Course (as well as a bunch of other ones).

Here’s why we think the OSCP is the real deal and the bad-ass cybersecurity cert you can achieve: it tests the individual by assessing their penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam!

That’s right. A 24 Hour exam! Pretty awesome!

The end result is that the professional that has passed OSCP has clearly demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report (which is also a requirement).

In this post, we ask current Professional Penetration Testers and Cybersecurity Professionals how they trained for and passed the OSCP Certification.

Certifications we’ve asked for advice from professionals that passed them include:

How Much Does OSCP Cost?

The cost of the OSCP certification is (at the time of writing in 2020) $800.

The price of OSCP includes lab access and an exam voucher.

At the time of writing, you get 30 days of lab access and you’ll have to sit the 24-hour exam within that time frame. Now, of course, you’d be wise to practice on other free labs which you can install on VirtualBox and that’s absolutely something we advise that you.

What’s The Difference Between CEH vs OSCP vs CISSP?

Good question!

The answer is simple.

I passed CEH in 2018 and found it relatively easy but I did do a ton of work before but I haven’t passed the OSCP or CISSP so I can’t accurately compare them. What I can say, however, is that CEH and OSCP have a lot in common in the sense that they are both offensive certifications whilst CISSP is really more of a 360 view aimed at Senior Management.

CEH and CISSP are both multiple-choice based exams. CEH is three hours long whilst CISSP I believe is five hours.

OSCP is practical and very much “hands-on”, you have to try a bunch of skills to hack into a series of boxes, whilst CEH, like CISSP, is a more traditional-based assessment, i.e. multiple choice.

What Do You Have To Do To Pass OSCP?

The OSCP certification is awarded on being able to successfully crack five machines in 24 hours.

One machine (‘box’) will be the most difficult and will hold the maximum points, while the others will address your skills in being able to hack boxes using enumeration, exploitation, and post-exploitation techniques.

The vulnerable boxes are a mix of Linux and Windows systems.

What’s The Benefit Of Passing OSCP?

Being OSCP certified helps your career if you’re interested in becoming a Penetration Tester or Ethical Hacker. The fact that you can pwn machines under a strict time limit shows that you have the necessary knowledge and skills to hack into machines and systems.

Furthermore, another major benefit of passing the OSCP is that increasingly recruiters are requesting that candidates pass or have the OSCP cert, especially for roles that are aimed at Penetration Testing.

We’d absolutely encourage you to take this InfoSec cert if you’re serious about a career in Cybersecurity.

Enough Of Me Talking; Let’s Ask The Experts! The Question We Asked Was:

“What Advice Would You Give Someone Studying For The OSCP?”

(We also have the same resource on advice from professionals that have passed the CEH)

Gavin Lo | OSCP, ECRE

Cybersecurity Expert

Spending endless hours trying to break into certain machines with no success.

Stick to the easier machines first – if a challenge seems too hard for you for a while despite your best efforts, it probably is. Don’t lie to yourself and be overconfident. Also, gather as much information as possible. Don’t take shots in the dark unless absolutely necessary. In my opinion, the buffer overflow machines are easiest. Less luck, more logic.

I also consider myself a decent Python, C, and PHP programmer, though there always is more to learn. Python definitely helped with the exploit development part of the course.

Sandro Zaccarini | OSCP, OSWE, OSCE, NACA, eCPTX, eMAPT

Security Consultant at Maticmind S.p.A.

Don’t overlook the enumeration phase: everything you need is just in front of you, no hint nor question just a good enumeration.

Malkit Singh | OSCP, CREST(CPSA-CRT)

Ethical Hacker (Infosys)

Try Harder, Try Harder till you succeed. Enumerate each bit of the machine to get the next hint.

Obviously hands-on practice with Kali Linux is a must and one should always think about “what next”?

Saravana Kumar | OSCP, CEH, CIPP

Senior Security Engineer at Crypto

Try Harder! And Enumeration is the Key.

Brian Johnson | OSCP, OCCP, CEH, CompTIA N+, CISSP

Security Engineer & Podcaster

Be VERY disciplined about time management. If you’ve got a family and a full-time job like I did, make sure your significant other, kids, etc are supportive of this effort as you’ll likely need to spend many red-eye hours studying and working through the labs.

You’ll probably need to sacrifice personal/family time to succeed and obtaining the OSCP.

Muhammed Bassem | OSCP, OSCE, ISO 27k1 LA, GSEC

Security Engineer at Klarna

You should master the exploit development and privileges escalation techniques, follow the technical blogs for g0tmi1k, security-tube, fuzzy security, c0relan, offensive security, Infosec Institute, SANS reading room, Blackhat/ DEFCON/ Hackinthebox Conferences youtube channels, opensecurity, theamazingking, samsclass, GitHub resources and play CTF.

Martin Voelk | OSCP, OSWP, CCIE

Chief Information Security Officer (CISO) at GigIT, Inc.

Hands-on practice. Theoretical knowledge is not enough and the more lab time you can get the better. The OSCP labs are great.

Grant Boudreau | OSCP, OSWP, CompTIA Server+, CompTIA Security+

Consultant, Cyber Security at MNP

Try to pwn every lab machine.

There is a different skill gained from every machine.

It helped me pass my OSCP exam as two machines were very similar to two of the lab machines.

Yamal Patel | OSCP, CEH

Senior Security Consultant & Team Lead at Synopsys Inc

Try Hard. Try Harder.

Hand On practice is a must. Give dedicated time to exploit each machine in different Lab networks and increase your skillset to do Python scripting along with that.

Don’t lose your concentration throughout the Lab period and stay focused.

Andres Amado | OSCP, eCPTX

Pentester & Security Analyst

Perseverance and effort!

Hamed Farid | OSCP, ITIL, CEH, OSCE, Corelan Advanced

Senior Penetration Testing

Try Harder!

Luka Sikic | OSWE, OSCP

Cybersecurity Professional

Learn privilege escalation.

Kaleem Shaik | OSCP

Senior Security Assurance Analyst at Emirates

Learn buffer overflow and privilege escalation. Do labs well.

Sparsh Owlak | OSCP, CEH

Senior Consultant at EY

Do not underestimate or assume anything. More you’ll try, more you’ll learn

Prem Kumar | OSCP

Vulnerability Analyst at

Be through with your basics.

Ahmed Mohamed | OSCP, CISSP

Enterprise Information Security Consultant at Canon

Get yourself familiar by practicing on the machines at where you will arm yourself with more than the skills you need to pass OSCP.

Naveen Vivek | OSCP, OSCP, CCNA

Penetration tester at Schneider Electric

Try to finish at least 30 machines OSCP lab and then give a try. Then it will be easier to pass OSCP on time.

Ye Yint Min Thu Htut (OSCE, OSCP, CREST CRT)

Offensive Security Engineer

Please do not be discouraged if you failed. Try Again, Try Harder and earn your OSCP Certification.

Choudhary Muhammad Osama | OSCP, 100W OPESEC, 210W CICS

Penetration Tester and Application Security Researcher

Master yourself in privilege escalation and try to work on some vulnerable machines available at “VulnHub” to get the knowledge of privilege escalation.

Ajay Choudhary | OSCP, Crest CRP

Penetration Tester

Keep an Eye on Enumeration.

Ferdi Bak | OSCP

Cyber Security Professional at VHL IT Security Training BV

Strategy, Methodology and Time Management are key. Make up a strategy to avoid rabbit holes, plan your available exam time well and create a battle plan and stick to it.

Nikhil Kumar | OSCP, OSWP, CEH

Information Security Team Lead

Complete at least 30 machines in the lab before trying to tackle the exam. Learn buffer overflow before the exam: Vivek Ramachandran buffer overflow videos were very helpful for me.

Jason Bernier | OSWP, GCIH, MCSE, CEH, RHCSA, VCP5

Senior Penetration Tester at BAE Systems

Sticking with it and putting in the time to get it done. Also, you need to enumerate, enumerate, and enumerate some more!

Herm Cardona | OSCP, OSWP, CompTIA A+, CompTIA Security+, ISACA

Cybersecurity Consultant

The most challenging thing about OSCP was the tremendous amount of supplemental learning required (Python, C, JavaScript, HTML, SQL, PHP, Debugging, Exploit Development), however, the tip I’d give is this: “Never give up! Try harder! Yes, and absolutely!”


Cyber Security Threat Hunter

Know your target and time management.

Passion is the most important thing to pass the OSCP exam.

Penetration testing is the only thing you are doing when you have nothing to do. If you are a proficient (Python and C) programmer, it would help you a lot. Unfortunately, you cannot expect to pass the OSCP exam only with Python skill. You also need to know networking protocols and how are they working.

In Summary

There’s no doubt that employers highly regard the OSCP.

It’s a bit tricky to compare CEH against OSCP because both have their merits and in fact, it also depends on what Cybersecurity role you are looking to get into.

OSCP, like CEH, can be considered as being more offensive, and passing one or both of these certifications would certainly help you to become a Penetration Tester if that is the career path you’re seeking.

Henry "HMFIC"

I'm Henry, the guy behind this site. I've been Growth Hacking since 2002, yep, that long...

8 thoughts on “Is OSCP Difficult?

  1. What are the thoughts on the follow on 48 and 72 hr exams? My view is that if the exam is not tough then it’s not worth doing. I kind of dismissed the CEH when I came across OSCP. I welcome your thoughts folks..

    1. Totally agree with your comments. I tool the CEH and passed it the first time.

      The obvious and main difference is that CEH is multiple choice whereas the OSCP is totally and completely practical. The feeling I get is that the OSCP gets more love from hardcore and more experienced Cybersecurity Professionals whilst CEH was the first-to-market and benefitted from the growing need of InfoSec professionals in the space. If I were you I’d definitely try and get the OSCP. Once you have that then if HR or recruiters also want to see the CEH on your CV then go ahead and take that too. OSCP is more difficult than the CEH there’s no doubt on that.

    1. OSCP is only (I beleive) offered by Offensive Security, the same folks behind Kali Linux. They have a bunch of free InfoSec training content so be sure to go and check them out.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Recent Posts