Is OSCP Difficult?


OSCP is one of the most recognized and respected Cybersecurity Certifications out there. We ask advice from those people that have passed the OSCP!



Posted by Henry Dalziel  |  December 16, 2019  |   Questions / Comments 6


TL;DR
We interview a bunch of people that have passed OSCP and ask them for advice.

Here's a very rough two second summary of what they said:

- Learn enumeration;
- Privilege escalation;
- Plan your time accordingly;
- Buffer overflow;
- and, use pentesting labs!

An Overview Of This Interview Roundup

The point of this resource is to establish just how difficult the OSCP is, so we asked those who have passed it.

We’ve been covering Cybersecurity training for many years now and ever since it was launched, we’ve been really fascinated by the OSCP Certification.

The Offensive Security Certified Professional (OSCP) is the certification that follows a course called “Penetration Testing with Kali Linux”.

The folks behind Kali Linux are responsible for the OSCP Course (as well as a bunch of other ones).

Here’s why we think the OSCP is the real deal and the bad-ass cybersecurity cert you can achieve: it tests the individual by assessing their penetration testing process and life-cycle through an arduous twenty-four (24) hour certification exam! That’s right. 24 Hours! Pretty awesome!

The end result is that the professional that has passed OSCP has clearly demonstrated their ability to be presented with an unknown network, enumerate the targets within their scope, exploit them, and clearly document their results in a penetration test report (which is also a requirement).

In this post, we ask current Professional Penetration Testers and Cybersecurity Professionals how they trained for and passed the OSCP Certification.


How Much Does OSCP Cost?

The cost of the OSCP certification is (at the time of writing in 2020) $800.

The price of OSCP includes lab access and an exam voucher.

At the time of writing, you get 30 days of lab access and you’ll have to sit the 24-hour exam within that time frame. Now, of course, you’d be wise to practice on other free labs which you can install on VirtualBox, and that’s absolutely something we advise you to do.

What’s The Difference Between CEH vs OSCP vs CISSP?

Good question!

The answer is simple.

I passed CEH in 2018 and found it relatively easy, but I did do a ton of work before, and I haven’t passed the OSCP or CISSP, so I can’t accurately compare them. What I can say, however, is that CEH and OSCP have a lot in common in the sense that they are both offensive certifications, whilst CISSP is really more of a 360 view aimed at Senior Management.

CEH and CISSP are both multiple-choice based exams. CEH is three hours long whilst CISSP I believe is five hours.

OSCP is practical.

What Do You Have To Do To Pass OSCP?

The OSCP certification is awarded on being able to successfully crack five machines in 24 hours.

One machine (‘box’) will be the most difficult and will hold the maximum points, while the others will address your skills in being able to hack boxes using enumeration, exploitation, and post-exploitation techniques.

The vulnerable boxes are a mix of Linux and Windows systems.

What’s The Benefit Of Passing OSCP?

Being OSCP certified helps your career if you’re interested in becoming a Penetration Tester or Ethical Hacker. The fact that you can pwn machines under a strict time limit shows that you have the necessary knowledge and skills to hack into machines and systems.

Furthermore, another major benefit of passing the OSCP is that increasingly recruiters are requesting that candidates pass or have the OSCP cert, especially for roles that are aimed at Penetration Testing.

We’d absolutely encourage you to take this InfoSec cert if you’re serious about a career in Cybersecurity.


Enough Of Me Talking; Let’s Ask The Experts! The Question We Asked Was:

“What Advice Would You Give Someone Studying For The OSCP?”


(We also have the same resource on advice from professionals that have passed the CEH)




Gavin Lo | OSCP, ECRE
Cybersecurity Expert

Spending endless hours trying to break into certain machines with no success.

Stick to the easier machines first – if a challenge seems too hard for you for a while despite your best efforts, it probably is. Don’t lie to yourself and be overconfident. Also, gather as much information as possible. Don’t take shots in the dark unless absolutely necessary. In my opinion, the buffer overflow machines are easiest. Less luck, more logic 🙂

I also consider myself a decent Python, C, and PHP programmer, though there always is more to learn. Python definitely helped with the exploit development part of the course.


Sandro Zaccarini | OSCP, OSWE, OSCE, NACA, eCPTX, eMAPT
Security Consultant at Maticmind S.p.A.

Don’t overlook the enumeration phase: everything you need is just in front of you, no hint nor question just a good enumeration.


Malkit Singh | OSCP, CREST(CPSA-CRT)
Ethical Hacker (Infosys)

Try Harder, Try Harder till you succeed. Enumerate each bit of the machine to get the next hint. Obviously hands-on practice with Kali Linux is a must and one should always think about “what next?”…


Saravana Kumar | OSCP, CEH, CIPP
Senior Security Engineer at Crypto

Try Harder! And Enumeration is the Key.


Brian Johnson | OSCP, OCCP, CEH, CompTIA N+, CISSP
Security Engineer & Podcaster

Be VERY disciplined about time management. If you’ve got a family and a full-time job like I did, make sure your significant other, kids etc. are supportive of this effort as you’ll likely need to spend many red-eye hours studying and working through the labs. You’ll probably need to sacrifice personal/family time to succeed in obtaining the OSCP.


Muhammed Bassem | OSCP, OSCE, ISO 27k1 LA, GSEC
Security Engineer at Klarna

You should master the exploit development and privilege escalation techniques, follow the technical blogs for g0tmi1k, security-tube, fuzzysecurity, c0relan, offensivesecurity, Infosec Institute, SANS reading room, Blackhat/DEFCON/Hackinthebox Conferences YouTube channels, opensecurity, theamazingking, samsclass, GitHub resources and play CTF.


Martin Voelk | OSCP, OSWP, CCIE
Chief Information Security Officer (CISO) at GigIT, Inc.

Hands on practice. Theoretical knowledge is not enough and the more lab time you can get the better. The OSCP labs are great.


Grant Boudreau | OSCP, OSWP, CompTIA Server+, CompTIA Security+
Consultant, Cyber Security at MNP

Try to pwn every lab machine. There is a different skill gained from every machine. It helped me pass my OSCP exam as two machines were very similar to two of the lab machines.


Yamal Patel | OSCP, CEH
Senior Security Consultant & Team Lead at Synopsys Inc

Try Hard. Try Harder. Hands-on practice is a must. Give dedicated time to exploit each machine in different Lab networks and increase your skill set to do Python scripting along with that. Don’t lose your concentration throughout the Lab period and stay focused.


Andres Amado | OSCP, eCPTX
Pentester & Security Analyst

Perseverance and effort!


Hamed Farid | OSCP, ITIL , CEH , OSCE, Corelan Advanced
Senior Penetration Testing

Try Harder!


Luka Sikic | OSWE, OSCP

Learn privilege escalation.


Kaleem Shaik | OSCP
Senior Security Assurance Analyst at Emirates

Learn buffer overflow and privilege escalation. Do labs well.


Sparsh Owlak | OSCP, CEH
Senior Consultant at EY

Do not underestimate or assume anything. The more you try, the more you’ll learn.


Prem Kumar | OSCP
Vulnerability Analyst at Booking.com

Be through with your basics.


Ahmed Mohamed | OSCP, CISSP
Enterprise Information Security Consultant at Canon

Get yourself familiar by practicing on the machines at vulnhub.com where you will arm yourself with more than the skills you need to pass OSCP.


Naveen Vivek | OSCP, OSCP, CCNA
Penetration tester at Schneider Electric

Try to finish at least 30 machines in the OSCP lab and then give it a try. Then it will be easier to pass OSCP on time.


Ye Yint Min Thu Htut (OSCE, OSCP, CREST CRT)
Offensive Security Engineer | OSCP, OSWP, OSCE, eCPTX, CED, Crest CRT Pen

Please do not be discouraged if you failed. Try Again, Try Harder and earn your OSCP Certification.


Choudhary Muhammad Osama | OSCP, 100W OPESEC, 210W CICS
Penetration Tester and Application Security Researcher

Master yourself in privilege escalation and try to work on some vulnerable machines available at “VulnHub” to get the knowledge of privilege escalation.


Ajay Choudhary | OSCP, Crest CRP

Keep an Eye on Enumeration.


Ferdi Bak | OSCP
Cyber Security Professional at VHL IT Security Training BV

Strategy, Methodology and Time Management are key. Make up a strategy to avoid rabbit holes, plan your available exam time well and create a battle plan and stick to it.


Nikhil Kumar | OSCP, OSWP, CEH
Information Security Team Lead

Complete at least 30 machines in the lab before trying to tackle the exam. Learn buffer overflow before the exam: Vivek Ramachandran buffer overflow videos were very helpful for me.


Jason Bernier | OSWP, GCIH, MCSE, CEH, RHCSA, VCP5
Senior Penetration Tester at BAE Systems

Sticking with it and putting in the time to get it done. Also, you need to enumerate, enumerate, and enumerate some more!


Herm Cardona | OSCP, OSWP, CompTIA A+, CompTIA Security+, ISACA
Cybersecurity Consultant

The most challenging thing about OSCP was the tremendous amount of supplemental learning required (Python, C, JavaScript, HTML, SQL, PHP, Debugging, Exploit Development), however, the tip I’d give is this: “Never give up! Try harder! Yes, and absolutely!”


Ethan Kurt | VCP6-DCV, LPIC-1, MCITP, CCNA, CIW, MTCNA, MTCUME
Cyber Security Threat Hunter

Know your target and time management.

Passion is the most important thing to pass the OSCP exam.

Penetration testing is the only thing you are doing when you have nothing to do. If you are a proficient (Python and C) programmer, it would help you a lot. Unfortunately, you cannot expect to pass the OSCP exam only with Python skill. You also need to know networking protocols and how they work.


6 responses to “Is OSCP Difficult?”

  1. Nikhil Tyagi says:

    The next is OSCP for me!

  2. Ash Kamas says:

    What are the thoughts on the follow on 48 and 72 hr exams? My view is that if the exam is not tough then it’s not worth doing. I kind of dismissed the CEH when I came across OSCP. I welcome your thoughts folks..

    • Totally agree with your comments. I took the CEH and passed it the first time.

      The obvious and main difference is that CEH is multiple choice whereas the OSCP is totally and completely practical. The feeling I get is that the OSCP gets more love from hardcore and more experienced Cybersecurity Professionals whilst CEH was the first-to-market and benefitted from the growing need of InfoSec professionals in the space. If I were you I’d definitely try and get the OSCP. Once you have that then if HR or recruiters also want to see the CEH on your CV then go ahead and take that too. OSCP is more difficult than the CEH there’s no doubt on that.

  3. Prabbhu says:

    Hi, could you please tell me any training available for OSCP?
