published:

OSCP Exam Review

A full breakdown of my OSCP experience — prep resources, exam strategy, reporting, and whether it is worth the cost.

OSCP Review — Was It Worth It?

The OSCP has been on my radar for a while, and after finally sitting for the exam I figured I’d write up my experience for anyone going through the same process. Hopefully this saves someone some time.

Background

I’ve been in cybersecurity for around five years. Before pursuing the OSCP I had already spent a solid amount of time doing penetration testing and working through Active Directory attack chains, so I wasn’t coming into this completely cold. The methodology, the mindset, the enumeration habits — most of that was already baked in from real work.

I also completed the PNPT (Practical Network Penetration Tester) from TCM Security before registering for the OSCP. That ended up being one of the better decisions I made. The PNPT covers a lot of the fundamentals in a practical, no-hand-holding way, and it gave me a solid baseline to build from before stepping into OffSec’s ecosystem.

Preparation

Even with prior experience, I still put in focused prep before the exam. Here’s what I leaned on:

TCM Security PNPT Course Material — I revisited a good chunk of TCM’s course content during my prep. If you’re newer to this space, I’d honestly recommend going through it before you even open PEN-200. It frames things well and TCM’s teaching style is more approachable than diving straight into OffSec’s material.

TJnull’s NetSecFocus List — The TJnull list is essentially the community standard for OSCP prep boxes. It covers HackTheBox and Proving Grounds machines that are stylistically similar to what you’ll see on the exam. Work through as much of it as you can, and watch IppSec’s videos for the HTB boxes — taking notes from those walkthroughs alone is worth the time.

LainKusanagi’s OSCP-Like List — This one doesn’t get talked about as much, but I found it just as useful. The LainKusanagi list overlaps with TJnull in a lot of places, but it’s been curated to filter out boxes that are too far outside OSCP scope and adds machines from platforms like HackSmarter and Virtual Hacking Labs. It also separates out Active Directory and network scenarios cleanly, which was useful for targeting weak spots in my prep.

General work experience — Honestly, this one carries more weight than people give it credit for. Years of doing actual penetration testing work — writing reports, building attack chains, running engagements end-to-end — translated directly to how I approached the exam. Methodology and critical thinking under pressure aren’t things you pick up from a checklist.

Exam Experience

The exam itself went smoothly. The proctor was on time, the setup process was straightforward, and I didn’t run into any technical issues getting started. No surprises there.

One thing I can’t stress enough: do the practice exams in the PEN-200 course. They aren’t optional in any meaningful sense. The challenge labs in the course are designed to simulate the structure of the actual exam, and if you skip them you’re going in underprepared. After talking to a lot of people who had already sat for the exam, a pattern came up consistently — those who treated the practice exams seriously were the ones who felt confident on exam day.

The other piece of advice that made a real difference for me was starting the exam later in the day. I know the instinct is to start first thing in the morning and grind through, but the exam is 24 hours and your brain has limits. I started at 4:00 PM, which meant I could work through the first stretch of the exam, hit a natural stopping point in the late evening, sleep, and come back in the morning with fresh eyes. Working too many hours straight without a break will have you overlooking things that should be obvious. You start second-guessing yourself, missing low-hanging fruit, and spinning out on rabbit holes. Sleep is not a luxury during the OSCP — it’s part of the strategy.

By managing my time well, I was able to work through the machines and still have time left in the exam window to start on the report. That matters more than most people realize going in.

The Report Is Everything

If there’s one thing I want people to take away from this post, it’s that the report is not an afterthought. You can compromise every machine in the exam and still fail if your documentation doesn’t hold up. OffSec’s standard is clear: anyone reading your report should be able to reproduce every single attack you performed, step by step, without needing to ask you a question. That’s the bar.

That means screenshotting everything — every command, every output, every shell you catch, every privilege escalation step. If you don’t have a screenshot of it, it’s as if it didn’t happen. I got into the habit of over-documenting rather than under-documenting throughout my prep, and that paid off. Take notes in real time, not from memory at the end. By the time you’re writing the report, you do not want to be going back through your terminal history trying to reconstruct what you did three hours ago.

I used the OffSec-provided report template, which I’d recommend sticking with. It’s structured to meet their expectations out of the box, and there’s no reason to reinvent the wheel when you’re already under time pressure. Fill it in as you go, keep your notes organized by target, and don’t wait until the exam window is almost closed to start pulling everything together.

Waiting for Results

After you submit, the wait begins — and honestly, the anticipation is the hardest part of the whole process. It took about 10 days before I got my results. Ten days of checking your email way more than you normally would, replaying decisions from the exam in your head, and trying to convince yourself you documented everything properly. There’s not much you can do about it, but knowing upfront that the turnaround isn’t fast helps manage expectations. Just close the laptop and do something else for a while.

Final Thoughts

The OSCP is a solid certification and one I’d recommend to anyone serious about penetration testing. It’s recognized industry-wide, the exam format is genuinely practical, and earning it means something because it actually requires you to demonstrate skill, not just pass a multiple-choice test.

That said, it’s worth being upfront about the cost. OffSec’s pricing puts the OSCP out of reach for a lot of people, and there are legitimate alternatives that test real skills without the price tag. The PNPT from TCM Security is a strong one — it’s practical, report-based, and respected in the community for a fraction of the cost. The CRTO (Certified Red Team Operator) from Zero-Point Security is another worth considering, especially if you’re interested in more red team-oriented tradecraft, including solid coverage of Active Directory attacks and C2 operations.

Neither of those is a knock on the OSCP. It’s a well-built cert and the brand recognition is real. But if budget is a constraint, know that there are quality paths that don’t require you to spend $1,499 to prove you know how to hack.