Offensive Security Certified Professional (OSCP)
Overview
The Offensive Security Certified Professional (OSCP) is the certification tied to OffSec's PEN-200 course (Penetration Testing with Kali Linux). It is one of the few security credentials proven entirely by doing: there are no multiple-choice questions. Instead you sit a 24-hour practical exam (about 23 hours 45 minutes of attack time, then a further 24 hours to write and upload your report), attacking machines on a private VPN lab that includes an Active Directory set and three standalone targets in an assumed-compromise model.
OSCP's reputation comes from this difficulty and its hands-on nature. Where some certifications test recognition of concepts, OSCP makes you enumerate, exploit, pivot and escalate against live targets and then document it like a real engagement. That is exactly why hiring managers for penetration-testing roles value it, and why it demands far more lab time than a theory exam. This page is informational only and contains no operational attack instructions.
✓ Who it is for
- People who want a hands-on penetration-testing role and need to prove practical skill
- Candidates comfortable with Linux, networking and scripting who learn by doing
- Those who already understand offensive concepts and want to demonstrate they can apply them
✕ Who it is not for
- Complete beginners without networking and Linux fundamentals (build those first, e.g. Security+ or Network+).
- People who prefer multiple-choice exams or want a quick certification. OSCP is long, practical and demanding.
- Those who only need an HR-recognised baseline rather than demonstrated exploitation skill (CEH may fit that better).
Exam structure
| Component | What it involves |
|---|---|
| Active Directory set | A chained AD environment in an assumed-compromise model, worth 40 of the 100 points. |
| Standalone machines | Several independent targets to fully compromise, worth 60 of the 100 points. |
| Enumeration and exploitation | Find services, identify weaknesses and gain initial access on each target. |
| Privilege escalation and reporting | Escalate to higher privileges, then write a professional report uploaded within a further 24 hours. |
Realistic study time
- Strong Linux/networking background: 200-300 hours over 3-4 months
- New to hands-on offensive security: 400+ hours over 6-12 months
These figures show relative effort, not a guarantee. Your time depends on background and study method.
What it really costs
Fees change and vary by region. Confirm the current amount on the official site before you register.
Salary & career value
Indicative ranges for orientation only - not surveyed data, and not financial or career advice. Sources and date below.
US penetration testers and offensive-security specialists who hold OSCP commonly report indicative pay of roughly $90k-150k, with senior roles higher. OSCP is a hands-on, well-respected credential and tends to sit at the upper end of pentest pay.
Pass rate: OffSec does not publish an OSCP pass rate. The OSCP is not a multiple-choice exam, so there is no percentage to quote: it is a hands-on practical where you attack live lab machines over roughly 23 hours 45 minutes, then write a professional report within a further 24 hours. You pass by scoring 70 of 100 points across an Active Directory set (40 pts) and standalone machines (60 pts). It is widely regarded as one of the harder practical security exams, and many candidates need more than one attempt.
Indicative annual pay (USD), each role's typical band on a shared scale.
Other markets (indicative)
| Market | Indicative annual pay |
|---|---|
| United Kingdom | ~£45k-85k |
| Germany | ~€55k-85k |
Jobs that often ask for it:
- Penetration Tester
- Red Team Operator
- Offensive Security Engineer
- Security Consultant
- Application Security Engineer
Is it worth it?
Worth it if your goal is a hands-on penetration-testing or red-team role, where OSCP is one of the most respected practical credentials. It is a poor fit if you only need an HR baseline or prefer a knowledge-based exam. In that case a cheaper, theory-based certification may serve you better. Budget serious lab time, not just exam fees.
What to do next
OSCP proves hands-on exploitation skill. If you lack networking or Linux fundamentals, build them first with Security+ or Network+. To move toward seniority and leadership later, CISSP complements the practical skill OSCP demonstrates.
On exam day
A 24-hour proctored practical over a private VPN: roughly 23 hours 45 minutes of attack time against an Active Directory set (40 pts) and standalone machines (60 pts) in an assumed-compromise model, with a further 24 hours to write and upload your report. 70 of 100 points are needed to pass.
Keeping your certification
The classic OSCP has no expiry. The current OSCP+ designation is valid for three years: maintain it with 120 CPE credits across the cycle and an annual fee. Confirm which applies to you with OffSec.
FAQ
- Is OSCP hard?
- Yes. It is widely considered one of the harder hands-on security certifications. The 24-hour practical exam requires you to actually compromise live machines and then document them, which is far more demanding than a multiple-choice test.
- How is the OSCP exam structured?
- It is a hands-on practical, not a written exam. You have roughly 23 hours 45 minutes to attack a private VPN lab containing an Active Directory set (40 points) and three standalone machines (60 points) in an assumed-compromise model, then a further 24 hours to write and upload a professional report. You need 70 of 100 points to pass.
- How is OSCP different from CEH?
- OSCP is purely practical: you have to break into real lab machines and prove it. CEH is largely theory and multiple choice. OSCP demonstrates you can do the work; CEH demonstrates you know the concepts and is more HR-recognised.
- Do I need experience or prerequisites for OSCP?
- There are no mandatory prerequisites, but OffSec strongly recommends completing the PEN-200 course first. You should be comfortable with TCP/IP networking, the Linux command line, and basic Bash or Python scripting before attempting it.
- How much does OSCP cost?
- Approximately: the standalone exam is around US$1,699, the PEN-200 course-plus-exam bundle is around US$1,749, and a retake is around US$249. Confirm current pricing with OffSec, as it changes.
- Does OSCP expire?
- The classic OSCP does not expire. The current OSCP+ designation introduces a three-year validity that you maintain with 120 CPE credits and an annual fee. Check with OffSec to see which version applies to you.
- Can I self-study for OSCP?
- You can build the underlying skills yourself, but most candidates take the PEN-200 course for its structured labs. Either way, the exam is hands-on, so the only real preparation is extensive practice against safe, legal lab machines.
Related exams
- Certified Ethical Hacker (CEH) - EC-Council
- CompTIA Security+ (SY0-701) - CompTIA
- CISSP (ISC2) - ISC2