OSCP is one of the few security certifications proven entirely by doing, and that fact changes everything about how you prepare for it. There are no multiple-choice questions. The exam is a 24-hour hands-on practical in which you compromise live lab machines and then document them like a professional engagement. You cannot study for it the way you study for a knowledge exam, because nothing you memorise will substitute for the ability to actually carry out an attack chain under time pressure and write it up clearly. That is the core difference from a theory-based exam: a theory exam tests whether you recognise offensive concepts, while OSCP tests whether you can apply them against real targets and prove it. This guide is a full self-study course about how to prepare. It teaches the exam’s structure, the methodology that passes it, the skill areas the PEN-200 course covers, and the report and endurance work that decide results, then turns it into a realistic plan. It is original teaching material kept deliberately at a conceptual level. It contains no operational attack instructions and no exam content, and you should always confirm the current structure and rules against OffSec’s own PEN-200 course page before you book.
Chapter 1: What OSCP is and how to use this guide
Why OSCP is different from every theory exam
OSCP measures demonstrated skill, not recall. It is tied to OffSec’s PEN-200 course, Penetration Testing with Kali Linux, and it earns its reputation precisely because it is hard to fake: you have to enumerate, find a way in, escalate, and pivot against machines you have never seen, then document it well enough that someone else could reproduce your steps. This is why hiring managers for hands-on penetration-testing roles value it, and why the only real preparation is extensive practice against safe, legal lab machines. If your instinct from other certifications is to read a book and memorise, you will need to retrain that instinct completely. The work here is in your hands and your methodology, not in flashcards.
How the credential and its renewal work
There are no mandatory prerequisites, but OffSec strongly recommends completing the PEN-200 course first, and you should be genuinely comfortable with TCP/IP networking, the Linux command line, and basic Bash or Python scripting before you attempt the exam. Exams passed since November 2024 award OSCP+, which is valid for three years and is maintained through OffSec's renewal options: continuing-education credits plus a renewal fee, another qualifying OffSec certification, or a retake of the exam. The classic OSCP awarded before that change does not expire. Check OffSec's current terms to see which applies to you. Budget seriously for lab time as well as the exam fee, because the hours of practice are the real cost of this certification, far more than the price of the attempt.
How to use this course
Read the chapters in order, because the methodology built early is what every later skill area depends on. The exam-format chapter comes first after this one, because understanding how points are scored shapes every strategic decision you make. Then the course works through enumeration and methodology, the PEN-200 skill areas, the privilege-escalation and Active Directory work that carries the most points, the report that turns effort into marks, and finally a lab-centred study plan and an exam-day chapter about pacing and endurance. Throughout, the guidance stays conceptual: the aim is to teach you how to structure your preparation and your thinking, not to provide techniques, and the single most important habit it builds is enumeration discipline applied through a fixed, repeatable methodology.
Chapter 2: The exam format and how scoring shapes strategy
Understanding the exam’s structure is not administrative detail for OSCP; it directly determines how you should spend your 24 hours and, before that, how you should prioritise your practice. Internalise the scoring and the strategy follows from it.
The structure of the practical
The exam is proctored and runs over a private VPN lab. You get roughly 23 hours and 45 minutes of attack time, followed by a further 24 hours to write and upload a professional report. The environment contains an Active Directory set and three standalone machines. The Active Directory portion uses an assumed-compromise model, meaning you begin with a foothold - credentials for a standard, low-privilege user on the domain - and the skill being tested is what you do next: moving through the environment toward full domain compromise, rather than gaining that very first access. You pass by scoring 70 of 100 points.
How the points break down
The points split cleanly and tell you where to focus. The Active Directory set is worth 40 points. The three standalone machines are worth 60 points between them, at 20 points each, and each standalone machine's 20 points is itself split into 10 points for low-privilege initial access and 10 points for privilege escalation to higher rights, each proven by the token you retrieve at that level. Three consequences follow. First, the Active Directory set is the single largest block of points on the exam, so it is a priority area and never an afterthought. Second, the arithmetic is unforgiving about it: the standalone machines cap at 60 points, so with no points from the Active Directory set you cannot pass, even with all three standalones fully compromised. Third, because initial access and privilege escalation are scored separately on the standalone machines, a half-finished machine still earns partial points as long as you documented what you achieved. That changes the maths of a long exam: getting a foothold on several machines and escalating on some can be a more reliable route to 70 points than fixating on completely finishing one difficult box. A note on a past feature: the bonus points that used to come from completing course exercises and the lab report were removed from the exam in November 2024, so plan to reach 70 points from the exam machines themselves rather than counting on any cushion.
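The scoring arithmetic above is worth working through once rather than reasoning about it at hour eighteen. The model below is an added example written for this guide, not OffSec material. It assumes the Active Directory set can be scored from 0 to 40 in 10-point steps (the guide does not commit to how OffSec splits partial credit inside the set), treats each standalone machine as the two 10-point milestones described above, and only credits an escalation on a machine whose initial access is also credited, since you cannot escalate from a foothold you have not recorded. No bonus points exist, matching the post-2024 rules.

```python
"""Scoring model for the current OSCP exam format (added example, not OffSec's).

Assumptions: AD partial credit modelled in 10-point steps from 0 to 40;
each standalone machine is two 10-point milestones (access, escalation);
escalation is only counted where access is counted; no bonus points.
"""

PASS_MARK = 70
AD_MAX = 40
AD_STEP = 10            # assumption: partial AD credit in 10-point steps
STANDALONE_MACHINES = 3
ACCESS_POINTS = 10
ESCALATION_POINTS = 10


def standalone_points(machines):
    """Points from the standalone machines.

    machines: three (access_done, escalation_done) boolean pairs.
    """
    if len(machines) != STANDALONE_MACHINES:
        raise ValueError("expected exactly three standalone machines")
    total = 0
    for access, escalation in machines:
        if access:
            total += ACCESS_POINTS
            if escalation:          # escalation presupposes a documented foothold
                total += ESCALATION_POINTS
    return total


def exam_score(ad_points, machines):
    if not 0 <= ad_points <= AD_MAX:
        raise ValueError("AD points must be between 0 and 40")
    return ad_points + standalone_points(machines)


def passes(score):
    return score >= PASS_MARK


def ad_points_needed(machines):
    """Smallest AD score that still passes, given these standalone results."""
    return max(0, PASS_MARK - standalone_points(machines))


def passing_combinations():
    """All (ad_points, footholds, escalations) triples that reach 70.

    Escalations never exceed footholds, per the modelling assumption above.
    """
    combos = set()
    for ad in range(0, AD_MAX + 1, AD_STEP):
        for footholds in range(STANDALONE_MACHINES + 1):
            for escalations in range(footholds + 1):
                score = ad + footholds * ACCESS_POINTS + escalations * ESCALATION_POINTS
                if passes(score):
                    combos.add((ad, footholds, escalations))
    return combos


if __name__ == "__main__":
    # Three fully compromised standalones and nothing from AD is 60: a fail.
    print("max without AD:", exam_score(0, [(True, True)] * 3))
    for combo in sorted(passing_combinations()):
        print("passes with AD=%d, footholds=%d, escalations=%d" % combo)
```

Running it shows that every passing combination has a non-zero AD score, and that three footholds plus a fully cleared AD set already reaches 70 without any standalone escalation, which is the quantitative version of the "documented partial progress across several targets" strategy.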
Letting scoring drive your practice
Because the Active Directory set carries 40 points and uses assumed compromise, your practice should give heavy weight to moving through an AD environment from a foothold - the enumeration, lateral movement, and escalation that chain a domain together - rather than treating AD as a final topic to skim. And because standalone machines reward both access and escalation, privilege escalation on both Linux and Windows deserves relentless practice, since it is half the standalone points and the place many candidates run out of time. The scoring is, in effect, telling you your study priorities; listen to it.
Chapter 3: Enumeration and building a repeatable methodology
If there is one thing that separates candidates who pass from candidates who get stuck, it is enumeration discipline. Most OSCP progress comes from thorough enumeration, not from exotic or clever exploits, and the candidates who stall almost always stalled because they stopped enumerating too soon and started guessing.
Why enumeration is the foundation
Enumeration is the systematic discovery of what a target actually exposes: its live hosts, open ports, running services, and the details that hint at how it might be approached. It is the foundation everything else builds on, because you cannot reason about a weakness you have not found, and the exam’s machines are designed so that the path forward is discoverable by someone who looks thoroughly rather than someone who knows a trick. When a candidate is stuck with no idea what to do next, the cause is nearly always incomplete enumeration: a service not yet found, a port not yet examined, a piece of information not yet noticed. The discipline is to keep looking, methodically and completely, before concluding there is nothing there.
The methodology to internalise
Build a fixed sequence you run on every single machine, the same way every time, so that under exam pressure you fall back on process instead of panic. A sound shape for that sequence is: enumerate fully, identify the most likely weakness from what you found, gain an initial foothold, then escalate privileges, and document throughout. The value of a fixed methodology is that it removes decisions when you are tired and stressed. You are not inventing an approach at hour eighteen of the exam; you are running the same disciplined loop you have run on dozens of practice machines. The methodology is the thing you are really training during all those lab hours, more than any individual technique, because it is what carries you when a machine looks unfamiliar.
Making the methodology automatic
The only way a methodology becomes reliable is repetition until it is automatic. Run your sequence on as many safe, legal practice machines as you can, and resist the urge to skip steps when you think you already see the answer, because the discipline of completeness is exactly what you are building. Practise the habit of, when stuck, returning to enumeration rather than guessing, since that single reflex resolves a large share of the moments where candidates lose hours. As a teaching example of the mindset, not a technique: when a machine seems to offer no way forward, the productive response is almost always to enumerate more thoroughly - to assume something exposed has been missed - rather than to throw untargeted attempts at what you have already found.
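One concrete way to enforce the "enumerate fully before concluding" reflex is to turn every scan into an explicit checklist that nothing gets struck from until it has been examined. The script below is an added example for this guide, not code from the original page or from OffSec or the nmap project. It does no scanning itself: it parses nmap's documented grepable (-oG) output, where each "Ports:" entry has the form port/state/protocol/owner/service/rpc-info/version/, and it runs on a constructed sample scan of a fictitious lab address. The checks it adds (full port range covered, UDP covered, unconfirmed service guesses, filtered ports to revisit) are this example's own choices about what "stopped too soon" usually looks like.

```python
"""Turn nmap grepable output into an enumeration checklist (added example).

Assumes nmap's -oG line format. SAMPLE_SCAN is constructed for illustration;
10.10.10.5 is a fictitious lab address.
"""
from dataclasses import dataclass

# Constructed sample of what `nmap -sV -oG - 10.10.10.5` could print for a lab box.
SAMPLE_SCAN = """# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oG - 10.10.10.5
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 139/filtered/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds?///\tIgnored State: closed (996)
# Nmap done at Mon Jan  1 10:00:09 2024 -- 1 IP address (1 host up) scanned in 9.12 seconds
"""

FULL_RANGE_FLAGS = ("-p-", "-p 1-65535", "-p1-65535")


@dataclass(frozen=True)
class PortRecord:
    host: str
    port: int
    protocol: str
    state: str
    service: str
    version: str


def scan_command(text):
    """Recover the nmap command line from the '# Nmap ... as:' header, if present."""
    for line in text.splitlines():
        if line.startswith("# Nmap") and " as: " in line:
            return line.split(" as: ", 1)[1].strip()
    return None


def parse_grepable(text):
    """Parse every 'Ports:' field of -oG output into PortRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                if len(parts) < 7:
                    continue  # malformed entry: skip rather than guess
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                records.append(PortRecord(host, int(port), proto, state, service, version))
    return records


def enumeration_checklist(text):
    """Checklist items, all initially unticked, that must be worked before moving on."""
    items = []
    cmd = scan_command(text) or ""
    if not any(flag in cmd for flag in FULL_RANGE_FLAGS):
        items.append("[ ] Full TCP port range not yet covered by this scan command")
    if "-sU" not in cmd:
        items.append("[ ] UDP services not yet scanned (no -sU in the scan command)")
    for r in parse_grepable(text):
        label = f"{r.host}:{r.port}/{r.protocol}"
        if r.state == "open":
            detail = r.version or "no version banner"
            items.append(f"[ ] {label} {r.service} ({detail}): examine manually, record findings")
            if r.service.endswith("?"):   # nmap marks unconfirmed service guesses with '?'
                items.append(f"[ ] {label}: service guess unconfirmed, identify it before moving on")
        elif r.state == "filtered":
            items.append(f"[ ] {label}: filtered, revisit after gaining a foothold")
    return items


if __name__ == "__main__":
    print("\n".join(enumeration_checklist(SAMPLE_SCAN)))
```

In use you would feed it the real -oG file from your own lab scan; the point is that the list is generated from what the scan actually said, so a port you never got round to looking at stays visibly unticked instead of being forgotten.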
Chapter 4: The PEN-200 skill areas
OffSec does not publish percentage weights for individual topics, but the PEN-200 skill areas are well defined, and you should study each one hands-on rather than by reading. The aim of this chapter is to frame what each area is for and how it fits the whole, kept at a conceptual level, so you can structure your lab practice around them.
Exploitation, web, and client-side attacks
Exploitation is identifying a likely weakness in an exposed service and using it to gain that first foothold on a target. Study it conceptually and practise it in a safe, legal lab, always understanding why a class of weakness exists and how a defender would close it. Web application attacks cover the common categories of web weakness that can lead to an initial foothold; focus on understanding why each class of issue arises and how it would be prevented, rather than on any specific payload. Client-side attacks depend on a user interacting with something rather than on attacking a service directly; here too, learn the concept and the defensive countermeasure. Framing each area around what it achieves and why it works keeps your study both effective and ethical, and it is also how you reason on the exam when you have to recognise which kind of approach a machine invites.
Privilege escalation, Active Directory, and pivoting
Privilege escalation is moving from a low-privilege foothold to higher rights, on both Linux and Windows, and it is central to OSCP because it is half the points on every standalone machine. Active Directory attacks involve enumerating and moving through an AD environment from the assumed-compromise foothold the exam gives you, and at 40 points this is a priority area. Port forwarding and tunnelling let you pivot through machines you control to reach hosts you cannot touch directly, which is essential for working through a chained AD set. These three areas carry the most points between them, so they deserve the most lab time, and the next chapter goes deeper into the two that decide the most results.
Metasploit and working within the rules
Metasploit is a widely used exploitation framework, and its use on the OSCP exam is restricted: at the time of writing the framework, including Meterpreter payloads, may be used against only one exam machine of your choice, and the exact rules are set out in OffSec's exam guide, which you should read before the attempt. The right approach is to understand what the framework does and when it is permitted, rather than leaning on it for everything, because over-reliance on it both runs into the exam's limits and leaves gaps in the manual skills the exam is really testing. More broadly, always work within OffSec's rules of engagement and only ever practise against systems you are authorised to test, which is both an ethical baseline and a professional habit the certification is meant to instil.
Chapter 5: Privilege escalation and Active Directory, where the points are
Two areas decide more OSCP results than any others: privilege escalation on the standalone machines and the Active Directory set. Together they account for 70 of the 100 points - the 40-point Active Directory set plus the 30 escalation points across the three standalone machines - so this chapter looks more closely at how to prepare for them, while staying at the level of strategy rather than technique.
Privilege escalation on both operating systems
Privilege escalation is half the points on every standalone machine - 10 of each machine’s 20 - which means neglecting it caps your standalone score at the access points alone. It also spans both Linux and Windows, and candidates who practise one and neglect the other find themselves stuck on the exam when an unfamiliar operating system appears. The strategic advice is simple to state and hard to do: practise escalation on both Linux and Windows until the enumeration that precedes it is routine. Most escalation paths are found, again, through thorough enumeration of the foothold you have - understanding the system you landed on well enough to see what could lift your privileges - which ties this skill straight back to the methodology of Chapter 3. Treat privilege escalation as a core, repeated drill rather than an occasional topic, because the points and the time pressure both demand fluency.
The Active Directory set and assumed compromise
The Active Directory set is the largest single block of points at 40, and the exam hands you a foothold under the assumed-compromise model, so the skill tested is movement and escalation through the domain rather than initial access. This is good news for your preparation, because it tells you exactly what to practise: enumerating an AD environment from a standard user account, moving laterally between hosts, and working toward broader compromise, all of which depend on the pivoting and tunnelling skills that let you reach hosts you cannot touch directly. A further design point matters for strategy: since the November 2024 changes OffSec awards partial points within the AD set, so you no longer have to fully clear it to earn anything from it. That makes steady, documented progress through the domain valuable even if you do not finish, and it reinforces the theme that documented partial achievement is real points on this exam.
Why these areas reward methodology over tricks
Both of these high-value areas reward the same thing: a disciplined, repeatable approach grounded in enumeration, rather than a memorised catalogue of exploits. The machines are built so that thorough, methodical work finds the path, which is why the candidates who pass are usually the ones with the most lab repetitions behind a fixed methodology, not the ones who memorised the most. Let the points guide your hours toward escalation and AD, and let methodology rather than trick-collection guide how you practise them.
Chapter 6: The report, where earned points become marks
It is possible to compromise enough machines to pass and still fail, and the reason is the report. On OSCP the report is not paperwork after the real work; it is the deliverable that converts what you did into points, and the exam allots a further 24 hours specifically for it. Treating documentation as an afterthought is one of the most painful and avoidable ways to lose a pass.
Why the report is part of the exam
Points only count if they are documented clearly enough for someone else to reproduce your steps. That standard is deliberate, because it mirrors real penetration-testing work, where a finding that cannot be reproduced and understood by the client is of little use. A machine you compromised but documented poorly may not earn its points, which means the report directly determines your score, not just your professionalism. Internalising that the report is part of the exam - not a formality bolted on at the end - is the mental shift that protects the points you worked hard to earn.
Building documentation into your workflow
The way to make the report reliable is to make documentation a habit long before exam day, by writing a short report for every machine you practise on. Capture your steps and the evidence as you go, including the screenshots and proof tokens that show what you achieved, so that on the exam you are assembling a record you have been keeping all along rather than trying to reconstruct twenty hours of work from memory at hour twenty-three. The discipline of documenting as you work also guards against a classic trap: getting absorbed in the attack, achieving access, and moving on without recording how, only to be unable to recreate it later. Note your steps in the moment, every time, on every practice box, until it is automatic.
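The habit described here can be made mechanical: a per-target ledger where every claimed milestone must carry the steps that reached it and the evidence that proves it, checked before you ever call a machine "done". The code below is an added example written for this guide, not the page's own material and not an OffSec tool. The milestone names and the idea of recording a screenshot path and a proof token per milestone are this example's conventions; the evidence OffSec actually requires, and its format, is defined by their current exam guide.

```python
"""Evidence ledger for lab and exam notes (added example, not OffSec's).

Convention assumed here: two milestones per target, each needing a screenshot
and a recorded proof token, plus a logged step trail for reproducibility.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

MILESTONES = ("initial_access", "privilege_escalation")


@dataclass
class Step:
    when: str
    command: str
    note: str


@dataclass
class Evidence:
    milestone: str
    screenshot: Optional[str] = None
    proof_token: Optional[str] = None


@dataclass
class TargetNotes:
    name: str
    steps: list = field(default_factory=list)
    evidence: dict = field(default_factory=dict)
    claimed: set = field(default_factory=set)

    def log_step(self, command, note="", when=None):
        """Record a step the moment it is run, with a UTC timestamp by default."""
        stamp = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.steps.append(Step(stamp, command, note))

    def claim(self, milestone, screenshot=None, proof_token=None):
        """Claim a milestone, attaching whatever evidence exists right now."""
        if milestone not in MILESTONES:
            raise ValueError(f"unknown milestone {milestone!r}")
        self.claimed.add(milestone)
        self.evidence[milestone] = Evidence(milestone, screenshot, proof_token)


def gaps(target):
    """Human-readable gaps that would cost a claimed milestone its points."""
    problems = []
    for m in sorted(target.claimed):
        ev = target.evidence.get(m)
        if ev is None or ev.screenshot is None:
            problems.append(f"{target.name}/{m}: no screenshot")
        if ev is None or ev.proof_token is None:
            problems.append(f"{target.name}/{m}: no proof token recorded")
    if target.claimed and not target.steps:
        problems.append(f"{target.name}: milestones claimed but no steps logged; not reproducible")
    if "privilege_escalation" in target.claimed and "initial_access" not in target.claimed:
        problems.append(f"{target.name}: escalation claimed without documenting the foothold it started from")
    return problems


def ready_to_submit(targets):
    """True only when every target's claims are fully evidenced."""
    return all(not gaps(t) for t in targets)


if __name__ == "__main__":
    # Constructed walkthrough: one step logged, escalation claimed without its token.
    box = TargetNotes("lab-01")
    box.log_step("nmap -sV -oG scans/lab-01.gnmap 10.10.10.5", "initial scan")
    box.claim("initial_access", screenshot="shots/lab-01-local.png", proof_token="<redacted>")
    box.claim("privilege_escalation", screenshot="shots/lab-01-root.png")
    for problem in gaps(box):
        print("GAP:", problem)
```

Run against your own notes, an empty gap list is the condition for moving to the next target; anything else is a point you have earned but not yet protected.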
What good documentation aims at
Aim for a report that is clear, reproducible, and complete: clear enough that a reader can follow your reasoning, reproducible enough that they could repeat your steps, and complete enough that every point you are claiming is evidenced. You do not need literary polish; you need accuracy and reproducibility. Because you will have written a small report for every practice machine, the exam report becomes a familiar exercise rather than a frantic scramble, which is exactly the advantage the habit was building. Always follow OffSec’s current submission requirements for format and proof, since those details are updated over time.
Chapter 7: Study plan and lab strategy
OSCP is won in the lab, not on paper, so the plan front-loads fundamentals and then spends most of its time on hands-on practice and documentation. The shape of the plan matters less than the principle behind it: relentless, methodical practice against safe, legal machines, with a report for each one.
How long it takes and where the hours go
Most candidates need 200 to 400 or more hours over three to six months. People with a strong Linux and networking background may compress that; those newer to hands-on offence should expect the upper end and a longer runway, because they are building fundamentals and offensive skill at the same time. Wherever you start, the hours go into practising against lab machines, not into reading, and the single best predictor of readiness is how many machines you have worked end to end behind a consistent methodology.
A realistic sequence
A balanced plan runs about sixteen weeks at roughly 10 to 15 hours a week. Begin with fundamentals - networking, the Linux command line, and basic Bash or Python - then build your enumeration methodology until it is automatic on every target. From there, work through service exploitation, then web application weaknesses, in a safe lab. Spend substantial time on privilege escalation, first on Linux and then on Windows, since it is half the standalone points. Add client-side concepts and the port forwarding and tunnelling that pivoting requires, then move to the Active Directory set under the assumed-compromise model, practising movement through a domain from a foothold. Finish with full, end-to-end practice machines that mirror the exam, compromising and escalating without hints, and a dedicated stretch on report writing and weak-area revision. People with a strong background can drive a twelve-week intensive at around 20 hours a week; those newer to offence should stretch to twenty-four weeks at a gentler pace and build the fundamentals properly first.
Lab principles that decide readiness
A few principles matter more than the exact schedule. Adopt a fixed methodology early and repeat it on every machine, so process becomes reflex. Write a short report for every box, so documentation becomes automatic. Prioritise privilege escalation on both operating systems and the Active Directory work, because that is where the points concentrate. And practise full machines end to end as you near the exam, rather than isolated exercises, because the exam is an endurance event and you need the stamina of complete compromises under time. Do not seek out leaked or recycled exam content; the exam is a hands-on practical, such material violates OffSec policy, and because the real test is skill against machines you have not seen, it would not prepare you anyway. If you are not yet solid on networking and Linux, build those fundamentals first - for example through Network+ or Security+ - before the exploitation-heavy material, since attempting OSCP without them wastes both time and money.
Chapter 8: Exam day, pacing, and endurance
The OSCP exam is as much an endurance event as a technical one, and candidates who prepared the technical skills but not the stamina and pacing often underperform what their ability should deliver. This final chapter is about getting the most from the 24 hours.
Treating the day as a managed engagement
Approach the exam as a long, managed engagement rather than a sprint. You have roughly 23 hours 45 minutes of attack time, which is long enough to need real pacing and breaks, not a dash you can power through on adrenaline. Run your fixed methodology on each target the same way you have in the lab, and when you get stuck, return to enumeration rather than guessing, because that reflex - built over months of practice - is exactly what carries you through the hard moments on the day. Take screenshots and notes as you go, every time, so the report is being assembled while you work rather than reconstructed afterward.
Pacing, points, and knowing when to move on
Let the scoring guide how you spend the hours. Because the Active Directory set is 40 points and standalone machines reward both access and escalation, a balanced run that makes documented progress across several targets is usually a more reliable path to 70 points than an obsessive focus on fully finishing one stubborn machine. Know when to move on: if a target is consuming hours with no progress, the disciplined choice is often to bank the points you have documented elsewhere and come back later with a fresh perspective. Manage rest deliberately too - stepping away briefly to reset is a legitimate tactic over a 24-hour window, and tired, tunnel-visioned work is where mistakes and missed enumeration happen. Crucially, leave clear time at the end of the attack window, and within the further 24 hours, to write the report properly, because unprotected points - real compromises you never documented - are the most heartbreaking way to fall short of 70.
The mindset that passes
The candidates who pass are rarely the ones who memorised the most. They are the ones who built a reliable methodology, practised enough lab machines that unfamiliar targets feel approachable, drilled privilege escalation and Active Directory until those high-value areas were routine, and made documentation a habit so the report protected their points. If you have done that work, exam day becomes the application of skills you have rehearsed hundreds of times rather than a leap into the unknown, which is precisely the advantage all those lab hours were building. Confirm the current exam structure, rules, and submission requirements with OffSec before you book, since the details are updated over time.