OSCP is built on OffSec’s PEN-200 course (Penetration Testing with Kali Linux). Unlike some certifications, OffSec does not publish percentage weights for each topic, so this is a plain-English summary of the skill areas the course and hands-on exam cover. The official course page is authoritative.
A note on scoring: the exam is not marked by topic weight but by points. The Active Directory set is worth 40 of the 100 points and the standalone machines are worth 60, and you need 70 to pass.
| # | Skill area | What it covers |
|---|---|---|
| 1 | Enumeration | Systematically discovering hosts, ports and services |
| 2 | Exploitation | Identifying and using a weakness to gain initial access |
| 3 | Web application attacks | Common web weaknesses that lead to a foothold |
| 4 | Client-side attacks | Techniques relying on user interaction |
| 5 | Privilege escalation | Moving from low-privilege access to higher rights |
| 6 | Active Directory attacks | Enumerating and moving through an AD environment |
| 7 | Port forwarding and tunnelling | Pivoting to reach otherwise unreachable machines |
| 8 | Metasploit | Using the framework appropriately within exam rules |
1. Enumeration
The foundation everything else builds on: methodically discovering live hosts, open ports and running services so you know what you are working with before attempting anything. Most OSCP progress comes from doing this thoroughly.
2. Exploitation
Identifying a likely weakness in an exposed service and using it to gain initial access on a target. Studied conceptually and practised hands-on in a safe, legal lab.
3. Web application attacks
Common categories of web weakness and how they can lead to an initial foothold. Focus on understanding why each class of issue exists and how a defender would prevent it.
4. Client-side attacks
Techniques that depend on a user interacting with something rather than attacking a service directly. Understand the concept and the defensive countermeasures.
5. Privilege escalation
Moving from a low-privilege foothold to higher rights, on both Linux and Windows. This is central to OSCP and worth practising until it becomes routine, because it is where many candidates lose time.
6. Active Directory attacks
Enumerating and moving through an Active Directory environment, starting from an assumed-compromise foothold on the exam. At 40 of the 100 points, the AD set is a priority area, not an afterthought.
7. Port forwarding and tunnelling
Pivoting through machines you control to reach hosts you cannot touch directly. Essential for working through the chained Active Directory set.
8. Metasploit
Using the Metasploit framework appropriately and within the exam’s rules. Know what it does and when it is permitted, rather than relying on it for everything.