OSCP After Action
first published: 2023-12-04
last updated: 2023-12-04

I recently completed the OffSec PWK/Pen-200 course and passed the associated OffSec Certified Professional exam. Here are my thoughts/advice/review for any friends considering doing the same course and exam.

I did the version of the course which was overhauled and updated in May 2023. I passed my exam in November 2023 on the first attempt.

The course

I found the course materials pretty good, although there were some rough spots which I attributed to the version of the course being brand new. The structure worked well for my learning style. For most techniques or principles, there is a walkthrough with a matching virtual machine for you to follow along on, and then usually a second VM that is a little different (but just a little), so you can't follow the walkthrough exactly and have to apply what you've learned. At the end of every section there are a few more difficult cumulative exercises that deviate more from the walkthroughs and often require integrating knowledge learned in previous sections. All of this worked really well for me.

I got a Learn One subscription, which provides one year of access to the course, and other introductory materials. I spent the year working part time through some of the introductory "100-level" material before starting PEN-200. I was working my regular jobs and trying to get in 10-15 hours per week. However, I ended up having to crunch to finish before my year ran out. If I did it again, I would try to take 3 months off work entirely and study full time, at least for PEN-200 and then practicing for my exam. Spacing things out did not benefit me.

How to approach the course/notes

In terms of doing the course with the exam in mind, the exam covers the course. So focus on every technique and principle taught in the course, and don't worry about mastering CTF-type techniques you'll encounter on HackTheBox or in OffSec's Proving Grounds. Take good notes on each section and technique, using whatever cheat-sheet or note reference system works for you, because the course material really is the basis of the exam. If you learn a bunch of extra stuff, you might get bogged down in rabbit holes on the exam, or overlook techniques that are covered in the course that you didn't prioritize understanding. Be familiar with the course text material itself; if your notes fail you, go back and read over the course. The answer is often there.

Exam prep

To prepare for the exam, the end of the course gives you 6 Challenge Labs: 3 of which are old exams, and 3 of which are big simulated corporate environments, with a huge number of machines (many more than the exam), many dependencies between machines, etc. The Challenge Labs aren't perfectly constructed, but they are great practice. Spending a week or more working on a single interconnected environment is great preparation. When doing the Challenge Labs, avoid going to the Discord for hints and answers too quickly. Try to solve things yourself, but also recognize when you might be wasting your study time on a useless rabbit hole. Whenever I got really stuck (after several attempts to progress on a box) I would look at all the possible approaches I had left and decide what I could try. If it seemed like some of these approaches would be a potential big time-suck/rabbit hole to nowhere, I would search the Discord carefully, just to get a sense of whether I was on the right track or not before sinking a lot of time into nothing. I would avoid spoiling the entire answer, so that I would still be figuring it out myself, even if I was pretty sure I was on the right track. You should really avoid the temptation to jump to the Discord as soon as you feel stuck. Often if you persist, take a break, work on something else and return to the problem, you'll figure it out, and that process will help you prepare for the exam. If you always go straight to the hints you won't develop that resilience and you'll be lost when you get stuck on the exam.

Personally, I didn't start practicing with the Proving Grounds Practice (PG Practice) machines until after I had finished the course material and most of the Challenge Labs. You may want to start practicing earlier depending on your background and skill level. There are lots of boxes in PG Practice that are pretty different from what's covered on the exam, just covering typical CTF stuff. Some of them require pretty arbitrary password guessing to get through as well. My advice is to focus on boxes that come from OffSec rather than from external contributors; then you'll get ones that are more in line with the PEN-200 material. As above, avoid relying too heavily on the Discord, or hints/walkthroughs, unless you really feel like you're falling into an unproductive time sink, or if you think the box might be fucked (it happens). Whenever you finish a box, check the official walkthrough to compare with your own approach.

The actual exam

First, you should get the bonus points. It's worth it to do the requisite amount of the course material and Challenge Labs to get them. If you are enough of a pro already that you can just skip that much of the course, then you probably don't need the bonus points anyway. But for most people doing the course, just get the bonus points.

If you look at the points breakdown for the exam (at least as of November 2023), there is a pretty clear approach to the exam IMO. You almost certainly need to get the AD set to pass. The AD set is also all-or-nothing: you have to get all the boxes in the AD set to get any of the points for it. If you don't get the AD set, you have to get all 3 of the standalone boxes (in addition to your bonus points) to get a passing grade. I think the AD set is usually pretty doable if you are prepared, and the wide variety of possible standalone boxes makes it more likely you will get a standalone box you won't be able to complete. It might just be a hard standalone, something that you miss, or something like an SQLi-based exploit that just takes too long to figure out manually within the exam time (and under pressure!).

So, assume you might not get all the standalone boxes. Make the AD set your priority, and the standalone boxes second. Hit the AD set first until you get stuck (if you get stuck on it), then work on the standalone boxes for a bit if you need a break. But try to get the AD set under your belt first. Then you are pretty well placed to pass with your bonus points plus full or partial points from some of the standalone boxes.

Gripes

If you are wondering if the course/certification is worth your money, here is my review/gripes. Mostly I found the course fine: a few quirks and bugs in the material/exercises, but overall pretty good. The Challenge Labs had some issues, but I still found them to be a really cool and useful part of the course. I don't think you'll find such large interconnected simulated environments to practice on from similar training providers. The exam was hard for me, but I passed on the first try.

But I have many gripes. I had a lot of issues with downtime, either the learning portal or the VPN/VMs (and you pretty much need the VPN to be working to work on the course at any stage). A few times this might have been issues on my end, but mostly it was an unplanned outage on OffSec's end, affecting everyone. Because I was working on the course part-time, this was very frustrating for me. I would have one day put aside per week to work on PEN-200, and that would be the day their infrastructure was down. I'd be out of luck until the next time I had scheduled time to work on it. The downtime was usually several hours, if not the entire day. Many of my cohort also experienced a lot of frustration with this. Given how expensive the course is, I think the uptime should be a little bit better.

I also hate Discord, and you have to use Discord in order to access certain essential parts of the course (tech support when the VPN is down, hints for the exercises and Challenge Labs). It's hard to search, and often you don't end up getting the help you need. Maybe my experience would have been different if I had been doing the course full-time and just hanging out in the Discord all day, every day, chatting with other students and sharing tips. But I didn't have a schedule that allowed for that. Mostly my experience with the Discord was searching for previous posts about a particular box or exercise, and then scanning through replies to see if anyone had answered. Any time I tried to ask for high-level help (soliciting suggestions for tools to try, asking for clarification on a theoretical or technical point) I never got an answer.

The portal itself also kind of sucks. It's slow and it's buggy. I don't see why I should need a very memory-intensive browser tab open just to look at my course material. I found that annoying.

Active Directory (AD) is covered in the course and it's a big part of the exam. It's challenging for me, and for a lot of students in general. Because it's a bit harder to provide practice environments for AD (because it requires multiple machines), there are fewer unique AD sets to practice on in preparation for the exam. There are a few in PG Practice (that you are expected to stumble upon, and I believe they are still just individual machines), and the Challenge Labs have a fair amount. But it's a lot less than some students might need, especially since the AD material tends to be challenging for more people.

Overall

Overall I think the course/certification is probably fine. My understanding is that having the OSCP will help me get a job, although I haven't started looking in earnest. The certification itself is a big part of what you are paying for. If you just want the training, and don't need the certification, HackTheBox and other sites can probably give you similar or better practice/training with structured courses, exercises, and a large selection of boxes to practice on, all for a lot less money. But, if you need the piece of paper, then OSCP is probably fine! Running a program with a proctored and fairly rigorous exam (and therefore one respected/trusted by employers) does cost money, so it makes sense that you have to pay for that versus cheaper learning platforms without a similar exam.
