OSCP Certification Overview

The Offensive Security Certified Professional (OSCP) is a hands-on penetration testing credential issued by Offensive Security (OffSec) and widely recognized across the cybersecurity industry as a benchmark for demonstrated practical exploitation skills. This page covers the credential's definition, examination structure, qualifying scenarios for pursuit, and the decision boundaries that distinguish it from adjacent certifications. The OSCP occupies a specific position within the penetration testing service sector and is frequently referenced in job requirements for offensive security roles across both private industry and federal contracting.


Definition and scope

The OSCP is a performance-based certification that validates a candidate's ability to conduct structured penetration tests against live, intentionally vulnerable machines in a controlled lab environment. Unlike knowledge-based credentials that rely on multiple-choice examinations, the OSCP requires candidates to compromise a defined number of machines within a 23-hour, 45-minute examination window and submit a professional penetration test report documenting findings and exploitation chains.

The credential is issued by Offensive Security (OffSec), a private training and certification organization that also maintains the Kali Linux distribution — the dominant open-source platform used in penetration testing engagements. The OSCP is associated with the PWK (Penetration Testing with Kali Linux) training course, which serves as the primary preparation pathway.

Within US regulatory and compliance frameworks, the OSCP is not a mandated credential under any specific federal statute. However, the Department of Defense (DoD) 8570.01-M / DoD 8140 framework — which governs cybersecurity workforce qualification requirements across DoD components — lists OSCP as an approved baseline certification for the CSSP Analyst and CSSP Infrastructure Support categories. This makes the credential operationally relevant for personnel supporting federal contracts governed by those workforce requirements.

The scope of skills validated by the OSCP aligns with the penetration testing methodology described in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, which defines phases including planning, discovery, attack, and reporting. The OSCP examination tests the attack phase directly, requiring active exploitation rather than theoretical enumeration.


How it works

The OSCP certification process follows a structured sequence with discrete phases:

  1. Course enrollment — Candidates register for the PWK course through OffSec, selecting a lab access duration. Lab access packages have historically been offered in 30-day, 60-day, and 90-day increments, with pricing published directly by OffSec.

  2. Lab training — Candidates work through OffSec's PWK course materials, which cover topics including buffer overflow exploitation, Active Directory attacks, web application vulnerabilities, post-exploitation techniques, and pivoting. The lab environment contains over 70 machines across isolated network segments as of recent course revisions.

  3. Examination scheduling — After sufficient lab preparation, candidates schedule a 24-hour examination slot. The exam presents a private VPN-connected network containing target machines assigned specific point values.

  4. Examination execution — The examination window is 23 hours and 45 minutes of active testing time. Candidates must accumulate a minimum of 70 points out of 100 available to pass. A standalone buffer overflow machine has historically been worth 25 points; Active Directory sets carry 40 points in the current exam format.

  5. Report submission — After the active exam window closes, candidates have an additional 24 hours to submit a professional penetration test report. The report must document each compromised machine with sufficient proof-of-exploitation evidence (typically including local.txt and proof.txt flag values) and must meet OffSec's formatting and technical documentation standards.

  6. Grading and certification — OffSec reviews the submitted report against its grading rubric. Candidates who meet the point threshold and submit an acceptable report receive the OSCP credential. Failure at the report stage — even with sufficient points — results in a non-passing result.

The examination does not permit frameworks that automatically exploit specific vulnerabilities. Metasploit Framework usage is restricted to a single target machine per exam attempt, a limitation that distinguishes the OSCP from assessments that permit unrestricted tooling.


Common scenarios

The OSCP is pursued across three primary professional contexts within the penetration testing service landscape:

Entry to mid-level offensive security roles — The credential functions as a hiring filter in penetration testing firms, managed security service providers (MSSPs), and internal red team programs. Job postings from organizations including US federal civilian agencies, defense contractors, and commercial security firms regularly list OSCP as a preferred or required qualification for penetration tester positions.

DoD and federal contractor workforce compliance — Personnel operating under DoD 8140 role requirements in CSSP categories must hold approved baseline certifications. The OSCP satisfies this requirement for specific roles, making it directly relevant to cleared personnel and contractors supporting Defense Information Systems Agency (DISA) or US Cyber Command programs.

Professional differentiation in bug bounty and red team contexts — Independent security researchers and internal red team operators pursue the OSCP to establish documented, third-party-validated competency distinct from self-reported skills. Bug bounty platforms such as HackerOne and Bugcrowd do not require the credential, but penetration testing firms that staff managed red team engagements frequently use it as a baseline qualification threshold.

The credential is less applicable in governance, risk, and compliance (GRC) roles, security architecture positions, or defensive security operations — domains where certifications such as CISSP (issued by ISC2) or CISM (issued by ISACA) carry greater weight.


Decision boundaries

The OSCP occupies a defined position relative to adjacent certifications, and the selection between them follows several classification criteria:

OSCP vs. CEH (Certified Ethical Hacker) — The CEH, issued by EC-Council, is a knowledge-based credential assessed primarily through multiple-choice examination. The OSCP requires live exploitation under time constraints. Hiring managers at penetration testing firms consistently weight OSCP more heavily for hands-on offensive roles; CEH carries more recognition in compliance-oriented environments where documented training hours matter more than demonstrated exploitation.

OSCP vs. GPEN (GIAC Penetration Tester) — The GPEN, issued by GIAC, also uses a proctored examination format but is not a fully hands-on exploitation exam in the same mode as OSCP. GPEN is recognized under the DoD 8140 framework for IAT (Information Assurance Technical) roles; OSCP is recognized for CSSP roles. The choice depends on which DoD role category applies.

OSCP vs. OSEP / OSED (OffSec advanced credentials) — OffSec issues advanced credentials including OSEP (Offensive Security Experienced Penetration Tester) and OSED (Offensive Security Exploit Developer). These require OSCP or equivalent demonstrated experience as a practical prerequisite and represent specialization paths rather than entry-level alternatives.

Three decision factors govern whether OSCP is the appropriate credential to pursue for a given professional context:

  1. Role type — If the target role is active penetration testing (exploitation, red teaming, adversary simulation), OSCP is directly applicable. If the role is primarily compliance auditing, architecture review, or security management, other credentials are more aligned.

  2. DoD workforce requirement — If the position requires DoD 8140 compliance in a CSSP category, OSCP satisfies the baseline requirement. The exact role requirement should be verified against the DoD Cyber Workforce Framework (DCWF) published by the Defense Cybersecurity Assessment Center.

  3. Experience level — The OSCP is designed for practitioners with foundational networking, Linux, and scripting knowledge. Candidates without prior exposure to TCP/IP, basic web application architecture, or command-line environments face a substantially steeper preparation curve. OffSec publishes prerequisite recommendations within its PWK course description that outline the expected baseline.
