OSCP Certification Review and Tips
O4C, a group formed in March 2026, is a study/research group focused on the red team — the heart of offensive security.
As the first stepping stone in our learning, O4C set a goal of having all members earn the OSCP certification, and some of us have now succeeded. Through this post, I want to put together a review of the OSCP and the tips I picked up while preparing for it. I hope it helps those of you planning to take the OSCP in the future.
What is the OSCP?
The OSCP (Offensive Security Certified Professional) is a penetration testing certification issued by OffSec, the company well known for developing Kali Linux and running Exploit-DB. It's one of the most widely recognized hands-on penetration testing certifications in the world — so well known that it frequently appears as a preferred or even required qualification in job postings for penetration testers and security consultants. In Korea it was an unfamiliar certification for a while, but with the recent surge of interest in the red team field driven by a string of breach incidents — including corporate personal-data leaks — its recognition has grown to the point where it now shows up as a preferred qualification in related job postings.
The OSCP exam runs for a total of 48 hours. During the first 24 hours (23 hours and 45 minutes, to be exact), you perform penetration and privilege escalation against an Active Directory set (three linked machines) and three independent machines, obtaining the proof files (flags) named local.txt and proof.txt on each system. Over the following 24 hours, you write and submit a penetration test report documenting your solving process.
This entire process is open-book. During the exam, you're free to search the internet for resources or refer to notes and cheatsheets you've prepared in advance.
Unlike other certifications, there are no multiple-choice questions — it's 100% hands-on, so almost no memorization is required and it closely mirrors real-world skills. Personally, that made it a much more appealing certification to me.
Review After Earning It
In terms of difficulty, the problems felt roughly Easy to Medium by HackTheBox standards. They also felt similar to the OSCP A–C challenges in the practice labs OffSec provides.
Because the Active Directory (AD) problem accounts for 40 points, I treated it as essentially impossible to pass without solving it, so I focused on the AD problem right from the start. To save time during the solve, I kicked off only basic scans on the independent machines, then — after finishing the AD set — looked at the scan results and approached them in the order that seemed easiest to get into.
I solved the entire Active Directory set within the first 2–3 hours, one independent machine took about an hour, and another dragged on longer than expected at around 4 hours. All told, I secured my target score in roughly 8 hours.
My final score came out to 40 points (AD) + 20 points (Independent Machine 1) + 20 points (Independent Machine 2), for a total of 80 points.
Overall, I didn't feel the technical difficulty of the exam itself was extremely high. What felt more important, in my experience, was experience and composure. The moment you get stuck on one machine and start flailing, several hours can vanish in an instant — and that directly eats into your exam time. So I came to feel that the OSCP is less a test of "how many difficult techniques you know" and more a test of "how many different environments you've experienced, and how quickly you can find another path when you get stuck."
Preparation Process
Since I'd been doing related work for a while, I wasn't a complete beginner — but given how expensive it is, I prepared from the fundamentals in order to pass on the first attempt.
My preparation followed three main tracks.
First, I skimmed through the OffSec learning modules quickly.
The modules themselves are enormous in volume, but — as I'll discuss again below — rather than pouring time into high-difficulty challenges like the Capstones, I went through them by quickly organizing and practicing only the core concepts and moving on.
Second, I solved as many OSCP-style machines as I could.
Since there's a limit to what you can learn from the modules alone, I invested a lot of time building experience by directly solving machines that are known to resemble the exam problems. Along the way, I organized the commands and solving patterns I used into a cheatsheet as I went.
Third, before the exam I worked through OffSec's challenge labs, the OSCP A–C set, to get a feel for it.
These labs are designed to most closely resemble the actual exam environment, so using them to get oriented before the exam was helpful.
Preparation Tips
1. Skip the Capstone problems in the learning modules
OffSec's OSCP learning modules include, in addition to the regular practice problems, the Capstone challenges — fairly advanced problems that take a lot of time.
Having tackled them myself, I think there's no real need to spend much time here, because problems of this difficulty don't appear on the exam. They certainly help your skills grow, but the learning modules are only accessible for a fixed period and are expensive — so if you want to focus on earning the OSCP quickly, I found it more efficient to build experience by solving more machines rather than doing the Capstones.
2. Experience many machines and build your own cheatsheet
I think machine problems — the OSCP included — are very heavily based on experience.
Just as solving a math problem depends greatly on whether you've encountered that problem type before (which dramatically changes both your solving time and whether you get it right), the perceived difficulty of a machine problem changes greatly depending on whether you've encountered its environment and scenario in advance. Above all, the OSCP doesn't only feature the techniques and environments you learned in the modules, so module study alone clearly has its limits.
The fastest and most effective way to build this experience is, of course, to solve a lot of machines. A quick Google search turns up plenty of documents listing OSCP-style machines on HackTheBox, TryHackMe, and so on. As you solve these, organizing your solving patterns and the commands you used into a cheatsheet means that when you get stuck on the exam or run into a type you feel you've seen before, you can refer to it and solve it easily.
In particular, since LLMs are prohibited during the exam, investing a bit of time in your cheatsheet means less flailing and a much smoother experience.
Also, rather than investing too much time in any single machine, it's a good approach to try solving it on your own for a reasonable while and then refer to a writeup when you get stuck. As I mentioned in Tip 1, I believe experiencing a wide variety of scenarios and environments is more helpful for exam prep, so I think it's better to finish one machine quickly and move on to the next. That said, there's a big difference between typing the commands yourself to experience them and simply reading and noting them visually — so even when you look at a writeup, I strongly recommend you actually type it out by hand.
3. Tackling the Active Directory problem
Because rooting all three independent machines on the OSCP exam only gets you 60 points, solving the AD problem is essentially required to pass.
It's weighted heavily at 40 points, but in my experience the AD difficulty wasn't that high. It tends to feature fundamental techniques like Windows LPE, Kerberoasting, and DACL Abuse, so anyone who has solved a fair number of AD problems can handle it.
Combining my own experience with various reviews I've seen online, the three independent machines on the exam seem to be made up of one easy, one medium, and one hard. Personally, rather than grappling with the hard independent machine and flailing, I found it much smoother to tackle the AD first — it's worth more points and its patterns are relatively standardized.
So I think focusing intensively on Active Directory problems while studying will help a lot.
4. Don't overthink it
This tip is a bit delicate, since the bar shifts depending on each person's skill level. I'm especially cautious because I'm someone who had been doing related work before earning the certification.
It might come across as humblebragging, but I really want to pass it along, because I actually lost a lot of time on the exam flailing precisely over this.
"Overthinking" is a very subjective concept, but if during the exam you see a solving path that looks overly complicated, that path is likely not the answer. The OSCP is, among other things, an entry-level penetration testing certification — so work that goes far beyond the scope of the learning modules and requires a lot of effort, such as analyzing a 1-day in a product with no public PoC to craft a complex exploit script, or targeting a weakness in asymmetric cryptography, is likely not the answer.
Of course, a path you thought was difficult might actually be the answer. But since this is a timed exam, it's better to try the easier, lower-effort paths first.
Watch out for rabbit holes! This is one tip I really want to emphasize.
5. Record in real time
The OSCP exam includes everything up through writing the report after solving the labs. Even if you solve the machines well, you won't get credit for the points unless your solving process is clearly proven in the report.
Because the lab environment closes during the report-writing period after the exam ends, it's important to capture screenshots in real time as you solve, in order to prevent the disaster of missing a solving proof or a flag screenshot.
The best approach is to write at least a rough draft of the report in advance, so you get a sense of which screenshots and records you'll need. If you finish solving early, there's no problem — but if you only start recording from scratch after already burning a lot of time on the solving phase, you can run into trouble with the report.
The OSCP is certainly not an easy exam, but I don't think it's one to be vaguely afraid of either. If you learn the concepts through the learning modules, build experience by solving a variety of machines yourself, create your own cheatsheet, and calmly allocate your time, you can absolutely pass. I hope this review is at least a small help to those of you preparing for the OSCP.