OSCP Exam Guide: How to Approach the 24-Hour Penetration Test
OSCP is the gold standard entry-level offensive security credential — and one of the hardest exams you can take. There are no multiple-choice questions. You have 24 hours to compromise target machines, and another 24 hours to write a professional penetration test report.
Pass Rate
~15–20% (first attempt)
Total Cost
$1,600–$2,200 all-in
Difficulty
Expert
Study Timeline by Background
Estimates for 1–2 hours of daily study.
CTF player / HackTheBox active user
Study Hours
300–500 hours
Timeline
3–6 months
IT/security professional, new to offensive security
Study Hours
500–800 hours
Timeline
6–12 months
Complete beginner
Study Hours
Not recommended yet
Timeline
Build fundamentals first (12–18 months)
What OSCP Actually Is
OSCP (Offensive Security Certified Professional) is OffSec's flagship penetration testing certification. The exam gives you a set of vulnerable machines in an isolated network and requires you to compromise enough of them to accumulate 70 out of 100 points. The exam also includes an Active Directory chain worth 40 points — you need the entire chain to get those points. After the 24-hour hacking window closes, you have another 24 hours to submit a professional-quality penetration test report.
⚠ Watch out
The report is not a formality. Candidates have failed OSCP despite accumulating enough technical points because their report lacked required elements (proof screenshots with specific flags and required commands, proper documentation of each step). Read OffSec's report template before the exam.
Key Tips
- ✓Points breakdown: AD chain = 40 pts (all or nothing), standalone machines = 20 pts each
- ✓You need 70/100 to pass — not all machines must be fully compromised
- ✓A professional penetration test report format is required — not just notes
- ✓The exam is completely self-contained; no internet, no hints, no help
Prerequisites You Actually Need
OffSec says 'basic familiarity with networking and Linux.' This is a massive understatement. If these skills aren't already comfortable, you'll spend your lab time learning fundamentals instead of learning to exploit — and you'll fail the exam.
✓ Pro tip
Complete TryHackMe's 'Jr Penetration Tester' path and HackTheBox's 'Starting Point' machines before buying PEN-200. If those feel comfortable, you're ready. If they feel overwhelming, keep practicing before spending $1,500.
Key Tips
- ✓Linux command line must be second nature: file system, permissions, processes, networking tools (netstat, ss, nmap), text manipulation
- ✓Networking fundamentals: TCP/IP, subnetting, DNS, HTTP/S, common ports and protocols
- ✓Scripting: Python basics for tool customization and automation; Bash for one-liners
- ✓Web application basics: HTTP request/response, cookies, basic OWASP concepts
The OSCP Preparation Path
Most candidates who pass spend 3–12 months preparing before purchasing the PEN-200 course and lab time. Lab time expires — don't buy until you're ready to use it intensively.
Key Tips
- ✓Phase 1 (free): TryHackMe 'Jr Penetration Tester' path + HackTheBox Starting Point
- ✓Phase 2 ($15): TCM Security 'Practical Ethical Hacking' on Udemy — the best pre-OSCP course
- ✓Phase 3: HackTheBox machines rated 'Easy' and 'Medium' that are OSCP-like (Lame, Blue, Legacy, Jerry, Optimum, Bastard)
- ✓Phase 4 ($1,499+): PEN-200 with 90-day lab access — complete as many lab machines as possible
- ✓Aim to complete 50+ machines in the labs before attempting the exam
24-Hour Exam Strategy
The exam is as much about mental stamina and process as it is about technical skill. Candidates fail for two equal reasons: technical gaps and poor time management.
Key Tips
- ✓Start with the Active Directory chain — it's 40 points and you need to attempt it first while fresh
- ✓After 2 hours on any single machine with no progress: move on and return later with fresh eyes
- ✓Take notes in real-time with screenshots — your report is due 24 hours AFTER the hacking window closes
- ✓Take a real break (1–2 hours of sleep or rest) around the 10–12 hour mark — fatigue causes you to miss obvious things
- ✓Document everything: commands run, output received, files found — even if you don't think you'll need it
Common Traps
- ✕Not attempting the AD chain first — many candidates run out of time before reaching it
- ✕Rabbit holes — spending 4+ hours on one path when another path exists. Set a 2-hour time limit per approach.
- ✕Poor documentation — discovering you're missing required report elements with 1 hour left
- ✕Not sleeping — the majority of first-time failures include excessive fatigue-related errors in hour 16–24
Recommended Resources
The OSCP community shares excellent resources. Don't skip the free pre-OSCP work — it dramatically increases your odds.