OSCP Review

Overview

Over the past weekend, I completed the OSCP exam and was awarded the Offensive Security Certified Professional (OSCP) certification. As is tradition with passing this exam, it is my duty to write this review :) However, as I have several years in pentesting under my belt this is not a how-to guide but purely my opinion of the coursework, exam, and state of the certification.

Course Review

I think that to be fair to Offensive Security I need to set some groundwork on what it seems their intention and approach is to learning and how I feel it should be.

Offensive Security's (OffSec) long-time motto is "Try Harder". That's great. I think it has its place in the field for sure. To be successful as an offensive security professional you must be able to motivate yourself to find the answers to solve whatever puzzle is presented to you. This is why I love this part of infosec. OffSec's coursework reflects this mentality. The coursework provides you with enough to get started on a topic but is by no means the end-all-be-all reference guide for pentesting. So, before you jump in planning to be an all-knowing expert at the end, be forewarned, you won't.

I feel that the coursework is sufficient to pass the exam but for the price, it doesn't feel quite right. This comes back to the balancing act of teaching students to "try harder" and "I paid a crap load of money for this...where's the beef?" In comparison to other competitors, the coursework is lacking but if you want to flex your Google muscles and "try harder" you will certainly get better at finding your own resources which does provide some value, just not the value I want to pay for.

Exam

The exam consists of a small number of machines, half being an Active Directory domain and the other half being stand-alone machines not joined to the domain. You are given 23 hours and 45 minutes to complete the exam which is more than enough time if you have prepared adequately. I didn't find the exam to have any surprises and was able to complete my exam in 4.5 hours.

I think that OffSec's move in late 2022 to include Active Directory is long overdue and was a great decision. Many internal network penetration tests have an Active Directory component so for this certification to stay relevant to organizations looking to recruit employees that are ready to be deployed to the field this is a must.

Back on the "try harder" thing; the exam restricts toolsets because OffSec's view of the exam is that you are being tested on your knowledge and ability to solve the puzzle presented with that knowledge, not to find the right auto-pwn tool off GitHub and run the script. I agree with this to an extent. When I am mentoring people new to pentesting I always tell them they shouldn't be running scripts or using tools that they don't understand. For one, it is not going to make you any better, and second, it is not safe or fair to your clients. You need to have an understanding of how a vulnerability works, how you can exploit it, why you are exploiting it, and how to fix it. So, the exam does a good job of ensuring this is the case. However, in the real world, use whatever tools you want.

Value of the Certification in 2023

Overall, I think that the OffSec course catalog is overpriced for what you get. I think that their competitors in eLearnSecurity/INE, HackTheBox Academy, and TCM's courses offer more value for the money in terms of learning.

The exam itself is a decent test of your knowledge but at the end of the day mimics a CTF, not a real environment. When I took the eCPPTv2 a few years ago I had to breach the perimeter of the network, establish persistence and pivot multiple times to reach different network segments through the compromised web server in the DMZ. As a hiring manager, I would feel much more comfortable hiring someone with those proven skills than someone who completed a more CTF-style exam.

The real value of OSCP comes from its reputation. I may not be a huge fan of the "try harder" mentality but it has proven itself by building the OSCP's reputation for being a very difficult certification to obtain. So, if you are looking to add a certification that will get you through HR filters, make you more appealing on paper, and overall just give you the confidence of joining the OSCP-holding family I'd say it's well worth the money. If you are looking to learn with a bit more hand-holding, I'd look elsewhere.

Hopefully, this honest review is helpful to anyone with experience under their belt that is looking to take on the exam.
