
OSCP
Exam code: PEN-200
The most respected hands-on penetration testing certification. Prove your ability to identify vulnerabilities and execute attacks in a controlled environment.


OSCP (Offensive Security Certified Professional) is widely considered the gold standard for penetration testing certifications. Unlike theory-based exams, OSCP requires you to actually hack into systems during a grueling 24-hour practical exam.
The OSCP motto is "Try Harder", reflecting the determination needed to pass.
The November 2024 split is the change to internalise: passing PEN-200 now hands you both OSCP (lifetime, the brand recruiters still ask for) and OSCP+ (three-year validity, renewable via the OffSec CPE program, a recert exam, or another qualifying OffSec exam). The exam itself is unchanged in 2026 — 23 hours 45 minutes of hands-on hacking, 24 hours to write the report, 70/100 to pass — and the Active Directory set is still mandatory, still worth 40 points, and still has no bonus points to soften a missed AD chain. Pricing is in USD because OffSec bills in USD: the PEN-200 bundle is $1,749 (90 days of labs + one attempt), Learn One is $2,749/year (two attempts), Learn Unlimited is $6,099/year. ZipRecruiter's April 2026 data puts the average US OSCP-tagged salary at $119,895/year, which lines up with the $120K post-OSCP benchmark we use elsewhere in this guide. None of that is the reason to take it — the reason is that the report you write is the closest thing to a junior pentester deliverable you'll have on file.
OSCP is designed for:
Prerequisites: While not required, you should have:
The OSCP exam is a 24-hour practical test:
| Background | Recommended Study Time |
|---|---|
| Active pentester | 3-4 months |
| Security professional | 4-6 months |
| Developer/sysadmin | 6-9 months |
| Beginner | Not recommended (build foundation first) |
The PEN-200 (OSCP) course includes:
| Certification | Style | Difficulty | Best For |
|---|---|---|---|
| OSCP | 100% practical | Advanced | Pentesters |
| CEH | Multiple choice | Intermediate | Broad knowledge |
| PenTest+ | MC + PBQ | Intermediate | Entry offensive |
The OSCP exam is unlike anything in the certification world. You receive a VPN connection pack via email at your scheduled start time. Once connected, you gain access to a network of target machines. You have exactly 23 hours and 45 minutes to compromise as many targets as possible and collect proof files (local.txt and proof.txt) from each. After the hacking phase ends, you get an additional 24 hours to write and submit a professional penetration testing report.
The exam environment is proctored via webcam and screen sharing. You must keep your camera on for the entire 24 hours. You can take breaks for food, coffee, and sleep, but your camera must remain active. The proctor will flag any suspicious activity.
Do not spend more than 2 hours on any single machine during your first pass. Start with the Active Directory set (40 points) because it offers the highest point value and, once you find the initial foothold, the chain of compromise often follows logically. Then move to the stand-alone machines. Aim to have 70+ points within the first 12 to 14 hours so you can spend the remaining time on documentation and any final attempts.
Take a 15-minute break every 3 to 4 hours. Eat real meals. Fatigue is the number one reason candidates who had the technical skills to pass still fail. Many successful OSCP holders report sleeping for 3 to 4 hours during the exam and returning with fresh eyes to crack a machine they were stuck on.
The biggest mistake is rabbit-holing: spending 5+ hours on a single machine while ignoring easier targets. Another common failure is poor note-taking. If you cannot reconstruct your exploitation steps from your notes, you cannot write the report, and an incomplete report means lost points even on machines you compromised. Always document commands, screenshots, and output as you go.
The ideal OSCP preparation follows three phases: Foundation (1 to 2 months), where you build core skills in networking, Linux, and scripting; Course (2 to 3 months), where you work through the PEN-200 material and lab machines; and Practice (1 to 2 months), where you sharpen your skills on external platforms.
Included with OSCP:
External platforms (essential supplements):
Books:
| Background | Phase 1 (Foundation) | Phase 2 (Course) | Phase 3 (Practice) | Total |
|---|---|---|---|---|
| Active pentester | Skip | 2 months | 1 month | 3 months |
| Security professional | 1 month | 2 months | 1 to 2 months | 4 to 5 months |
| Developer/sysadmin | 2 months | 3 months | 2 months | 7 months |
Beyond the OffSec labs, build your own practice environment. Use VulnHub (free) to download vulnerable VMs. Set up an Active Directory home lab with at least two Windows machines and a domain controller; AD exploitation is now worth 40% of the exam.
OSCP is the most requested certification in penetration testing job postings. Roles that frequently require or strongly prefer it include: Penetration Tester, Red Team Operator, Offensive Security Engineer, Application Security Tester, and Security Consultant (offensive). At the senior level, OSCP is often the minimum baseline, with OSEP or OSED expected as additional qualifications.
| Region | Before OSCP | After OSCP | Increase |
|---|---|---|---|
| United States | $85,000 | $120,000 | +41% |
| European Union | EUR 55,000 | EUR 78,000 | +42% |
| United Kingdom | GBP 50,000 | GBP 72,000 | +44% |
| Remote (global) | $75,000 | $110,000 | +47% |
In offensive security hiring, OSCP is the single strongest signal on a resume. Recruiters and hiring managers know that an OSCP holder has proven they can independently compromise systems under time pressure. Unlike theory-based certifications, there is no way to pass OSCP without genuine hands-on ability. Many job postings in penetration testing list "OSCP or equivalent practical experience" as a hard requirement.
OSCP opens doors to mid-level and senior penetration testing roles immediately. From there, the typical path is: OSCP (Penetration Tester), then OSEP/CRTO (Senior Pentester/Red Team Lead), then management or specialization (AppSec, Cloud Security, or Red Team Director). Many OSCP holders transition into independent consulting within 3 to 5 years, where day rates range from $1,500 to $3,000.
OffSec updated OSCP pricing in 2025. The bundles available in 2026 are listed below. EUR amounts are approximate (OffSec bills in USD).
| Item | 2026 Cost |
|---|---|
| PEN-200 Course + 90 days lab + 1 exam attempt | ~€1,610 ($1,749 USD) |
| Learn One annual subscription (1 year + 2 exam attempts) | ~€2,530 ($2,749 USD) |
| Learn Unlimited annual subscription | ~€5,610 ($6,099 USD) |
| Additional lab time (30 days, if needed) | ~€330 ($359 USD) |
| Retake exam voucher | ~€230 ($249 USD) |
| Hack The Box subscription (3 months) | ~€39 ($42 USD) |
| Proving Grounds Practice subscription (2 months) | ~€35 ($38 USD) |
| Total (first attempt, minimal) | ~€1,650 to €1,685 |
| Total (with extra lab + retake) | ~€2,245 |
OSCP does not expire. Once earned, you hold it for life with no renewal fees, no continuing education requirements, and no annual maintenance. This is a significant advantage over certifications like CEH or Security+ that require periodic renewal.
With an average salary increase of $35,000 per year and a total investment of approximately $2,000, OSCP delivers a 1,650% return in the first year. For many professionals, OSCP represents the single highest-ROI career investment they will ever make. Even if you need two attempts, the ROI remains extraordinary.
OffSec occasionally runs promotions around Black Friday and during cybersecurity awareness month (October). Eligible US learners can split enrollment into 3 to 4 interest-free payments or finance through Klarna. The Learn One annual subscription (~€2,530 / $2,749 USD) provides access to PEN-200 plus another 200 or 300-level course, the associated labs, and two exam attempts; it is more cost effective if you plan to pursue OSEP, OSWE, or OSWP afterward. Some employers fund OSCP preparation as professional development; present it as an investment that directly improves your organization's security testing capabilities.
OffSec introduced the OSCP+ designation in November 2024. Anyone who passes the OSCP exam after that date is awarded both designations automatically. The two differ only in validity and renewal, not in difficulty or recognition.
| Aspect | OSCP | OSCP+ |
|---|---|---|
| Validity | Lifetime | 3 years |
| Renewal required | No | Yes, before the OSCP+ designation expires |
| Renewal options | n/a | Recertification exam, qualifying OffSec exam, or CPE program |
| Awarded together | Yes (post Nov 2024) | Yes (post Nov 2024) |
Existing OSCP holders who passed before November 2024 keep their lifetime credential. They can opt into OSCP+ by completing one of the renewal paths if they want the more recent designation. If you do not renew OSCP+, the lifetime OSCP credential is retained.
For most working pentesters, the choice is clear: pass once, hold the lifetime OSCP, and decide whether to maintain the plus designation based on whether your employers, clients, or job postings explicitly require it.
OSCP demands prerequisites that are not always in place when career-changers attempt it directly. The Unihackers Cybersecurity Bootcamp builds the foundation that turns OSCP from a wall into a realistic next step:
Graduates who target OSCP typically attempt the exam six to twelve months after the bootcamp, after dedicated lab time on Hack The Box and Proving Grounds. See the Security+ to OSCP pathway for the full progression.
Before purchasing PEN-200, you should be able to:
Schedule your exam only after you have: completed all PEN-200 exercises, compromised at least 40 OffSec lab machines, completed 20+ Hack The Box or Proving Grounds machines, and documented your methodology for each major attack type. If you can root a medium-difficulty Hack The Box machine in under 2 hours, you are likely ready.
OSCP is a test of persistence as much as skill. You will get stuck. You will feel frustrated. That is the point. The "Try Harder" mentality is not about brute force; it is about systematically enumerating every possibility before concluding you have hit a dead end. During the exam, if you feel stuck, walk away, take a break, and come back. Clarity often arrives after rest.
The exam machines are designed to be solvable with the tools and techniques taught in PEN-200. If you find yourself using obscure 0-day exploits or extremely complex attack chains, you are likely overthinking. The intended path is usually simpler than you expect.
Enumeration is everything. At least 80% of your time should be spent on information gathering and enumeration, not running exploits. The candidates who fail are typically the ones who jump to exploitation too quickly without thoroughly understanding what services are running and how they interact.
Your report matters more than you think. OffSec has failed candidates who compromised enough machines for a passing score but submitted inadequate reports. Use screenshots for every significant step. Document the exact commands you ran. Explain your reasoning.
Schedule your exam to start on a Friday or Saturday morning. This gives you the full 24 hours over a weekend when you are less likely to have work obligations. Start at 8:00 or 9:00 AM so your most productive hours align with the beginning of the exam when your energy is highest. Avoid starting in the evening; fatigue will compound as the night progresses.
Stop practicing 48 hours before the exam. Cramming new techniques at the last minute creates confusion. Instead, review your personal notes and methodology cheat sheets. Prepare your snacks, meals, and caffeine supply. Test your VPN client and webcam. Get two full nights of sleep. You have trained for months; trust your preparation.
| Metric | EUR | USD |
|---|---|---|
| Average before | €61,000 | $85,000 |
| Average after | €86,000 | $120,000 |
| Average increase | €25,000 (+41%) | $35,000 |

Source: Offensive Security Career Survey 2024
OSCP is considered one of the hardest security certifications. It is a 23 hour 45 minute practical exam followed by 24 hours to write a professional report. You must compromise systems, not memorise theory.
Preparation varies: 3 to 4 months for active pentesters, 4 to 6 months for security professionals, 6 to 9 months for developers and sysadmins. Beginners should build foundations first.
For penetration testing roles, yes. OSCP proves practical hacking ability while CEH is theory-based. However, CEH is better for compliance-focused positions.
You can purchase additional exam attempts for ~€230 ($249 USD) each. Many candidates fail their first attempt; it is expected and part of the learning process.
The standard PEN-200 bundle is ~€1,610 ($1,749 USD) and includes the course, 90 days of lab access, and one exam attempt. The Learn One annual subscription is ~€2,530 ($2,749 USD) and includes one year of access plus two exam attempts. Learn Unlimited is ~€5,610 ($6,099 USD) per year. Each retake voucher is ~€230 ($249 USD). OffSec bills in USD; EUR amounts are approximate at May 2026 rates.
OSCP+ was introduced in November 2024. Both designations are awarded together when you pass the exam. OSCP is valid for life. OSCP+ expires after three years and must be renewed via a recertification exam, another qualifying OffSec exam, or completion of the OffSec CPE program. Existing OSCP holders keep the lifetime credential even if they do not renew the plus.
The exam is 23 hours and 45 minutes of practical hacking followed by 24 hours to submit the report. You must compromise 3 standalone machines (20 points each) and 1 Active Directory set (40 points: 10 for initial access plus 10 for each of 3 privilege escalations). Passing score is 70 out of 100.
Foundational bootcamps build the prerequisites OSCP demands: Linux and Windows command-line fluency, networking, basic scripting, and structured penetration testing methodology. The Unihackers Cybersecurity Bootcamp Unit 10 introduces ethical hacking and offensive technique, which is the SOC-side foundation that makes a serious OSCP attempt realistic six to twelve months after graduation.
Authoritative sources for exam objectives, study guides, and hands-on labs.
Course outline, lab access details, and current pricing from OffSec.
Official rules, scoring, AD set, and report submission requirements.
Hands-on path widely used as supplementary OSCP preparation.
Web vulnerability classification used during the exam web component.
Official rules for OSCP+ renewal via CPE credits and annual maintenance.
Reference framework for the initial access techniques you must execute on AD targets.
Methodical web testing checklist that mirrors the web exploitation phase of PEN-200.
Foundation path
OSCP rewards practitioners who already have hands-on defensive or offensive experience. The Unihackers Cybersecurity Bootcamp gives you 360 hours of structured training, CompTIA Security+ as a foundational credential, and the lab depth that makes the next certification realistic to attempt.