From Security+ to OSCP: A Realistic Certification Pathway
How to bridge from CompTIA Security+ to OSCP without skipping the technical layers in between, including the intermediate certifications, lab volume, and study patterns that decide who actually passes.
Prerequisites
- CompTIA Security+ already earned or in progress
- Comfort with Linux command line and basic networking
- At least six months available for sustained certification work
Outcomes
- Map the realistic certification ladder from Security+ to OSCP
- Identify which intermediate certifications add value vs which are noise
- Plan the lab volume needed to pass OSCP on the first or second attempt
- Avoid the most common stalls in the offensive certification journey
Steps
1. Solidify the Security+ foundation
Security+ covers concepts at breadth, not depth. Before moving to offensive work, make sure you can apply Security+ topics to actual systems: configure a basic SIEM, harden a Linux box, map network segmentation.
2. Add intermediate breadth with PenTest+ or CEH
PenTest+ from CompTIA is the most directly relevant next step. CEH is more recognised by traditional employers but lighter on practical depth. Pick one based on your target employer pool.
3. Build offensive lab volume on TryHackMe and HTB
Methodology beats raw skill at OSCP. Aim for 100+ completed boxes across TryHackMe and Hack The Box, with notes on each. Volume matters more than difficulty at this stage.
4. Study the PEN-200 syllabus deliberately
Buy the official PEN-200 course. Work through the labs methodically, not as fast as possible. Document every technique. Do not skip lab boxes that feel slow.
5. Take OSCP with realistic expectations
First-attempt pass rate is roughly 40 percent for prepared candidates. Plan for two attempts in your timeline. Treat the first attempt as a serious diagnostic if it fails, not a defeat.
Why This Specific Pathway Matters
The certification path from Security+ to OSCP is one of the most asked-about and one of the most poorly executed in cybersecurity. Most candidates either jump too fast and fail OSCP repeatedly, or they over-invest in intermediate certifications that do not actually compound toward offensive depth. The right pathway is bounded, deliberate, and built around lab hours rather than exam dates.
Security+ to OSCP is realistic. Security+ to OSCP in three months is not, for most people. The honest timeline is six to twelve months, depending on how much offensive practice you build alongside the certifications.
Why Security+ Alone Is Not Enough
Security+ is a credible foundation, but it covers concepts at breadth. OSCP demands operational offensive depth across web exploitation, Active Directory abuse, privilege escalation, and report writing under deadline. The gap between Security+ knowledge and OSCP performance is significant and usually closed by hands-on practice, not more certifications.
Skipping the intermediate practice stage is the single most common reason OSCP attempts fail. Candidates know the concepts, but they have not built the muscle memory required to chain techniques under pressure.
The Intermediate Certifications
Two realistic intermediates exist:
PenTest+ from CompTIA. More practical, more directly aligned with OSCP methodology. Cheaper than CEH. Less recognised by traditional employers but more useful as actual preparation.
CEH from EC-Council. More recognised by HR filters, especially in government-adjacent employers. Lighter on practical depth, more conceptual. Useful if your target employers explicitly list CEH.
Most candidates who succeed at OSCP did one of these or built equivalent practical experience. You do not need both. Pick one based on your employer pool, then move on.
The Lab Volume That Actually Matters
OSCP rewards methodology and stamina, not raw skill. The methodology comes from volume:
- 80 to 100 TryHackMe rooms covering Linux, Windows, web, and Active Directory paths
- 30 to 50 Hack The Box machines completed without walkthroughs
- The PEN-200 lab environment worked through methodically, not rushed
Document everything. Build a personal cheat sheet of techniques. The exam is faster than the lab, but the techniques you use are the ones you learned in the lab.
Where the Bootcamp Fits
The Unihackers Cybersecurity Bootcamp covers the foundational and SOC-side material that gives Security+ context, plus introductory penetration testing in module m10. For candidates targeting OSCP after the bootcamp, the bootcamp is a defensive-first foundation that complements offensive certification work rather than replacing it. See the curriculum guide for the module breakdown, or the "Is the bootcamp worth it?" guide for the cost-benefit analysis.
Why the Gap Between Security+ and OSCP Is Bigger Than Most People Think
Security+ tests recognition. OSCP tests construction. The Security+ exam asks whether you can identify a SQL injection in a multiple choice question. OSCP asks whether you can find an injection point in a custom application, weaponise it into remote code execution, pivot to a database server, dump credentials, reuse them across hosts, and then escalate to a domain controller, all while writing legible notes and managing time under deadline. These are not the same skill stack.
The cognitive load difference is what trips up most candidates. Security+ rewards memorisation of acronyms and frameworks. OSCP rewards stamina across a 24 hour exam window where every wrong rabbit hole costs points and minutes you cannot recover. The credential gap reflects a real skill gap, not a marketing hierarchy.
Reading the Security+ certification guide and the OSCP certification guide side by side surfaces the difference clearly: one is breadth at recognition level, the other is depth at execution level under time pressure.
The 2024+ OSCP Syllabus: What Changed and What It Means for Your Study Plan
The PEN-200 course was significantly restructured in 2024. The most important changes for planning your study:
- Buffer overflow chapters were removed in 2022. Time previously spent grinding 32-bit stack overflows is now better spent on web exploitation and Active Directory.
- Active Directory weight increased. The exam includes an AD set worth 40 points (three chained machines covering domain user, lateral movement, and domain admin) plus three standalone machines worth 20 points each.
- Web application coverage expanded. Modern PEN-200 covers SQL injection, XXE, file upload bypass, SSRF, and template injection at a working level. The PortSwigger Web Security Academy is the natural complement.
- Client side and AV bypass content was reduced. Antivirus evasion is touched but not the focus.
Translation for your study plan: web exploitation and Active Directory should account for roughly 70 percent of your preparation time. Linux and Windows local privilege escalation are the next priority. Everything else is secondary.
Your Pre OSCP Lab Sequence (THM, HTB Academy, PG Practice)
A sensible pre OSCP lab sequence, in the order most candidates benefit from:
- TryHackMe Offensive Pentesting path. The friendliest on-ramp. Covers enumeration, exploitation, AD basics, and privilege escalation. Plan 60 to 100 hours.
- HackTheBox Academy CPTS path. Denser and more methodology heavy. The pentesting modules and AD enumeration modules are the most directly relevant to OSCP. Plan 150 to 250 hours for the full path.
- PortSwigger Web Security Academy. Free, exhaustive, and the gold standard for web exploitation. Complete the apprentice and practitioner labs at minimum.
- OffSec Proving Grounds Practice. The closest analogue to the OSCP exam machines. Work through the boxes from the Tj_Null OSCP-like list. This is the final calibration before the exam.
- Retired HackTheBox boxes with writeups available. Older boxes such as Lame, Bashed, and Granny illustrate enumeration and chaining patterns even when the CVEs are dated.
The sequence matters. Skipping straight to HTB Academy without TryHackMe context produces frustration. Skipping Proving Grounds before the exam produces a shock on exam day.
eJPT and CPTS as Honest Stepping Stones
Two intermediate offensive certifications are worth considering before OSCP:
eJPT (eLearnSecurity Junior Penetration Tester). Affordable, hands-on, and aligned with the basics of methodology. Useful as a confidence builder and a checkpoint that you can pop boxes under exam conditions. Not employer recognised at the same level as OSCP, but a legitimate stepping stone.
CPTS (HackTheBox Certified Penetration Testing Specialist). The closest direct analogue to OSCP in technical depth. Some practitioners argue CPTS is harder than OSCP in places. It is exam-plus-report based, and the content from HTB Academy directly prepares you for it. CPTS is gaining traction with employers in 2026 but is still less recognised than OSCP for HR filters.
Neither replaces OSCP for most employer searches, but either substantially de-risks the OSCP attempt. Pick one if you want a confidence checkpoint between PenTest+ or CEH and OSCP.
Active Directory: The Hardest 60% of Modern OSCP
The AD set on the OSCP exam is worth 40 points and is the single most decisive component. In practice, candidates who do not feel comfortable with Active Directory attack chains do not pass.
The minimum AD attack chain you need to execute fluidly:
- Initial access. Kerberoasting, AS-REP roasting, password spraying, SMB null sessions, weak credentials on exposed services.
- Enumeration. BloodHound, ldapsearch, PowerView, manual SMB and LDAP queries. Map the graph before chaining.
- Lateral movement. Pass-the-hash, pass-the-ticket, abuse of constrained or unconstrained delegation, SeImpersonate via Juicy Potato or PrintSpoofer, abuse of GPO permissions.
- Domain escalation. DCSync, abuse of ACLs, ESC1 to ESC8 ADCS abuses, Silver and Golden tickets where applicable.
HTB Academy AD modules and the OffSec PEN-200 AD chapters cover the full chain. TryHackMe Wreath, Throwback, and AD oriented rooms are useful for practice. If AD feels uncomfortable a month before your exam date, postpone the exam.
Enumeration Discipline (the difference between pass and fail)
The single most cited reason candidates fail OSCP is poor enumeration discipline. Knowing the exploits is rarely the bottleneck. Finding the right vulnerable surface is.
A workable enumeration discipline:
- Run scans in parallel and read them in full. A masscan plus full-port nmap plus vuln script run is a baseline, not a finish line.
- Document every service and version. A target with eight services should have eight sub sections in your notes before you start exploitation attempts.
- Set time boxes per attack vector. 45 minutes on a vector without progress means you missed something earlier in enumeration. Go back, do not push.
- Maintain a checklist per host type. Linux web server, Windows AD member, Windows DC: each has a different default checklist. Build them in advance.
Methodology over tools. Candidates who pass tend to use the same ten tools repeatedly with discipline. Candidates who fail tend to rotate through fifty tools without a flow.
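The per-service documentation and per-host-type checklist described above can be mechanised so the notes exist before any exploitation attempt. The following is an added example, not code from the article: it parses nmap XML output into a notes skeleton. The sample scan, the host-type rules and the checklist items are constructed assumptions.

```python
# Added example, not from the article: a notes skeleton from nmap XML (constructed sample below),
# one section per open service plus a checklist for the guessed host type.
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<nmaprun><host><address addr="10.10.10.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="88"><state state="open"/><service name="kerberos-sec"/></port>
<port protocol="tcp" portid="389"><state state="open"/><service name="ldap" product="Microsoft Windows Active Directory LDAP"/></port>
<port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
<port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
</ports></host></nmaprun>"""

# Illustrative checklists (assumed); the advice above is to build your own in advance.
CHECKLISTS = {
    "Windows DC": ["LDAP anonymous bind checked", "SMB signing and null session checked"],
    "Windows member": ["SMB shares reviewed", "WinRM exposure noted"],
    "Linux web server": ["Directory enumeration done", "Application version recorded"],
    "Unknown": ["Every open port reviewed manually"],
}

def classify_host(services):  # DC rule runs first so 88+389 beats 445
    ports = {s["port"] for s in services}
    if {88, 389} <= ports:
        return "Windows DC"
    if ports & {135, 445}:
        return "Windows member"
    return "Linux web server" if 22 in ports and ports & {80, 443} else "Unknown"

def parse_nmap(xml_text):
    """Return {ip: [{port, service, version}, ...]}, keeping open ports only."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        services = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports do not get a notes section
            attrs = getattr(port.find("service"), "attrib", {})  # <service> may be absent
            services.append({"port": int(port.get("portid")), "service": attrs.get("name", "unknown"),
                             "version": attrs.get("product", "")})
        hosts[host.find("address").get("addr")] = services
    return hosts

def notes_skeleton(xml_text):
    lines = []
    for ip, services in parse_nmap(xml_text).items():
        host_type = classify_host(services)
        lines.append(f"# {ip} ({host_type}, {len(services)} open services)")
        for s in services:  # one sub section per service, as the discipline requires
            lines += [f"## {s['port']}/tcp {s['service']} {s['version']}".rstrip(), "- findings:\n- next step:"]
        lines += ["## Checklist"] + [f"- [ ] {item}" for item in CHECKLISTS[host_type]]
    return "\n".join(lines)
```

Run `print(notes_skeleton(SAMPLE_NMAP_XML))` to get a markdown skeleton with three service sections and the DC checklist; the filtered 3389 port is left out.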
The 24 Hour Exam and the 24 Hour Report
OSCP is a 24 hour technical exam followed by a 24 hour report writing window. Both windows are graded.
Exam window time management.
- First 2 hours: full enumeration of all targets, no exploitation attempts. Build the picture.
- Hours 2 to 16: exploitation, pivoting, escalation. If a box does not break after 90 minutes of focused work, move on and return to it later.
- Hours 16 to 22: cleanup, screenshots, missing flag verification, reattacks if needed.
- Hours 22 to 24: structured rest, hydration, final flag and proof submission.
Sleep at least four hours during the window. Candidates who push 24 hours awake degrade past the point of useful work after hour 18.
Report window.
The report is graded. A technically successful exam with a sloppy report can still fail. Use the OffSec template, include reproduction steps, screenshots with timestamps, and a clear executive summary. Treat the report like a deliverable for a paying client, because in your future pentester role it will be one.
A Realistic 6 to 9 Month Study Plan
For a candidate with Security+ already earned and 10 to 15 hours per week available:
- Months 1 to 2. TryHackMe Offensive Pentesting path. Light Linux and Windows privilege escalation labs. Optional eJPT.
- Months 3 to 4. HTB Academy CPTS path modules, focus on enumeration, web, and Active Directory. PortSwigger Web Security Academy in parallel.
- Months 5 to 6. OffSec PEN-200 course, full lab environment. Document every box.
- Months 7 to 8. Proving Grounds Practice on the Tj_Null OSCP-like list. AD focused boxes. Mock 24 hour exam.
- Month 9. Light review, exam attempt, buffer for retake if needed.
Full time candidates can compress this into four months. Candidates with under eight hours per week realistically need 9 to 12 months. There is no shame in either timeline.
What OSCP Opens (and What It Does Not Open)
OSCP is the most respected entry to mid level offensive security credential in the market. What it opens, in order of frequency:
- Junior to mid penetration tester roles at consultancies and internal red teams
- Application security roles where offensive perspective is valued
- Promotion within SOC, blue team, or detection engineering teams that value attacker perspective
- A salary increase typically in the range of 15 to 30 percent above non-OSCP peers in the same role band
What it does not open:
- Senior red team or specialised exploitation roles. Those need OSEP, OSED, or equivalent depth.
- Cloud security architecture roles. OSCP is on-prem and AD focused. Cloud requires its own credential stack.
- Roles requiring specific clearances or citizenship, where OSCP is rarely the limiting factor.
For a related path that uses OSCP as the bridge from defensive to offensive work, see the SOC Analyst to Penetration Tester pathway.
Common Stalls
Three patterns explain most stalled Security+ to OSCP journeys:
- Stacking certifications instead of practising. Three intermediate certifications with zero documented HTB boxes is a sign of exam comfort, not offensive readiness. Lab hours compound. Exam preparation does not.
- Skipping methodology work. OSCP fails most often because candidates run techniques in random order, not because they do not know techniques. Build a repeatable enumeration-to-exploitation flow before the exam.
- Treating the first attempt as final. Most successful holders failed once. Plan for it, learn from it, retake.
The pathway is real, the timeline is honest, and the credential is worth the effort if offensive work is your direction. Read the salary guide for the OSCP-driven compensation curve.