OSCP+ Preparation Guide 2026: Complete Roadmap to Pass First Try

HackerDNA Team

Dec 29, 2025

The OSCP isn't just another cert for your LinkedIn. It proves you can actually break into systems, and that's why employers trust it. If you're preparing for the OSCP+ certification in 2026, you need to know exactly what changed, what to study, and how to structure your preparation to pass on your first attempt.

This guide covers everything: the November 2024 exam updates that transformed OSCP into OSCP+, realistic study timelines for different situations, cost breakdowns, essential technical skills, and the practice resources that will actually prepare you for exam day. Whether you're a working professional carving out study time or going full-time, you'll find a roadmap that fits your situation.

OSCP preparation is a marathon, not a sprint. The candidates who pass approach this systematically: building foundational skills, practicing in realistic lab environments, developing a repeatable methodology, and managing their time effectively on exam day. Let's break down exactly how to do that.

🔄 What Changed: OSCP vs OSCP+

In November 2024, OffSec released significant updates to the OSCP certification, rebranding it as OSCP+. These changes reflect the evolution of real-world penetration testing and address gaps in the previous exam format. Understanding these changes is crucial for your preparation strategy.

Active Directory is Now Mandatory

The biggest change: Active Directory exploitation is no longer optional. Previously, candidates could avoid AD entirely and still pass. Now, expect to face AD environments that require you to demonstrate Kerberoasting, Pass-the-Hash, lateral movement, and domain privilege escalation. This reflects real-world pentesting where AD compromise is often the primary objective.

Three-Year Expiration

OSCP+ certifications now expire after three years. The original OSCP was lifetime valid, which meant someone could pass in 2015 and still claim current expertise in 2025. The expiration requirement ensures certified professionals maintain current skills. Plan to recertify or pursue advanced certifications like OSEP or OSED to maintain your credentials.

Low-Privilege Shells Provided

Some exam machines now provide a low-privilege shell as your starting point. This shifts focus toward privilege escalation rather than initial access on certain boxes. You'll need strong enumeration skills to identify escalation vectors from an established foothold.

Updated PEN-200 Course

The PEN-200 course materials received substantial updates to align with the new exam format. Content now covers modern techniques, updated tools, and expanded Active Directory modules. If you have access to older PEN-200 materials, make sure you're studying the current version.

💡 Key insight: The OSCP+ changes make the exam more representative of actual penetration testing work. Candidates who understand AD environments and privilege escalation deeply will have a significant advantage. Don't treat AD as "just another topic" - treat it as a core competency.

✅ OSCP+ Prerequisites

Before diving into OSCP-specific content, honestly assess your current skill level. Starting OSCP preparation without proper prerequisites is the number one reason candidates fail or burn out. The course assumes foundational knowledge that takes months to build from scratch.

Essential Technical Skills

You should be comfortable with these areas before starting PEN-200:

  • Linux command line proficiency: Navigate filesystems, manage processes, use pipes/redirects, write basic bash scripts, and troubleshoot permissions issues without constantly googling
  • Networking fundamentals: Understand TCP/IP, common ports and protocols, subnetting, DNS, routing basics, and how to analyze traffic with Wireshark
  • Basic scripting ability: Read and modify Python/Bash scripts, automate repetitive tasks, and understand enough code to troubleshoot exploit scripts when they fail
  • Web application basics: HTTP methods, cookies, sessions, basic HTML/JavaScript, and how web servers handle requests
  • Windows fundamentals: PowerShell basics, Windows services, registry, user/group management, and Active Directory concepts

Time Commitment

Realistic OSCP preparation requires 10-20 hours per week for 3-6 months. Less than 10 hours weekly makes progress painfully slow; you'll forget material between sessions. More than 20 hours weekly is sustainable only if you're not working full-time. Be honest about your available time when planning your timeline.

Self-Assessment Checklist

Answer honestly - if you can't check most of these, spend 1-3 months on prerequisites first:

  • I can SSH into a remote Linux server and navigate without a GUI
  • I understand what happens when I type a URL into a browser
  • I can write a basic for loop in Python or Bash
  • I know the difference between TCP and UDP
  • I've used nmap to scan a network before
  • I understand what a reverse shell is conceptually
  • I can explain what Active Directory does at a high level

If you're missing prerequisites, don't skip ahead. Build your foundation first with reconnaissance techniques and network scanning fundamentals on HackerDNA. Solid foundations make everything else easier.

💰 OSCP+ Cost Breakdown 2026

OSCP certification isn't cheap. Understanding the pricing structure helps you choose the right package and budget appropriately. All packages include course materials and lab access, but differ in duration and additional benefits.

Package            | Price       | Best For
Learn One (Annual) | $1,749/year | Career changers, multiple certs
90-Day Lab Access  | $1,599      | Experienced candidates, fast track
365-Day Lab Access | $2,499      | Beginners, thorough preparation

Which Package Should You Choose?

90-day access works if you already have penetration testing experience, can dedicate significant weekly hours, and have completed substantial external practice beforehand. It's tight but achievable for prepared candidates.

365-day access suits most people. It provides buffer time for life interruptions, allows thorough lab completion, and reduces pressure. The extra $900 is worth the reduced stress for most candidates.

Learn One subscription makes sense if you're pursuing multiple OffSec certifications or want access to the full course library. The annual cost includes exam retakes and access to other courses like OSEP preparation materials.

Hidden Costs to Consider

  • Supplementary practice platforms ($14-20/month for 3-6 months)
  • Potential exam retake if needed (included in some packages, $249+ otherwise)
  • Reference books and additional resources ($50-150)
  • Virtual machine software and lab infrastructure (often free with VMware/VirtualBox)

Budget approximately $2,000-3,500 total including supplementary resources. Some employers cover certification costs, so ask your company about professional development budgets before paying out of pocket.

📅 Study Timeline Options

Your timeline depends on your background, available hours, and how quickly you absorb new material. Here are three realistic paths based on different situations:

3-Month Intensive (Full-Time Focus)

Best for: Career changers, people between jobs, or those with flexible schedules.
Hours required: 30-40 hours per week

  • Month 1: Complete PEN-200 course modules, take detailed notes, build your methodology document
  • Month 2: Focus on OffSec labs - aim for 40+ machines. Supplement with external practice
  • Month 3: Exam simulations, weak area review, report writing practice, schedule exam for end of month

6-Month Standard (Working Professionals)

Best for: Full-time employees with consistent evening/weekend availability.
Hours required: 15-20 hours per week

  • Months 1-2: Complete course modules methodically, one section per week
  • Months 3-4: Lab work - complete 30-40 machines from OffSec labs and TJ Null's list
  • Month 5: Focus on weak areas (usually AD and privilege escalation), exam simulations
  • Month 6: Final review, report practice, exam attempt

This is the most common successful timeline for people balancing work and study.

9-12 Month Extended (Beginners)

Best for: Career changers without IT background, limited weekly availability, or those building prerequisites simultaneously.
Hours required: 10-15 hours per week

  • Months 1-3: Prerequisites and fundamentals while beginning PEN-200 modules
  • Months 4-6: Complete course materials, begin basic lab machines
  • Months 7-9: Intensive lab practice, 50+ machines across multiple platforms
  • Months 10-12: Exam preparation, simulations, weak area focus, exam attempt

⚠️ Timeline reality check: Most candidates underestimate preparation time. If you're frequently skipping study sessions or struggling with basic concepts after month two, extend your timeline rather than rushing to the exam unprepared. A failed attempt costs money and morale.

🛠️ Essential Skills for OSCP+

The OSCP+ exam tests practical exploitation across several domains. You need working proficiency, not theoretical knowledge, in each area. Here's what to master and which tools to learn.

Linux Privilege Escalation

You'll encounter Linux boxes where initial access gives you a low-privilege shell. Escalating to root requires systematic enumeration and understanding of common misconfigurations.

  • SUID/SGID binaries: Find binaries with elevated permissions and abuse them via GTFOBins techniques
  • Sudo misconfigurations: Check sudo -l output for exploitable entries, including NOPASSWD and wildcards
  • Cron jobs: Identify scheduled tasks running as root with writable scripts or path hijacking opportunities
  • Kernel exploits: Last resort - identify kernel version and check for known privilege escalation CVEs
  • Capabilities: Find binaries with dangerous capabilities like cap_setuid

Essential tools: LinPEAS, linux-exploit-suggester, pspy (for process monitoring), and manual enumeration scripts you understand deeply.
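
The sudo and cron items in the list above, seen from the administrator's side: an added example (not part of the original guide) that flags NOPASSWD or wildcard sudoers rules and root cron jobs pointing at group- or world-writable files. The function names and all sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: function names and sample data are constructed.

# Read sudoers-format rules on stdin; print "line: FLAGS | rule" for rules
# that use NOPASSWD or a wildcard. Aliases and included files are not expanded.
flag_sudo_rules() {
    awk '
        /^[ \t]*(#|$)/ || /^[ \t]*Defaults/ { next }   # comments, blanks, Defaults
        index($0, "=") == 0 { next }                   # not a rule
        {
            cmds = $0
            sub(/^[^=]*=/, "", cmds)                   # drop "user host ="
            gsub(/\([^)]*\)/, "", cmds)                # drop (runas) specs
            flags = ""
            if (cmds ~ /NOPASSWD:/) flags = flags " NOPASSWD"
            gsub(/[A-Z_]+:/, "", cmds)                 # drop tags such as NOPASSWD:
            if (cmds ~ /[*]/) flags = flags " WILDCARD"
            if (flags != "") print NR ":" flags " | " $0
        }'
}

# $1 is a system crontab (/etc/crontab format: five time fields, user,
# command). Print every absolute path named in a root job that is writable
# by group or others. Only the permission bits are checked, not ownership.
flag_writable_cron() {
    awk '
        /^[ \t]*(#|$)/ || /^[ \t]*[A-Za-z_]+[ \t]*=/ { next }   # comments, VAR=value
        $6 == "root" { for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i }
    ' "$1" | sort -u |
    while IFS= read -r target; do
        [ -e "$target" ] || continue
        # -L follows symlinks so the real file is tested, not the link.
        if [ -n "$(find -L "$target" -prune \( -perm -0002 -o -perm -0020 \) -print 2>/dev/null)" ]; then
            echo "WRITABLE $target"
        fi
    done
}

# Constructed sample rules (not taken from any real host).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
root    ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/* /backup/
audit   ALL=(root) /usr/bin/less /var/log/app/*.log
EOF
}

# Demo on the constructed rules. On a host you administer, feed it real files:
#   flag_sudo_rules < /etc/sudoers ; flag_writable_cron /etc/crontab
sample_sudoers | flag_sudo_rules
```

Each flagged rule or path is a candidate finding for the remediation section of a report: tighten the command list, require a password, or remove the group/other write bit.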

Windows Privilege Escalation

Windows privilege escalation has more vectors than Linux. Service misconfigurations, registry permissions, and token manipulation are your bread and butter.

  • Service misconfigurations: Unquoted paths, weak service permissions, writable service binaries
  • Token impersonation: SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege (Potato attacks)
  • Registry exploits: AlwaysInstallElevated, autorun locations, service registry permissions
  • Scheduled tasks: Writable task scripts, missing binaries in scheduled tasks
  • Credential harvesting: SAM/SYSTEM extraction, cached credentials, saved passwords

Essential tools: WinPEAS, PowerUp, Seatbelt, accesschk.exe, and manual PowerShell enumeration.

Active Directory Exploitation (Critical for OSCP+)

This is the biggest gap for most candidates. AD wasn't emphasized in older OSCP versions, so many study resources underweight it. For OSCP+, AD is non-negotiable. You must understand domain enumeration, common attack paths, and lateral movement techniques.

  • Kerberoasting: Request service tickets for SPNs and crack them offline to reveal service account passwords
  • AS-REP Roasting: Target accounts without Kerberos pre-authentication for offline cracking
  • Pass-the-Hash: Authenticate using NTLM hashes without knowing plaintext passwords
  • Pass-the-Ticket: Use stolen Kerberos tickets for authentication and lateral movement
  • DCSync: Replicate domain controller data to extract all password hashes
  • BloodHound analysis: Map AD relationships to find attack paths to Domain Admin

Essential tools: BloodHound, Mimikatz, Impacket suite (secretsdump.py, GetUserSPNs.py, psexec.py), Rubeus, and PowerView for enumeration.

💡 AD priority: Spend at least 25-30% of your study time on Active Directory. Most failed attempts cite AD as the weakest area. Don't just learn the attacks - understand why they work and how to enumerate AD environments systematically.

Web Application Attacks

Web vulnerabilities provide initial access on many exam machines. You need practical exploitation skills, not just theoretical understanding.

  • SQL injection: Manual exploitation, authentication bypasses, data extraction, and command execution
  • File upload vulnerabilities: Bypass filters, webshells, extension manipulation
  • Local/Remote File Inclusion: LFI to RCE via log poisoning, PHP wrappers, and filter chains
  • Command injection: Identify injection points, bypass filters, establish reverse shells
  • Authentication bypasses: Default credentials, logic flaws, session manipulation

Practice these attacks hands-on in HackerDNA's web security modules, which cover exploitation techniques with practical exercises.

Password Cracking

You'll extract hashes from various sources and need to crack them efficiently. Understanding hash types, wordlist strategies, and rule-based attacks is essential.

  • Identify hash types (hashid, hash-identifier)
  • Use appropriate wordlists (rockyou.txt, SecLists)
  • Apply effective rules for hashcat/john
  • Crack NTLMv2, Kerberos tickets, Linux shadow hashes

Build your password cracking skills with dictionary attack techniques and understand the fundamentals through the password cracking course.

📚 Best Practice Resources

OffSec labs alone aren't enough. Successful candidates supplement with external platforms that provide diverse challenges and different machine styles. Here's what works:

Resource                 | Cost                 | OSCP Relevance
OffSec Labs              | Included with course | 10/10 - Direct exam preparation
Proving Grounds Practice | $19/month            | 9/10 - OffSec-created, exam-like
HackerDNA Labs           | See site             | 9/10 - Guided learning, skill building
Hack The Box             | $14/month            | 8/10 - Excellent variety
TryHackMe                | $14/month            | 7/10 - Great for prerequisites

TJ Null's OSCP List

TJ Null maintains a curated list of Hack The Box and Proving Grounds machines that closely mirror OSCP difficulty and style. This list is considered essential preparation by the community. Aim to complete 30-40 machines minimum from this list before your exam attempt.

Find the current list on r/oscp or NetSecFocus. The list gets updated as new relevant machines are released.

Practice Strategy

  • Start with easier boxes to build confidence and methodology
  • Track your time per machine - aim for 2-4 hours on medium boxes
  • Take detailed notes on every machine, even easy ones
  • Review walkthroughs after attempting (not before) to learn what you missed
  • Redo machines you struggled with after a few weeks

🎯 Exam Day Strategy

The OSCP+ exam is a 23-hour and 45-minute practical test followed by 24 hours to write and submit your report. You need 70 points to pass. Proper exam strategy is as important as technical skills - many technically capable candidates fail due to poor time management.

Point Distribution

The exam typically includes standalone machines worth varying points and an Active Directory set. Understanding point distribution helps prioritize your time:

  • Standalone machines: 10-20 points each (low-priv shell partial credit available)
  • AD set: 40 points (often all-or-nothing for the full chain)
  • Bonus points: Up to 10 points for course exercises and lab report

Strategy: Secure the AD set for 40 points, then focus on machines where you can at least get low-privilege access for partial points. Don't spend 5 hours on one stubborn machine when others might be faster wins.

Time Management

  • First 30 minutes: Run initial scans on all machines, review results while they complete
  • Hours 1-4: Tackle the AD set first while fresh - it's worth the most points
  • Hours 5-12: Work through standalone machines, spend max 2 hours stuck before moving on
  • Hours 13-20: Return to machines with partial progress, try alternative approaches
  • Hours 21-24: Ensure all screenshots are captured, begin organizing notes for report

Take breaks. Seriously. Step away every 2-3 hours for 10-15 minutes. Eat real meals. Get a few hours of sleep if you need it. Fresh eyes solve problems faster than exhausted grinding.

Screenshot Requirements

Missing screenshots can cost you points you legitimately earned. Document obsessively:

  • Screenshot the proof.txt or local.txt content, displayed with "type proof.txt" or "cat local.txt"
  • Include ipconfig or ifconfig output in the same screenshot
  • Show the whoami command to prove privilege level
  • Capture every significant step in your exploitation chain

⚠️ Critical: Screenshot immediately after getting each flag. Don't wait. Machines can reset, connections can drop, and you may not remember exact reproduction steps later. A screenshot takes 2 seconds and can save your entire point allocation for that machine.

Report Requirements

Your report must clearly demonstrate the exploitation path for each machine. Include:

  • Enumeration steps that led to vulnerability discovery
  • Proof of exploitation with command output and screenshots
  • Clear step-by-step reproduction instructions
  • Remediation recommendations (shows professional mindset)

Write your report as if someone else needs to reproduce your work. OffSec reviewers follow your instructions - if they can't reproduce your exploitation, you don't get the points.

❌ Common Mistakes to Avoid

Learn from others' failures. These mistakes derail more OSCP attempts than technical skill gaps:

1. Starting Without Prerequisites

Jumping into PEN-200 without solid Linux, networking, and scripting fundamentals wastes your lab time. You'll spend hours learning basics instead of practicing exploitation. Build prerequisites first.

2. Over-Relying on Automated Tools

Running autorecon and waiting for vulnerabilities to appear doesn't build exam-ready skills. Automated tools miss things, produce false positives, and can't adapt to unusual configurations. Learn manual enumeration first, then use automation to speed up what you already understand.

3. Not Documenting Methodology

Every successful candidate has a written methodology they follow. Without documentation, you'll forget steps under exam pressure and miss obvious vectors. Create checklists for enumeration, privilege escalation, and common services.

4. Underestimating Active Directory

AD is now mandatory for OSCP+. Candidates who treat it as "just another topic" fail. Dedicate significant time to understanding AD environments, attack paths, and tooling. Practice full AD chains repeatedly until they're second nature.

5. Skipping Report Practice

Many candidates never write a practice report until exam day. Then they spend 8 hours struggling with formatting instead of sleeping. Write at least 2-3 full practice reports on lab machines before your exam. Develop a template and practice using it under time pressure.

6. Poor Time Management on Exam Day

Spending 6 hours on one machine while ignoring others is a common failure mode. Set time limits per machine, move on when stuck, and return with fresh perspective. Partial points on multiple machines beat zero points on a machine you couldn't fully exploit.

🚨 Reality check: If you recognize yourself in several of these mistakes, you're not exam-ready yet. That's okay - recognizing the problem is the first step to fixing it. Adjust your preparation plan before attempting the exam.

📋 Building Your Methodology

A repeatable methodology is your most valuable asset on exam day. When stress hits and your mind goes blank, your methodology guides you through systematic enumeration and exploitation. Here's a framework to adapt:

Sample Methodology Framework

  1. Reconnaissance: Initial port scanning, service enumeration, version detection

    Run comprehensive nmap scans (-sC -sV -p-) on all targets. Identify services, versions, and potential attack surfaces. Don't skip full port scans - important services often run on non-standard ports.

  2. Enumeration: Deep-dive into discovered services using service-specific tools

    HTTP: Directory brute-forcing, technology identification, source code review. SMB: Share enumeration, null sessions, user listing. FTP: Anonymous access, version exploits. Each service has specific enumeration checklists.

  3. Vulnerability Identification: Map findings to potential exploits and attack vectors

    Research service versions for known CVEs. Identify misconfigurations. Note potential credentials, usernames, or sensitive information found during enumeration.

  4. Exploitation: Gain initial access through identified vulnerabilities

    Test exploitation hypotheses. Start with most likely vectors. Document failed attempts - knowing what doesn't work helps narrow possibilities. Establish stable shell access.

  5. Post-Exploitation: Enumerate the compromised system thoroughly

    Run enumeration scripts (LinPEAS/WinPEAS). Check current privileges, local users, running processes, network connections, installed software. Look for credentials, SSH keys, configuration files with sensitive data.

  6. Privilege Escalation: Escalate to root/SYSTEM/Domain Admin

    Work through your privilege escalation checklist systematically. Don't jump to kernel exploits first - misconfigurations are more reliable. Document your path for the report.

  7. Documentation: Capture all evidence and write reproducible steps

    Screenshot proofs immediately. Note exact commands used. Organize findings in report template. This happens throughout, not just at the end.

Key insight: Your methodology should fit on one page for quick reference. Detailed checklists for specific services (HTTP, SMB, AD, etc.) are separate documents you reference when needed. The core methodology keeps you oriented; the checklists ensure thoroughness.

🚀 After OSCP+: What's Next?

OSCP+ opens doors, but it's not the end of your journey. Here's what successful OSCP holders typically pursue:

Career Paths

  • Penetration Tester: Client-facing assessments, variety of targets, consulting lifestyle
  • Red Team Operator: Adversary simulation, longer engagements, evasion focus, requires additional skills
  • Security Consultant: Broader scope including policy, architecture review, and technical testing
  • Bug Bounty Hunter: Independent researcher, flexible schedule, variable income

Advanced Certifications

After OSCP+, many professionals pursue specialized certifications:

  • OSEP (Experienced Penetration Tester): Evasion, custom tooling, advanced techniques
  • OSED (Exploit Development): Windows exploit development, reverse engineering
  • CRTP/CRTE: Advanced Active Directory attacks, red team operations
  • OSWE: Advanced web application exploitation, code review

Choose certifications aligned with your career interests. Red teamers often pursue OSEP; web specialists go for OSWE; those interested in exploit development choose OSED.

❓ Frequently Asked Questions

How long does it take to prepare for OSCP+?

Most successful candidates spend 3-6 months preparing with 15-20 hours weekly. Beginners without IT background may need 9-12 months. Prior penetration testing experience can shorten this to 2-3 months. The key variable is consistent, focused practice rather than total calendar time.

Is OSCP+ worth it in 2026?

Yes, if you're pursuing a career in penetration testing or red teaming. OSCP remains the most recognized practical certification. The + updates make it more relevant to current real-world assessments. However, it's expensive - ensure it aligns with your career goals before investing.

Can I pass OSCP+ without prior security experience?

Yes, but it requires more preparation time. You'll need strong IT fundamentals (networking, Linux, scripting) before starting. Many successful candidates come from sysadmin, network engineering, or development backgrounds. Complete beginners should budget 9-12 months.

What percentage of people pass OSCP?

OffSec doesn't publish official pass rates. Community surveys suggest first-attempt pass rates around 40-50%, but this varies widely based on preparation quality. Candidates who complete 40+ practice machines and develop solid methodologies pass at higher rates.

Is OSCP+ harder than the original OSCP?

The mandatory Active Directory component makes it more challenging for candidates who avoided AD previously. However, the provided low-privilege shells on some machines can actually make initial access easier. Overall difficulty is similar, but the skill distribution required is different.

⚖️ Ethical Considerations

The skills you develop for OSCP+ are powerful. With exploitation capabilities comes responsibility. Throughout your preparation and career, maintain strict ethical boundaries.

⚠️ Critical reminder: Always get explicit written authorization before testing any system. Use only legal practice environments for study. Unauthorized access is illegal regardless of intent, and can result in criminal prosecution, fines, and permanent career damage.

  • Practice only on authorized systems: OffSec labs, Proving Grounds, HackerDNA Labs, and personal lab environments are legal. Random internet targets are not.
  • Protect client data: During professional engagements, handle discovered data with care. Report findings responsibly and never retain or exploit client information.
  • Follow responsible disclosure: If you discover vulnerabilities outside authorized testing, report them through proper channels without exploitation.
  • Stay within scope: During engagements, respect defined boundaries. Just because you can pivot doesn't mean you should.

🎯 Your OSCP+ Action Plan

OSCP+ certification is achievable with proper preparation, consistent practice, and realistic expectations. The exam tests practical skills that take months to develop, not memorized facts you can cram in a weekend.

Your roadmap: Build prerequisites, complete PEN-200 methodically, practice 40+ machines across multiple platforms, develop your methodology, and master Active Directory. Combine structured learning with hands-on lab practice to build the practical skills employers demand.

The path to OSCP+ isn't easy, but thousands of professionals have walked it before you. With systematic preparation, consistent practice, and the right resources, you can join them. Start today, stay consistent, and trust the process.