Last week, an individual started to release solutions to certain challenges in the OSCP certification exam. This led to some discussion on Twitter and made it clear to us that there is a fair amount of misunderstanding about what’s on the exam, how we catch cheaters, how many people attempt to cheat, and what happens when they are discovered. In this post, we would like to shine some light on our certification process.
First off, here is a brief summary of what occurred. An individual claimed that there is a widespread issue where some people that attempt to obtain the OSCP will go online and buy walkthroughs. He also mentioned that the proctoring solution that we deployed does not help with this and that he had reached out to us multiple times to inform us of the situation and was ignored. As such, he felt he had no choice but to publicly release answers to exam challenges in order for us to take action.
Our response to this situation was simple. We simply removed the leaked exam targets from rotation, without disruption or impact to students. In the days that followed, additional exam systems were added to the exam pool.
This is standard operating procedure whenever we find an exam target leak or when exam targets are no longer viable. We have processes for this, as leaks of this nature happen from time to time.
The Reality of Cheating
Over the years, the profile of those taking the OSCP exam has changed. As the OSCP certification became more popular, it has earned the respect of even those that dislike certification programs in general. The hands-on examination process proves practical skills that go far beyond the industry standard multiple choice exam. This increase in popularity means that there are many with the desire to earn the OSCP that don’t have a passion for the topic and instead just want to buy the certification. This in turn leads to a larger amount of cheating attempts.
The Types of Cheating
When most people think of cheating, they think of having an answer sheet. Most often, individuals resort to buying the answers from someone else and just apply them to the exam. When this happens, we have a series of controls to deal with it.
The other, less thought about, type of cheating is individuals simply claiming that they have the certification when they don’t. This one is easier to deal with as individuals just need to validate the certification. Last year, we rolled out our Acclaim Digital Badges, which have been very well received in the community. We also have a documented process on how to work directly with us to validate certifications.
At a high level, there are a number of things we do to detect cheaters.
Community Support – OffSec has a very strong user community, a community that loves the OSCP and will do what they can to help maintain the integrity of the certification. This includes reporting cheaters. However, oftentimes when a report is made, the reporter won’t receive much more from us other than an acknowledgment of the report. This is due to customer privacy, which we take very seriously, even for cheaters. When you sign up for an OffSec course, we agree to protect your privacy and we do so even when you break the rules.
The individual that was posting the walkthrough online claims they contacted us multiple times. Chances are, this exact process is what happened. We can’t provide direct responses as to what specifically happens coming out of a report. We appreciate the reports, but we are sorry we can’t provide direct feedback.
Tracking of Cheating Groups – In many cases it’s actually nice for a known cheating group to stay around where we can track them. If we know what walkthroughs they are selling, it makes it easier for us to catch cheaters. In addition, there are a number of other indicators that help us identify and prevent cheating even before it takes place. So if anyone is confused as to why we don’t take more action to shut these down, this is why.
Updates to the Exam – The exam changes on a regular basis. Sometimes these are minor changes to existing challenges. Sometimes it is wholesale replacement of challenges. In many instances, there will be multiple “versions” of the same challenge. When we do make changes, it helps when we keep systems looking as close as possible to how they were before, so if someone attempts to cheat, they believe they have an open field to do so.
Anti-Cheating Process in the Exam Grading Process – We apologize, but we can’t provide details here. What we can say is we have a number of steps we take after an exam report is turned in that helps find many cheaters. This is highly effective, not well-known, and we would like to keep it that way.
Backwards Looking Processes – As effective and proud of our processes as we are, of course we are going to miss things. It would be a lie to say otherwise. However, we have a number of processes that when a cheater is identified, we also look backwards to past exams to find anyone else that may have used the same process that got missed. So yes, from time to time a cheater will obtain a cert, however that does not mean they are safe forever.
Online Proctoring – This is the most visible of our controls. We have a dedicated in-house team that proctors the exams in a manner to minimize impact to users while acting as a deterrent and detection tool to help identify cheating. These proctors include OffSec employees, as well as Student Admins, our Infrastructure team, and our Content Development group. They all care about the student experience and integrity of the organizations with the same passion.
Serious Consequences – When a cheater is identified, we take action. They have any and all OffSec certifications revoked and are permanently banned from purchasing any product from OffSec again. When conditions make sense, we also take legal action. Over the years, cheaters have lost their certs, paid fines, lost their jobs, and been embarrassed in front of their peers.
We take this topic seriously and as we said last week, we will do everything necessary to ensure the integrity of our exams. Despite the incident last week, our commitment to this hasn’t changed. We’ve had controls and processes for cheating in place for a long time and we constantly improve them. We felt it was important to address this topic as there was obviously a degree of confusion out there about how this process works. However, now that it’s addressed, we don’t intend to make this an ongoing conversation.
If you want to obtain the OSCP or any other Offensive Security certification, the answer is simple: “Try Harder”. Do the work, put in the effort, and earn it.
Protecting the integrity of the certification has always been of the utmost importance to us. We have developed over a decade of experience, tools, and processes in detecting and responding to cheaters. It’s unfortunate however, that this is an area we have a large amount of expertise – likely the most in the certification industry.