OSCP Exam Change

As a leader in the cybersecurity training space, we at Offensive Security are incredibly proud of our flagship course, Penetration Testing with Kali Linux (PWK), and the value it has provided to our students over the years. Consequently, the PWK exam and its certification, the OSCP, have earned a reputation of being one of the most sought-after credentials in the industry. It has been and continues to be one of the few certifications which not only validates one’s technical skills, but also tests their ability to apply critical thinking to the problem-solving process.

While traditionally we have never publicly disclosed any details about the OSCP exam and how it has been changed over the years, its structure has been arguably the worst kept secret in the industry. Everyone interested in our PWK (PEN-200) course and the OSCP exam has known for a long time that the exam consists of 5 machines worth a total of 100 points. It is also a well-known fact that 70 points are needed to pass the exam. Finally, it is no secret that one of the five targets is a traditional buffer overflow machine worth 25 points.

“…the new changes will better reflect the current PWK materials and, most importantly, the skills needed to be a successful information security professional…”

As we have done in the past, we are going to soon change our OSCP exam structure once again. However, this time we have decided to be far more transparent about the changes our students will face, and the rationale behind these changes. One of the primary reasons for this decision is the magnitude of the upcoming changes, and our desire to provide our students with all the necessary information needed to succeed in their goals. Furthermore, the new changes will better reflect the current PWK materials and, most importantly, the skills needed to be a successful information security professional in today’s landscape.

The new OSCP exam will have the following structure:



PointsNumber of machinesNotes
60 points3 independent targets
  • 2-step targets (low and high privileges)
  • Buffer Overflow may (or may not) be included as a low-privilege attack vector.
  • 20 points per machine
    • 10 points for low-privilege
    • 10 points for privilege escalation
40 points2 clients
1 domain controller
  • NEW: Active Directory set.
  • Points are awarded only for the full exploit chain of the domain.
  • No partial points will be awarded.

Additional Changes


In addition to the points-per-machine, there are several changes to the exam that we wish to explicitly call out and explain our reasoning for:

  • The addition and importance of an Active Directory set
  • The decreased value of the Buffer Overflow machine
  • The increased value of bonus points on the exam

Passing Grade

70 points



Total Points
Available

100 points

Bonus Points

Requires completion of at least 10 PWK lab machines along with a detailed report, including all of the PWK course exercise solutions for a total value of 10 Bonus Points.

NEW: The 10 PWK lab machines reported on must include Active Directory targets.



Active Directory

One of the significant differences from the current exam structure is the explicit addition of the Active Directory set. Having workable knowledge of Active Directory is a critical part of any information security professional’s skillset. Therefore, the new point system and its rules make the Active Directory set almost a necessary part of the path to success. The addition of Active Directory also allows us to leverage techniques from the Client-Side Attacks and Port Redirection and Tunneling modules. These topics have so far been absent from the exam due to technical limitations, and their inclusion will lead to a more realistic and comprehensive exam.

An astute reader will notice that it is technically possible to pass the exam without the compromise of the Active Directory set. However, in that case a student would have to successfully complete all other machines on the exam, and submit the full course exercise and lab report. This was a deliberate decision on our part to try and encourage students to focus on Active Directory, since the path without it leaves absolutely no room for failure. Note that the course lab report must now include Active Directory targets including one Domain Controller.

While we are implementing the new Active Directory set, we are also reducing the role of the Buffer Overflow target. At Offensive Security, we love exploit development; we’ve always believed that a strong understanding of exploitation concepts is an important component of becoming a well-rounded Penetration Tester. However, we acknowledge that in today’s environment, it is not likely to face unprotected binary applications vulnerable to vanilla Buffer Overflows, such as that taught in PWK.

Buffer Overflow

Basic exploitation concepts remain a core pillar of the PWK course material because they help foster an important mindset. However, we are going to reduce the relative value of the Buffer Overflow on the OSCP exam, and include it as a low-privilege attack vector. This will help create a more well-rounded machine that tests various aspects of the PWK course material. As such, buffer overflow attacks will simply become a part of 20 point exam machines and will not be guaranteed to be included in every exam set. We hope that this change will allow our students to focus more on the Active Directory set, as well as on the other important remote and local attack vectors featured in PWK.

Bonus Points

Another change worth elaborating on is the increase in the amount of possible bonus points. Because Active Directory will play a prominent role in the exam, we are taking this opportunity to increase the amount of potential bonus points students may receive for completing their course lab and exercise report. The data we previously published clearly indicates that students who spend sufficient time practicing their skills in our PWK labs have a higher success rate of passing the OSCP exam. Increasing the value of the bonus points is our attempt to motivate students to truly embrace their time in our labs effectively.

When will it happen?

The new exam structure will become available for students beginning on January 11, 2022. All scheduled exams for January 11th onward are subject to the new structure. We will continue to accept lab reports that do not contain a fully exploited Active Directory set until March 14, 2022 for the full value of 10 bonus points. Lab reports must include the full exploitation of an Active Directory set (including the Domain Controller) for all exams taken after March 14th in order to be eligible for 10 bonus points. We hope that this level of transparency proves valuable to our students and helps them prepare better for our OSCP exam. As always, we’d love to hear any feedback from our current and potential students. Please feel free to join us on Discord to continue the conversation.