Starting November 1, 2024, OffSec's current OSCP exam will be replaced with an updated version. The updated exam will feature the following changes:
- Enhancements to the Active Directory portion of the exam
- Removal of bonus points
Why is OffSec doing this?
OffSec’s methodology and pedagogy continue to evolve to better reflect our more modern approach to learning.
As part of our continuous evolution and our desire to more validly and reliably assess our learners’ ability to apply fundamental course learnings in the real world, OffSec is pleased to announce an important change to the OSCP exam format.
As of November 1, 2024, we are updating the Active Directory (AD) portion of the OSCP exam.
This update will make the OSCP exam consistent with all other OffSec certification exams, ensuring the exam reflects the modern penetration testing landscape.
In the past, the AD environment was gated with a compromise unrelated to the AD experience. If a learner was unable to exploit this vulnerability, there would be no way for the learner to demonstrate their AD knowledge and for OffSec to adequately assess the learner’s AD capability. Further, learners would also need to solve all elements of the AD domain to receive any points related to the AD portion of the exam, a significant percentage of the total exam grade (40/100 available exam points). Finally, an unintended consequence was that our bonus point system also allowed (and sometimes encouraged) learners to potentially disregard the AD portion of the OSCP exam.
The OSCP exam update provides learners with the ability to work through an “assumed compromise” where learners start with a standard user account on the AD domain with the goal of full domain compromise. Additionally, OffSec will allow learners to earn partial points within the AD domain, removing the requirement to fully clear the AD exam set to receive any AD exam related points.
The OSCP exam format change also enables OffSec to align with industry leading certification bodies and ensures the OffSec OSCP can meet ISO 17024 standards - creating even more value for the OffSec OSCP learner community.
Perhaps most importantly, this new OSCP exam format change reflects feedback from the OffSec Community who have expressed a desire to evolve our OSCP exam format.
What about bonus points?
Bonus points will be removed from the OSCP exam as of November 1, 2024.
- While bonus points were a way to drive engagement and adoption, most learners did not require bonus points to pass the OSCP exam. Rather, the exercises required to earn bonus points better enabled learners to train and prepare for a successful OSCP exam experience;
- No other OffSec exam format includes the ability to utilize bonus points to earn the certification. This created an uneven, inconsistent and arguably unfair experience across our learner community - the OSCP exam was a clear outlier;
- No other ISO 17024 recognized certification exam allows bonus points to be awarded. As a result, many OSCP holders are unable to realize the full benefit of their certification (i.e., recognized by their employer or future employer);
- Finally, removing bonus points eliminates external dependencies from the OSCP exam experience as well as an additional step that could, at times, become a distraction. OffSec’s goal is to use the course materials and training to prepare for the exam, not use the course materials and training as part of the exam.
Simply put, removing bonus points makes the OSCP even more valuable for our learners and ensures our learners have proven that they have fundamental Penetration Testing skills and are ready to apply them in the real world.
Note: We still recommend completing the “bonus point” exercises to help train and prepare for a successful OSCP exam experience. Exercise matters. Those completing the recommended exercises will dramatically improve their probability of success.
What are the changes to exam format?
The OSCP exam format change provides learners with the ability to work through an “assumed compromise” where learners start with a standard user account on the Active Directory (AD) domain with the goal of full domain compromise. OffSec will allow learners to earn partial points within the AD domain, removing the requirement to fully clear the AD exam set to receive any AD exam related points. Bonus points will no longer be awarded.
In particular:
- For the Active Directory exam set, learners will be provided with a username and password, simulating a breach scenario;
- Learners may then accumulate points for machines 1, 2 and 3 of the Active Directory exam set - 40 points in total:
  - 10 points for machine #1
  - 10 points for machine #2
  - 20 points for machine #3;
- Removal of 10 bonus points.
How will points be allocated / distributed?
OSCP exam points will be allocated as follows:
- 3 stand-alone machines (60 points in total)
  - 20 points per machine
    - 10 points for initial access
    - 10 points for privilege escalation
- 1 Active Directory (AD) set containing 3 machines (40 points in total)
  - 10 points for machine #1
  - 10 points for machine #2
  - 20 points for machine #3
- Possible scenarios to pass the exam (70/100 to pass)
  - 40 points AD + 3 local.txt flags (70 points)
  - 40 points AD + 2 local.txt flags + 1 proof.txt flag (70 points)
  - 20 points AD + 3 local.txt flags + 2 proof.txt flags (70 points)
  - 10 points AD + 3 fully completed stand-alone machines (70 points)
When will this occur?
The new exam format (entitled OSCP+) will begin on November 1, 2024 at 10:00 am GMT.
I am still working on completing my PEN-200 course, can I still earn bonus points up until October 31, 2024?
Yes, if you’re able to meet the requirements: you must submit at least 80% of the correct solutions for every module's lab in the PEN-200 course, submit 30 correct proof.txt hashes from 30 challenge lab machines in the OffSec Learning Platform, and take the OSCP exam no later than October 31, 2024.
I have earned the 10 bonus points, will it be applied if I take the OSCP exam before November 1, 2024?
If you have submitted at least 80% of the correct solutions for every module’s lab in the PEN-200 course and submitted 30 correct proof.txt hashes from the 30 challenge lab machines in the OffSec Learning Platform, you gain 10 bonus points, which will remain valid for OSCP exams taken until October 31, 2024. Upon passing the certification exam, you will earn your OSCP certification.