OffSec CPE Program and Annual Maintenance Handbook

  • Updated
Follow

Introduction

OffSec certifications are designed to validate practical cybersecurity skills through rigorous, hands-on assessments.  Most OffSec certifications do not expire and remain valid indefinitely. However, the following certifications expire after three years and require renewal:

  • OSCP+
  • OSAI+
  • OSCC-SEC
  • OSCC-SJD
  • OSTH
  • OSIR

To help certification holders stay current with evolving techniques and industry knowledge, certain OffSec certifications now include an expiration period and renewal requirements. The OffSec Continuing Professional Education (CPE) Program allows eligible certification holders to maintain their certifications through ongoing professional development instead of retaking the exam.

Through the CPE program, learners can maintain certification validity by:

This handbook explains how certification maintenance works, how to earn CPE credits, and how AMP and AMF support certification renewal.

What is Continuing Professional Education (CPE)?

Continuing Professional Education (CPE) represents ongoing learning activities that help professionals maintain and improve their skills after earning a certification.

For OffSec certification holders, CPE credits demonstrate continued professional development in cybersecurity and may be earned through:

  • Completing OffSec training and labs
  • Participating in industry events
  • Publishing cybersecurity research
  • Contributing to the cybersecurity community
  • Completing relevant external education or training

CPE credits are awarded only for activities that demonstrate continued professional development through new learning or updated technical content. Repeating identical training modules, labs, or exercises that were previously completed during an earlier certification cycle does not qualify for additional CPE credit. Recertification is intended to confirm that certificates maintain competence and remain current with evolving cybersecurity practices and threats, rather than simply repeating previously mastered material.

CPE credits help ensure certification holders remain engaged with current practices and technologies in the field.

Certification Renewal Overview

OffSec certifications that have an expiration date are valid for three years from the date of issue. To maintain your certification beyond this period, you must complete one of the following renewal methods:

1. Earn the required CPE credits and maintain annual coverage

You must:

  • Complete 120 CPE credits during your three-year certification cycle
  • Maintain annual coverage each year through either AMP or AMF

2. Retake the certification exam

You may renew your certification by:

  • Successfully passing the same certification exam again
  • Maintaining annual coverage through AMP or AMF, where applicable under the program rules

3. Take a higher-level qualifying exam

You may renew your certification by:

Qualifying Exam Table

Certification Category Certification Qualifying Certification Exams
Attack OSCP+ OSWA, OSEP, OSWE, OSED, OSMR, OSEE, OSAI+
 
Defend OSIR OSTH, OSDA
Defend OSTH OSIR, OSDA
 
100 Level OSCC-SEC OSCC-SJD, OSCP, OSWA, OSWP, OSDA, OSTH, OSIR, OSEP, OSED, OSMR, OSWE, OSEE
100 Level OSCC-SJD OSCC-SEC, OSCP, OSWA, OSWP, OSDA, OSTH, OSIR, OSEP, OSED, OSMR, OSWE, OSEE

Annual Membership Program (AMP)

The Annual Membership Program (AMP) is an auto-renewing annual subscription priced at $299/year. It gives learners ongoing access to hands-on labs, rotating CPE-eligible content, and exclusive benefits that help them stay current and keep building their skills. For holders of expiring certifications, AMP also includes annual maintenance fee coverage.

All AMP subscribers receive:

  • Access to a quarterly rotating selection of CPE-eligible content and labs, including Shiny Labs, Grimoires, and OCR/DCR scenarios ranges
  • Proving Grounds Practice with 250+ labs
  • Access to course materials and videos for main courses, if previously purchased (see below)
  • Annual Maintenance Fee coverage ($145 value)

Course materials are available only if the learner previously purchased the course through qualifying purchases such as:

  • Course & Certification Exam Bundle
  • Learn One
  • CyberCore

AMP access begins on the purchase date and lasts one year, renewing automatically unless cancelled.

Who can purchase AMP?

AMP is available only to individual users purchasing directly through the OffSec website. AMP is not available to users with admin permissions.

A learner may be eligible to purchase AMP if they have an eligible OffSec learning account and purchase history, and one of the following applies:

  • They hold an OffSec certification
  • They have attempted an OffSec certification exam, whether they passed or not
  • They previously purchased or were assigned an OffSec training product, including:
    • Course & Certification Exam Bundle
    • Learn Fundamentals
    • Learn One
    • Learn Unlimited
    • Learn Enterprise
    • CyberCore

AMP provides access to learning resources and includes Annual Maintenance Fee coverage for eligible expiring certifications.

Annual Maintenance Fee (AMF)

The Annual Maintenance Fee (AMF) is a non-renewing fee of $145 per year that provides certification maintenance coverage only.

AMF includes:

  • Certification maintenance coverage for eligible expiring certifications

AMF does not include:

  • Rotating CPE-eligible content
  • Course materials
  • Hands-on labs
  • PG Practice labs
  • Other membership benefits available through AMP

AMF coverage begins when purchased and aligns with the expiration cycle of the certification.

Who can purchase AMF?

AMF is available only to individual users purchasing directly through the OffSec website. AMF is not available to users with admin permissions.

The Annual Maintenance Fee is available only to learners who hold eligible OffSec certifications that require renewal through the CPE program.

You may purchase AMF if:

  • You hold an eligible expiring OffSec certification, such as:
    • OSCP+
    • OSTH
    • OSIR
    • OSCC
    • OSAI+
  • Your certification is currently within its three-year maintenance cycle

AMF provides maintenance coverage only and does not include learning content, labs, or course materials.

Certification Maintenance Cycle

To remain eligible for certification renewal through the CPE program:

  • Learners must maintain AMP or AMF coverage for each year of the three-year cycle
  • If coverage begins after the certification was issued, learners must purchase coverage for any missed years

Example

If a certification is earned in 2025 but AMP or AMF is first purchased in 2027, coverage must include:

  • 2025–2026 (Year 1)
  • 2026–2027 (Year 2)
  • 2027–2028 (Year 3)

Maintaining Multiple Certifications

Learners with multiple OffSec certifications need only:

  • One active AMP or AMF per year, regardless of the number of certifications held

Key details:

  • Maintenance cycles align with the first expiring certification
  • Certifications earned later are grouped into the same maintenance cycle
  • Maintaining coverage keeps all supported certifications active

Eligibility and Purchasing

AMP and AMF are available through the Buy More page in the OffSec Learning platform.

Both AMP and AMF are:

  • Available only to individual users
  • Purchased directly through the OffSec website
  • Not available to users with admin permissions

Users with admin permissions cannot purchase AMP or AMF from the website under an admin account.

CPE Credits

Continuous Professional Education credits represent your ongoing education and skill development in cybersecurity. These credits help ensure you maintain the knowledge and skills needed to keep your certification active.

OffSec CPE Credit Requirements

To maintain certification through the CPE program, learners must earn:

  • 120 CPE credits over three years

This averages to approximately 40 CPE credits per year.

CPE credits may be earned through:

  • OffSec learning content
  • External professional activities

Earning CPE Credits Through OffSec

OffSec provides CPE-eligible learning content within the platform.

Examples include:

  • Rotating CPE-eligible modules
  • Hands-on labs
  • PG Practice labs
  • Selected educational content mapped to certifications

CPE credits for OffSec content are automatically tracked when learners complete eligible activities.

CPE Requirements by Certification

Each certification has specific CPE requirements. The CPE program covers the following certifications:

  • OSCP+ (Offensive Security Certified Professional Plus)
  • OSTH (Offensive Security Threat Hunter)
  • OSIR (Offensive Security Incident Responder)
  • OffSec CyberCore Certifications
    • OSCC-SEC (OffSec CyberCore Security Essentials)
    • OSCC-SJD (OffSec CyberCore Java Developer)

Each certification requires approximately 40 CPE credits per year, for a total of 120 credits over the three-year certification period.

External CPE Credits

Learners may also earn CPE credits from external professional development activities, including:

  • Technical presentations at conferences such as Black Hat or DEF CON
  • Published cybersecurity research
  • Industry training or coursework
  • Security webinars and workshops
  • Community contributions to cybersecurity projects

All external submissions must:

  • Occur after the certification was earned
  • Be relevant to cybersecurity and the certification domain
  • Include documentation verifying participation or completion

CPE Content Pool

The OffSec platform includes a single pool of CPE-eligible content that covers multiple certifications. Each piece of content is tagged with the certifications for which it can provide CPE credits.

For example, a module like "Starting and Developing a Career in Cybersecurity" might provide CPE credits for OSCP, OSTH, and OSIR certifications, but not for OSCC-SEC/OSCC-SJD.

The CPE Dashboard will help you track your progress toward meeting the CPE requirements for each of your certifications.

Category CPE Credits Awarded Annual Limit 3-Year Cycle Limit Requirements/Criteria
Courses and Seminars 40 CPEs (30 CPEs for IR-200 and TH-200) 40 CPEs 120 CPEs OffSec Courses: 80% completion of lab exercises. External Courses: Proof/letter of completion
Public Speaking 4 CPEs per event 40 CPEs 40 CPEs Includes prep work and presentation time
Published White Papers 4 CPEs per paper 8 CPEs 24 CPEs Original content, professionally relevant; 750-1000 words minimum. Writing time: 2-4 hours, varies with topic complexity and expertise.
OffSec Lab Submissions (UGC) 20 CPEs for accepted UGC Machines 40 CPEs 120 CPEs Proof of acceptance required
Attending Cybersecurity Webinars 1 CPE per hour 40 CPEs 120 CPEs

Documentation of attendance required.

Note: If you attended a webinar longer than one hour, please submit the CPE request multiple times for the same activity to account for the total duration.

Key points about CPE activities:

  • For courses, each hour generally earns 1 CPE; OffSec awards 40 CPEs for complete courses
  • Speaking engagements include both presentation time and preparation time
  • Writing activities must be original and professionally relevant; a well-researched blog post typically takes 2-4 hours
  • Lab submissions (UGC) earn the same credits regardless of difficulty (monetary rewards may differ by difficulty)
  • All activities must be directly relevant to cybersecurity and your professional development

Submission Process:

  • Submit your CPE activities through the OffSec platform
  • Each submission must include appropriate documentation as proof
  • Submit credits at least once annually to maintain accurate records
  • Activities must be relevant to your certification domain

Non-compliance and Expiry:

  • Failure to earn/submit sufficient CPE credits by your renewal date will result in certification expiry
  • A 90-day grace period after expiration allows you to catch up on missed CPE credits
  • The Annual Maintenance Fee (via membership) must also be paid to maintain certification

External CPE Submissions

In addition to completing OffSec content, you can earn CPE credits by submitting evidence of external cybersecurity learning and contributions.

CPE Submission Process

To submit external CPE activities:

  1. Navigate to the CPE Dashboard.
  2. Click on "Submit CPEs"
  3. Complete the submission form with:
    • Activity date
    • Activity type
    • Description
  4. Submit the form for review. After submission, you will receive an email confirmation from no-reply@offsec.com and a submission ID.
  5. Send the supporting documentation along with your name and submission ID to challenges@offsec.com

Only activities completed after you earned your expiring certification are eligible.

Activities completed before the certification date will not count.

CPE Review and Approval Process

Student Mentors review all external CPE submissions and make decisions based on:

  1. Relevance to your certification domain
  2. Quality and depth of the learning experience
  3. Verification of completion
  4. Appropriate time/effort calculation

You will receive an email notification when your submission is approved (from no-reply@offsec.com) or rejected (from challenges@offsec.com).

Typical processing time is up to 10 business days.

Reconsideration Process

If your submission is rejected, you can request reconsideration by:

  1. Creating a new submission
  2. Including the same information as the original submission
  3. Adding a note in the description that it is for reconsideration
  4. Addressing the reason for the initial rejection

Certification Expiry and Grace Period

If certification renewal requirements are not completed by the expiration date:

  • The certification becomes expired
  • A 90-day grace period begins

During the grace period, learners may still restore certification by:

  • Purchasing missing AMP or AMF coverage
  • Completing required CPE credits
  • Meeting other renewal criteria

If renewal requirements are not completed within 90 days, the certification becomes permanently expired.

To regain certification status after permanent expiration, learners must retake and pass the certification exam.

Frequently Asked Questions

Where can I purchase the AMP or AMF?

Both AMP and AMF are available through the Buy More page in the OffSec Learning platform.

Who can purchase AMP or AMF?

AMP and AMF are available only to individual users. They are not available to users with admin permissions.

Do I need to pay a maintenance fee for each certification?

No. Only one AMP or AMF payment per year is required, regardless of how many certifications you hold.

Do AMP or AMF need to be paid every year?

Yes. Coverage must exist for each year of the certification cycle to remain eligible for renewal through the CPE program. If coverage is purchased later, learners must purchase missing years retroactively.

Does AMF include course materials, labs, or CPE content?

No. AMF provides maintenance coverage only. Additional learning benefits such as labs, rotating content, and course materials are available through AMP.

Do I need to pay the maintenance fee if I renew my certification by retaking the exam?

If you want to extend your existing certification, then yes, you need to pay the AMF regardless of whether you earn CPE credits or retake the exam.

If you're simply seeking a new 3-year certification (not extending the existing one), you can recertify by paying for and passing the recertification exam ($799) without paying the AMF. This will result in a new certification with a new 3-year validity period rather than extending your current certification.

Can I make consecutive purchases to cover multiple years at once?

Yes, consecutive purchases will give you coverage for upcoming years. If you are missing prior payments, consecutive purchases in the same year will cover previous years, not going forward.

What if I have multiple certifications with different anniversary dates?

You only need to pay one AMF or AMP per year, preferably on the anniversary of your first certification. This single payment covers all your certifications.

What happens if I don't purchase the AMF or AMP and my certificate expires?

You will have a 90-day grace period after expiration to pay the missed maintenance fees and complete your renewal requirements. After that, the certification becomes permanently expired.

How many CPE credits do I need to earn each year?

You need to earn approximately 40 CPE credits per year, for a total of 120 credits over the three-year certification period.

Is there a limit to how many external CPE submissions I can make?

No, there is no limit to the number of submissions you can make.

What email address should I use for CPE-related communications?

For questions or concerns about CPE submissions, use challenges@offsec.com.

How long does the CPE submission process take?

It may take up to 10 business days to process the submission.

What happens If I don’t submit the maintenance fee before my certification expires?

Year 1 & Year 2: No Immediate Consequences

Your Certification Remains Valid – Not paying the fee in the first or second year will not revoke or deactivate your certification.

No Changes to the Certification status – You will still have full access to your certification status and resources.

Reminders, No Grace Period – You’ll receive payment reminders, but no penalties will be applied yet.

Year 3: Certification Expiration

🚨 Your Certification Will Expire – If you go three consecutive years without paying the fee, your certification officially expires at the end of Year 3.

🚨 Inactive Status – Your certification will be marked as expired/inactive, and you will no longer be recognized as "certified" in the system.

90-Day Grace Period After Expiration

You Have 90 Days to Reactivate – After expiration, you get a 90-day grace period to make the payment and restore your certification.

⚠️ During This Time: Your certification remains expired, but you can still pay the fee and meet renewal requirements to extend it.

What If You Don’t Pay Within the 90-Day Grace Period?

❌ Permanent Expiration – If the fee is not paid within 90 days, your certification will be permanently expired. Once expired, you’ll have the option to purchase the recertification exam and retake it to regain your certified status.

How to Reactivate During the Grace Period?

To restore your certification before the 90-day window closes, you must:

✔️ Pay the maintenance fee for the missed years.

✔️ Meet additional renewal criteria, such as earning CPE credits, retaking an exam, or passing a higher-level exam.

You’ll receive multiple reminders – OffSec will notify you before and during the grace period so you have every opportunity to renew your certification before it’s lost permanently.

How does the AMP or AMF work for multiple certifications?

If you hold multiple OffSec certifications, you only need to pay one maintenance Fee each year.

Your Annual fee is due on the anniversary of your first certification, regardless of when you earned additional certifications. For example, if you earned your first OSCP+ certification on November 10, 2024, your annual fee will be due every year on November 10, even if you obtain more certifications later.

Paying the fee ensures all your OffSec certifications remain active and in good standing. Plus, it gives you access to valuable membership benefits, such as CPE-mapped content.

What certificates does it cover?

The annual fee covers all active expiring certifications.

  • It applies to individual certifications like OSCP+, OSTH, OSIR, OSCC-SEC, OSJD-SJD, OSAI+.
  • Once paid, the fee ensures that all of the individual’s certifications remain in good standing for the coming year.

Do I need AMP or AMF if my certification doesn't expire?

No. If your OffSec certification does not have an expiration date, you do not need AMP or AMF to keep it valid. Your certification remains valid indefinitely.

However, you can still choose to purchase AMP even if you do not need it for certification maintenance. If you do, you will receive the access and benefits included with AMP, such as rotating hands-on labs, PG Practice, CPE-eligible content, and eligible course materials based on your purchase history. Many learners find it valuable as a way to stay sharp and continue building their skills on the platform, even without an expiring certification.

Contact Support

If you have questions or need assistance with the CPE program or Annual Maintenance, please contact:

For more information, visit the Help Center and ensure you have whitelisted no-reply@offensive-security.com and challenges@offsec.com  in your email settings to receive all CPE-related communications.

Relevant Resources

 

Related articles

Powered by Zendesk