OSCP: Aftermath

6 years, 5 months ago

I finished the OSCP (Offensive Security Certified Professional) certification in December 2016 and have been putting off writing about it until tonight. There are already plenty of blogs accurately describing the experience, the labs, the exam, the difficulty, etc. I'll link a few that helped me as a student.

Here, I'll be addressing how useful it was to someone who had no significant experience in offensive security or the security industry. How hard is it for someone who had my technical background? How effective in the job market can an OSCP on the CV be?

0. Links

Here are a few other blog posts I found useful while I was in the course, specifically just before I took on the exam.

• hakin9
• kaziensecurity
• gnashsec
• justpentest
• securitysift

1. How hard is it? What do you learn?

Depends what you already know.

If you have years of experience in penetration testing, you will not learn as much as someone without that experience. If you have none, you'll learn a plethora of things and despite the reputation it is easily possible to pass first time. Though, that probably depends on your time-management and self-motivation abilities. I don't think anything technical is difficult, it just takes time to build up the foundation to understand. Physics, maths, computer science - it doesn't matter - it just takes time.

The course is, however, far more valuble than any of the scores of university modules I've done. Why? Because failure is easy, because you aren't spoon-fed, because it requires true persistance, true research and there are no fudge-factors as to whether you got a root/SYSTEM shell. The more difficult a certification, the less people obtain it, the more value it has.

Primarily, you get out what you put in - and you won't get anything if you don't try harder. I've just completed OSCE, and the only offensive security certifications left for me are those taught in-person. They seem quite scarce. Although there are plenty of great books and probably some other niche certs that require as much effort, I am a little disappointed I cannot immediatley start another offsec course. The exams and labs themselves are just fun. You like a challenge, right? It's also much cheaper than other certs which end with high-pass-rate multiple-choice-question exams.

2. Job market value

No situation will be exactly like mine. I had no professional experience. I ended up with 4 security industry job offers out of 5 interviews, and the no-offer was a "maybe in a year."-offer. I joined the workforce relatively late in my life due to a lot of time in academia, so I was quite concerned with earning power. In Dublin, Ireland, an OSCP is capable of putting you well above the mean salary. In particular if you get multiple offers and are a confident and intelligent interviewee. That said, I won't be surprised if in some parts of the states you could get over $100k with relative ease.

The people who value OSCP the most are usually those who have tried it - because they know how difficult it is. That said, if a company has required any sort of online webapp testing challenge and you have an OSCP, you will thoroughly crush it.

I could really go on about job hunting. Despite how stressful it can be, pouring effort into it and getting a job you love is always rewarding. To keep it short: The OSCP will get you an interview in any security company, and the knowledge required to get into many jobs.

It's not a magic bullet, but it works.

• OSCP
• education
• review