Passing OSCP... or not?

Having passed the OSCP exam a few months ago, I thought I’d make the “obligatory” OSCP review post and share some of my own experience overcoming this milestone. What better way to do it than in our RE:UN10N monthly sharing session? You can find the recording below and the slides to the talk here.

TODO: Update this video when it gets released

This post gathers some of the thoughts that I had initially planned to share in the talk but that did not make it in, either because of time limits or because I simply forgot.

I made this presentation back in February and planned to deliver it that month. But through the power of procrastination, it’s now… the end of April… Better late than never, I suppose. :D

Why OSCP?

If you’re in the job market for cybersecurity positions, you’ll certainly come across job requirements that ask for certifications. And for those who want to work in offensive security, the OSCP will be no stranger to you, as it’s generally listed as a minimum requirement. I need to emphasise “generally” here because I know not all jobs out there demand it from candidates (especially if it’s a junior position), but nine times out of ten when you get interviewed, they’ll ask why you haven’t gotten certified yet.

The Price is Hard to Swallow

The basic 90-day package for the OSCP costs 1749 USD. At the time of writing that converts to a whopping RM 6933.91 (~RM 7.2k during my time), but depending on how the Ringgit strengthens against the USD, you may be able to purchase it for a few hundred ringgit cheaper.

Still, that’s a tough price to swallow for a certification. Even more so for students who are still in school or just fresh out of it. We students are broke. And if you plan on buying the higher tier plan that grants you one year of access, that’s gonna cost you 2749 USD (~RM 10898.41), which is more than an IPTA degree.

What I Liked and Didn’t Like about OSCP

The good:

  • There are no prerequisites for taking the course. This means that someone without any prior knowledge of cybersecurity can take the course and, by the end of it, come out with the basic competencies expected of a junior pentester.
  • The course exposes students to a bit of everything from the different pentesting domains. Last I heard, they’re also planning to add more modules to the course to make it more up-to-date? That’s definitely welcome, because the field is always changing (AI security, perhaps?).
  • The Challenge Labs and PG Practice were pretty fun. I learned the most from these two resources and found them the most helpful for tackling the exam.

The bad:

  • Because the course covers a bit of everything, there isn’t much room to delve deeper into the topics introduced.
  • The course content leaves much to be desired. I feel like most parts of the course just had students follow along with commands instead of explaining why certain vulnerabilities occur and how they could be prevented.
  • The web security content is a bit lacking. Most of the pentesting work out there deals with web apps, and I would’ve preferred that they focused more on this area instead.
  • Offsec has its own “style” of designing challenges. So if you’re unfamiliar with their patterns, you may be caught off guard by what they expect you to do. I’ll admit it felt somewhat guessy before I got the hang of it.

Would I Recommend Taking It?

Personally, I wouldn’t recommend taking the OSCP if I had to pay for it out of my own pocket. I was fortunate enough to be sponsored by my employer to pursue the certification, but that may not be the case for everyone.

Given the steep price point, I don’t think it’s reasonable to expect candidates (especially those fresh out of school) applying for their first pentest job to be able to afford this. Other evaluation criteria have to be used for hiring graduates, like CTF participation, blogs or personal research. Relying solely on the OSCP ends up gatekeeping a lot of capable candidates who, in my opinion, can bring a lot more to the table than just the cert.

For those already working as pentesters, I think most will have to take the OSCP at some point to progress further in their careers. Ideally, your employer values your personal growth and is willing to fund your certification at no cost to you. Otherwise, discuss a reasonable bond with them that works for both sides so you can get it funded.


And with that, thanks for letting me yap about the OSCP for a bit. I probably won’t be pursuing a new certification anytime soon, so until next time, for another certification review. :)

This post is licensed under CC BY 4.0 by the author.