The Offensive Security Certified Professional (OSCP) and its recent OSCP+ extension are popular certifications for penetration testing (pentesting) professionals.
If you’re new to pentesting or looking to advance your skill set, you’ve probably considered taking the OSCP test. Learn the difference between OSCP and OSCP+ and other popular certifications, what they require, and whether they’re worthwhile investments.
OSCP is a pentesting certification that validates hands-on hacking skill and tool mastery. Obtaining the certification requires candidates to take an in-depth training course and pass a test that involves hacking live machines in real-time in a lab environment. Because it demands advanced technical knowledge and practical skill, the OSCP is considered a more challenging certification designed for advanced pentesters.
Cybersecurity industry leaders widely recognize OSCP as a mark of expertise, making it highly sought after by security professionals pursuing a career in pentesting, red teaming, or offensive security. It is commonly listed as a requirement when applying for penetration testing jobs, and holding an OSCP certification helps secure an interview (especially for individuals new to pentesting). The OSCP certification is the most established because there is no ISO-like certification for pentesting, and this is the closest
OSCP is offered by Offensive Security (OffSec), a US-based cybersecurity company that has been in operation since 2006 and is known in the industry for its Kali Linux distribution. Because of this background, the OSCP test places a strong emphasis on tools packaged with Kali Linux and requires knowledge of Linux.
OffSec awards the OSCP as a lifetime certification, with an annual fee applying to the advanced OSCP+ version. Originally, candidates earned the OSCP as a standalone certification. Today, existing OSCP certification holders keep their lifetime certification, while new candidates receive lifetime OSCP certification when they successfully obtain OSCP+ certification. Certification holders retain lifetime OSCP certification regardless of whether they continue renewing their OSCP+ certification after passing the test.
On November 1, 2024, OffSec updated OSCP certification by introducing the OSCP+ certificate. Reflecting recent industry demands for ongoing skill maintenance, the OSCP+ requires recertification every three years to stay current with new content and trends.
To obtain recertification, certificate holders must complete one of three requirements:
OSCP+ candidates receive lifetime OSCP certification upon achieving OSCP+ certification. Renewing OSCP+ certification is not required to maintain OSCP certification.
The cost of obtaining OSCP+ certification starts at $1,749 as of January 2026. This includes the Penetration Testing with Kali Linux (PEN-200) training course or another 200- or 300-level course, lab access (for 90 days), and one exam attempt. Additional lab hours or exam retakes incur additional fees. A standalone exam for candidates who feel they are already prepared for the test is available for $1,699 without training materials. Existing OSCP holders can take the OSCP+ test at a discount of $199. More expensive packages featuring annual and unlimited subscriptions are available.
OSCP stands in contrast to another popular pentesting certification, Certified Ethical Hacker (CEH), offered by the International Council of E-Commerce Consultants (EC-Council), the world’s largest cybersecurity certification provider. While the OSCP and CEH both have widespread industry recognition as standards of pentesting certification, they differ in some significant respects:
While OSCP requires a demonstration of hands-on skill mastery, the CEH awards certificates for passing a four-hour multiple-choice theoretical exam, a six-hour lab practical exam, or both.
Overall, the OSCP focuses more specifically on validating hands-on pentesting skills, while the CEH certifies general cybersecurity knowledge and skills.
OSCP candidates are assumed to have hands-on practical knowledge of Linux and Windows administration, networking, and network scripting. Candidates normally take the OffSec Penetration Testing with Kali Linux (PEN-200) course before attempting the hands-on exam.
The course is intended to impart the essential technical skills and mindset needed to simulate and counter offensive information security operations. It teaches how to identify and exploit real-world vulnerabilities across a variety of environments, including host systems, networks, web applications, and cloud infrastructure. It is organized into more than 20 modules that cover:
Most modules include companion videos and hands-on labs. After mastering module content, candidates can progress to nine challenge labs to practice using combined skills in realistic penetration test engagement. Three of the challenge labs emulate the OSCP+ exam environment, providing a rehearsal for the actual test.
The exam itself simulates a live network in a private VPN containing a small number of vulnerable machines. Different instructions accompany each machine target. Candidates must write a professional report describing their exploitation process for each target. The report must document all attack steps, commands, and console output. The resulting pentest report must be thorough enough that a technically competent reader could replicate the attacks.
Machine targets and corresponding exam points are structured as follows:
3 stand-alone machines (60 points total):
A total of 100 points is possible. A minimum of 70 is required to pass. Possible scenarios for passing include:
Exams are proctored. Candidates have 23 hours and 45 minutes to complete the test.
The cybersecurity industry is an ever-changing landscape, with AI recently reshaping the industry, and professionals continuously wonder whether OSCP certification remains a sound investment in today’s environment. The answer is a conditional yes.
Yes, OSCP and OSCP+ remain widely recognized industry standards for validating offensive security skills, making them valuable for professionals wishing to advance in a pentesting or red teaming career. At the same time, taking the test is expensive, and retaking it incurs additional costs, so it’s prudent to make sure you’re prepared to pass before paying for the test. Before investing your money, make sure you have the background familiarity with Linux and Windows administration, networking, and scripting that you’ll need to succeed.
OSCP and OSCP+ are two of today’s most popular certifications, but today’s cybersecurity industry offers a growing number of alternative certifications and increasing specialization. Which certification is right for you depends on your goals and requirements. Learn more about other cybersecurity certifications by visiting the Cobalt Offensive Security Learning Center.