
Ultimate Guide to OSEP (2025): OffSec’s Advanced Penetration Testing Cert

If you’ve mastered the basics of penetration testing and you’re ready to prove you can breach hardened enterprise environments, the Offensive Security Experienced Penetration Tester — better known as OSEP — is a powerful next step. The OSEP certification validates advanced skills in evasion, lateral movement, and Active Directory exploitation. In this ultimate guide, we’ll walk through what OSEP is, how the exam works, the PEN-300 syllabus, preparation strategies, cost, and real-world career value so you can decide if it’s right for you and build a plan to pass on your first attempt.

Note: All facts and policies are based on official OffSec resources and current as of October 15, 2025. Always verify details at checkout and in your learner portal, as they can change over time.

What Is OSEP? Certification Overview

The OffSec Experienced Penetration Tester (OSEP) is an advanced certification awarded after completing PEN-300 (Evasion Techniques and Breaching Defenses) and passing a proctored practical exam. It demonstrates that you can breach mature, defense-in-depth environments and operate stealthily while achieving business-relevant objectives. OSEP does not expire, and it is recognized globally among security teams and hiring managers.

OSEP also fits into OffSec’s advanced trilogy, OSCE³. When you earn OSEP, OSED (EXP‑301), and OSWE (WEB‑300), you receive the OSCE³ designation automatically — there’s no extra exam required.

Actionable takeaway:

  • If you’re mapping a long-term roadmap, consider targeting OSCE³. Planning your study sequence (e.g., OSEP → OSWE → OSED) can maximize compounding skills while you’re still in “study mode.”

Why OSEP? Purpose and Unique Value

OSEP’s value lies in what it uniquely measures: the ability to bypass modern defensive controls and execute end-to-end breaches across enterprise networks. While OSCP (PEN‑200) proves solid fundamentals — enumeration, exploitation, privilege escalation — OSEP proves you can thrive when blue teams, EDR, and application controls are in your way.

What makes OSEP stand out:

  • Advanced evasion: AMSI/AV bypass, allow‑listing bypass, and stealthy process injection.

  • Surviving the perimeter: Working around proxies, IDS/IPS, and HTTPS inspection.

  • Enterprise tradecraft: AD/forest compromise, Kerberos abuses, SQL Server pivoting, multi‑host chaining.

Actionable takeaway:

  • Keep a “defense-aware” mindset during practice. Ask: Which control is blocking me? Which technique or path minimizes detection while moving me closer to objectives?

Eligibility and Prerequisites

OffSec recommends OSCP-level competence (PEN-200) or equivalent hands-on experience. You should be comfortable with:

  • Scripting in PowerShell/Bash/Python; basic C# skill is a plus.

  • Windows internals, common vulnerabilities, privilege escalation paths.

  • Active Directory basics and Kerberos concepts.

Actionable takeaway:

  • If you haven’t written a basic C# loader or PowerShell dropper, schedule a weekend to build and run one against a local AV — it will pay huge dividends for OSEP.

Exam Structure and Content

Here’s how the OSEP exam works — these details matter for your preparation and time management.

  • Format and duration: The exam is proctored and delivered over a private VPN into a simulated corporate network. You have 47 hours and 45 minutes for hands-on work plus 24 hours to submit your report. Results arrive within 10 business days of report submission.

  • Scoring and pass criteria:

    • You collect points by obtaining proof files (e.g., local.txt/proof.txt), typically worth 10 points each.

    • You pass by either achieving the main exam objective (validated with secret.txt) or reaching 100 points. There are no “bonus” points from doing course labs.

  • Targets and reverts:

    • You’ll face a multi-machine enterprise-style network.

    • You have 50 reverts for machines, and you can reset that 50 once. Use reverts carefully; they’re a finite resource.

  • Allowed/prohibited tools and AI policy:

    • Disallowed: Commercial frameworks such as Cobalt Strike, Core Impact, Burp Suite Pro, Metasploit Pro.

    • Allowed: Community/custom tools like Metasploit Community, Empire, Covenant, BloodHound, SQLmap — and custom tooling you write.

    • AI policy: LLM/chatbots (ChatGPT, Gemini, Copilot, OffSec KAI) are prohibited across OffSec exams. Tools with built-in non-interactive AI features (e.g., Notion AI for organizational assistance) are permitted. The OSEE exam is the sole exception to OffSec’s LLM policy.

  • Reporting requirements:

    • OffSec expects step-by-step, reproducible documentation that allows the graders to follow your path and confirm flags/objectives.

    • You must follow precise naming and submission rules (PDF archived to .7z; specific filename format; upload through the portal) within 24 hours of the exam end.

  • Syllabus alignment:

    • Client-side attacks and initial access.

    • Defense evasion: process injection, AMSI/AV bypass, allow‑listing bypasses.

    • Egress/inspection evasion: DNS tunneling, web proxy navigation, IDS/IPS workarounds, HTTPS inspection evasion, domain fronting.

    • Windows/Linux lateral movement, credential and Kerberos attacks.

    • AD and cross-forest compromise, MS‑SQL abuse for pivoting.

    • Each of these topics maps to explicit PEN‑300 modules.

Actionable takeaway:

  • Build a personal “Exam Runbook” that lists: initial triage checks, foothold techniques, your preferred lateral moves, evasion playbook, and report evidence checklist. Keep it open during the exam to minimize decision fatigue.

Preparation Strategies and Resources

Your prep should mirror the exam: evasion-first thinking, enterprise chaining, steady documentation, and repeatability.

  1. Master the official course (PEN-300)

  • Work through all modules, then tackle the course challenges. OffSec notes the final challenge is comparable to the exam’s feel. Do it multiple times and try alternate paths to build flexibility.

  2. Build an exam-legal toolkit

  • Foundation: Metasploit Community, BloodHound, Covenant/Empire, SQLmap.

  • Custom capability: C# and PowerShell loaders; AMSI bypass variations; minimally noisy enumeration scripts; process injection demos.

  • Validate legality and reliability in your own lab.

  3. Train on AD tradecraft

  • Focus on Kerberos (AS‑REP roasting, constrained/unconstrained delegation, S4U, golden/silver tickets), DACL/ACL abuses, cross‑forest attack paths, MS‑SQL lateral movement/pivoting, and stealthy credential access.

  4. Use realistic labs

  • OffSec Proving Grounds Practice starts at $19/month and offers varied machines to hone post‑exploitation and lateral movement. Complement with your home lab reflecting AV/AMSI, AppLocker, web proxy/inspection, and logging to simulate enterprise friction.

  5. Respect scheduling and policy constraints

  • Schedule early. Rescheduling is allowed up to 48 hours before the start. If you fail, cooling‑off periods apply (4/8/12 weeks after the 1st/2nd/3rd+ attempt). Retakes, when purchased, are valid for 120 days.

  • Remember: No LLMs/chatbots and no disallowed commercial tools. Don’t seek help during the exam — OffSec enforces NDAs strictly.

Actionable takeaway:

  • Before exam day, conduct a “red team dress rehearsal”: set a 6–8 hour timer and attempt an end-to-end breach in your lab from phishing-style initial access to domain compromise with reporting screenshots. Time your steps.

Cost and Investment

Prices vary by plan and can change, so confirm at checkout. As of October 15, 2025:

  • Learn One (individual): $2,749/year. Includes one primary course (choose PEN‑300), one year of labs for that course, two exam attempts for the chosen course, plus one KLCP and one OSWP attempt.

  • Learn Unlimited (individual): OffSec documentation shows $6,099/year as a representative price; unlimited exam attempts while the subscription is active.

  • Course & Cert Exam Bundle (individual): 90 days of course + labs for a single course (e.g., PEN‑300) and one exam attempt; OffSec checkout lists “200+ level courses starting at $1,749.” Actual PEN‑300 bundle price can vary; verify during purchase.

  • Discounts: The Aspire program reduces Learn One by 10/15/20% if you hold 1/2/3+ OffSec certifications (some exclusions apply).

  • Retakes: Available and valid for 120 days; cooling-off applies after each unsuccessful attempt. For OSEP, retake pricing isn’t published the same way as OSCP’s standalone exam; check your “Buy More” page in the portal.

Actionable takeaway:

  • If you plan to pursue additional OffSec certs (e.g., OSWE or OSED) within a year, Learn Unlimited may be more cost-effective due to unlimited attempts during the active subscription window.

Career Value and ROI

  • Advanced credibility: OSEP signals that you can breach and maneuver within defended enterprise environments, not just exploit lab-style vulnerabilities. This aligns with senior pentester and red team roles where AD and evasion dominate.

  • Stackable prestige: OSEP counts toward the OSCE³, one of the most respected advanced benchmarks in the industry.

  • Maintenance synergy: Passing qualifying OffSec certifications like OSEP helps maintain OSCP+ within its three-year cycle.

Actionable takeaway:

  • Showcase OSEP on your resume with a brief “enterprise attack” bullet (e.g., “Simulated breach of hardened AD forest: Defense evasion, multi-hop lateral movement, objective achievement under time constraints”). This translates exam skills into employer language.

Real-World Application of OSEP Skills

The PEN‑300 syllabus and OSEP exam mirror realistic engagements:

  • Initial access via client-side techniques with defensive bypass requirements.

  • Living off the land and quiet lateral movement across Windows/Linux.

  • Kerberos abuse, credential targeting, and SQL Server pivoting.

  • Egress and inspection evasion (DNS tunneling, proxies, HTTPS inspection).

  • Cross-forest compromise and objective-driven operations.

For organizations, OffSec also provides in-house training options to level up entire teams. [In‑House Training FAQ]

Actionable takeaway:

  • Keep a “detections” diary while practicing. For each technique, note the probable alert sources (EDR, proxy, DNS logs) and what you did to reduce noise.

Exam-Day Playbook: A Quick Checklist

  • Environment: Test VPN, VM snapshots, and proctoring tools a day before.

  • Triage: Enumerate broadly, prioritize paths that reduce control friction (e.g., whitelisted script hosts, signed binaries, quiet C2).

  • Evasion: Be ready with multiple AMSI bypass variants and a fallback loader.

  • Lateral movement: Favor living-off-the-land and native mechanisms first; pivot via SQL Server and Kerberos when it advances the objective.

  • Documentation: Screenshot everything; annotate commands; track flags and objectives; maintain a running log that becomes your report.

  • Reverts: Budget reverts for “stuck” states; avoid knee-jerk resets that cost you time.

Actionable takeaway:

  • Build a one-page “battle card” with your top 5 foothold techniques, 5 evasions, 5 lateral moves, and 5 data exfil/collection methods you can execute from memory.


FAQs

Q1: Is the OSEP exam proctored?
A1: Yes. You’ll authenticate your identity and be monitored throughout. Follow the setup instructions in your exam email and the Exam Guide.

Q2: How long is the OSEP exam?
A2: You get 47 hours 45 minutes of hands-on time plus 24 hours to submit your report. Expect results within 10 business days after submission.

Q3: How do I pass OSEP?
A3: Either achieve the main objective (proved by secret.txt) or earn 100 points from flags (e.g., local.txt/proof.txt). There are no bonus points from course labs.

Q4: Can I use Cobalt Strike or AI tools like ChatGPT?
A4: No. Commercial frameworks and LLM/chatbots are prohibited. Community tools and custom code are allowed; see the exam guide and AI policy for details.

Q5: How many machine reverts do I get?
A5: You have 50 reverts with a one-time reset option. Use them wisely.

Q6: Does OSEP expire?
A6: No. OffSec certifications generally don’t expire, except OSCP+, OSCC, OSTH, and OSIR.


Conclusion: If your goal is to move from “I can find and exploit vulnerabilities” to “I can breach and operate inside a defended enterprise,” OSEP is a strong signal to employers and clients.