OSCP Review and Critique: Great certification that could use some user experience improvements
Corey J. Ball
Founder and CEO @ hAPI Labs | Author of Hacking APIs | Founder of APIsec University
Before I get too far I want to say that my experience with the Offensive Security Certified Professional (OSCP) helped me develop a ton in the realm of offensive security and broadened my practical knowledge of vulnerabilities, exploits, Linux usage, web app security testing and the practical usage of many security focused applications. I am grateful for this experience and do not regret the time I committed to it, which was from January 2017 until finally passing in October 2018. I do highly suggest it to cybersecurity professionals looking to get into offensive security.
My experience is based on this timeframe, so if improvements have been made since, good for Offensive Security. Every person is different and will have a different experience with this certification, so please keep in mind that this is my unique experience and may not apply to others. In the end, I think that the OSCP is an excellent challenge and that Offensive Security has several areas that can be improved to greatly enhance student experiences, and if they don't, then it is only a matter of time before another organization comes along and fills this gap.
Right away I came to experience the same problem shared by everyone who enrolls in Penetration Testing with Kali Linux (PWK). You purchase lab time and are not provided the course study material until the lab time begins. As a new student you are instantly confronted with the unnecessary problem of how to balance studying the material as your lab time ticks down. Since there is a delay for setup time before Offensive Security grants access, it would make much more sense, and be much fairer, to provide the course study materials before lab access begins.
Prior to the OSCP I had obtained: A+, Network+, Security+, Certified Ethical Hacker, and CISSP. These are all knowledge-based tests: you obtain study materials, study them, take a multiple-choice test that you pass or fail, and are then provided feedback. I studied the OSCP course materials, all the way through, multiple times, with over 100 hours (at this point) spent in the lab. For any other certification test I had taken up to this point, that would have been more than enough time invested to pass. As a newcomer to offensive security, it hit me like a bag of bricks after I failed the OSCP the first time to learn that the OSCP study materials were nowhere near enough information for me to pass the exam. This realization was paired with another: just like in actual penetration tests, there is no single source, study guide, or video series that will provide you with success. Instead, you need it all. Success in penetration testing comes from all of the above: lab hours, studying every possible bit of information out there, reading through exploits, reading all of the books out there, and much more. My primary suggestion for an improvement is for Offensive Security to make this explicit from the start by including additional suggested study materials in their course materials.
After taking the exam and learning more about offensive security, I came to understand that the course study materials contained superfluous information that added to my confusion during and around the exam. For example, the course has sections dedicated to SQLMap, vulnerability scanning, XSS, and Metasploit. XSS is unnecessary information when it comes to the OSCP labs or exam, and Metasploit has very limited usage relative to the time that is spent studying it. It is explicit from the start of the course materials that vulnerability scanning and Metasploit are limited. Yes, I am aware that all of these are useful and valuable in actual penetration testing. I only wish that Offensive Security had clarified all of this in the study materials instead of separately in the exam restrictions.
An improvement to the course videos would be to teach to circumstances similar to those students will actually experience. The Offensive Security training often uses a GUI, yet a GUI is rarely available in engagements, CTFs, or the labs. My suggestion would be to alter/add to the training so that it reflects the more realistic majority of CTF/pentest experiences and is done purely through a terminal. Worst case, include both the GUI and how you would operate without a GUI.
I think the most critical room for improvement is the lack of a feedback loop regarding the exam. If you fail, the only information you are provided is that you failed, and the same happens if you pass. I greatly appreciate every other certification organization (that I have worked with) that gives you a feedback loop after you pass or fail. Either way, they let you know, in detail, the areas that you can improve upon. If you fail, and only if you request feedback, an Offensive Security rep will provide you with generic tips to pass next time. I was provided with the same generic information all three times that I failed. The strange part is that this generic info should have been provided with the course study materials as additional suggested study information from the start. What would actually be valuable as feedback would be receiving direct information regarding your attempt when you pass or fail. For example: "You were successful at XYZ, meanwhile you failed to enumerate XYZ; during post-exploitation you did XYZ successfully, but failed to pursue XYZ; and your report included XYZ, but we were not able to replicate your findings based on your guide. Due to these findings we suggest studying Chapters 2, 3 and 4, reading this guide, and working on XYZ machines in the lab." I know that this requires a balance, due to the limited number of exam machines, the limited Offensive Security manpower dedicated to each exam, and the need to not simply provide students the answers. Feedback is essential for personal improvement, and not providing feedback creates an unnecessary challenge for students.
Offensive Security isn't entirely to blame; there are definitely things I could have done to improve my own experience:
Found a study buddy or group. I often felt isolated during my OSCP experience, and it would have helped to find another person or a study group to vent to and bounce ideas off of. Most people I interacted with in the course forums or over IRC were often too coy (maybe afraid of revealing TMI).
Started with additional offensive security knowledge. I did meet the prerequisites posted on Offensive Security's FAQ: "Penetration Testing with Kali Linux is a foundational course, but still requires students to have certain knowledge prior to attending the online class. A solid understanding of TCP/IP, networking, and reasonable Linux skills are required. Familiarity with Bash scripting along with basic Perl or Python is considered a plus." Either way, more knowledge and experience with CTFs would have improved my experience.
Designed a very specific plan of attack for the exam. I had a ton of notes and information organized by the attack stages: Recon, Enumeration, Exploitation, and Privilege Escalation. During the final exam attempts I found a lot more success by having my own step-by-step procedures to guide me during the frantic time of taking the exam.
To borrow from Churchill, the OSCP is the worst certification except for all those others. The OSCP is excellent at how practical it is. The hands-on experience brought me to a whole new level with pentesting, thinking offensively, manually finding vulnerabilities, web app hacking, understanding published exploits, manual exploitation, and creating my own buffer overflow exploit. It is currently the best certification for an entry into practical offensive security.
I highly suggest the OSCP for any cybersecurity professional looking to dive into practical cybersecurity and, more specifically, offensive security. I hope that Offensive Security improves/updates the overall user experience and that other certification organizations see how they can be competitive with the gaps that currently exist. I plan to release my OSCP exam guide next week after I submit it to Offensive Security for approval. Thanks for your time!
Head IT and Digital Compliance at Wema Bank PLC
6y: This is very interesting.
Securing Digital Ecosystems to Fuel Business Growth. Ask me how!
6y: Thanks for the insightful post. Rooting for the guide approval because if it's similar to this post, it will be extremely helpful.
C|CISO, CISSP, CDPO, CDPSE, ECSA, CEH, CRISC, CISM, CISA, 2xAWS | Cybersecurity Strategy | Cloud Security | DevSecOps Architect | Security Operations | Leading Secure Digital Transformation Initiatives
6y: Thanks Corey for the heads up.
Ethical Hacker at Securance HackDefense
6y: Great insight! Do you have a list of external resources that you studied?