Around 70% of OSCP candidates fail on their first attempt. Most of them aren’t short on talent. They failed because they studied for an exam that changed fundamentally in November 2024 – and nobody told them.
This guide covers exactly what changed, how the 2026 exam is scored, and what a realistic study plan looks like. By the end, you’ll know whether you’re ready to book your exam, or whether you need another 3-4 months of focused practice first.
If you’re also thinking about where OSCP fits in the broader Canadian job market, our guide to cybersecurity jobs in Canada breaks down exactly what pen testers earn and what employers actually post in job descriptions.
What Is “Cracking the Perimeter”?
“Cracking the Perimeter” was an official OffSec course – not just a phrase.
The Cracking the Perimeter course (CTP) was OffSec’s advanced training that paired with the OSCE (Offensive Security Certified Expert) certification. It covered manual exploit development, advanced web attacks, custom shellcode encoding, and edge-device exploitation. For years, passing CTP and earning OSCE was the goal for anyone serious about offensive security beyond OSCP.
OffSec retired CTP in October 2020. The content had become outdated as real-world attack environments grew more complex. Three separate courses replaced it:
| Replacement Course | Certification | Focus |
|---|---|---|
| WEB-300 (AWAE) | OSWE | Advanced web exploitation |
| PEN-300 | OSEP | AV evasion, advanced lateral movement |
| EXP-301 | OSED | Windows x86 userland binary exploitation |
Completing all three earns OSCE3 (OffSec Certified Expert cubed), the successor to the original OSCE.
Today, “cracking the perimeter” is used in the OSCP community as shorthand for the whole journey – learning to break past network defences the way attackers actually do. That’s a fair description. OSCP’s entire premise is that you can’t document what you haven’t done. You don’t pass by memorising theory. You pass by compromising machines.
What Is OSCP – and What Changed With OSCP+ in 2026?
OSCP (Offensive Security Certified Professional) is the entry-level offensive security certification from OffSec. It’s paired with the PEN-200 course, which covers the full penetration testing workflow: enumeration, exploitation, privilege escalation, Active Directory attacks, lateral movement, and post-exploitation.
In November 2024, OffSec introduced the OSCP+ designation. Here’s what that means:
| Feature | Legacy OSCP | OSCP+ (November 2024+) |
|---|---|---|
| Expiry | Lifetime | 3 years |
| Active Directory | Optional | Mandatory (40 pts) |
| Bonus points | Up to 10 pts | Eliminated |
| Partial AD credit | No | Yes |
| Exam cost | Same | Same |
If you earn OSCP now, you earn OSCP+. Candidates who passed before November 2024 keep their lifetime credentials. OffSec hasn’t announced a conversion path. Employers recognise both designations equally.
The practical impact: Active Directory is now 40% of your exam score. You can’t route around it. If your AD skills are weak, you won’t pass – regardless of how well you do on the standalone machines.
How the OSCP Exam Is Scored in 2026
This is where most study guides fall short. They describe an older format. Here’s the actual 2026 structure:
Exam window: 23 hours and 45 minutes to hack.
Report window: 24 hours after the exam ends to submit your report.
Pass score: 70 out of 100 points.
Point breakdown:
| Target | Points |
|---|---|
| Standalone machine 1 | 20 pts |
| Standalone machine 2 | 20 pts |
| Standalone machine 3 | 20 pts |
| AD machine 1 | 10 pts |
| AD machine 2 | 10 pts |
| AD domain controller | 20 pts |
| Total | 100 pts |
Standalone machines: 10 points for a low-privilege shell, 10 points for privilege escalation. You get 20 or partial – depending on how far you get.
AD set: You can now earn partial credit within the AD chain. Machines 1 and 2 each give 10 points even if you don’t reach the domain controller. This is a meaningful change from the pre-2024 format, where many candidates skipped AD entirely and relied on bonus points to make up the gap. That path is gone.
One key Metasploit rule: You can only use Metasploit’s exploit modules on one target. One. Pick it carefully, and don’t rely on it as a fallback for everything else.
The pass math: Get all three standalone machines (60 pts) plus one AD machine (10 pts) and you pass. But counting on all three standalone machines to cooperate is a risky plan. Most candidates who pass do it with a mix of standalone progress and meaningful AD chain work.
Your report counts. Owning a machine and not documenting it properly means no points. Write clean, detailed notes during the exam. Don’t wait until the 20-hour mark to start your report.
Who Should Take OSCP?
OSCP has no formal prerequisites. OffSec won’t stop you from signing up with zero experience. That said, most people who pass share a recognisable baseline.
You should be comfortable with:
- Linux command line (permissions, services, file system navigation, basic privilege escalation)
- Basic Windows administration and Active Directory fundamentals
- TCP/IP networking, subnetting, and common protocols (HTTP, SMB, SSH, RDP)
- Python or Bash scripting at a basic level – enough to modify and run exploit scripts
- Tools: Nmap, Burp Suite, Netcat, basic Metasploit
A sensible path before PEN-200:
- CompTIA Network+ or equivalent networking knowledge
- CompTIA Security+ for security fundamentals
- TryHackMe’s “Jr. Penetration Tester” path, or TCM Security’s Practical Ethical Hacking course
- 20-30 easy/medium machines on HackTheBox or OffSec Proving Grounds
If you’re starting from zero, budget 6-12 months before PEN-200. If you’ve been doing CTFs and know your way around a Linux terminal, you might be ready in 2-3 months.
How Long Does It Take to Prepare for OSCP?
It depends on where you’re starting.
| Background | Realistic prep time |
|---|---|
| Working pentester (2+ years) | 2-4 weeks |
| IT/security background, some CTF experience | 2-3 months |
| General IT background, no security specialisation | 3-6 months |
| Starting from scratch | 6-12 months |
Take these figures as a starting point, not a guarantee. Someone with networking experience putting in 3 hours a day moves faster than a professional studying 2 hours on weekends.
A lesson from a real prep mistake: Alex spent four months grinding TryHackMe and HTB machines, felt confident, and booked his exam. He failed with 52 points. The problem wasn’t exploitation – he could root standalone machines consistently. He’d never seriously practised an AD chain. During the 23-hour exam, he spent 11 hours on the AD set and earned only 10 points. Two months of targeted AD practice later, he passed with 80 points. The knowledge gap wasn’t huge. The preparation gap was.
The Best OSCP Study Resources for 2026
Not all practice platforms prepare you equally. Some build confidence. Others specifically train you for the exam.
Tier 1: Closest to the Exam
OffSec Proving Grounds Practice – OffSec employees built these machines. The enumeration patterns, exploitation paths, and overall feel are the closest you’ll find to what shows up on exam day. Start here once you’ve finished the PEN-200 course material.
PEN-200 labs and 9 challenge labs – Don’t skip the challenge labs. Medtech, Relia, and SKYLARK mirror the exam format. Work through all of them before you book your exam date.
Tier 2: Essential Supplements
HackTheBox (TJ Null list) – TJ Null’s curated list of retired HTB machines is the community gold standard for OSCP prep. The machines push you to think creatively rather than follow a single approach – exactly what the exam rewards.
TryHackMe (Offensive Pentesting path) – Better for filling early gaps and getting comfortable with methodology. Solid pre-PEN-200 foundation, especially the “Jr. Penetration Tester” learning path on TryHackMe.
Tier 3: Supporting Resources
TCM Security AD course – Active Directory is now 40% of your score. TCM’s dedicated AD course is one of the best resources available, and it’s considerably cheaper than the time and $249 retake fee you’d spend failing the exam.
IPPSEC on YouTube – Walkthroughs of retired HTB machines. Watch the thought process, not just the commands. IPPSEC explains why each step happens, which is the actual skill the exam tests.
0x4D31/awesome-oscp on GitHub – Community-maintained list of cheatsheets, writeups, and tools. Bookmark it. Use it when you’re stuck.
A 6-Month OSCP Study Plan
This plan suits someone with a general IT or networking background and no serious security experience.
| Month | Focus |
|---|---|
| 1-2 | PEN-200 lectures, PDF, and written exercises. Cover every module. Don’t rush. |
| 3 | PEN-200 lab machines. Complete as many as you can. Take notes on every single machine. |
| 4 | PEN-200 challenge labs (Medtech, Relia, SKYLARK). These are your dress rehearsal. |
| 5 | TJ Null HTB list + Proving Grounds Practice. Mix easy and medium difficulty machines. |
| 6 | Timed practice runs (23h 45m on a set of machines). Report writing practice. Book the exam. |
Daily time investment: 2-3 hours on weekdays, 4-6 hours on weekends. Consistency beats intensity.
Report writing isn’t optional practice. Many candidates spend their exam time hacking and almost no time on documentation. OffSec awards no points for machines you compromised but didn’t document. Practise writing professional penetration testing reports from month 3 onward, not in the final week.
If you want structured, instructor-led training alongside your self-study, SMEnode Academy’s Cybersecurity Bootcamp covers penetration testing fundamentals, live lab practice, and 1-on-1 mentorship – a useful complement to PEN-200 for candidates who want guidance alongside the OffSec material.
4 Mistakes That Sink OSCP Candidates
1. Skipping Active Directory prep
The November 2024 changes made AD mandatory and worth 40 points. Candidates who treated AD as optional in their prep – because it was optional in the old exam – arrive at the exam without the skills to earn those 40 points. If you haven’t practised Kerberoasting, Pass-the-Hash, and lateral movement until they’re second nature, the AD set will cost you the exam.
2. Never training under exam conditions
Plenty of people can solve machines with no time limit and a dozen write-ups open in another tab. Far fewer can solve three machines in 23 hours with no hints and a clock running. Run timed practice sessions before you book. It changes how you think under pressure.
3. Writing the report at the end
Document everything during the exam. Every command, every output, every screenshot with a timestamp. Trying to reconstruct your methodology from memory after 20 hours of active hacking leads to a report with gaps. Gaps mean missing points.
4. Over-relying on Metasploit
Metasploit works on exactly one machine. Every other compromise needs to be manual. Candidates who’ve built their skills around Metasploit runs find themselves stuck during the exam when it’s not an option. Practise manual exploitation from the first month.
What OSCP Is Worth in the 2026 Job Market
OSCP is the most recognised offensive security credential in job postings globally. It signals something specific to employers: you can actually exploit a system under real conditions, not just describe how vulnerabilities work in theory.
Average OSCP-holder salary in the US sits between $117,000 and $151,000 per year. In Canadian cybersecurity roles, the salary premium is comparable. Our guide to cybersecurity jobs in Canada covers salary ranges by role and what Canadian employers are paying for certified pen testers in 2026.
Job titles OSCP opens:
- Penetration Tester
- Red Team Operator
- Security Consultant
- Vulnerability Researcher
- Offensive Security Engineer
A quick example of what a cert can do: Priya had been working as a network administrator in Vancouver for three years when she passed OSCP in early 2025. Two weeks after updating her LinkedIn profile, four recruiter messages arrived. She negotiated a mid-senior penetration tester role at $130K CAD – roughly $40K more than her previous admin salary. The credential didn’t make her a better hacker overnight. It gave employers proof of skills she already had.
OSCP is often described in the community as “a floor, not a ceiling.” Senior red team and exploit development roles increasingly look for OSEP, OSED, or the full OSCE3 stack on top of OSCP. But without OSCP, most of those doors don’t open in the first place.
The $1,749 PEN-200 bundle (90 days of lab access plus one exam attempt) pays back within days once you land the role.
Ready to build the foundational skills before you invest in PEN-200? The SMEnode Academy Cybersecurity Bootcamp combines live instructor-led training with real lab environments, career coaching, and 1-on-1 mentorship from practitioners who’ve been through certification paths like this one.
Building Your Lab Environment
Home lab practice accelerates everything. You don’t need expensive hardware. A basic virtualisation setup lets you run vulnerable machines, practise enumeration, and test exploits without burning through your Proving Grounds credits.
Our guide to setting up a Proxmox homelab walks through building a virtualisation environment from bare metal – the same kind of setup most OSCP candidates use for running VulnHub machines and local Active Directory practice labs.
Frequently Asked Questions
What is “Cracking the Perimeter” in OSCP?
“Cracking the Perimeter” (CTP) was an official OffSec advanced course paired with the OSCE certification. OffSec retired it in October 2020 and replaced it with three separate courses: WEB-300, PEN-300, and EXP-301. Today, the phrase is used informally in the OSCP community to describe the goal of OSCP itself – learning to break through network perimeters the way attackers do.
How hard is OSCP in 2026?
Roughly 70% of candidates fail on their first attempt. The November 2024 changes made the exam harder by eliminating bonus points and making Active Directory mandatory. Candidates with solid AD skills who practise under real timed conditions pass at higher rates. The technical bar is achievable. The preparation bar is where most people fall short.
How much does OSCP cost in 2026?
The PEN-200 bundle (90 days of lab access plus one exam attempt) costs $1,749 USD. The Learn One subscription (12 months of lab access and two exam attempts) costs $2,749 per year. A single exam retake is $249.
Can I take OSCP without prior experience?
Technically, yes. OffSec doesn’t require prior certifications or a degree. In practice, going in without solid Linux, Windows, networking, and basic scripting knowledge significantly lowers your chances. Most people benefit from completing TryHackMe’s “Jr. Penetration Tester” path or TCM Security’s Practical Ethical Hacking course before starting PEN-200.
How long does OSCP certification last?
OSCP+ (earned by new candidates from November 2024 onward) expires after three years and requires renewal. Legacy OSCP holders who earned the cert before November 2024 keep their lifetime credentials.
What happens if I fail OSCP?
You can retake for $249. OffSec allows unlimited retakes. Most candidates who eventually pass do so on their second or third attempt. Treat a failed attempt as a diagnostic – find out which areas cost you points and build a focused 4-6 week remediation plan before retaking.
The Bottom Line
OSCP is genuinely hard. The 70% first-attempt failure rate isn’t arbitrary – it reflects an exam that tests what it claims to test. But most candidates who fail aren’t failing because of talent. They’re failing because they prepared for the wrong exam, skipped Active Directory, or never practised under real time pressure.
The 2026 exam is clear: 70 points to pass, 40 of those points come from Active Directory. Practise enumeration until it’s automatic. Write your report during the exam, not after. Run timed sessions before you book.
If you’re ready to start building the offensive security skills to back up your OSCP prep, the SMEnode Academy Cybersecurity Bootcamp combines live instructor-led training with real lab environments and career support. Check the current schedule and see if it fits your timeline.
