OSCP: A Great Cert Value?


@author Randy Gingeleski

@since 02/19/2017

@see certs, education


As touched upon in a previous post, the need for certs to work in the infosec realm is negligible. You can teach yourself anything with free resources and time spent trying things out. A cert gives you credibility for getting work – potential employers can look up your certification number instead of interviewing you on subject matter.

But what if you want to use a cert as an incentive to learn new content? I can see that: the fear of the money you paid for course materials and the exam going to waste.

I have it on good authority that the OSCP cert is one of the better values in our industry. Everything is very hands-on, and the exam itself gives you 48 hours to work. The first half of that time is for penetrating as many systems as you can on the network. The next 24 hours are for writing the pen test report (!).

Co-author Evan and I dream of a world where paid pen test work *just* means testing (“fun”) and not client presentation. 🌈

To me the OSCP cert (the precursor course is “Pen Testing with Kali” by Offensive Security) sounds like the superior offer for hands-on learning.

But what about the value part? Course materials, 90 days’ lab access, and a first exam attempt are about $1150. Retakes are $60. With those prices you won’t have a stroke over test day.

Obviously this is more expensive than the Security+ (about $300) or CSSLP (about $600). But you’ll probably get more out of it than either of those, which have healthy amounts of useless memorization. Stuff like DoD forms call for this or that.

On the content front, it really sounds like the OSCP is a great value. Major universities charge that $1150 per credit hour.

Before you go ordering, though, think about where you want to work. This would hold the most weight for red-teaming positions. Not so much for database security. I’ll go out on a limb and say there’s not a lot of memory forensics content in there either.

Also, the OSCP doesn’t seem to have the popularity or recognition of some of the other certs (yet?). You’d have to have taken it to recognize the accomplishment. So this is probably something that would hold more weight at a smaller firm than a mega-corporation.

For more information see Offensive Security’s site.