⚔️ OSEP
Offensive Security Experienced Penetration Tester

🔑 Certifications focused on advanced pentesting, evasion techniques, realistic exploitation, and red teaming.

🧠 1. Certification Name and Issuing Body

  • Full name: Offensive Security Experienced Penetration Tester (OSEP)

  • Issuing organization: Offensive Security (OffSec)

  • Reputation and global recognition: Highly respected in the offensive security community. Considered the next step after OSCP for those seeking advanced knowledge in Active Directory exploitation, evasion, and red team tactics.

📚 2. Curriculum and Skills Covered

  • Covered domains:

    1. Advanced Windows exploitation and privilege escalation

    2. Active Directory attacks (Kerberoasting, Pass-the-Hash, ACL abuse)

    3. Antivirus and EDR evasion techniques

    4. Client-side attacks and phishing payloads

    5. Lateral movement (e.g., WMI, PSExec, DCOM, PowerShell Remoting)

    6. Command and Control (C2) infrastructure

    7. Custom payload development and obfuscation

    8. Situational awareness, OPSEC, and persistence techniques

  • Depth of content: Deeply technical, scenario-based with a strong focus on adversary simulation and stealth tactics

  • Technologies and tools included: Cobalt Strike (trial), Empire, SharpHound, Covenant, PowerShell, Python, Obfuscation tools, Windows API, AMSI bypasses

  • Relevance in the current job market: Extremely high in red teaming, threat emulation, and adversary simulation roles

  • Mapping to frameworks: Strong alignment with MITRE ATT&CK (Persistence, Defense Evasion, Lateral Movement), NICE Framework (PR, AN, OM), NIST 800-115

🧩 3. Prerequisites and Recommended Level

  • Prior certifications or experience required?: OSCP is highly recommended, but not required

  • Expected skill level: Advanced

  • Required knowledge: Strong grasp of Windows internals, scripting, basic malware techniques, Active Directory structure, and common enterprise defenses

💵 4. Cost

  • Total cost:

    • 90-day lab access + exam: $1,499 USD

  • Study materials or lab access included?: Yes — includes full PDF courseware, video content, labs, and one exam attempt

  • Discounts: Occasional bundles or vouchers; veterans and students may access discounts via institutions

⏳ 5. Estimated Preparation Time

  • Recommended study hours: 150–200+ hours depending on prior experience

  • Self-paced or instructor-led: Self-paced

  • Learning modes: PDF manual, HD videos, and large custom lab environment with AD networks and defensive systems

🎯 6. Target Roles and Career Path

  • Job roles: Red Teamer, Threat Emulation Specialist, Senior Penetration Tester, Adversary Simulation Consultant, Malware Developer

  • Career goals: Ideal for those who want to operate in mature enterprise environments and simulate real-world attacks

  • Type: Offensive security with a strong emphasis on stealth, persistence, and operational security

🧪 7. Exam Format and Difficulty

  • Is the exam online or in-person?: Online, proctored

  • Theoretical, hands-on, or both?: 100% hands-on practical exam

  • Proctored exam or testing center?: Remote proctoring with strict monitoring

  • Length and number of questions: 48 hours to complete a realistic engagement-style exam (compromising an AD environment), + 24 hours for reporting

  • Difficulty level or average pass rate: High — requires solid methodology, stealth skills, and well-written documentation

📜 8. Validity and Renewal

  • Does it expire?: No — lifetime certification

  • Renewal process: None required; OffSec encourages continuing education and new certifications

🧰 9. Study Resources Available

  • Official documentation: OffSec EXP-301 courseware (PDF + videos)

  • Recommended books:

    • Red Team Field Manual

    • Adversarial Tradecraft in Cybersecurity

    • The Hacker Playbook Vol. 3

    • Active Directory Attacks for Red and Blue Teams

  • Online labs or platforms: OffSec labs, Hack The Box (Offensive Pentesting, Red Team Path), CRTO and CRTP labs

  • YouTube channels, community guides: IppSec, HackTricks, Sektor7, 0ffset.net

  • Online communities: Reddit (r/oscp, r/redteamsec), OffSec Discord servers, 0day.rocks, LinkedIn red team groups

💼 10. Industry Value and Demand

  • Is it frequently mentioned in job postings?: Increasingly, especially in senior pentesting and red team roles

  • Does it boost your profile with recruiters?: Significantly — viewed as proof of high technical skill and real-world offensive capability

  • Is it recognized by top companies or certain countries?: Yes — particularly in Fortune 500, defense contractors, and adversary simulation firms

  • What’s the average salary?: $120,000–160,000+ USD/year depending on region and experience

🧭 11. Related Certifications and Progression

  • Is it part of a larger learning path?: Yes — fits into the OSCE³ track alongside OSWE and OSED

  • What can you study after completing it?: OSED (Exploit Dev), CRTO2, Sektor7 courses, Malware Analysis, or purple team training

  • How does it compare or complement other certs?: More realistic and stealth-oriented than OSCP; complements CRTO and CRTP for a full red team skillset