On the Updated OSCP+ Certification

This is my opinion on the changes to the OSCP certification that were recently announced by Offsec. Also, here is my video on the topic:

Personally, while I achieved the OSCP certification almost six years ago, it is still probably the largest milestone in my cybersecurity career. It changed my mindset from thinking about pentesting as something only people smarter than me could do, to realizing this was absolutely achievable if I applied myself to it.

The certification is a challenge, often a very hard one, for people who are starting out in the field. But when I look back at my exam today, the challenge was not that you needed expert knowledge in any specialty within the penetration testing role, but rather that you needed a basic understanding of many of the specialties within the role, whether that be XSS, SQLi, local privesc on Windows/Linux, or modification and compilation of exploit code.

As this is the case, I see no reason to revisit the exam today, as my knowledge today has greatly surpassed what I knew then solely based on years of experience. This is similar to the feeling I’ve had when I renewed my GCIH certification.

Summary of changes and pricing

With this in mind, let us take a look at the changes to the OSCP(+) certification:

  • OSCP+ certification added, with an expiration date of 3 years

  • Passing the updated exam will give both OSCP and OSCP+

  • If OSCP+ is not renewed, it will fall back to a regular OSCP certification

  • This OSCP certification will continue to have no expiration date

  • Prices will stay at the same rate for the course + cert bundle and Learn One (however, the prices will probably continue to be raised yearly)

  • The recertification of OSCP+ will cost $799

While this pricing is still cheaper than what SANS demands, the recertification is only $1 cheaper than what I paid for the course, 30 days of LAB and the exam back in 2018.

Let us compare the pricing of OSCP to one of my favorite certifications, Altered Security’s CRTP:

While OSCP has cemented itself as a mid-priced certification in recent years, one of the rows in the above comparison quickly stands out. The newly added recertification fee is priced at even higher levels than the GIAC certifications.

Conclusion - Is it worth it?

This is a quote from Offsec’s own statement on why they are implementing this change:

The OSCP certification has been very important to OffSec, as well as the entire cybersecurity industry. We take our role as caretakers of the OSCP seriously, ensuring it continues to represent the high standards it is known for. The OSCP will continue to play its vital role in offensive security and penetration testing. The new OSCP+ designation will demonstrate not just mastery of the material, but also the timeliness of the knowledge.

While the updates to the exam and the removal of the bonus points could certainly be welcome changes to the certification, the addition of a renewal does not make as much sense to me.

To me an OSEP+ would make much more sense, as the deeper expert knowledge I learned to pass that exam could easily have been forgotten three years after I passed it. I just can’t see any scenario where a pentester with at least 3 years of experience after passing the OSCP would benefit from spending $799 on renewing their OSCP certification instead of taking any other certification to widen or deepen their expertise.

While the pricing is not outrageous, and it is very nice that you still keep your OSCP certification forever, this seems like a strange decision from Offsec. It seems like they are trying to leverage the standing of the OSCP exam to the fullest, which could end badly when so many competitors are trying to deliver quality certifications to the same target audience.
