The OSCP+ certification is defined as OffSec’s flagship practical penetration testing credential, requiring candidates to compromise real machines under timed conditions rather than answer multiple-choice questions. The exam runs for 23 hours and 45 minutes, followed by a 24-hour reporting window, and demands a minimum of 70 points to pass. This OSCP study guide covers the full exam format, a realistic preparation timeline, the approved toolset, and exam-day strategy so candidates enter the engagement with a clear methodology and the discipline to execute it.
What is the OSCP+ exam format and point distribution?
The OSCP+ exam awards points across four targets, and understanding the distribution shapes every study decision a candidate makes.

The point structure breaks down as follows:
| Target | Points | Partial Credit |
|---|---|---|
| Standalone Machine 1 | 20 | Yes |
| Standalone Machine 2 | 20 | Yes |
| Standalone Machine 3 | 20 | Yes |
| Active Directory Set | 40 | Yes (updated) |
| Total | 100 | 70 required to pass |

Three standalone machines each carry 20 points, and partial credit is available for low-privilege access even without full root or SYSTEM. The Active Directory set carries 40 points and requires chaining multiple attack techniques across the domain. Partial credit is now available for AD components in the updated OSCP+ format, which changes how candidates should approach a stalled domain chain.
Key restrictions shape tool choices during the exam:
- Metasploit Framework is limited to one use per exam attempt on a single machine
- sqlmap is banned entirely; manual SQL injection is required
- Automated exploitation frameworks beyond approved tools are prohibited
- AI-assisted exploitation tools are not permitted during the exam window
No bonus points are awarded in the updated OSCP+ format. Every point comes from machine compromise within the exam window. The 24-hour report period does not contribute to scoring, but a poorly written report can still cause failure if steps are undocumented or screenshots are missing.
What is a realistic OSCP study plan and timeline?
A structured 16–24 week schedule with approximately 15 hours per week totals at least 240 hours of preparation. That volume is not arbitrary. The OSCP+ tests problem-solving in unfamiliar contexts, and that skill only develops through repeated, deliberate practice across diverse machine types.
The preparation phases follow a logical progression:
-
Weeks 1–6 (Foundation): Complete the PEN-200 course modules. Focus on Linux fundamentals, networking concepts, Bash and Python scripting, and the core exploitation theory. Do not skip the buffer overflow section; mastering the 6-step buffer overflow methodology is non-negotiable for exam readiness.
-
Weeks 7–12 (Lab Practice): Move into intensive lab work. Work through the TJ Null OSCP-like machine list on platforms with retired boxes. Prioritize machines that require manual enumeration, service exploitation, and privilege escalation without automated tools. Dedicate at least two sessions per week exclusively to Active Directory attack chains.
-
Weeks 13–16 (Mock Exams and Reporting): Run at least two full 24-hour mock exams. Practice writing the final report immediately after each mock. This phase builds the endurance and documentation discipline the real exam demands.
-
Weeks 17–24 (Gap Filling): Use this buffer to revisit weak areas. If AD exploitation feels uncertain, spend additional time on Kerberoasting, AS-REP Roasting, DCSync, and lateral movement using BloodHound and CrackMapExec.
Pro Tip: Build your personal cheatsheet from day one. Every command you run during labs belongs in that document. By exam day, it becomes a trusted reference that eliminates hesitation and keeps methodology on track.
Candidates who rely heavily on writeups during lab practice develop a false sense of competence. Reading a solution is not the same as deriving it. Struggle productively before consulting hints, and the exam will feel far more familiar.
What essential tools and methodologies should OSCP candidates master?
The approved OSCP+ toolset rewards candidates who understand why each tool works, not just how to run it.
The core tools every candidate must master include:
- nmap: Full TCP and UDP port scans with service version detection (
-sV) and default scripts (-sC). Run aggressive scans only after initial discovery to avoid missing services. - gobuster / feroxbuster: Directory and file brute-forcing for web targets. Pair with a quality wordlist like SecLists.
- linpeas / winpeas: Automated privilege escalation enumeration for Linux and Windows. Treat output as a checklist, not a solution.
- BloodHound: Active Directory attack path visualization. Ingest data with SharpHound and analyze for shortest paths to Domain Admin.
- CrackMapExec: Lateral movement, credential spraying, and SMB enumeration across the AD environment.
- Metasploit Framework: Reserve for one machine where it provides maximum value, typically a complex privilege escalation or a multi-stage payload.
The core methodology follows five phases: scan, enumerate, exploit, escalate, and document. Enumeration is the detective work of hacking. Candidates should spend 80% of exam time on thorough enumeration before attempting exploitation. That figure surprises most first-time candidates, but incomplete scanning is the leading cause of exam failure.
Manual SQL injection replaces sqlmap entirely. Candidates must practice UNION-based, error-based, and blind injection techniques by hand. The OSCP practice questions available through Cyberservices include web exploitation scenarios that reinforce this skill under realistic conditions.
Pro Tip: Run two nmap scans in parallel: a fast top-1000-port scan for quick wins and a full 65535-port scan running in the background. Services on non-standard ports cause more exam failures than any other single oversight.
How should candidates approach exam day and reporting?
Exam-day success depends on time management and documentation discipline as much as technical skill.
The recommended machine order follows a deliberate logic:
- Complete one standalone machine first. This warms up pattern recognition and builds momentum before tackling the high-value AD set.
- Attack the Active Directory chain next. The AD set carries 40 points. Candidates are freshest in hours 2–8, making this the optimal window for complex chain exploitation.
- Return to remaining standalones. With AD points secured, the pressure on standalone machines decreases, improving decision quality.
- Set a 2-hour timer per machine. Spending more than 2 hours on a single standalone before pivoting wastes the exam window. Move on, document what you found, and return with fresh eyes.
- Begin the report template before the exam ends. Do not wait until the exam window closes to start writing.
Practicing at least two full 24-hour mock exams is the highest predictor of first-attempt success. Mock exams reveal how cognitive performance degrades after 18 hours and force candidates to develop personal fatigue management strategies.
Continuous documentation during exploitation is mandatory. Every command, every output, every screenshot belongs in the notes. OffSec’s reporting standards are strict, and candidates who achieve the required points but submit incomplete reports fail. The report is not an afterthought. It is half the exam.
Pro Tip: Use a note-taking tool like CherryTree or Obsidian during the exam. Structure notes by machine from the start. When the exam window closes, the report almost writes itself.
Starting the report template early in the preparation phase transforms documentation into muscle memory. Candidates who practice writing reports during lab work arrive at exam day with a process, not a panic.
Key Takeaways
Passing the OSCP+ exam requires mastering enumeration discipline, Active Directory attack chains, and rigorous documentation in equal measure.
| Point | Details |
|---|---|
| Exam structure and scoring | Three standalones at 20 points each plus a 40-point AD set; 70 points required to pass. |
| Study timeline | A 16–24 week plan with 15 hours weekly builds the depth the exam demands. |
| Enumeration first | Spend 80% of exam time on scanning and service inspection before attempting exploitation. |
| Mock exams are mandatory | Two full 24-hour mock exams build endurance and reveal fatigue-related decision errors. |
| Report quality determines outcome | Incomplete or poorly structured reports cause failure even when point thresholds are met. |
Why most OSCP candidates fail the first time (and how to avoid it)
The OSCP+ is fundamentally an endurance test. It challenges technical skill, stress management, and reporting aptitude in equal measure. Most candidates who fail do not fail because they lack exploitation knowledge. They fail because they rush enumeration, skip documentation, or run out of cognitive fuel in the final six hours.
The exam tests problem-solving in unfamiliar contexts. Memorizing exploits does not prepare candidates for a machine that requires chaining three obscure misconfigurations. What prepares candidates is the habit of methodical thinking under pressure, built through hundreds of hours of deliberate lab practice.
The most underrated preparation activity is writing reports during lab sessions. Candidates who treat every practice machine as a real exam target, complete with a full written report, arrive at exam day with a process that runs on autopilot. That frees cognitive resources for the hard technical problems.
Structured timeboxing during the exam prevents the spiral that kills so many attempts. When a candidate spends four hours on a single machine, the psychological cost compounds. Set the timer, document what you found, move on. The answer often surfaces after a break and a fresh perspective.
The personal cheatsheet is not a shortcut. It is a distillation of everything a candidate has learned, organized for rapid retrieval under pressure. Build it from day one. Update it after every lab session. By exam day, it reflects the candidate’s actual methodology, not a generic template found online.
— kr4k1
Premium OSCP preparation resources from Cyberservices
Candidates who combine hands-on lab practice with structured study materials consistently outperform those who rely on a single resource. Cyberservices provides premium OSCP exam dumps and methodology guides built to mirror the real OSCP+ exam format, covering standalone machine scenarios, Active Directory attack chains, and reporting templates.

The OSCP study materials available through Cyberservices are structured around the current OSCP+ point distribution and tool restrictions, giving candidates a preparation resource that reflects what the exam actually tests. For candidates targeting the AD set specifically, the AD attack chain guide covers Kerberoasting, lateral movement, and domain compromise techniques step by step.
FAQ
What is the minimum score to pass the OSCP+ exam?
Candidates need a minimum of 70 points out of 100 to pass the OSCP+ exam. Points come from three standalone machines worth 20 points each and an Active Directory set worth 40 points.
How long does OSCP exam preparation typically take?
A structured preparation plan runs 16–24 weeks at approximately 15 hours per week. Candidates with prior penetration testing experience may complete preparation closer to the 16-week mark.
Is Metasploit allowed during the OSCP exam?
Metasploit is allowed but restricted to a single use on one machine per exam attempt. Candidates must rely on manual exploitation techniques for all remaining targets.
What happens if the report is incomplete?
An incomplete or poorly structured report can cause failure even when a candidate achieves the required 70 points. OffSec requires detailed documentation of every exploitation step, including commands, outputs, and screenshots.
What is the best order to tackle machines on exam day?
Complete one standalone machine first to build momentum, then attack the Active Directory set while cognitive performance is at its peak. Return to remaining standalones after securing AD points.
