Big news in the cybersecurity world: OffSec just announced major changes to the Offensive Security Certified Professional (OSCP) certification, now rebranded as OSCP+. Whether you're a current OSCP holder or planning to take the exam in the future, these changes are significant and will impact your certification journey. In this post, I’ll break down the updates, share my unfiltered thoughts, and offer advice to anyone looking to get certified. Let's dive into the details.
What’s Changing with the OSCP?
Starting November 1, 2024, OSCP will become OSCP+.
One of the biggest changes is that OSCP+ will not be a “good for life” certification. OSCP+ will require renewal every three years. However, there’s good news for those who already hold an OSCP: you will remain certified for life.
If you’re planning to get OSCP certified after November 1st, you’ll need to maintain the “plus” designation by renewing it every three years. If you decide not to renew, your certification will revert to a standard OSCP, which remains valid for life, but without the “plus” designation.
OSCP Exam Changes: Active Directory
The structure of the OSCP exam is also changing, particularly in the Active Directory (AD) portion. Previously, candidates started as external attackers, compromising machines and pivoting into the internal network. Now, you'll start inside the internal network with an assumed compromised position, and your goal will be to escalate privileges to Domain Administrator within that network.
Another significant change: partial points for AD. In the past, it was all or nothing. You had to compromise all machines in the AD set to earn points. Now, you can receive partial credit for compromising individual machines, even if you don’t achieve full Domain Admin.
Bonus Points: A Thing of the Past
OffSec is also doing away with bonus points. Previously, you could earn 10 bonus points by completing 80% of the course modules and compromising 40 lab machines. These points could be added to your exam score. This option is no longer available in OSCP+.
How to Renew OSCP+
Once certified as OSCP+, you will have three ways to renew your certification:
Retake the OSCP+ exam.
Pass a qualifying OffSec certification: The OSED (Exploit Developer), OSEP (Experienced Penetration Tester), OSWA (Web Assessor), or OSEE (Exploit Expert).
OffSec CPE: OffSec will introduce a Continuing Professional Education (CPE) program, expected to launch in late 2024 or early 2025. This will provide another option to maintain your certification.
Special Deal for Current OSCP Holders
If you’re already OSCP certified, you can take advantage of a special offer: until March 31, 2025, you can upgrade to OSCP+ for only $199. After that, the price jumps to $799. If you're considering this, November 1st is the date to mark on your calendar, as that’s when the upgrade path will become available.
Why the Changes?
According to OffSec, there are two main reasons for these changes:
Modernizing the exam: Updating the Active Directory portion to be more realistic and better reflect the skills required for real-world internal penetration testing.
Compliance with ISO 17024 standards: OffSec is aligning OSCP+ with ISO 17024, a global standard for the certification of individuals, specifically focusing on the competence of certification bodies.
The move towards ISO 17024 also positions OffSec to potentially get on the U.S. government’s DoD 8570 list, which is a set of required certifications for certain cybersecurity roles in the Department of Defense. This could open new doors for OSCP holders, particularly for those interested in government jobs.
Unfiltered Opinions: The Good, the Bad, and the Price Tag
Now that we’ve covered the facts, let’s talk about my personal thoughts on these changes. As someone who holds the OSCP certification, I had mixed feelings when I first heard the news. The fact that OSCP was good for life was a major selling point. Other certification bodies require yearly or three-year renewals with ongoing fees, and OffSec stood out because once you were certified, you were set for life.
With the introduction of OSCP+, it feels a bit like OffSec is trying to capitalize on their certification holders. The renewal fees and continuing education requirements mirror what we see with other certification bodies, and this feels like a shift away from what made OffSec special. That said, the move to ISO 17024 compliance makes sense from a business perspective.
Additionally, the possibility of aligning with the DoD 8570 standard is a smart move, especially considering how lucrative government contracts can be. While some OffSec cert holders may feel slighted by the changes, this shift could also help open doors to government jobs, which is a massive market that OffSec hasn’t yet fully tapped into.
Concerns for the Future: Will OSCP+ Lose Value?
There is a precedent for certifications losing value after transitioning from “good for life” to renewable models. Take CompTIA’s Security+ as an example. It was once good for life, but now it must be renewed every three years, and those who don’t maintain the updated version of the cert may find themselves less competitive in the job market. My concern is that OSCP+ might follow a similar path.
Will the regular OSCP remain relevant, or will employers increasingly demand the OSCP+ designation? Only time will tell, but there’s a chance that the value of the standard OSCP could diminish over time.
The Good News: Better Active Directory Training
One thing that stood out to me as a major positive is the update to the Active Directory portion of the exam. In the past, OSCP didn’t prepare candidates well for real-world internal penetration testing, particularly in AD environments. This was a pain point for many OSCP holders, myself included, when transitioning to actual pentesting jobs. The new AD changes should better equip candidates for internal network assessments, making OSCP+ more aligned with real-world scenarios.
Should You Take OSCP Now or Wait?
This is a big question for anyone currently in the OSCP course. Should you rush to take the exam before November 1st to take advantage of the bonus points, or wait for the OSCP+ rollout?
If you think you need the bonus points, it’s best to take the exam before November 1st. However, if you’re confident in your skills and don’t need the extra points, it may make more sense to wait and take the OSCP+ exam to get the new designation from the start.
For me, I’m still on the fence about whether I’ll go after OSCP+ or focus on other OffSec certs, like the OSWA and OSEP, which I’m currently pursuing. But regardless of my decision, I’ll keep you updated on my learning journey.
The OffSec Community’s Reaction
From what I’ve seen in the OffSec community, the reaction to these changes has been mostly negative. People are upset about the move to renewable certifications, with a lot of money-related emojis like dollar signs, crying faces, and even clown emojis filling the OffSec Discord. It’s clear that many OSCP holders feel like they’re being milked for more money, especially considering OffSec’s reputation for offering expensive courses and exams.
That said, not all of the feedback is negative. Some people recognize the benefits of the new AD training and the potential for increased job opportunities if OSCP becomes DoD 8570 compliant.
Final Thoughts: Is OSCP+ Worth It?
So, is OSCP+ worth pursuing? If you’re already on the OSCP path, the decision depends on your current status. If you’re close to taking the exam, you might want to push to take it before the November 1st changes. But if you’re just starting out, the OSCP+ designation might be a better option for long-term career prospects.
For those like me who already hold OSCP, the decision to upgrade to OSCP+ isn’t easy. The $199 upgrade fee is a decent offer, but after March 2025, the $799 price tag may make some people hesitate.
Overall, OSCP+ brings some much-needed improvements to the certification but also introduces new challenges, particularly the recurring fees. Time will tell how these changes affect the OSCP’s standing in the cybersecurity world, but one thing is for sure: OffSec is making moves to stay competitive in an evolving market.
If you're planning to take the OSCP exam soon, check out my “How I Passed the OSCP on My First Try” blog post. Even with the new changes, those tips will still be relevant to your success!