OSCP vs OSCP+: What New Changes Have Been Made?

The Offensive Security Certified Professional (OSCP) certification has long been considered a benchmark for cybersecurity professionals looking to prove their skills in penetration testing and ethical hacking. Recently, OffSec, the organization behind the OSCP, announced significant changes to the exam format and the introduction of a new certification, OSCP+. This article delves into what these changes entail, why they were made, and how they impact both current and future OSCP holders.

Introduction to OSCP and OSCP+

The OSCP is a well-respected certification that tests a candidate’s ability to perform a range of penetration testing tasks in a controlled environment. It has been a gold standard in the cybersecurity industry for years, helping professionals validate their offensive security skills. With evolving cybersecurity threats and practices, OffSec has updated the OSCP exam and introduced the OSCP+ certification. Starting November 1, 2024, these updates will come into effect, bringing changes to the exam format, scoring system, and certification maintenance requirements.

Overview of OSCP Certification

The OSCP certification is known for its rigorous, hands-on approach that requires candidates to hack into a series of machines within a 24-hour period. Since its inception, the OSCP has been a challenging yet highly rewarding certification, demonstrating a candidate’s ability to perform penetration testing under real-world conditions. The certification has no expiration date and remains valid for life, representing a solid foundation in cybersecurity.

Why Update the OSCP Exam?

OffSec decided to update the OSCP exam to keep pace with the changing cybersecurity landscape and ensure that the certification remains relevant. The new exam format aims to better prepare learners for real-world scenarios, specifically addressing Active Directory (AD) environments—a common target in real-world penetration testing.

Key Changes to the OSCP Exam

Starting from November 1, 2024, the OSCP exam will see two major changes:

1. Enhancements to the Active Directory Portion: The updated exam introduces an “assumed compromise” scenario, where learners start with a standard user account on the AD domain and work towards achieving full domain compromise. This update allows candidates to earn partial points within the AD domain, reflecting a more practical and realistic approach to penetration testing.
2. Removal of Bonus Points: Previously, candidates could earn up to 10 bonus points by completing certain labs and challenges in the PEN-200 course. With the updated exam, bonus points have been removed to create a fairer, more consistent experience across all OffSec certifications.

Detailed Explanation of OSCP+

The OSCP+ is a new designation introduced alongside the updated OSCP exam. When a candidate passes the updated exam, they earn both the OSCP and OSCP+ certifications. However, unlike the OSCP, the OSCP+ certification has an expiration date—three years from issuance. To maintain the “+” designation, candidates must complete one of the three continuing education paths:

1. Take and pass a recertification exam within six months of the OSCP+ expiry date.
2. Take and pass another qualifying OffSec certification exam before OSCP+ expires (e.g., OSEP, OSWA, OSED, or OSEE).
3. Successfully complete OffSec’s new Continuing Professional Education (CPE) program.

Active Directory Enhancements

The changes to the Active Directory (AD) section of the OSCP exam are a significant update. The new “assumed compromise” model allows candidates to start with a standard user account on the AD domain, simulating a real-world breach scenario. This change means that:

• Candidates will earn points for compromising individual machines within the AD set, allowing for partial credit.
• The new format provides a more realistic assessment of a candidate’s ability to navigate and exploit AD environments.

Removal of Bonus Points

Bonus points were previously awarded to encourage learners to complete specific exercises in the PEN-200 course. However, OffSec found that most learners did not need these bonus points to pass the exam. The removal of bonus points aligns the OSCP with other OffSec certifications and complies with ISO 17024 standards, which do not recognize bonus points in certification exams. This move ensures a more standardized and fair approach across all OffSec certifications.

How to Earn the OSCP+ Certification

To earn the OSCP+ certification, learners must pass the updated OSCP exam starting from November 1, 2024. The OSCP+ will automatically be awarded alongside the OSCP upon passing the exam. However, to maintain the OSCP+ designation beyond three years, learners must follow one of the continuing education paths mentioned earlier.

Differences Between OSCP and OSCP+

The primary differences between the OSCP and OSCP+ are as follows:

• Validity: The OSCP certification is valid for life, while the OSCP+ certification is valid for three years.
• Recertification Requirements: The OSCP+ requires periodic recertification or completion of additional education paths to maintain the “+” designation.
• Exam Format and Scenarios: The updated OSCP+ exam includes the new AD scenario and changes to point allocation.

Benefits of Holding an OSCP+

The OSCP+ certification signifies not only a mastery of the material but also a commitment to staying current with the latest industry standards and practices. It reflects a learner’s dedication to continuous learning, which is crucial in the ever-evolving field of cybersecurity.

Impact on Existing OSCP Holders

Current OSCP holders can upgrade to the OSCP+ by taking the new exam after November 1, 2024. OffSec offers a promotional rate of $199 USD for the new exam for those who register between November 1, 2024, and March 31, 2025. After this period, the regular price of $799 USD applies.

Recertification Paths for OSCP+

To maintain the OSCP+ designation, learners can choose from three paths:

1. Recertification Exam: Pass a recertification exam within six months of the OSCP+ expiry date.
2. Additional Certifications: Pass another qualifying OffSec certification exam before the OSCP+ expires.
3. OffSec CPE Program: Complete the Continuing Professional Education (CPE) program (details to be announced in late 2024-early 2025).

OSCP+ for New Learners

New learners aiming for the OSCP+ certification have multiple options for exam preparation:

• Course & Cert Exam Bundle: Includes the PEN-200 course and one OSCP exam attempt.
• Learn One Subscription: Provides access to the PEN-200 course and two exam attempts during the subscription period.
• Learn Unlimited: Offers unlimited access to all OffSec content and unlimited exam attempts.

Pricing and Registration Details

The updated OSCP+ exam will cost $799 USD. However, current OSCP holders can take advantage of a promotional price of $199 USD for a limited period. Registration for the updated exam opens on November 1, 2024.

Frequently Asked Questions (FAQs)

1. I already have an OSCP, does this change my certification? No, your existing OSCP remains valid for life.
2. What happens to the OSCP+ designation after three years? You must recertify or complete other qualifying activities to maintain the OSCP+ designation.
3. Can I get OSCP+ if I earn another OffSec certification after November 1, 2024? No, you must first pass the updated OSCP exam to earn OSCP+.
4. What if I fail my OSCP+ recertification exam? You will need to repurchase the OSCP+ recertification if you wish to attempt it again.
5. What are the changes to the OSCP exam format? The new format allows partial points for AD tasks and removes the need for bonus points.
6. How can I prepare for the updated OSCP+ exam? You can prepare using the PEN-200 course and other OffSec resources, or by self-study.

Conclusion

The introduction of the OSCP+ and the changes to the OSCP exam format reflect OffSec’s commitment to evolving with the cybersecurity landscape. These updates not only enhance the value of the OSCP certification but also provide a clear path for continuous professional development with the OSCP+. For cybersecurity professionals, these changes signify an opportunity to stay current and demonstrate their up-to-date skills and knowledge in the field.