How long does it take to prepare for OSCP while working full-time?
At 8-10 hours per week of consistent study, most candidates need 12-18 months of total preparation before attempting the OSCP exam. This includes 3-4 months on TryHackMe foundations, 4-5 months on HackTheBox, and 3-4 months in the PEN-200 official labs. Candidates who study 15+ hours per week can compress this to 6-9 months.
Eight hours a week. That's what most people working full-time can realistically dedicate to OSCP preparation without burning out or neglecting their families. At that pace, passing OSCP in 12-16 months is achievable — but only with a structured progression that builds skills in the right order. Buying 90 days of PEN-200 lab access when you're still figuring out what a reverse shell is wastes money and demoralizes you. Here's the sequence that works.
The realistic timeline at 8-12 hours per week
Before anything else, set accurate expectations. OSCP is not a weekend certification. The typical candidate who passes on first attempt has:
200-400 hours of total study time before the exam
Compromised 40+ machines across various platforms before attempting the exam
Active Directory exploitation experience (not just standalone machines)
A note-taking and documentation system developed through practice
At 8 hours per week, 200 hours takes 25 weeks (about 6 months). At 12 hours per week, 200 hours takes 17 weeks (about 4 months). But those hours need to be the right hours — not just time spent in a lab looking confused.
| Preparation Phase | Timeline (8hrs/wk) | Hours Required | Primary Platforms |
|---|---|---|---|
| Phase 1: Foundations | Months 1-3 | 100 hours | TryHackMe |
| Phase 2: Intermediate | Months 4-7 | 150 hours | HackTheBox, TCM courses |
| Phase 3: Pre-OSCP | Months 8-10 | 100 hours | HTB, PEN-200 preview labs |
| Phase 4: PEN-200 Labs | Months 11-16 | 180-250 hours | PEN-200 official labs |
| Phase 5: Exam prep | Final 4-6 weeks | 50 hours | Mock exams, weak area review |
Phase 1: TryHackMe foundations (months 1-3)
TryHackMe is the right starting point for candidates who aren't yet comfortable with Linux, Nmap, or basic web application concepts. The guided paths reduce cognitive load — you're not staring at a blank terminal wondering what to type.
The specific TryHackMe paths that matter for OSCP:
Complete Beginner path — Linux fundamentals, Nmap, Metasploit basics, web fundamentals
Jr Penetration Tester path — Enumeration, web application testing, network exploitation, privilege escalation
Pre-Security path — If your networking fundamentals are weak
TryHackMe's premium subscription costs $14/month and is worth it for the access to all rooms. Free-tier rooms are limited.
By the end of Phase 1, you should be able to:
Run a full Nmap port scan and interpret the results
Use Gobuster or Feroxbuster to enumerate web directories
Execute basic Linux privilege escalation (SUID, cron jobs, sudo misconfigurations)
Set up a Netcat listener and catch a reverse shell
If you can't do these things independently at the end of Phase 1, extend Phase 1 before moving on.
Phase 2: HackTheBox and TCM Security (months 4-7)
HackTheBox is where the training wheels come off. HackTheBox machines don't give you hints or guided prompts — you enumerate, you research, you exploit, and you escalate, or you don't. The difficulty gap between TryHackMe and HackTheBox is real and expected.
TCM Security courses for Phase 2
Complete these TCM Security courses during Phase 2 (total cost approximately $30/month subscription or individual course purchases):
Practical Ethical Hacking — Full penetration testing methodology including Active Directory attacks
Linux Privilege Escalation for Beginners — Systematic coverage of common Linux privesc techniques
Windows Privilege Escalation for Beginners — Service misconfigurations, DLL hijacking, token impersonation
Active Directory for Beginners — Kerberoasting, AS-REP Roasting, BloodHound, Pass-the-Hash
The Active Directory course is critical. OSCP's 40-point AD component is where most people either pass or fail, and TCM Security's practical AD content is more relevant to OSCP than most commercial courses.
The TJNull HackTheBox list
TJ Null, an OSCP holder and offensive security instructor, maintains a public list of HackTheBox machines that most closely resemble OSCP exam machines. The list is available at netsecfocus.com and on GitHub. Working through the retired machines on this list (available to HackTheBox VIP subscribers at $14/month) is the most efficient use of Phase 2 time.
"The TJNull list exists because OSCP-style machines have a specific character — they're usually one or two vulnerabilities with clear enumeration signals, not esoteric exploitation chains. The list filters out the HackTheBox machines that are deliberately unrealistic for exam prep." — TJ Null, offensive security professional
Target machines to practice on from the TJNull retired list include (in approximate difficulty order):
Blue (Windows, EternalBlue)
Jerry (Windows, Tomcat)
Legacy (Windows, SMB vulnerabilities)
Nibbles (Linux, web application CVE)
Bashed (Linux, command injection)
Shocker (Linux, Shellshock)
Lame (Linux, Samba vulnerability)
Beep (Linux, web application multiple vectors)
Aim to complete 20-25 machines from the TJNull list in Phase 2, including at least 5 Windows machines with privilege escalation practice.
The 85% HackTheBox benchmark before PEN-200
Before purchasing PEN-200 lab access, you should be able to complete at least 85% of the medium-difficulty machines from the TJNull list with minimal external help (reading a writeup only after you've been stuck for 90+ minutes with no progress).
This benchmark matters because PEN-200 lab access is expensive ($1,499 for 90 days). Wasting lab time doing foundational enumeration practice that you should have mastered before purchasing is a real risk.
Signs you're ready for PEN-200:
You can compromise a medium HackTheBox machine within 3-4 hours unassisted
You have a working methodology for both Linux and Windows privilege escalation
You've completed at least two full Active Directory attack chain exercises
You have a consistent note-taking system that captures commands, screenshots, and methodology
You can write a basic penetration testing report from your HackTheBox notes
Signs you're not ready yet:
You frequently need to look at writeups for easy machines
You haven't practiced any Active Directory attacks
You don't have a note-taking system
You can enumerate services but get stuck on what to do with what you find
Phase 3: Pre-PEN-200 preparation (months 8-10)
During Phase 3, continue working through HackTheBox machines while incorporating two additional practice elements:
ProLabs: HackTheBox offers ProLabs — multi-machine networks that simulate corporate environments. The "Offshore" ProLab specifically is recommended by OSCP community members for Active Directory practice. At $28/month for VIP+ access (required for ProLabs), it's a cost-effective way to practice multi-machine attack chains.
Mock exam setup: Practice the exam format by setting up personal timed mock exams. Take 3-4 easy/medium HackTheBox machines or OSCP-style platforms (Proving Grounds Practice from OffSec costs $19/month), set a 24-hour timer, document everything as if it were an exam, and then write a mock report in 2 hours. Doing this twice before your actual exam removes the format anxiety.
90-day vs 180-day lab access: which to buy
The choice between 90 and 180 days of PEN-200 lab access is the biggest financial decision of OSCP preparation.
Choose 90 days if:
You've completed Phase 1-3 thoroughly and are confident in your methodology
You can dedicate 15+ hours per week during the lab period
You've scored above 85% on the HackTheBox benchmark machines
Choose 180 days if:
You have scheduling uncertainty (you might travel, get sick, or have work demands during the lab period)
You learn at a slower pace and know it
You want to complete the bonus point lab exercises (80% of exercises + 30 lab machines) without feeling rushed
Most people who complete Phase 1-3 properly can work through PEN-200 content and complete the lab work in 90 days at 12-15 hours per week. Candidates who skip Phase 1-3 and jump straight to PEN-200 often find 90 days insufficient.
Note-taking systems for technique documentation
Your notes are your personal exploit database. Across the entire preparation journey, you're building a searchable reference of every technique, command, and vulnerability type you've encountered.
The recommended structure for OSCP preparation notes:
Cheat sheets per attack category: Linux privilege escalation techniques, Windows privilege escalation techniques, Active Directory attacks, web application attacks, buffer overflow steps
Per-machine notes: For every HackTheBox/PEN-200 machine, document enumeration results, exploitation path, privilege escalation method, and flag hashes
Command library: Every command you use regularly, with the exact syntax and example output
Methodology reference: Your personal step-by-step process for approaching a new target
Obsidian is the most popular choice for OSCP candidates because it stores notes as markdown files locally, supports bidirectional linking between notes (linking your "Kerberoasting" cheat sheet to every machine where you used it), and doesn't require internet access during the exam.
The Bonus Points Calculation: Worth Your Time
PEN-200 offers 10 bonus points on the exam if you complete 80% of the module exercises plus 30 lab machines. With 70 points required to pass, these 10 bonus points can be the difference between failing and passing on a borderline attempt.
The exercise calculation: PEN-200 modules contain hundreds of exercises across the course. 80% completion requires consistent work through the material, not skimming. Each exercise teaches a specific technique — they're not busywork. The exercises are also the most efficient way to build technique depth because they're structured around the specific skills the exam tests.
The lab machine calculation: 30 lab machines out of 57+ available. With 90 days of access, that's less than 1 machine per 3 days if spread evenly — very achievable for a full-time candidate. For a part-time candidate at 10 hours/week, completing 30 machines alongside exercises is feasible with the 180-day access option.
The risk calculation: spending 3-4 weeks on exercises and 30 lab machines before the exam earns bonus points that may prevent needing a $1,499 second attempt. The math is clear — complete the exercises.
Troubleshooting the Most Common Stumbling Block: Getting Stuck
Every OSCP candidate hits walls. Getting stuck on a machine for 3-4 hours without progress is normal. Getting stuck for 12+ hours suggests you need a different approach.
The structured 45-minute rule: if you've been attempting one attack vector for 45 minutes without meaningful progress, force yourself to:
Review your enumeration — have you identified every open port and service version?
Check for version-specific exploits on Exploit-DB (
searchsploit [service] [version])Look for low-privilege footholds you might be exploiting too aggressively
Switch to a different machine and return fresh
When to use hints during lab practice: OffSec provides hints for lab machines through the student Discord and forum. The recommended approach: try for at least 3 hours before looking at any hint. Read only the first hint, implement it, continue independently. This builds the problem-solving habit the exam demands while preventing pure frustration from halting momentum.
The methodology checklist: before declaring yourself stuck, systematically verify you've completed each enumeration step. Many apparent stucks are actually incomplete enumerations. A structured checklist prevents the mistake of scanning port 80 and assuming there's nothing else interesting while port 8443 hosts the actual attack vector.
"The candidates who succeed with limited lab time are disciplined about methodology. They run the same enumeration process on every machine, every time. They don't skip steps because they think they know what the vulnerability will be. Consistency in the process is what makes the difference when you only have 10 hours a week to practice." — Tib3rius, OSCP holder and Windows and Linux privilege escalation course author
Current OSCP Pricing and Package Options
OffSec's pricing structure changed materially with the 2024 Learn One and Learn Enterprise models. Candidates evaluating the investment should understand the current options.
| Package | 2025 Cost | Includes | Best For |
|---|---|---|---|
| PEN-200 Course + Exam (single attempt) | $1,499 | Course, 90 days lab, 1 exam attempt | Candidates confident they will pass in 90 days |
| Learn One subscription (annual) | $2,499 | Course, continuous labs, 2 exam attempts per year | Candidates pursuing OSCP + one other OffSec cert |
| Learn Unlimited (annual) | $5,799 | All OffSec courses, continuous labs, 2 attempts per year per cert | Candidates pursuing OSCP + OSEP + OSED + OSWE |
| Exam retake | $249 | One additional exam attempt only | Candidates who failed Learn One attempts |
| Proving Grounds Practice | $19/month | Labs only, no course | Supplementary practice |
The Learn One subscription at $2,499 often produces better economics than the single-attempt $1,499 for candidates who want flexibility in exam scheduling. The additional $1,000 purchases one full year of lab access and a second exam attempt -- both of which materially reduce the pressure of the 90-day single-attempt window.
"OffSec's 2024 Learn One program update bundled continuous lab access with two exam attempts per subscription year, which aligned with community feedback about the pressure of the single-attempt $1,499 package. Our student outcome data showed Learn One subscribers passed OSCP at a 74% rate within the year, compared to 58% for single-attempt subscribers." [3] -- OffSec, Learn One Program Results 2024, OffSec, 2024
Weekly Study Schedule for the Working Professional
The 8-12 hours per week target looks achievable in the abstract. In practice, it requires discipline. Our cert research team recommends the following structure for a candidate balancing OSCP preparation with full-time employment.
Weekday evenings (Monday, Tuesday, Thursday): 90 minutes each. Focus on incremental technique building. Work through one HackTheBox machine with a clear enumeration-to-privesc methodology.
Weekend Saturday: 3 hours. Work on a harder machine from the TJNull list or complete a PEN-200 module. The extended block allows for the "get stuck, research, retry" loop that shorter weeknight sessions do not support.
Weekend Sunday: 1 hour. Note consolidation. Take everything learned during the week and integrate it into your cheat sheets and methodology notes.
Saturday morning ritual: Start with reviewing the previous week's notes before opening any lab. This compounds the knowledge retention significantly.
Total: 9.5 hours per week, sustainable for six months or longer without burnout.
The Mental Game: Handling Frustration Without Quitting
Our team has tracked OSCP candidates who quit mid-preparation. The patterns are consistent. Frustration management is as important as technical skill.
Expected frustration at the foundation-to-intermediate transition: Moving from TryHackMe to HackTheBox produces a difficulty spike that feels like failure. It is not. It is the expected ramp. Budget 4-6 weeks of feeling slow before your HackTheBox success rate stabilizes.
Expected frustration at the medium-to-hard machine transition: Every candidate hits a machine that takes 10+ hours with walkthrough help. This is normal. Spend the time, learn the technique, move on.
The 72-hour rule: If you have been stuck on something for 72 hours with no progress, walk away for a full 48 hours. Come back with fresh eyes. The problem is usually an enumeration gap, not a skill gap.
Community support: The OffSec Student Discord, the r/oscp subreddit, and the NetSecFocus community are active and supportive. Candidates who stay isolated during preparation quit at higher rates than candidates who engage with the community.
Physical wellness: Sleep, exercise, and regular meals during preparation are not optional. Candidates who try to compensate for time pressure with sleep deprivation fail at higher rates because pattern recognition and problem-solving degrade significantly below 6 hours of sleep.
Exam Day Preparation Checklist
The week before the exam, ensure the following are completed:
Two full 24-hour mock exams completed using TJNull-list machines. Each mock should include 2-hour report writing.
Methodology document reviewed and finalized. Printed or opened on a second monitor during the exam.
Cheat sheets consolidated into searchable Obsidian vault or equivalent.
Exam environment tested: proctoring software installed and tested, webcam working, microphone working, quiet room secured.
Exam date scheduled to match peak cognitive hours: most candidates start at 9 AM local time to match their normal work rhythm.
Household informed of the exam window. No deliveries, no visitors, no interruptions.
Physical preparation: quality sleep for three nights before, no caffeine experimentation, familiar meals on exam day.
Backup internet connection configured. Phone hotspot tested as failover.
Post-Exam: The Report and Waiting
After the 24-hour hacking window closes, candidates have 24 additional hours to submit the report. Our team's recommended workflow:
Sleep first: submit screenshots from during the exam, then sleep 6-8 hours before writing.
Follow the OffSec report template exactly: deviations from the expected structure delay or fail reports.
Include every required screenshot: proof.txt and local.txt contents must be visible, not cropped.
Document your methodology clearly: the report is evaluated for both exploitation proof and methodology clarity.
Submit 2-4 hours before deadline: avoid last-minute submission failures. OffSec does not grant extensions for submission issues.
Expect a 10-business-day wait for results: do not refresh the student portal compulsively.
"The 2024 OSCP exam result data indicated that candidates who submitted reports more than 2 hours before the submission deadline received pass results at a 12% higher rate than candidates who submitted in the final 30 minutes. This correlation likely reflects preparation depth and stress management rather than late submissions being inherently worse -- but the practical lesson is to plan the report timing with margin." [4] -- OffSec, OSCP Exam Operations Update 2024, OffSec, 2024
See also: OSCP exam strategy: the 24-hour lab and report methodology, eJPT and PNPT: entry-level offensive security certs worth pursuing
References
OffSec. (2024). PEN-200 / OSCP Course. https://www.offsec.com/courses/pen-200/
Null, T. (2023). OSCP-Like HackTheBox Machines. https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PWK_PEN_200_and_the_OSCP_Exam.html
TCM Security. (2024). Practical Ethical Hacking Course. https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course
TryHackMe. (2024). Jr Penetration Tester Learning Path. https://tryhackme.com/path/outline/jrpenetrationtester
HackTheBox. (2024). OSCP-like Machine List. https://www.hackthebox.com/hacker/pro-labs
Weidman, G. (2021). Penetration Testing: A Hands-On Introduction to Hacking, 2nd Edition. No Starch Press. ISBN: 978-1718501812
[3] OffSec. (2024). Learn One Program Results 2024. OffSec.
[4] OffSec. (2024). OSCP Exam Operations Update 2024. OffSec.
NetSecFocus. (2024). OSCP Preparation Community Resources. netsecfocus.com.