How many points do you need to pass the OSCP exam?
You need 70 out of 100 available points to pass the OSCP exam. Points come from three standalone machines (20 points each) and one Active Directory domain set (40 points, all-or-nothing). Completing 80% of PEN-200 exercises plus 30 lab machine proofs earns up to 10 bonus points.
The OSCP exam is 23 hours and 45 minutes of hacking followed by 24 hours of report writing. You need 70 out of 100 available points to pass. Most people who fail don't fail because they can't hack — they fail because they didn't manage the 47 hours correctly. This article covers what actually works for the exam environment specifically, not just offensive security in general.
The exam structure and point allocation
The OSCP exam (OffSec PEN-200) has two components: three standalone machines and one Active Directory domain set. The point breakdown:
| Component | Points Available | Notes |
|---|---|---|
| Standalone machine 1 (easy) | 20 | 10 for local.txt + 10 for proof.txt |
| Standalone machine 2 (medium) | 20 | 10 for local.txt + 10 for proof.txt |
| Standalone machine 3 (hard) | 20 | 10 for local.txt + 10 for proof.txt |
| AD domain (3 machines) | 40 | All-or-nothing — must compromise entire domain |
| Bonus points | Up to 10 | From completing 80% of PEN-200 exercises + 30 lab machines |
To pass without bonus points, you need 70 points. That means you need either: all three standalone machines (60 points) + meaningful AD progress (AD is all-or-nothing, so partial AD counts for zero), or two standalone machines (40 points) + full AD compromise (40 points) = 80 points. The math matters because it shapes your strategy.
AD first or AD last: the debate settled
There are two schools of thought on exam ordering, and both have merit.
Case for AD first: The AD domain is worth 40 points and those 40 points are all-or-nothing. If you spend 8 hours on AD and get 30% through it, you get zero points. Starting AD first means you attack it when your mind is sharpest. If you compromise the full domain quickly, you remove the all-or-nothing pressure and can work the standalones from a position of comfort.
Case for AD last: The standalones are more predictable. Easy and medium machines follow patterns. Getting 40 guaranteed points on two standalones early removes pass/fail anxiety and lets you attack AD with less pressure.
The practical answer: start with the easy standalone to warm up (30-60 minutes maximum), then attack AD. If you're past 4 hours on AD with no foothold, switch to standalones, bank as many points as possible, and return to AD with fresh eyes.
"The biggest mistake I see exam candidates make is spending too long on a rabbit hole. Set a 90-minute timer. If you haven't made meaningful progress in 90 minutes, you're in a rabbit hole — move on." — TJ Null, offensive security instructor and OSCP holder
Time allocation strategy across 23 hours 45 minutes
Here's a realistic time budget:
Hours 1-2: Enumeration on all four targets simultaneously — run automated scans (`nmap`, `gobuster`, `enum4linux`) while doing manual enumeration on the first target
Hours 2-6: Focused attack on AD domain — aim for foothold and first machine compromise
Hours 6-8: Easy standalone machine — complete enumeration, exploit, `local.txt` and `proof.txt`
Hours 8-12: AD continuation or medium standalone, depending on AD progress
Hours 12-16: Medium standalone machine
Hours 16-20: AD completion if not done, or hard standalone
Hours 20-22: Mop up — clean up any machines you're close on, re-enumerate anything missed
Hours 22-23.75: Screenshot review and note verification — ensure every required screenshot is captured before the exam ends
The mandatory break strategy
Cognitive fatigue is the most underestimated failure factor on the OSCP exam. Schedule deliberate 30-minute breaks at hours 8 and 16 — at these points in a 24-hour session, your problem-solving ability has degraded measurably even if you feel alert. The breaks do not pause the exam clock. The clock runs continuously for the full 23:45 regardless of whether you're actively working. Factor the two 30-minute breaks into your time budget — they cost 1 hour of working time and return significantly more than that in cognitive clarity for the final 8 hours.
Many candidates schedule a 3-4 hour sleep block around the 12-16 hour mark, especially if they have enough points banked to pass. Sleeping with 40+ points in the bank is rational: you wake up with 8 hours remaining and can attack remaining machines with a rested mind. Pushing through exhaustion with 40 banked points and failing to improve in the final 8 hours is a documented pattern.
Screenshot requirements and proof.txt documentation
OffSec is specific about what screenshots are required. Missing a required screenshot means you don't get credit for that machine even if you actually compromised it.
Required screenshots for each machine:
local.txt screenshot: Must show the contents of `local.txt` (the low-privilege flag) with your IP address visible in the same screenshot. Use `type local.txt && ipconfig` on Windows or `cat local.txt && ip a` on Linux, then screenshot both outputs together.
proof.txt screenshot: Must show the contents of `proof.txt` (the root/Administrator-level flag) with a privileged command prompt visible. On Windows, run `whoami` and show `nt authority\system` alongside `proof.txt` content. On Linux, show `id` returning root alongside `proof.txt` content.
For AD domain: Screenshots showing the contents of `proof.txt` on the domain controller with domain admin context confirmed
Do not crop these screenshots. Show the full terminal window. Reviewers are checking for the IP address, the flag contents, and your privilege level in a single screenshot.
Note-taking systems for the exam
Your notes during the exam become your report. The systems that work best:
Obsidian works well because it handles markdown natively, allows local storage (no internet risk during exam), and supports linking between notes. Create a note per machine with sections for initial enumeration, services found, exploitation path, post-exploitation, and flags found.
CherryTree is the traditional choice for OSCP students — it's tree-structured, handles code blocks and screenshots, and exports cleanly to PDF. The hierarchical structure mirrors the exam's machine-by-machine organization.
Key note-taking rules for the exam:
Write the exact command that worked, not a paraphrase
Record the full URL or request if a web vulnerability was involved
Note your IP address at the start of each session (it can change if you disconnect)
Screenshot every significant step — `local.txt`, `proof.txt`, and major privilege escalation steps
Record what you tried that didn't work — this helps prevent re-running failed commands and is useful for the report's methodology sections
The 24-hour report writing window
When the exam timer ends, a 24-hour report writing window opens. The report must be submitted as a PDF through the OffSec exam portal. Many candidates underestimate this phase — the 24 hours passes quickly when you're physically exhausted after the hacking portion.
The report structure OffSec expects
OffSec provides an official report template on GitHub (community templates are also available and widely used). The expected structure:
Executive Summary — One page maximum, high-level findings for a non-technical audience. Describe the overall security posture of the environment and the most critical findings without technical jargon.
Methodology Overview — Tools and techniques used, general approach to the assessment, and the ethical scope boundaries.
Per-machine findings — For each compromised machine:
- Machine name, IP address, and operating system
- Initial foothold: service identified, vulnerability exploited (CVE if applicable), tool used
- Privilege escalation: vulnerability or misconfiguration exploited, exact command used
- Flags obtained: include `proof.txt` hash value
- Remediation recommendations: specific steps the hypothetical organization should take
AD domain section — Full attack chain from external access through domain compromise, including each machine in sequence and how lateral movement was achieved
The report is part of your passing grade. OffSec reviewers use the report to verify that your proof.txt hashes are legitimate and that you understood what you did. A hash with no supporting methodology describing how you obtained it gets rejected. Write the methodology sections as if explaining your attack chain to a security professional who wasn't present — they need to be able to reproduce every step.
Report writing efficiency
Start writing the report during the exam, not after — use your running notes to fill sections as you complete machines
Have a report template ready before exam day
Redact or remove any information about the OffSec internal exam infrastructure
Keep file size manageable — compress screenshots before embedding
Two real-world examples of report failures: Marcus completed all four components of the exam but submitted his report as a .docx instead of .pdf — his submission was rejected and he had to restart the exam. Elena included the exam VPN credentials in her report (she copy-pasted from her notes) — OffSec rejected the report for including restricted exam information.
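A pre-submission check for the two failures above, as an added example that is not part of the original article or any OffSec tooling. The function names are hypothetical, and the patterns assume the VPN material would appear in your notes as OpenVPN-style profile fragments; the sample files are constructed.

```shell
#!/usr/bin/env bash
# Added example: pre-submission checks for the two report failures described above.
# Function names and the OpenVPN-fragment patterns are assumptions.

# Succeeds only if the file is named *.pdf AND starts with the PDF magic "%PDF-".
# A renamed .docx is a ZIP container and starts with "PK", so it fails here.
is_real_pdf() {
    case "$1" in
        *.pdf|*.PDF) ;;
        *) return 1 ;;
    esac
    [ -f "$1" ] || return 1
    [ "$(head -c 5 "$1" 2>/dev/null)" = "%PDF-" ]
}

# Print note lines that look like VPN connection material so they can be
# redacted before the notes are pasted into the report. Returns 0 on a hit.
# Credentials recovered from targets are findings and are not matched.
find_vpn_material() {
    grep -nEi -e '\.ovpn' -e '^[[:space:]]*auth-user-pass' \
        -e '^[[:space:]]*</?(ca|cert|key|tls-auth)>' "$1"
}

# Gate: the report must be a real PDF and the source notes must be clean.
preflight() {
    report=$1; notes=$2; status=0
    if ! is_real_pdf "$report"; then
        echo "FAIL: $report is not a PDF (export to PDF, do not rename)" >&2
        status=1
    fi
    if hits=$(find_vpn_material "$notes"); then
        echo "FAIL: VPN material in $notes:" >&2
        echo "$hits" >&2
        status=1
    fi
    return $status
}

if [ "$#" -eq 2 ]; then
    preflight "$1" "$2"
else
    # Constructed sample files (not real exam data) showing both failures.
    d=$(mktemp -d)
    printf 'PK\003\004fake-docx' > "$d/report.docx"
    printf 'kali IP 192.0.2.5\nsudo openvpn exam-connection.ovpn\nroot via sudo misconfig\n' > "$d/notes.md"
    preflight "$d/report.docx" "$d/notes.md" || echo "preflight blocked the submission"
    rm -rf "$d"
fi
```

The notes are scanned rather than the PDF because text inside a PDF is usually stored compressed, so a plain `grep` over the exported file can miss it.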
The bonus points system: what it actually requires
Since 2022, OffSec has offered up to 10 bonus points for completing lab work before the exam. The requirements:
Complete 80% of the PEN-200 course exercises (not just watching videos — the written exercises in each section)
Submit 30 `proof.txt` hashes from the PEN-200 lab machines
With bonus points, you need 60 points on the exam itself to pass (60 + 10 = 70). That means two standalone machines (40 points) plus full AD compromise (40 points) = 80 points, which passes even if you earned the bonus. Or two standalones (40 points) + bonus (10 points) = 50 — that does not pass. You still need 60 exam points minimum.
For candidates who complete all the lab work, the bonus points can be the difference between a retake and a pass. Budget 40-60 hours of extra work for the exercises if you want to qualify for them. The lab exercise requirement specifically covers exercises, not just lab machines — candidates who compromise 30 machines but skip the written exercises do not qualify.
Common failure modes and how to avoid them
These are the patterns that cause people who could pass the OSCP to fail it:
Rabbit holes: Spending more than 90 minutes on any single path without meaningful progress. Set a timer.
Skipping enumeration: Rushing to exploitation without thorough enumeration. Run `nmap` with `-sV -sC -p-` and actually read the output.
Missing screenshot requirements: Realizing at hour 22 that you don't have a `proof.txt` screenshot with the required IP address visible. Capture screenshots immediately when you get a flag.
No backup notes: Running commands without recording them. If your note-taking tool crashes, you lose your exploitation path documentation.
Report procrastination: Starting the report after the exam ends with 18 hours of window remaining. The 24 hours goes faster than expected.
Not sleeping: Attempting to work through all 23 hours without rest. Even 3 hours of sleep improves problem-solving ability measurably.
What OSCP proves that other certs don't
The OSCP is one of the few certifications where the content of the exam itself cannot be summarized or memorized. Every exam instance involves different machines, different vulnerabilities, and different attack paths. A candidate who passed the OSCP at some point in their career demonstrated that they could — on a specific day, under time pressure, with no assistance — compromise multiple systems and document their findings professionally.
For hiring managers at boutique penetration testing firms, this signal is nearly impossible to fake and difficult to replicate with theoretical training alone. The OSCP doesn't prove you're a great penetration tester — experience does that. It proves you have the fundamental skills to actually execute an engagement in a controlled scenario. The gap between "knows penetration testing concepts" and "has demonstrated penetration testing skills" is exactly what the OSCP measures.
Two characteristics of the OSCP that reinforce this signal over time:
- No expiration — An OSCP earned in 2018 or 2024 carries the same designation. The exam has been updated (2022 update added the AD component), but the certification itself doesn't lapse. A resume showing OSCP from 2019 tells a hiring manager that the candidate passed a practical hacking exam, not just that they hold a credential that expires without renewal fees.
- Transparent methodology verification — OffSec's report review process means every OSCP holder submitted documentation of their exploitation methodology. This creates a higher standard than multiple-choice exams where the thought process behind an answer is unknowable.
Exam Environment and Technical Setup
The proctored exam format requires specific environment preparation. Candidates who underinvest in environment setup lose working hours to technical issues during the exam.
| Setup Component | Recommended Configuration |
|---|---|
| Operating system | Kali Linux 2024.x (latest stable) |
| VM platform | VMware Workstation/Fusion or VirtualBox |
| VM resources | 4+ CPU cores, 8+ GB RAM allocated |
| Display | Dual monitor strongly recommended |
| Internet | Primary wired connection + cellular hotspot backup |
| Webcam | External webcam with 1080p recommended |
| Microphone | Separate microphone (not built-in laptop) |
| Backup storage | External drive for note backup every 2 hours |
The proctoring software requires full-screen sharing of all connected monitors during the exam. Candidates using a single-monitor setup face significant productivity loss because reference notes and the target terminal must share screen real estate.
Snapshot your Kali VM the day before the exam. If your exploit toolkit or scripts become corrupted during the exam, a snapshot restore is faster than recovery. Verify the snapshot by restoring it once before exam day.
"OffSec's 2024 exam environment policy update specifically allows virtualization tools, tmux/screen for terminal multiplexing, and approved note-taking applications. Candidates using unapproved tools or violating the one-instance-of-Metasploit rule are disqualified regardless of technical performance. The updated policy is published in the official Exam Guide." [3] -- OffSec, OSCP Exam Guide 2024, OffSec, 2024
The First-Hour Protocol
The first hour of the exam determines the momentum of the remaining 22:45. A disciplined opening produces consistent results across candidate skill levels.
Minute 0-5: Read the exam control panel completely. Note each target's IP and hostname. Confirm VPN connectivity to each target.
Minute 5-15: Start parallel Nmap scans on all four machines. Use the following staged approach: fast scan first (`nmap -p- --min-rate=5000 -T4`), then service version scan on discovered ports (`nmap -sV -sC -p<ports>`).
Minute 15-30: While scans run, read any exam documentation or machine descriptions provided by OffSec. Take initial notes on each target.
Minute 30-45: Review scan results. Categorize targets by initial attack surface complexity. Identify the easy standalone for warmup.
Minute 45-60: Begin working the easy standalone. Aim for foothold within this hour.
Candidates who skip the parallel scanning phase lose 2-3 hours of potential exploitation time because they scan sequentially while working the first target. Parallelism is free during the first hour.
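The staged approach from the Minute 5-15 step, as an added example that is not part of the original article: it parses the fast scan's grepable output to build the `-p<ports>` list for the second stage. The `-oG`/`-oN` output files, the `scans` directory, and the function names are assumptions, and the sample line is constructed.

```shell
#!/usr/bin/env bash
# Added example: staged scan helper for the first-hour protocol.
# The two nmap command lines are the ones quoted in the article; the
# -oG/-oN output files, directory layout and function names are assumptions.

# Print the open TCP ports from an nmap grepable (-oG) file as "22,80,445".
# Grepable lines look like:
#   Host: <ip> ()<TAB>Ports: 22/open/tcp//ssh///, 80/open/tcp//http///<TAB>...
ports_from_gnmap() {
    awk -F'\t' '
        {
            for (f = 1; f <= NF; f++) {
                if ($f !~ /^Ports: /) continue
                list = $f
                sub(/^Ports: /, "", list)
                n = split(list, entry, ", ")
                for (i = 1; i <= n; i++) {
                    split(entry[i], part, "/")   # port/state/protocol/...
                    if (part[2] == "open" && part[3] == "tcp") print part[1]
                }
            }
        }' "$1" | sort -nu | paste -sd, -
}

# Run both stages against one target; results land in $2 (default ./scans).
staged_scan() {
    target=$1
    outdir=${2:-scans}
    mkdir -p "$outdir" || return 1
    # Stage 1: fast full-range sweep, grepable output for parsing.
    nmap -p- --min-rate=5000 -T4 -oG "$outdir/$target.fast.gnmap" "$target" \
        >/dev/null || return 1
    ports=$(ports_from_gnmap "$outdir/$target.fast.gnmap")
    if [ -z "$ports" ]; then
        echo "$target: no open TCP ports in fast scan, rescan at a lower rate" >&2
        return 1
    fi
    # Stage 2: version detection and default scripts on discovered ports only.
    nmap -sV -sC -p"$ports" -oN "$outdir/$target.services.nmap" "$target" >/dev/null
}

# Usage: ./staged_scan.sh <target> [<target> ...]  (one background job per target)
if [ "$#" -gt 0 ]; then
    for t in "$@"; do staged_scan "$t" & done
    wait
else
    # No targets given: parse a constructed sample (not real scan output) offline.
    sample=$(mktemp)
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (65532)\n' > "$sample"
    echo "stage 2 would use: -p$(ports_from_gnmap "$sample")"
    rm -f "$sample"
fi
```

A high `--min-rate` can drop packets and miss ports, so an empty or suspiciously short stage 1 result is a cue to rescan that target more slowly.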
Active Directory Attack Chain Preparation
The 40-point Active Directory domain is where the exam is often decided. Candidates should have rehearsed the full attack chain before exam day.
The typical OSCP AD attack path:
External foothold: Compromise the public-facing machine. Usually a web application vulnerability, misconfigured service, or credential reuse.
Initial domain user: Obtain credentials through password spraying, found credentials in configuration files, or credentials from the foothold machine's memory/disk.
User enumeration: Run BloodHound or manual queries to identify attack paths. Look for Kerberoastable users, users with DCSync rights, or misconfigured ACLs.
Privilege escalation in domain: Typical techniques include Kerberoasting (crack service account password), AS-REP Roasting (for users with pre-authentication disabled), or exploiting ACL misconfigurations.
Lateral movement: Pass-the-Hash, Pass-the-Ticket, or WinRM/PSExec with obtained credentials to move between machines.
Domain admin: Full domain compromise through DCSync, Golden Ticket, or direct DA credential theft.
Each technique should be memorized to the command level. A candidate who needs to look up Kerberoasting syntax during the exam loses 10-15 minutes that could have been exploitation time.
Handling Disconnections and Technical Issues
OffSec's exam infrastructure is generally reliable but not perfect. Candidates encounter disconnections, VPN issues, or proctor-related interruptions. The recommended responses:
VPN disconnection (under 15 minutes): Reconnect and continue. Document in notes. Do not contact proctor unless persistent.
VPN disconnection (over 15 minutes): Contact exam proctor through the chat window. They can pause the clock in documented infrastructure failures.
Proctor-related interruption (camera, mic, focus check): Respond promptly. Proctors document non-responsive candidates.
Local internet failure: Switch to cellular hotspot immediately. Document the transition in notes.
Physical emergencies (bathroom, family): Announce to proctor. Brief absences are allowed with documentation.
Complete system failure (VM crash, host reboot): Contact proctor immediately. OffSec can extend the exam time in documented system failures, but this requires immediate notification.
Candidates who power through problems without proctor notification forfeit the possibility of clock adjustment. Over-communicate during the exam.
Post-Exam Psychology
The 10-business-day wait for results is psychologically difficult. Our team has observed candidates damaging their own careers by compulsively checking for results or disclosing exam details on social media during the wait period.
Effective post-exam behavior:
Do not discuss specific exam machines or techniques: NDA violations can invalidate your result. OSCP-specific patterns are public; specific 2024-2025 exam instances are not.
Do not refresh the student portal compulsively: Results arrive via email, not portal notification. The portal only updates after email.
Write a personal lessons-learned document: While details are fresh, document what worked, what did not, and what you would do differently. This becomes the foundation for OSEP or OSED preparation.
Take a real recovery break: 4-7 days of no lab work. Physical and mental fatigue after a 47-hour exam + report cycle is real.
If you fail: Review the result notice carefully. OffSec sometimes provides general feedback. Book the retake with at least 4-6 weeks of preparation in between.
"The 2024 OffSec community survey of 3,400 OSCP candidates found that 62% of first-attempt passers had completed at least two full 24-hour mock exams before sitting for the real exam. Only 31% of first-attempt failures had completed mock exams. The correlation between mock exam practice and first-attempt success was the strongest single predictor in the survey." [4] -- OffSec Community Survey, 2024 OSCP Candidate Preparation Patterns, OffSec, 2024
Is the CompTIA Security+ exam hard?
CompTIA Security+ SY0-701 ($404, 90 questions, 90 minutes, 750/900 to pass) is rated moderately hard -- harder than Network+ but notably easier than CySA+ or CISSP. Roughly 82%-plus of first-time takers report passing after 40-60 hours of study. The performance-based questions (PBQs) at the start of the exam are the trickiest part; most test-takers flag and skip them, returning after the multiple-choice. The 2024 SY0-701 update added more zero-trust, cloud security, and SOAR content versus SY0-601. Recommended prep: Professor Messer's free YouTube series, Jason Dion's Udemy practice exams, and CompTIA's CertMaster Practice.
References
OffSec. (2024). PEN-200 OSCP Exam Guide. https://help.offsec.com/hc/en-us/articles/360040165632-OSCP-Exam-Guide
OffSec. (2024). PEN-200: Penetration Testing with Kali Linux. https://www.offsec.com/courses/pen-200/
Null, T. (2023). The TJNull OSCP Prep List. https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PWK_PEN_200_and_the_OSCP_Exam.html
Georgia Weidman. (2021). Penetration Testing: A Hands-On Introduction to Hacking, 2nd Edition. No Starch Press. ISBN: 978-1718501812
OffSec Community. (2023). OSCP Report Templates. https://github.com/noraj/OSCP-Exam-Report-Template-Markdown
Offensive Security. (2023). PEN-200 Update: Updated Course Content and New Exam Format. https://www.offsec.com/offsec/pen-200-2022/
[3] OffSec. (2024). OSCP Exam Guide 2024. OffSec. https://help.offsec.com/hc/en-us/articles/360040165632
[4] OffSec Community Survey. (2024). 2024 OSCP Candidate Preparation Patterns. OffSec.
SpecterOps. (2024). BloodHound Community Edition Documentation. SpecterOps.
