There has been a discussion about whether the OSCP is a useful certification and worth the money.

I want to clarify that I am not against the OSCP, not at all. The usefulness of it depends on multiple factors.

Here is my advice on how to determine if the OSCP is right for you:

https://twitter.com/z3roTrust/status/1256802569709514752

Is the OSCP a useful cert? The answer entirely depends on certain factors such as: your skill level, the time you’re willing to spend on it, and the goal you expect to achieve by completing it.

My skill level when I took it: 3yrs Pentesting experience.

Why I took it: 1) “Haben ist besser als brauchen” = It’s better to have than be in need. Women have to prove themselves more & Creds are one way to provide that.

Expectation: learn something new and expand my skill set.

Time effort: 30d lab time + 1 exam try.

Worth it? Meh 🤷🏼‍♀️

When you’re trying to decide if the OSCP is worth it for you, ask yourself the following questions:

1) What goal do I expect to achieve by getting the cert?

If you are a Pentester and want to add the cert to your resume to increase credibility, why not.

If your goal is to get your first pentesting job, you have to keep in mind that the OSCP alone won’t prepare you for your role. Your interview challenge will likely test if you can find WebApp bugs since that’s likely what you will be expected to do as a junior Pentester.

The important factor here is how much time you expect to spend on it, and that depends on your skill lvl. If you have no prior experience, this cert could cost you 6-12+ months in the worst case. Tho I’ve also seen beginner pace through the OSCP much faster (@Monobehaviour)

Be aware of the types of skills you will obtain during the OSCP and ask yourself

2) “is the time effort worth obtaining these skills and will they help me achieve my goal?“

Remember: There are always trade-offs and time is your most valuable currency. Use it wisely.

The time you spend trying to pass could be spent on skills you know are more important for your goal. Often I see ppl who completed the labs but keep failing the exam (exams suck & not everyone does well under time pressure) and continue to spend months attempting to pass it.

If you determine that the OSCP is not worth taking, that doesn’t mean you have to discard it forever. It might just not be the right time.

My advice: don’t take it for the hype or to be “cool”. Focus on your goal, not on being part of a group of people you consider “the elite”.

If you don’t want to spend the time & money but still want to obtain OSCP skills, you can practice on @hackthebox_eu for free. They have many labs, always add new ones, there is a leaderboard if you enjoy competing, and the boxes are very much like the ones you’d find in the OSCP

Success story: @Monobehaviour DMed me when he worked as a dev and asked for advice on how to get into security. Usually ppl expect others to hand hold them and give them step by step instructions, but not him. I pointed him to some recourses and told him about @hackthebox_eu.

He soaked in the resources on WebApp pentesting I gave him and started doing the HTB labs. I saw him poppig one box after another, every day!

Eventually he started the OSCP & passed on first try! All those skills combined got him a job offer as a Red Teamer. I’m so proud of him!

In summary, there is no clear yes/no answer to the question “is the OSCP worth taking”.

Everyone has different goals, circumstances, prior skills, and time-constraints.

It’s your time, your goal. Think carefully about your time/money investment before committing.

Since it fits the topic and there have been people occasionally asking about it, I live tweeted during my OSCP exam and surprisingly ended up completing it in 8 hours 😬

twitter.com/i/events/12570…