OSEP Training and Certification
Who is it for?
The OSEP Training and Certification is ideal for experienced penetration testers and security professionals seeking to master advanced penetration testing methodologies, ultimately earning the OSEP certification. While completion of PEN-200 (Penetration Testing with Kali Linux) is not a formal prerequisite, it is highly recommended due to the advanced nature of PEN-300.
Exam Details For OSEP Training and Certification
The OSEP Training and Certification exam is a challenging, proctored 48-hour assessment designed to evaluate your advanced penetration testing skills in a real-world environment. You’ll demonstrate your ability to identify, exploit, and report on vulnerabilities, culminating in the development of custom exploits.
Benefits of the course
- Operating System and Programming Theory
- Client-Side Code Execution with Office
- Client-Side Code Execution with JavaScript
- Process Injection and Migration
- Introduction to Antivirus Evasion
- Advanced Antivirus Evasion
- Application Whitelisting
- Bypassing Network Filters
- Linux Post-Exploitation
- Windows Post-Exploitation
Related Reading
- OSEP vs OSCP — Honest Comparison for Red Team Careers
- Red Team Certifications India 2026 — OSEP vs CRTO vs CRTP
- OffSec Learn One India — Pricing + ROI
- Top 10 Penetration Testing Tools in 2026
Toolkit covered in the OSEP (PEN-300) bootcamp
OSEP is the evasion and mature-AD specialisation that sits between OSCP and OSCE3. The bootcamp toolkit shifts from ‘getting in’ (OSCP) to ‘staying in undetected and pivoting to crown-jewel targets’ (OSEP). Defender for Endpoint, AppLocker, AMSI, ScriptBlock logging, and EDR are assumed present on every exam target.
- Cobalt Strike (commercial — concept walkthrough). Bootcamp covers Malleable C2 profile authoring, sleep masking, BOFs (Beacon Object Files), and process-injection workflow. Cohort members without a Cobalt Strike licence use Sliver as the open-source analogue.
- Sliver (open-source C2). Full Sliver workflow — implant generation, profile customisation, stagers, listener types (mTLS, HTTP, WireGuard, DNS), Armory extension management.
- Mythic / Apollo agent. Multi-agent C2 framework. Bootcamp covers when to use Mythic vs Sliver for OSEP-style engagements (Apollo’s profile flexibility wins on mature AD).
- AMSI bypass arsenal. PowerShell AMSI patching techniques (AmsiUtils.amsiInitFailed, memory patching, hardware breakpoint variants), and the parallel detection mechanisms that mature blue teams use against them.
- AppLocker / WDAC bypass workflow. LOLBin enumeration via LOLBAS, signed-binary proxy execution chains (rundll32, regsvr32, mshta, installutil), and Constrained Language Mode bypasses for PowerShell.
- Macro + LNK + HTA initial-access toolkit. OLE/XL4M macro authoring, .lnk file weaponisation, .hta JScript droppers, HTML smuggling. Bootcamp covers current AV/EDR detection rates and the obfuscation tax.
- Process injection / hollowing toolkit. Direct syscalls (SysWhispers3, Hell’s Gate, Halo’s Gate), thread-stack spoofing, module stomping, indirect-syscall callsites.
- .NET tooling (Rubeus, SharpHound, Seatbelt, SharpDPAPI). Ghostwriter-compatible payloads with InlineExecute-Assembly, IEX bypass workflow, and reflection-loading from BOFs.
- Active Directory advanced attack arsenal. Constrained delegation abuse, Resource-Based Constrained Delegation, AD CS attacks (ESC1-ESC15), Shadow Credentials, sAMAccountName spoofing.
- Lateral-movement toolkit (PowerShell remoting, WMI, WinRM, DCOM). Detection-quiet pivoting techniques. Bootcamp covers DC remoting + MSDOM + Excel.Application.Run() chains for AV-quiet lateral movement.
- Linux-side attack arsenal. Container escape primitives, Kubernetes attack chains, SSRF-to-cloud-metadata pivots — newly emphasised in PEN-300 2024 update.
- Custom shellcode-runner framework. C/C++ loader template that students extend through the bootcamp — by week 10 you have a personal evasion-aware loader that survives the OSEP exam.
What the Macksofy OSEP lab environment looks like
The OSEP bootcamp lab is a multi-domain AD forest with Windows 11 endpoints, Server 2022 DCs, and a representative EDR deployment (Defender + Sysmon + EDR-detection-rules layered). Students develop full-chain attacks from phishing-payload through crown-jewel exfil while staying below detection thresholds.
- Weeks 1-3 (Initial access engineering): Macro authoring, HTA droppers, HTML smuggling, ISO/IMG container weaponisation, LNK-file launchers, current AV/EDR detection telemetry.
- Weeks 4-5 (Evasion fundamentals): AMSI bypass deep-dive, AppLocker/WDAC bypass enumeration, Constrained Language Mode escapes, ScriptBlock + Module logging counter-techniques.
- Weeks 6-7 (Process injection + EDR evasion): Direct syscalls, indirect syscalls, callstack spoofing, hardware breakpoint counter-techniques, sleep masking variants.
- Weeks 8-9 (Active Directory attack depth): AD CS attacks (ESC1-ESC15), Resource-Based Constrained Delegation, Shadow Credentials, NTLM relay chains to AD CS, cross-forest trust abuse.
- Weeks 10-11 (Full chain rehearsals): Mock 48-hour exam attempts against Macksofy-built challenge environments — closest available approximation to OSEP exam evasion pressure.
- Week 12 (exam-prep sprint): Report-writing rehearsal against the OffSec format, time-management playbook for the 48-hour attack window, retake strategy.
Total hands-on hours: ~320 hours over 12 weeks. The lab is intentionally hardened — exploits that worked on OSCP-era machines will be detected here. The Macksofy mentor staff includes practitioners with current red-team operator field experience.
OSEP exam structure and scoring
The OSEP exam is a 48-hour hands-on attack window followed by a 24-hour report-writing window. OffSec provisions an exam environment with a multi-host network including initial-access phishing entry-point, internal network pivot chain, and crown-jewel objective(s). The exam is graded on completion of objectives plus a 10-point bonus question chain. Pass mark is 100/110 with the bonus, or you complete a ‘secret flag’ chain.
Bootcamp exam-day playbook: Hours 1-6 are initial-access enumeration and phishing-payload preparation. Hours 6-18 are foothold establishment and host-level evasion confirmation. Hours 18-30 are internal pivot and AD attack chain. Hours 30-42 are crown-jewel pursuit and bonus-question chain. Hours 42-48 are buffer + screenshot validation. Sleep is mandatory — OSEP candidates routinely fail through fatigue-induced screenshot omissions.
Stealth grading: OSEP rewards ‘stealth’ demonstration — your attack chain should not trigger more detections than necessary. Graders check evidence of evasion technique application. The bootcamp’s lab purposely simulates an EDR-monitored environment so candidates internalise the evasion discipline.
Retake strategy: Standard OffSec retake terms apply (additional exam fee, 14-day cooldown). OSEP pass rates are lower than OSCP — the bootcamp’s historical first-attempt pass rate is ~50% with prepared candidates. Macksofy includes a post-exam targeted-practice block for retake support, focused on the specific evasion or AD chain where points were lost.
OSEP career outcomes in the India market — 2026
OSEP is the credential that elevates a pentester into red-team-operator territory. India red-team hiring is comparatively small (~150-200 dedicated red-team roles nationally in Q1 2026) but compensates at a 60-90% premium over equivalent-experience pentest roles. OSEP-holders are concentrated at consultancies (NotSoSecure, Payatu, Lucideus, K7 Computing), Big 4 advanced-threat practices, India-headquartered GCC red teams (Microsoft IDC Red Team, Adobe NCR Red Team), and a small set of pure-play firms (Cygnus, Aujas Cybersecurity).
Salary bands (India, 2026):
- OSCP + OSEP + 3-5 years field: ₹28-45 LPA at consultancies, ₹38-55 LPA at GCC red teams.
- OSCP + OSEP + 5-8 years + secondary advanced cert (CRTO / OSEE): ₹50-75 LPA at lead red-team operator / red-team-lead roles.
- 8+ years + OSEP + red-team-engagement portfolio: ₹75-1.4 Cr LPA at principal red-team consultant / red-team practice-lead roles at India-headquartered offensive-security firms.
- Independent / freelance OSEP-holders with 4-6 years background regularly bill ₹15,000-30,000 per engagement-day on India-based purple-team and red-team contracts (₹30-60 LPA equivalent on consistent retainer load).
Average time-to-first-offer post-OSEP for candidates with prior OSCP + 2 years pentest experience: 4-8 weeks. The Indian red-team hiring market is closely-networked — placement happens primarily via warm referral. Macksofy placement cell’s strongest channels are NotSoSecure, Payatu, and Microsoft IDC Red Team.
OSEP vs adjacent certs — when to pick what
OSEP vs CRTO (Zero-Point Security Certified Red Team Operator): CRTO is the closest comparator — Cobalt Strike-centric, AD-heavy, evasion-aware. CRTO is cheaper (£365), 8-hour exam, vendor-specific (Cobalt Strike). OSEP is OffSec branding, longer exam (48h), vendor-agnostic (Cobalt Strike OR Sliver OR your own). Pick CRTO if your shop uses Cobalt Strike and your manager values the specific tooling skill. Pick OSEP if you want the OffSec credential branding for recruiter recognition.
OSEP vs SANS GIAC GXPN (Exploit Researcher & Advanced Penetration Tester): GXPN ($979) is a 4-hour multiple-choice exam. Heavy on exploit-development theory. OSEP is hands-on evasion-and-AD; GXPN is exploit-development theory. Different skills — most senior offensive practitioners hold both eventually.
OSEP vs CRTL (Zero-Point Security Certified Red Team Lead): CRTL is the operations-management layer above CRTO. Different scope entirely — CRTL teaches red-team-engagement leadership, not operator skills. Take CRTL after OSEP / CRTO once you’re leading red-team engagements.
OSEP vs OSED (Exploit Developer): Both PEN-300-tier certs. OSEP is evasion + AD; OSED is binary exploit development (Windows shellcoding, ROP chains, custom exploit writing). Different specialisations — OSEP for engagement-side red-team work, OSED for vulnerability-research and exploit-development tracks.
Sample bootcamp walkthrough — phishing-to-DA evasive chain
A representative bootcamp end-to-end engagement on Macksofy’s hardened lab forest:
- Pretext + payload prep (90 min): Author a fake-invoice macro-laden xlsm with VBA stage 1 that downloads a stage 2 PowerShell via mshta. Test against Defender — pass.
- Initial access (10 min): Mark-of-the-Web stripped via ISO container. User opens xlsm. Stage-1 VBA executes; HTA stage 2 downloads.
- Stage-2 PowerShell loader (45 min): AMSI bypass via memory patching, ScriptBlock logging evaded via Constrained Language Mode bypass, Sliver implant reflectively loaded into a benign process (procexp64.exe spoofed via process-hollowing). C2 callback established with mTLS to a frontable CDN.
- Foothold consolidation (30 min): Sleep-mask configured for 5-minute jitter. SharpHound via inline assembly. Local enumeration via Seatbelt BOF.
- Privilege escalation (60 min): BloodHound reveals user has GenericWrite on a service account. Shadow Credentials attack via Whisker → DA-equivalent NTLM hash obtained.
- Lateral pivot to DC (45 min): Kerberos S4U2Self/S4U2Proxy abuse to impersonate Administrator on the DC. Mimikatz LSASS dump via direct-syscall variant (Defender-quiet).
- AD CS attack — secondary chain (75 min): Identify ESC4 vulnerable template (User-template misconfiguration). Request DA certificate via Certify. Use PKINIT to authenticate as DA without password.
- Crown jewel exfil (45 min): Identify file server with HR PII. Compress + chunked exfil via the existing C2 callback. Avoid spike in C2 traffic that would trigger NIDS — use beacon-jitter expansion.
- Cleanup + report (90 min): Implant uninstall + persistence-removal + log cleanup (acceptable scope per engagement rules). Write report covering attack chain, evasion-technique audit trail, defensive recommendations.
Total time on a familiar-class environment: ~8 hours. The OSEP exam adds the unknown-environment penalty — expect 24+ hours of comparable work. The bootcamp’s drill repetitions make the chain reflexive.
Readiness checklist before joining the OSEP bootcamp
OSEP is the second-most-difficult OSCP-pathway exam after OSEE. OSCP completion plus AD field experience is the standard prerequisite. Self-assess against this checklist; eight of twelve is a safe baseline.
- OSCP-certified OR equivalent (CRTP + 1 year of internal-pentest experience).
- Comfortable in PowerShell — can write 100+ line scripts, understand pipeline + module + remoting.
- Have written a C/C++ shellcode-runner that injects a payload into a remote process.
- Understand Windows internals at intermediate depth — PEB, TEB, syscall table, NTAPI vs Win32 API.
- Have used Cobalt Strike OR Sliver OR Mythic in a real engagement or training environment.
- Have manually performed an AMSI bypass and validated it on Defender.
- Understand AD attack primitives at depth — Kerberoasting, AS-REP, NTLM relay, AD CS ESC1-ESC4 minimum.
- Have used SharpHound + BloodHound for shortest-path queries on a real engagement.
- Have read the MITRE ATT&CK framework T1003-T1059 control families.
- Can dedicate 15-20 study hours per week consistently for 12 weeks.
- Have a workstation with 32GB+ RAM (multiple Windows VMs needed for evasion testing).
- Comfortable reading public red-team-engagement writeups (TrustedSec, SpecterOps blog, BC Security).
Candidates without OSCP but with strong internal-pentest field experience may be admitted on a case-by-case basis after a Macksofy technical interview. Candidates lacking PowerShell and C basics will be required to complete a 4-week ‘OSEP Foundations’ bridge module before the main cohort.
Frequently asked questions — OSEP bootcamp
Is Macksofy an Offensive Security Authorized Training Partner for OSEP?
No. Macksofy Trainings runs an independent exam-prep bootcamp for OSEP (PEN-300). We are not an Offensive Security Authorized Training Partner. OffSec exam vouchers, lab subscriptions, and the official PEN-300 courseware must be purchased directly from OffSec.com. Our bootcamp fee covers Macksofy-built lab infrastructure, mentored sessions, and exam-prep methodology only.
Do I need OSCP before attempting OSEP?
Strongly recommended. OSEP assumes OSCP-level foothold and basic AD attack fluency. Candidates without OSCP may be admitted with strong internal-pentest field experience plus a Macksofy technical interview, but it’s the harder path.
How much does the OSEP exam cost?
OffSec charges approximately USD 1,749 for OSEP exam + 90-day lab. Pricing changes — confirm at offsec.com/pricing. The Macksofy bootcamp fee is exclusive of OffSec charges.
Do I need a Cobalt Strike licence for the OSEP exam?
No. The OSEP exam is vendor-agnostic — you can use Cobalt Strike, Sliver, Mythic, or your own custom C2. The Macksofy bootcamp drills Sliver primarily (open-source, no licence cost) with Cobalt Strike concept walkthrough for candidates who have access to a Cobalt Strike licence at work.
How long is the OSEP exam?
48-hour attack window + 24-hour report-writing window. Pass mark is 100/110 with a bonus-question chain, or completion of a secret-flag chain. Sleep is mandatory — fatigue costs more points than skill gaps on this exam.
What’s the OSEP pass rate?
OffSec doesn’t publish official numbers. Macksofy cohort data (2024-2025) shows ~50% first-attempt pass with full-prep candidates, ~75% pass within two attempts. OSEP is harder than OSCP — plan for a possible retake.
How is OSEP different from OSCP?
OSCP is ‘get the foothold and escalate’ — broad initial-access and PE coverage. OSEP is ‘get the foothold past EDR, stay quiet, and chain to crown-jewel’ — heavy on evasion, mature-AD attacks, and stealth. Different scope, different toolkit, different exam grading philosophy.
What’s the difference between OSEP and CRTO?
CRTO (Zero-Point Security Certified Red Team Operator) is Cobalt Strike-specific and £365. OSEP is vendor-agnostic and ~USD 1,749. CRTO is faster (8-hour exam) and cheaper but vendor-locked. Pick CRTO if your shop uses Cobalt Strike; pick OSEP for the OffSec credential branding.
Will I get placement assistance after passing OSEP?
Yes, particularly strong in the India red-team hiring pool. Macksofy’s placement cell maintains warm-intro relationships with NotSoSecure, Payatu, Microsoft IDC Red Team, Adobe NCR Red Team, and 15+ other India-headquartered red-team practices. Time-to-first-offer is typically 4-8 weeks for OSCP + OSEP holders with 2+ years pentest experience.
Does the bootcamp prepare me for OSCE3?
OSCE3 is the OffSec composite certification (OSEP + OSWE + OSED). Macksofy offers all three programs; many cohort members take them sequentially to earn OSCE3 over 12-18 months. The OSEP bootcamp is the strongest pre-OSED stepping stone since both share advanced Windows internals depth.
Report-writing playbook — what OSEP graders look for
OSEP fails more candidates at the report-writing stage than at the exploitation stage. The OffSec grading rubric for OSEP is meaningfully different from OSCP — and candidates who default to an OSCP-style report routinely lose 15-25 points to documentation gaps. The Macksofy bootcamp dedicates the final week to OSEP-specific report discipline.
What OSEP graders look for that OSCP graders don’t:
- Evasion-technique evidence chains. For each evasion technique used (AMSI bypass, AppLocker bypass, direct-syscall injection, sleep-mask configuration), the report must explicitly cite the technique, document the configuration applied, and provide before/after telemetry evidence demonstrating the bypass worked. A working bypass without documented evidence costs points.
- Detection-source enumeration per attack stage. For each stage of the attack chain (initial access, foothold, privilege escalation, lateral movement, exfiltration), the report must list which detection sources existed in the environment (Defender, Sysmon, Zeek, etc.), which fired, and which were evaded — including a defensive recommendation for the gaps.
- OPSEC narrative. Unlike OSCP’s machine-by-machine report structure, OSEP expects an engagement-narrative format. Treat the report as if delivered to a CISO post-engagement: tell the attack story chronologically with timestamps, decision points, alternative paths considered, and why specific evasion choices were made.
- Bonus-question chain documentation. The OSEP exam includes a bonus-question chain worth 10 of the 110 total points. The bootcamp drills the discipline of treating bonus questions as a first-class report section with the same evidence depth as primary objectives — many candidates dismiss bonus questions and surrender easy points.
- Remediation recommendations per technique. For each ATT&CK technique used, the report must propose a concrete defensive remediation (configuration change, detection rule, architectural mitigation). OSEP grading penalises generic remediation language; specificity wins.
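The detection-sources-per-stage table that the second point above requires can be produced mechanically from the operator's timeline and the lab telemetry, so the report states for every stage which sources fired and which stayed silent. The following Python is an added example, not OffSec's or Macksofy's code; the detection sources, log-line format, stage boundaries and telemetry lines are all assumed or constructed.

```python
# Per-stage detection-source summary for an OSEP-style report.
# Added example, not OffSec's or Macksofy's code: sources, log format,
# timestamps and stage boundaries below are all assumed/constructed.
from datetime import datetime, timezone
import re

SOURCES = ("defender", "sysmon", "zeek")  # detection sources assumed deployed

# Stage boundaries from the operator's own timeline (constructed, UTC).
STAGES = [
    ("initial_access",       "2026-03-14T09:00:00Z", "2026-03-14T09:10:00Z"),
    ("foothold",             "2026-03-14T09:10:00Z", "2026-03-14T09:40:00Z"),
    ("privilege_escalation", "2026-03-14T09:40:00Z", "2026-03-14T10:40:00Z"),
    ("lateral_movement",     "2026-03-14T10:40:00Z", "2026-03-14T11:25:00Z"),
    ("exfiltration",         "2026-03-14T11:25:00Z", "2026-03-14T12:10:00Z"),
]

# Constructed telemetry: "<ISO-8601 UTC> <source> <detail>" per line.
TELEMETRY = """\
2026-03-14T09:02:11Z sysmon EventID=1 Image=mshta.exe ParentImage=EXCEL.EXE
2026-03-14T09:02:12Z defender Alert=Suspicious script launched by Office app
2026-03-14T09:15:40Z sysmon EventID=3 Image=procexp64.exe DestPort=443
2026-03-14T10:52:03Z sysmon EventID=10 TargetImage=lsass.exe GrantedAccess=0x1010
2026-03-14T11:31:27Z zeek Notice=Large outbound transfer 184MB to cdn-edge
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(.*)$")

def parse_ts(text):
    """Parse the ISO-8601 'Z' timestamps used in the constructed data."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_telemetry(blob):
    """Turn raw lines into (timestamp, source, detail); skip unknown sources."""
    events = []
    for line in blob.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group(2).lower() in SOURCES:
            events.append((parse_ts(m.group(1)), m.group(2).lower(), m.group(3)))
    return events

def stage_coverage(stages, events, sources=SOURCES):
    """Per stage: {'fired': {source: [details]}, 'silent': [sources]}."""
    coverage = {}
    for name, start, end in stages:
        lo, hi = parse_ts(start), parse_ts(end)
        fired = {}
        for ts, src, detail in events:
            if lo <= ts < hi:  # event falls inside this stage's window
                fired.setdefault(src, []).append(detail)
        coverage[name] = {"fired": fired, "silent": [s for s in sources if s not in fired]}
    return coverage

def report_rows(coverage):
    """Flatten into (stage, fired, silent) rows for the report table."""
    rows = []
    for stage, data in coverage.items():
        fired = ", ".join(f"{s} x{len(d)}" for s, d in sorted(data["fired"].items()))
        rows.append((stage, fired or "none", ", ".join(data["silent"]) or "none"))
    return rows

if __name__ == "__main__":
    for row in report_rows(stage_coverage(STAGES, parse_telemetry(TELEMETRY))):
        print("%-22s fired: %-24s silent: %s" % row)
```

A stage whose row reads "fired: none" is exactly where the report needs the before/after evasion evidence and a defensive recommendation for the gap.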
Macksofy report-writing rehearsal cadence: Weeks 10-11 of the bootcamp include three full mock-engagement report submissions, each marked by a mentor against the OSEP grading rubric. Mock 1 surfaces typical first-attempt gaps (insufficient evasion evidence, OSCP-style structural defaults). Mock 2 measures correction. Mock 3 simulates exam-day time pressure with the report due in the 24-hour post-attack window. Cohort members who score above the OSEP threshold on Mock 3 historically pass the exam itself on first attempt at roughly 80% — versus the 50% average for candidates who skip rehearsal.
Common report-writing failure modes: Screenshots without context narrative; copy-pasted tool output without interpretation; missing timestamps; absent ATT&CK technique mapping; no defensive-remediation section; report exceeds OffSec’s 50-page guideline (graders penalise bloat). The bootcamp’s report template enforces compliance with each.
Related reading: AD Certificate Services abuse and BYOVD/EDR evasion both feature in the 10 attack techniques defining cybersecurity in 2026 — see how the technique you are training for shows up in real 2026 intrusions.
Pricing note: The listed course price is for the course and certification package. Personalised instructor-led training and one-on-one mentorship are charged separately — contact our team for a customised training and mentorship quote.
Train from anywhere in India: OSEP (PEN-300) runs as live online cohorts for learners nationwide. See local employer and salary context for your city on our cybersecurity training locations page.
Curriculum
- 9 Sections
- 9 Lessons
- 80 Hours
- Operating System and Programming Theory (1 lesson)
- Client-Side Code Execution with Office (1 lesson)
- Client-Side Code Execution with Jscript (1 lesson)
- Process Injection and Migration (1 lesson)
- Introduction to Antivirus Evasion (1 lesson)
- Advanced Antivirus Evasion (1 lesson)
- Bypassing Network Filters (1 lesson)
- Linux Post-Exploitation (1 lesson)
- Windows Post-Exploitation (1 lesson)