Windows User Mode Exploit Development EXP 301 Course Training Certification
Who is it For?
The EXP-301 course is suited for people with a strong background in penetration testing and programming who want to master exploit creation techniques and eventually acquire the OSED certification.
Exam Details
The OffSec Exploit Developer (OSED) exam is a rigorous 48-hour proctored assessment that replicates a real network with several susceptible systems. You are responsible for abusing these systems and producing evidence of exploitation.
Benefits of the course
- WinDbg Tutorial
- Stack Buffer Overflows
- Exploiting SEH Overflows
- Intro to IDA Pro
- Overcoming Space Restrictions
- Shellcode From Scratch
- Reverse-Engineering Bugs
- Stack Overflows and DEP/ASLR Bypass
- Format String Specifier Attacks
- Custom ROP Chains and ROP Payload Decoders
Related Macksofy Certifications
OSED concentrates on Windows reverse engineering and exploit development. The macOS-side sibling is OSMR (EXP-312) macOS Reverse Engineering, which covers the same craft applied to Apple’s platform.
Toolkit covered in the Macksofy OSED (EXP-301) exam-prep bootcamp
OSED is the deepest Windows user-mode exploit-development cert on the market — it tests reverse engineering, custom shellcode crafting, modern mitigation bypass (DEP, ASLR, SafeSEH, CFG awareness), and end-to-end weaponisation. Macksofy is NOT an OffSec Authorized Training Partner — this is an exam-prep bootcamp aligned to the publicly-documented PEN-301 syllabus, not official OffSec courseware delivery. Candidates separately purchase the OffSec EXP-301 course + lab + exam voucher directly from Offensive Security.
- WinDbg + WinDbg Preview. Primary debugger for OSED prep. Bootcamp drills WinDbg command-line fluency: !exchain, !heap, !analyze -v, kb, .formats, dt, lm, .reload, x. WinDbg Preview adds Time Travel Debugging which is gold for exploit-dev iteration.
- x64dbg + x32dbg. Open-source alternative debugger, useful for crash-triage workflow. Bootcamp covers x64dbg’s exploit-dev script plugins.
- IDA Free + Ghidra. Static reverse engineering. IDA Free’s free tier covers 32-bit binaries; Ghidra covers everything. Bootcamp drills function-identification methodology, control-flow-graph analysis, structure-recovery workflow.
- mona.py (Immunity Debugger and WinDbg plugins). Critical exploit-dev productivity tool. Bootcamp covers !mona modules, !mona find, !mona rop, !mona stackpivot, !mona egg — these commands compress hours of manual lookup into seconds.
- Immunity Debugger (with mona). Legacy choice but still valuable for OSED-style buffer-overflow practice on 32-bit Windows targets. Bootcamp includes Immunity as a parallel toolchain.
- rp++ (ROP gadget finder). Alternative ROP-gadget search tool. Useful when mona.py is constrained or when working in WinDbg context where Immunity isn’t available.
- ROPgadget + Capstone + Keystone. Linux-side tooling for cross-platform exploit-dev practice. Capstone (disassembler library) + Keystone (assembler library) underlie a lot of modern exploit-dev tooling.
- msfvenom + nasm + custom shellcode-encoder scripts. Shellcode generation + encoding. Bootcamp drills writing custom Windows x86 shellcode from scratch (CreateProcess, WinExec, reverse-shell) — OSED exam tests custom shellcode capability, not just msfvenom usage.
- PE-Bear + Resource Hacker + PE-sieve. PE file analysis for binary patching exercises. Bootcamp covers section-permission manipulation, import-table modification, RVA-to-file-offset conversion.
- FuzzySecurity tutorials + ExpDev-Kiuhnm series + Connor McGarr blog. External-reference reading list. Bootcamp curates the highest-signal OSED-prep blog posts + tutorials available publicly — augments OffSec’s official courseware substantially.
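mona.py's pattern_create / pattern_offset (listed above among the mona commands, and used again in the SafeSEH drill further down to "map the overflow") do one small, well-defined job: emit a cyclic string in which every 4-byte window is unique, then map a value copied from the debugger back to its offset. The following is an added example, not mona's or Macksofy's code, showing that Metasploit-style algorithm in Python, the language the bootcamp expects exploit scripts to be written in:

```python
import string
import struct


def pattern_create(length):
    """Metasploit/mona-style cyclic pattern.

    Triples of (uppercase, lowercase, digit) are emitted in nested order, so
    every aligned 3-char triple is unique and any 4-byte window occurs once
    within the first 20280 bytes.
    """
    triples = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                triples.append(upper + lower + digit)
                if len(triples) * 3 >= length:
                    return "".join(triples)[:length]
    raise ValueError("requested length exceeds the 20280-byte unique pattern")


def pattern_offset(pattern, value):
    """Return the offset of a crash value inside the pattern.

    `value` is either the 4 characters read from memory, or the 32-bit
    register / SEH-record value as WinDbg prints it (e.g. 0x41336141); the
    integer form is unpacked little-endian so the characters come back in the
    order they sat in memory.
    """
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii", errors="replace")
    else:
        needle = value
    idx = pattern.find(needle)
    if idx < 0:
        raise ValueError("value %r does not occur in the pattern" % (value,))
    return idx


if __name__ == "__main__":
    # Constructed walkthrough: 200-byte pattern, and a value a debugger might
    # show after the overflow (0x41336141 is "Aa3A" stored little-endian).
    p = pattern_create(200)
    print(p[:24] + "...")
    print("offset of 'Aa3A'      :", pattern_offset(p, "Aa3A"))
    print("offset of 0x41336141  :", pattern_offset(p, 0x41336141))
```

Feeding pattern_offset the hex value straight from the `kb` or `!exchain` output avoids the classic mistake of reading the bytes in display order rather than memory order; the two calls in the walkthrough return the same offset for exactly that reason.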
Macksofy OSED exam-prep lab environment
The Macksofy OSED exam-prep bootcamp lab supplements the OffSec EXP-301 lab (which candidates separately subscribe to from Offensive Security). Bootcamp lab content focuses on the high-frequency exam-relevant patterns that OffSec’s lab doesn’t explicitly drill:
- Pre-built Windows exploit-dev lab VMs: Windows 10 + Windows 11 VMs with WinDbg Preview + x64dbg + IDA Free + Ghidra + Immunity + Python-environment pre-installed. Saves 3-4 days of self-configuration.
- 20+ buffer-overflow + format-string practice binaries with progressive difficulty: simple stack-overflow → bad-character mapping → SEH overflow → unicode-conversion overflow → ASLR-bypass via leaked address → DEP-bypass via ROP. Each comes with mentor walkthrough video + scoring rubric.
- 3 full reverse-engineering challenges: closed-source binary analysis + vulnerability identification + exploit weaponisation. Mirrors the OSED exam structure (you’re given a binary, you find the bug, you weaponise it within 48 hours).
- Custom shellcode writing assignments: candidates write x86 Windows shellcode from scratch for 5 progressively-complex tasks (calc.exe pop, CreateProcess shellcode, reverse TCP shell, reflective DLL load primer, AV-bypass simple encoder).
- ROP chain construction drills: 5 targeted ROP-construction exercises against pre-supplied binaries. mona.py + rp++ drilled in parallel.
- Anti-debug + anti-analysis bypass drills: 4 binaries with progressively harder anti-debug techniques (IsDebuggerPresent, NtGlobalFlag, CheckRemoteDebuggerPresent, timing-based detection). Bootcamp drills bypassing each.
Important: the official OSED exam requires the OffSec PEN-301 course subscription + exam voucher purchased separately from Offensive Security. Macksofy bootcamp is exam-prep coaching that compresses your OffSec-lab time by drilling the high-frequency patterns upfront.
OSED exam day — Macksofy prep playbook
The OSED exam (delivered by Offensive Security) is 47 hours 45 minutes practical exam + 24 hours for report writing. Three challenges to complete: typically a custom exploit-dev challenge, a reverse-engineering challenge, and a Windows backdoor challenge. Passing requires substantial completion across all three.
- Exam format: OffSec-delivered practical exam — no MCQ. You exploit real binaries in a controlled lab environment, document the work, and submit a professional report.
- Exam booking: separately from Offensive Security after completing PEN-301 lab time. Macksofy bootcamp is exam-prep coaching that compresses your prep time before the OffSec exam attempt.
- OffSec voucher cost (2026): approximately USD 1,749 for the EXP-301 course + lab + 1 exam attempt; varies — check Offensive Security pricing directly. Macksofy bootcamp pricing excludes the OffSec fee.
- Macksofy bootcamp pricing: INR 95,000 online / INR 1,17,000 classroom-tier (8-12 weeks structured exam-prep cohort). Bootcamp fee is for Macksofy exam-prep coaching only — does not include or substitute for the OffSec PEN-301 course / lab / exam voucher.
- Macksofy bootcamp candidate first-attempt pass-rate: 71% of bootcamp candidates who attempt the official OSED exam pass on first attempt (rolling 12-month average; OSED is the hardest OffSec exam by historical pass-rate). ~88% pass attempt #2 with bootcamp’s 60-day post-attempt mentor support.
Bootcamp-specific exam-prep methodology:
- Build-your-own-tool habit: candidates write Python wrappers around mona.py, custom shellcode encoders, ROP-chain auto-builders. The exam rewards practitioners who have their own toolkit, not just script-kit users.
- Timeboxing discipline: bootcamp practice exams mirror the 47-hour structure with hard deadlines. The biggest failure mode is candidates spending 30 hours on challenge #1, leaving 17 hours for challenges #2 + #3.
- Report-writing drill: 2 sample exam-style reports across the cohort. OffSec deducts substantially for missing reproduction steps or unclear technical narratives.
OSED career outcomes for Indian candidates 2026
OSED is a specialist credential — the universe of OSED-required Indian roles is small but the comp ceilings are high. Comp bands (Q1 2026 aggregators):
- Senior exploit developer / vulnerability researcher (4-7 yr offensive background + OSED): ₹18 – 40 LPA at OEM red teams (Microsoft India, Adobe India, VMware India), Indian VR firms (Lucideus / Safe Security, NotSoSecure / Claranet, Payatu), and select MSSPs.
- Vulnerability research at Bug Bounty platforms: ₹15 – 35 LPA at HackerOne India + Bugcrowd India + Intigriti India delivery. OSED-holders compete for the high-severity-research tier where annual bug-bounty income often exceeds base.
- Government adjacent VR (NTRO contractors, NCIIPC research wings, IIT/IISc affiliated research programmes): ₹10 – 25 LPA. Quieter career paths but exposure to nation-state-level research.
- Senior red-team specialist with OSED credential: ₹22 – 45 LPA at HDFC / ICICI / NPCI / Jio Financial / RIL group red teams. OSED uplifts a CRTO/CRTL-track red-team CV substantially.
- Independent consultant + research: ₹3,000 – 12,000/hour day-rate for OSED-credentialed VR consultants in India. Annual income highly variable but ceiling exceeds full-time offers for established consultants.
India-employer pattern: OSED hiring is referral-heavy + portfolio-evaluated. The cert opens conversations but employers want to see published research (advisories, CVEs, conference talks). Bootcamp encourages candidates to publish at least one technical write-up during the cohort — most-prepared candidates exit with 1-2 portfolio pieces in addition to the OSED credential.
Career-progression sequence we recommend: OSCP → OSEP → OSED (this OffSec sequence is the standard offensive-mastery path). Add OSWE if your specialisation includes web/application exploit-dev. The OSCP → OSED → OSWE-or-OSEP-or-OSEE pattern is the gold standard for offensive specialists in 2026.
OSED vs SANS GXPN vs CREST CCT — which exploit-dev cert?
The 3 exploit-dev cert paths differ on focus + price + employer-recognition:
- OSED — Offensive Security, Windows user-mode focus, 47-hour practical exam. Most-respected practitioner cert in offensive-security circles. ₹1.5L+ (OffSec fee) + Macksofy bootcamp coaching.
- GXPN — SANS / GIAC, broader scope (Windows + Linux + scripting + AD exploitation primer), MCQ-heavy with practical components. Premium-tier price (SANS SEC660 ~USD 8,000 + ~USD 2,500 voucher). Strong US-multinational recognition.
- CCT (CREST Certified Tester) — Infrastructure or Application — UK-origin, peer-review + practical exam. Strong UK + financial-services recognition; growing in Indian Tier-1 BFSI with UK parentage (StanChart India, HSBC India).
For India-domestic VR career, OSED has the strongest practitioner-respect signal at a fraction of GXPN’s cost. For US-multinational lateral, GXPN signals stronger. For UK financial-services entry, CCT differentiates.
Common stacking pattern: OSCP → OSED for Windows-exploit-dev specialists. OSCP → OSEP → OSED for full-spectrum red-team OffSec stack. OSED → OSEE (Windows kernel exploit dev) for the kernel-research lateral.
Sample bootcamp drill — converting a stack overflow into a SafeSEH bypass exploit
Week 6 exploit-dev lab: candidates receive a 32-bit Windows binary with a known stack-overflow vulnerability protected by SafeSEH but NOT ASLR’d. Exploitation workflow:
- Crash + triage: trigger the overflow with a long input, observe the crash in WinDbg. !analyze -v reveals stack corruption; the SEH chain is corrupted (visible via !exchain).
- Map the overflow: use mona.py pattern_create + pattern_offset to locate the exact SEH overwrite offset.
- Check SafeSEH protections: mona's !mona modules command lists each loaded module's protections. Some module (a 3rd-party DLL) is NOT SafeSEH'd — that's the gadget source.
- Find a POP POP RET gadget: mona's !mona seh command searches for POP POP RET sequences in non-SafeSEH modules. Pick one with no bad characters.
- Construct SEH exploit: [junk] + [SHORT JMP] + [POP POP RET gadget address] + [shellcode]. The SEH overwrite uses the gadget; SEH handler invocation lands on the gadget; POP POP RET returns to the next pointer, which is our SHORT JMP back into shellcode.
- Shellcode encoding: msfvenom can generate the calc.exe shellcode, but bootcamp drills writing your own + encoding to avoid bad characters (null, CR, LF for typical string-handling).
- Validate: exploit triggers calc.exe — confirms SafeSEH bypass works. Reset target, repeat 3× to confirm reliability.
- Mature into report: document vulnerability, exploitation methodology, reproduction steps, recommended fix (rebuild target with SafeSEH on all modules, or upgrade to ASLR + DEP). Bootcamp’s exam-prep report template drilled here.
Mentors walk through edge cases (what if no POP POP RET gadget exists in non-SafeSEH modules — answer: look for unaligned gadgets via mona’s -c flag) + harder variations (what if all modules are SafeSEH’d — answer: explore unfreed stack pointers or non-module memory regions). 10+ similar buffer-overflow patterns drilled across the cohort.
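The "check SafeSEH protections" step in the drill, and the PE-header work listed in the toolkit section (section permissions, RVA-to-file-offset conversion), come down to reading two things from a module's headers: the DllCharacteristics flags that opt the image into DEP and ASLR, and the Load Config directory's SEHandlerTable, which is what makes a module SafeSEH. The script below is an added example, not Macksofy's, mona's or PE-Bear's code: it parses a PE32 image, walks the section table to turn the Load Config RVA into a file offset, and reports which mitigations the module lacks, which is the defender's version of !mona modules. The build_sample_pe32 helper constructs a minimal, non-loadable PE32 image purely as test input, with a hypothetical .rdata section; real modules are checked by passing their file bytes to audit_pe32.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flags (winnt.h) that matter for this audit
DYNAMIC_BASE = 0x0040        # /DYNAMICBASE: module participates in ASLR
NX_COMPAT = 0x0100           # /NXCOMPAT: module is DEP-compatible
NO_SEH = 0x0400              # image declares it never dispatches SEH handlers
LOAD_CONFIG_DIR = 10         # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
LOAD_CONFIG_MIN_SIZE = 0x48  # smallest IMAGE_LOAD_CONFIG_DIRECTORY32 holding SEHandlerTable/Count


def rva_to_offset(rva, sections):
    """Map an RVA to a file offset through the section table."""
    for s in sections:
        span = max(s["vsize"], s["rawsize"])
        if s["va"] <= rva < s["va"] + span:
            return rva - s["va"] + s["rawptr"]
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def audit_pe32(data):
    """Return the mitigation state of a PE32 (32-bit) image given its file bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here (PE32+ has a different layout)")
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]   # DllCharacteristics
    nrva = struct.unpack_from("<I", data, opt + 92)[0]       # NumberOfRvaAndSizes

    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr})

    # SafeSEH holds if the image forbids SEH outright (NO_SEH) or its load
    # config carries a non-empty table of registered handlers.
    safeseh, handlers = bool(dllchars & NO_SEH), 0
    if nrva > LOAD_CONFIG_DIR:
        lc_rva = struct.unpack_from("<I", data, opt + 96 + 8 * LOAD_CONFIG_DIR)[0]
        if lc_rva:
            lc = rva_to_offset(lc_rva, sections)
            if struct.unpack_from("<I", data, lc)[0] >= LOAD_CONFIG_MIN_SIZE:
                table, count = struct.unpack_from("<II", data, lc + 64)
                if table and count:
                    safeseh, handlers = True, count
    return {"dep": bool(dllchars & NX_COMPAT), "aslr": bool(dllchars & DYNAMIC_BASE),
            "safeseh": safeseh, "seh_handlers": handlers,
            "sections": [s["name"] for s in sections]}


def missing_mitigations(data):
    """Sorted names of the mitigations a module lacks; empty means fully hardened."""
    r = audit_pe32(data)
    return sorted(k for k in ("aslr", "dep", "safeseh") if not r[k])


def build_sample_pe32(dep=True, aslr=True, safeseh=True):
    """Constructed test input: a minimal, NON-loadable PE32 header set with one
    hypothetical .rdata section that holds the load-config directory."""
    pe_off, opt_size = 0x80, 0xE0
    raw_ptr, sec_rva, sec_size = 0x200, 0x1000, 0x200
    lc_rva = sec_rva + 0x10
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)                          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x2102)  # i386, 1 section, DLL
    dllchars = (NX_COMPAT if dep else 0) | (DYNAMIC_BASE if aslr else 0)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<H", opt, 70, dllchars)
    struct.pack_into("<I", opt, 92, 16)                                # 16 data directories
    struct.pack_into("<II", opt, 96 + 8 * LOAD_CONFIG_DIR, lc_rva, LOAD_CONFIG_MIN_SIZE)
    section = struct.pack("<8sIIIIIIHHI", b".rdata", sec_size, sec_rva, sec_size,
                          raw_ptr, 0, 0, 0, 0, 0x40000040)             # INITIALIZED_DATA | READ
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers += b"\0" * (raw_ptr - len(headers))
    body = bytearray(sec_size)
    struct.pack_into("<I", body, 0x10, LOAD_CONFIG_MIN_SIZE)           # load config Size field
    if safeseh:
        # SEHandlerTable -> dummy table RVA inside .rdata, SEHandlerCount = 3
        struct.pack_into("<II", body, 0x10 + 64, sec_rva + 0x100, 3)
    return headers + bytes(body)


if __name__ == "__main__":
    print("hardened :", audit_pe32(build_sample_pe32()))
    print("weak     :", missing_mitigations(build_sample_pe32(dep=False, aslr=False, safeseh=False)))
```

Run audit_pe32 over every DLL a product ships: a module that reports safeseh False is exactly the "3rd-party DLL that is NOT SafeSEH'd" the drill relies on, and the recommended fix in the drill's report step maps onto the linker switches the audit checks for (/SAFESEH, /NXCOMPAT, /DYNAMICBASE). Note that the Load Config directory is only meaningful for 32-bit images; on x64 there is no SEHandlerTable because x64 exception handling is table-based rather than stack-based.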
OSED exam-prep bootcamp — what to know before joining
OSED is one of the hardest offensive-security exams on the market. Macksofy’s exam-prep bootcamp accepts candidates who meet substantial pre-requisites:
- OSCP holder or equivalent practical offensive-security experience (2+ years pentesting / red team).
- x86 assembly fluency: must be able to read short assembly listings and understand stack frame mechanics. If you’ve never opened a debugger, you’re not ready for OSED.
- C fundamentals: must understand pointers, function call conventions, stack vs heap allocation, basic data structures.
- Python scripting: must be able to write standalone exploit scripts (socket programming, struct.pack, subprocess invocation).
Strongly recommended preparation before bootcamp: complete the FuzzySecurity Windows Exploit Development tutorial series (free, online). Read Hacking: The Art of Exploitation 2e by Jon Erickson — see our cybersecurity books listicle for context. Complete 5-10 vulnserver exploit-dev practice machines on TryHackMe / HackTheBox.
OffSec dependency: bootcamp does not include the OffSec PEN-301 course / lab / exam voucher. Candidates purchase OffSec separately (≈USD 1,749). Bootcamp coaches you toward the OffSec exam attempt — does not substitute for OffSec courseware.
Time commitment: 8 weeks intensive cohort (online evening Mon-Fri + Saturday all-day workshop) + 4-12 weeks of independent OffSec lab grind before the exam attempt. Total: 3-5 months from bootcamp start to exam attempt for most candidates.
Frequently asked questions — OSED bootcamp
Is Macksofy an OffSec Authorized Training Partner for OSED?
No. Macksofy is not an OffSec Authorized Training Partner. This is an independent exam-prep bootcamp aligned to the publicly-documented PEN-301 syllabus. Candidates separately purchase the OffSec PEN-301 course + lab + exam voucher directly from Offensive Security. Bootcamp coaches you toward the official OffSec exam — it does not substitute for OffSec courseware.
How long does OSED preparation take with Macksofy?
8 weeks of intensive Macksofy bootcamp + 4-12 weeks of independent OffSec PEN-301 lab grind before the official exam attempt. Total: 3-5 months from bootcamp start to exam attempt for most candidates. Substantial weekly time commitment (15-25 hours / week) is required.
What’s the difference between OSED and OSCE3 / OSCE?
OSCE was OffSec’s legacy advanced offensive cert (retired). OSCE3 is the post-2020 ‘triple-cert’ designation earned by holding OSED + OSEP + OSWE simultaneously. OSED is one of the three components. Many India-based offensive specialists target OSCE3 over a 2-3 year window — bootcamp covers OSED as one piece of that broader path.
Will OSED help me get hired at Indian Tier-1 employers?
Yes for Microsoft / Adobe / VMware India OEM red teams, Lucideus / Payatu / NotSoSecure VR firms, HackerOne / Bugcrowd India high-severity researchers, and HDFC / ICICI / NPCI internal red team senior roles. The cert opens conversations; portfolios (published research, CVE credits, conference talks) close offers. Bootcamp encourages candidates to publish 1-2 technical write-ups during the cohort.
Should I do OSED before or after OSEP?
OSEP first if your background is more pentest / AD / red-team operations (OSEP is more workflow-oriented; less low-level assembly required). OSED first if your background is more RE / vulnerability research / CTF binary-exploitation. Many candidates do OSEP → OSED — the OSEP framing helps with OSED’s reverse-engineering challenge. Both are valid sequences.
What’s the OSED exam pass-rate at Macksofy bootcamp candidates?
71% on first attempt across our 2024-25 bootcamp cohorts who proceeded to attempt the official OffSec exam (rolling 12-month average). OSED is the hardest OffSec exam by historical pass-rate; the 71% Macksofy first-attempt pass-rate is materially above the wider OffSec average. With 60-day post-attempt mentor support, ~88% pass attempt #2.
Are there alternatives to Macksofy bootcamp for OSED prep?
Yes — pure-self-study via FuzzySecurity tutorials + Connor McGarr blog + ExpDev-Kiuhnm + the OffSec PEN-301 course itself works for self-motivated candidates with strong assembly + debugging background. Bootcamp value is structured-cohort accountability + 1-1 mentor access + 60-day post-exam support, not novel content. If you’re disciplined enough to self-study, the bootcamp’s marginal value is the post-exam safety net.
Can I take the OSED exam online?
Yes — the OffSec OSED exam is delivered remotely with browser-based proctor (webcam + locked browser). Stable wired internet + quiet locked room required. The 47-hour duration means you’ll sleep during the exam; OffSec allows this but the proctor session continues.
Does Macksofy offer EMI on the OSED bootcamp fee?
Yes — 0% EMI on HDFC / ICICI / Axis / SBI / Kotak / RBL credit cards for 3, 6, or 9-month tenures. ₹95,000 online bootcamp = ₹10,556/mo on 9-month plan. EMI applies to bootcamp fee only — OffSec PEN-301 course + voucher is purchased separately from Offensive Security.
What if I fail the OSED exam after the bootcamp?
60 days of post-attempt mentor support including failure-analysis review + focused remediation on the missed challenge categories. Macksofy does not cover the OffSec re-exam fee (that’s a direct cost from Offensive Security — typically USD 249 for the retake). Remediation training is provided at no additional Macksofy fee. ~88% of Macksofy bootcamp candidates who fail attempt #1 pass attempt #2 within 6 months.
Pricing note: The listed course price is for the course and certification package. Personalised instructor-led training and one-on-one mentorship are charged separately — contact our team for a customised training and mentorship quote.
Curriculum
- 10 Sections
- 10 Lessons
- 60 Hours
- WinDbg Tutorial
- Stack Buffer Overflows
- Exploiting SEH Overflows
- Intro to IDA Pro
- Overcoming Space Restrictions
- Shellcode From Scratch
- Reverse-Engineering Bugs
- Stack Overflows and DEP/ASLR Bypass
- Format String Specifier Attacks
- Custom ROP Chains and ROP Payload Decoders