If you’ve been preparing for OSCP using a 2022-vintage playbook, you’re behind on three structural changes Offensive Security has made to the exam since 2024. The certification itself is now called OSCP+; the exam scoring has shifted weight toward the Active Directory set; and the certification has moved from lifetime validity to a three-year renewal cycle. None of these change the spirit of OSCP — it’s still the hardest twenty-four-hour technical exam most Indian pentesters will take — but they do change how you should structure your final ninety days of prep.
This guide walks through what’s actually new in the OSCP+ exam in 2026, what you should be drilling now if you’re aiming at a Q3 or Q4 sitting, and the realistic study timeline if you’re starting from a CEH-only background.
TL;DR — what’s new in OSCP+ 2026
| Dimension | OSCP (pre-2024) | OSCP+ (2026) |
|---|---|---|
| Certification name | OSCP | OSCP+ |
| Exam length | 23h 45m + 24h report window | 23h 45m + 24h report window (unchanged) |
| Total points | 100 | 100 (unchanged) |
| Passing score | 70 | 70 (unchanged) |
| Active Directory set | 40 points (3 linked machines) | 40 points (3 linked machines, all-or-nothing scoring change) |
| Standalone machines | 3 × 20 points = 60 | 3 × 20 points = 60 (unchanged) |
| Validity | Lifetime | 3 years — renewable via CPE or re-exam |
| Bonus marks for course exercises | 10 points (course + lab report) | Removed — no bonus from course exercises |
| Lab time required | PWK + lab access | PEN-200 (renamed PWK) + lab access; OffSec Learn One / Learn Unlimited subscription common |
The two biggest practical shifts are (1) the bonus marks are gone, so there’s no longer a “safety net” for partial exam performance — you must clear 70 points on the day; and (2) the AD set is now the single biggest exam decider — most candidates who pass have cleared the AD set, and most who fail are candidates who lost time on standalones and never landed the AD chain.
The AD set has become the exam’s centre of gravity
Offensive Security’s AD set is three Windows machines wired into a small simulated enterprise — typically a client workstation, a member server, and a domain controller. The three are scored together: if you reach the domain controller (compromise the DA account), you get the full 40 points. Partial points are awarded for lower trophies (local admin on the workstation, member-server access, domain user with constrained delegation, etc.) but the bulk of the 40 sits at the DA goal.
Translated to prep: you need to know the AD attack chain end-to-end as a single drill, not as separate topics. The chain looks like:
- Initial foothold — usually a web service on the client workstation (vulnerable internal app, exposed FTP, MSSQL with weak creds, or a user with Kerberos pre-authentication disabled, discovered via LDAP enumeration)
- Local privilege escalation on the client (token impersonation, unquoted service path, AlwaysInstallElevated, kernel exploits — narrower than the standalone-machine PrivEsc list since OffSec usually picks classics)
- Credential harvesting — LSASS, SAM, cached credentials, browser-stored creds, files left in user profiles
- Lateral movement to the member server using harvested creds — typically WinRM, SMB exec, or RDP
- AD enumeration from the member-server foothold — BloodHound or SharpHound for the path map; PowerView / AD module for spot queries
- Domain-level escalation — Kerberoasting weak service-account passwords, AS-REP roasting, ADCS abuse if ESC1/ESC8 vulnerabilities are present, DCSync with appropriate rights, or a constrained-delegation chain
- Domain Admin landing + persistence proof — final flag on the DC
If you can do all seven steps from cold start in under four hours on a fresh Hack The Box / OffSec Proving Grounds AD lab, you are ready for the AD set. If any single step still requires you to look up commands, you are not — and the time you’d lose on the day is non-recoverable.
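The domain-level escalation step in the chain above leaves recognisable records in the domain controller's Security log, which is useful to know when writing the findings and remediation parts of a report. The following is an added example, not code from the original article or from OffSec: it matches three of the techniques named in that step against constructed sample events, and the account names, hostnames and the `classify` / `triage` helpers are hypothetical.

```python
# Constructed sample records. Field names follow the Windows Security event
# schema (4768 / 4769 / 4662); accounts, hosts and values are invented.
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "j.doe@LAB.LOCAL", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "j.doe@LAB.LOCAL", "ServiceName": "FILE01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "legacy.app", "PreAuthType": "0"},
    {"EventID": 4768, "TargetUserName": "a.smith", "PreAuthType": "2"},
    {"EventID": 4662, "SubjectUserName": "j.doe", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]

def classify(event):
    """Return the chain technique an event is consistent with, or None."""
    eid = event.get("EventID")
    if eid == 4769:
        svc = event.get("ServiceName", "")
        # RC4 (0x17) service ticket for a user-backed account, not a machine account or krbtgt
        if (event.get("TicketEncryptionType", "").lower() == "0x17"
                and not svc.endswith("$") and svc.lower() != "krbtgt"):
            return "kerberoasting"
    elif eid == 4768:
        # TGT issued without Kerberos pre-authentication
        if event.get("PreAuthType") == "0":
            return "asrep-roasting"
    elif eid == 4662:
        props = event.get("Properties", "").lower()
        # Replication rights exercised by something that is not a DC machine account
        if any(g in props for g in REPL_GUIDS) and not event.get("SubjectUserName", "").endswith("$"):
            return "dcsync"
    return None

def triage(events):
    """List (technique, account) pairs for events that match a signature."""
    hits = []
    for ev in events:
        tech = classify(ev)
        if tech:
            hits.append((tech, ev.get("SubjectUserName") or ev.get("TargetUserName")))
    return hits

if __name__ == "__main__":
    for tech, account in triage(SAMPLE_EVENTS):
        print(f"{tech:15} {account}")
```

The trailing-`$` test is a simplification that treats every machine account as benign; a production rule would compare against the actual list of domain controllers and approved replication accounts.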
What you should drill in the last 90 days
Assuming a 12–16 hour weekly study budget alongside a day job, a realistic ninety-day OSCP+ ramp from a CEH-level baseline looks like:
- Days 1–30: PEN-200 lessons + finish 30+ Proving Grounds Practice boxes (mix of OSCP-style Linux and Windows standalones). Build your enumeration cheat-sheet — your own, written by hand. Public lists are a starting point but candidates who rely on them under exam stress lose time.
- Days 31–60: AD set drills — at least eight full HTB / TryHackMe / Proving Grounds AD chains end to end, repeated until you can do them under four hours. Add the OSCP+ AD-specific machines OffSec ships in the new lab bundle.
- Days 61–80: Three full mock exams in 24-hour sittings. Use the OSCP+ exam-time format (start at 09:00, score yourself honestly, write reports). If you do not pass two of the three mocks, push the actual exam by 30 days.
- Days 81–90: Lighter load — review your enumeration notes, sleep, hydrate. Do not learn new tooling in the final ten days. Spaced revisit of the AD chain is more valuable than new content.
If you’re brand-new to penetration testing without a CEH foundation, double the timeline. There is no virtue in arriving at the exam under-prepared — OffSec offers two retakes per voucher (with a fresh lab) so the cost of failing once is not catastrophic, but the time cost of cramming a retake in 30 days is real.
The three-year validity change — what it means for your CV
Old OSCPs (pre-2024) hold lifetime certifications and keep them. New OSCP+ holders renew every three years via either (a) accumulating Continuing Education credits, (b) holding a higher OffSec certification (OSEP, OSWE, OSED), or (c) re-passing the OSCP+ exam.
For Indian hiring panels in 2026, this matters more than it sounds. Recruiters checking OffSec’s public verification page can now see whether your OSCP+ is “Active” or “Expired”. A lapsed cert on the CV is a worse signal than no cert — it implies you let it expire deliberately. Plan a renewal path before exam day.
OSCP+ cost in India in 2026
OffSec sells the OSCP+ as part of three subscription tiers:
- PEN-200 + 90-day lab + 1 exam voucher: ~$1,599 USD (₹1.32–1.40 lakh). Cheapest path if you’re confident on the timeline.
- Learn One: ~$2,599 USD (₹2.15 lakh), 12 months of unlimited PEN-200 lab access + 2 exam vouchers + Proving Grounds access. Recommended for most candidates.
- Learn Unlimited: ~$5,799 USD (₹4.8 lakh), 12 months across all OffSec courses (OSCP+, OSWE, OSEP, OSED, OSWA, OSMR) with unlimited exam attempts in the year. Right for people running multi-cert paths.
Indian rupee equivalents fluctuate with the exchange rate — verify on OffSec’s checkout page when you’re ready to buy. India-side training programs that prepare you for the OSCP+ run separately and are typically billed at ₹60,000–₹90,000 for an eight-to-twelve-week mentor-led cohort. We at Macksofy are not an OffSec Authorized Training Partner — we run independent OSCP+ exam-prep bootcamps with mentor support, lab problem sets, and weekly mock-AD-chain drills.
Who should pick OSCP+ in 2026?
OSCP+ is the right cert if you (a) want to work as a hands-on penetration tester rather than a compliance / GRC analyst, (b) need a globally portable signal that you can pop a box without a script, (c) are aiming for offensive-security teams at BFSI, GCC, or service-firm red teams in India that explicitly ask for OSCP, or (d) want a prerequisite for advanced OffSec certs (OSEP, OSWE) — the OSCP+ is the de-facto on-ramp.
OSCP+ is the wrong cert if you’re early in your career and have never enumerated a Linux box before. Drop to CEH v13 or Hack The Box Certified Penetration Testing Specialist (HTB CPTS) first, build the foundations, then come back. It’s also the wrong cert if your career goal is governance / audit / risk — the CISM, CISA, or CISSP route makes more sense.
How Macksofy Trainings helps
Macksofy Trainings runs OSCP+ exam-prep bootcamps — twelve-week mentor-led cohorts with a focus on the AD set, the new exam-scoring weights, and the three-year renewal path. Our trainers hold current OSCP, OSCP+, CRTO, OSEP, and OSWE certifications between them, and every cohort includes weekly mock-AD-chain drills in our internal lab range plus three full 24-hour mock exams in the eleventh and twelfth weeks.
We deliver these programs across India and the GCC — from our Mumbai and Hyderabad classrooms, weekend cohorts at WeWork partner venues in Delhi-NCR and Bangalore, and full-time online sessions for cities without a centre.
If you want to compare OSCP+ with the nearest red-team alternatives for Indian hires, our cornerstone CRTO vs OSCP comparison walks through cost, exam, and career signal head-to-head. For the deeper AD attack methodology, see our Active Directory Pentest Guide India 2026. OSCP+ cohort schedules by city:
- Mumbai · Delhi-NCR · Bangalore · Hyderabad · Pune
- Chennai · Kolkata · Ahmedabad · Indore · Jaipur · Coimbatore
Frequently asked questions
Is OSCP+ harder than the old OSCP?
Structurally, the difficulty is similar — the same 23h 45m hands-on format, same point distribution. The removal of bonus marks does raise the effective bar; candidates who used to scrape through on 70 points with a 10-point bonus now have to clear 70 in the live exam. In practice that translates to about a 10% drop in pass rate among candidates still studying the old way.
Can I sit OSCP+ without buying the OffSec course?
No. Exam vouchers are not sold separately from PEN-200 / Learn One / Learn Unlimited. The course material and the exam voucher come bundled.
How long is the report window after the 23h 45m exam?
24 hours. You finish the exam at the end of the 23h 45m window, then have 24 hours to submit a professional report documenting every machine compromised. Reports that don’t meet the format standard can lose points or fail outright — write yours as you go, not at the end.
What happens if I fail OSCP+ on the first attempt?
Learn One and Learn Unlimited subscriptions include retakes (Learn One includes one retake, Learn Unlimited is unlimited within the year). PEN-200 bundle holders can buy retake vouchers at a reduced rate. OffSec gives you a fresh exam scenario on the retake — same format, different machines.
Is OSCP+ accepted by Indian government / PSU recruiters?
Increasingly yes. CERT-In’s empanelled-auditor scheme acknowledges OSCP as a recognised offensive-security credential; PSU banks and several Mumbai-based BFSI security teams ask for it explicitly. For pure-government auditor roles, you may also need CISA or DISA — OSCP+ alone is rarely sufficient.
What’s the realistic Indian salary after OSCP+?
Fresh OSCP+ holders in BFSI / GCC pentest roles see ₹8–14 lakh CTC; mid-level offensive-security engineers (OSCP+ plus three-to-five years of hands-on work) sit at ₹16–28 lakh; senior red-team leads with OSCP+ plus OSEP / CRTO cross ₹35 lakh. Boutique consulting firms pay top-end; in-house BFSI security teams pay mid-range with better benefits.





