Choosing between OSEP and OSCP usually means one of two things: you’re wondering which to tackle next after OSCP, or you’re deciding whether to skip OSCP entirely because you already have pentest experience. Both questions deserve a clear, non-recycled answer — and this guide gives you one.
OSEP (OffSec Experienced Penetration Tester, course code PEN-300) is the red-team-oriented follow-up to OSCP. They share roughly 25% material overlap — mostly Active Directory fundamentals — and diverge heavily after that. Here’s the real breakdown.
The 30-Second Answer
- Take OSCP first. OSEP is explicitly built on top of it and assumes you can already get a foothold in an unknown network.
- Take OSEP second if you want to move into red team operator, advanced pentester, or adversary emulation roles.
- OSEP’s specialty: antivirus and EDR evasion, custom payload development, and advanced Active Directory attack chains — none of which OSCP covers meaningfully.
What Is OSCP?
The Offensive Security Certified Professional (OSCP) — delivered via the PEN-200 course — is the industry’s most recognized entry-level pentest certification. It proves that you can enumerate unknown networks, exploit vulnerable services, escalate privileges on Windows and Linux, and execute a full internal Active Directory compromise under time pressure.
OSCP’s exam is 23 hours 45 minutes hands-on plus 24 hours for reporting. You face three standalone machines and a small Active Directory set. Public exploits are allowed — and expected — but you must adapt them, chain them with misconfigurations, and escalate to Domain Admin without defensive tooling getting in your way. OSCP machines run with disabled or minimally configured AV; evasion is not part of the test.
What Is OSEP?
The OffSec Experienced Penetration Tester (OSEP) — delivered via the PEN-300 “Evasion Techniques and Breaching Defenses” course — is a 300-level certification focused on the skills a real red team operator needs when a target environment actually has working defenses.
OSEP assumes you can already pop an initial shell. The course starts from “you have code execution — now stay hidden, move laterally, and extract data without triggering the EDR or the SOC.” The exam is 47 hours 45 minutes hands-on plus 24 hours for the report, and every machine is hardened with modern defenses: AMSI, AppLocker, Windows Defender, Constrained Language Mode, script block logging, and realistic Active Directory structures.
OSEP Core Skills
- Custom C# and C payload development with shellcode injection techniques
- Bypassing AMSI, Windows Defender, and commercial EDRs at runtime
- AppLocker and Constrained Language Mode (CLM) bypass techniques
- Advanced Active Directory attacks — Kerberos delegation abuse, shadow credentials, ADCS (ESC1–ESC11), cross-forest attacks
- Linux server-side attacks, client-side exploitation via macro-enabled documents and shortcut files
- Pivoting through segmented networks with SOCKS proxies, SSH tunnels, and custom C2 stagers
- Process injection techniques — classic, APC queue, thread hijacking, module stomping
- Persistence via COM hijacking, scheduled tasks, WMI event subscriptions, and service DACLs
OSEP vs OSCP: Detailed Comparison Table
| Criterion | OSCP (PEN-200) | OSEP (PEN-300) |
|---|---|---|
| Certification body | OffSec | OffSec |
| Level | Professional / 200-level | Expert / 300-level |
| Primary focus | Initial access + AD basics (blackbox) | Evasion, lateral movement, custom payloads, advanced AD |
| Defensive tooling in exam | Minimal to none | Active AV, EDR, AMSI, AppLocker, CLM |
| Exam duration | 23h 45m hands-on + 24h report | 47h 45m hands-on + 24h report |
| Exam scoring | 100 pts; 70 to pass | 100 pts; 70 to pass (secret flag system in 2024+) |
| Languages expected | Python, Bash, PowerShell | C#, C/C++, PowerShell, Python |
| Prerequisites (official) | None stated | OSCP or equivalent experience strongly recommended |
| Typical prep time | 3–6 months | 4–8 months post-OSCP |
| Course price (2026) | From USD 1,649 (Learn One) | From USD 2,599 (Learn One) |
| Retake voucher | USD 249 | USD 249 |
| First-attempt pass rate (est.) | ~50–60% | ~35–45% |
| Job titles after | Penetration Tester, VAPT Consultant | Red Team Operator, Adversary Simulation Engineer, Senior Pentester |
| Typical India salary | INR 7–18 LPA | INR 15–35 LPA |
Can I Skip OSCP and Go Straight to OSEP?
Technically, yes — OffSec does not enforce OSCP as a formal prerequisite. Practically, it’s a bad idea for almost everyone.
OSEP’s course material assumes you already know how to enumerate a Windows host, recognize common service misconfigurations, understand Active Directory authentication primitives, and find your way around PowerShell and Linux. It spends zero time teaching these. If you walk into PEN-300 without that foundation, you will spend half the course Googling terms from the PEN-200 syllabus — at which point you’re paying 300-level prices for a 200-level education.
The only candidates who can reasonably skip OSCP: working red-teamers with 3+ years of commercial experience, military or government offensive security practitioners, and CTF players who already have strong AD and evasion fundamentals.
Exam Difficulty Reality Check
OSEP is significantly harder than OSCP on every axis except raw enumeration. Here’s why:
- Defenses are on. Your Metasploit payloads, your Mimikatz binaries, your SharpHound dumps — all of them flag and die instantly. You need working knowledge of what’s being signatured and how to bypass it.
- Custom code is required. OSEP’s exam rewards candidates who can write a C# loader, implement indirect syscalls, and tweak shellcode on the fly. Copy-paste from PoCs stops working.
- Chaining is mandatory. You rarely solve OSEP machines in one hop. You chain an initial access technique with an AV bypass with a privilege escalation with a persistence primitive — four steps deep.
- Time pressure is worse. 48 hours sounds generous until you realize most evasion techniques require you to test, iterate, and retry. A single encoding issue can burn 3 hours.
Community fail rates for OSEP sit around 55–65% on first attempt. Candidates who pass on the second attempt almost always cite “spent the first attempt learning what defenses were actually in play” as the key lesson.
OSCP or OSEP First? A Decision Tree
- Do you have an OSCP or equivalent (eWPT, CRTP, PNPT) certification already? → Go OSEP.
- Have you done commercial internal pentests for 2+ years? → Go OSEP, but budget extra time.
- Are you targeting a red team operator or adversary simulation role specifically? → Eventually both; OSCP first, OSEP second.
- Are you a working SOC analyst wanting to move into offensive security? → OSCP first, full stop.
- Student / career transitioner with no prior pentest work? → OSCP first, then decide between OSEP, OSWE, or CRTO based on your 12-month career target.
OSEP Syllabus Highlights (What OSCP Does Not Cover)
Module Structure
- Operating System and Programming Theory — PE structure, Windows APIs, reflective loading
- Client-Side Code Execution with Office — VBA macros, DDE, OLE, protected view bypasses
- Client-Side Code Execution with Windows Script Host — JScript, WScript, LOLBAS chains
- Process Injection and Migration — CreateRemoteThread, QueueUserAPC, Module Stomping
- Introduction to Antivirus Evasion — signature-based detection, behavioral heuristics
- Advanced Antivirus Evasion — shellcode encryption, thread hijacking, syscalls
- Application Whitelisting — AppLocker rule enumeration and bypass
- Bypassing Network Filters — DNS tunneling, domain fronting, SOCKS over HTTPS
- Linux Post-Exploitation — stealth persistence, credential harvesting from memory
- Microsoft SQL Attacks — xp_cmdshell via impersonation, trust chains
- Active Directory — Kerberos delegation (unconstrained, constrained, RBCD), ADCS abuse, MSSQL links
- Lateral Movement in Active Directory — DCSync, DCShadow, Golden/Silver/Diamond tickets
You will notice that nothing on this list appears in the OSCP syllabus except surface-level AD material. OSEP is not “OSCP harder” — it is a fundamentally different certification targeting a fundamentally different job.
Total Cost Breakdown in India (2026)
| Component | OSCP | OSEP |
|---|---|---|
| Learn One subscription (course + 1 exam) | ≈ INR 1,37,000 | ≈ INR 2,15,000 |
| Retake voucher | ≈ INR 20,500 | ≈ INR 20,500 |
| Lab extension (per month) | ≈ INR 10,000 | ≈ INR 10,000 |
| Indian institute-led mentored training (optional) | INR 40,000–90,000 | INR 70,000–1,30,000 |
| Total realistic first-attempt outlay | INR 1.5 – 2.5 lakh | INR 2.8 – 3.8 lakh |
Job Outcomes After OSEP
OSEP holders in India typically move into one of four roles:
- Red Team Operator at financial services firms, Big 4 consultancies, or dedicated red team providers — INR 15–28 LPA
- Adversary Simulation Engineer at product security teams running purple-team exercises — INR 18–30 LPA
- Senior Penetration Tester leading high-assurance engagements with evasion requirements — INR 14–24 LPA
- Threat Emulation Specialist at CERT-empanelled consultancies running APT simulation contracts — INR 16–28 LPA
Internationally, OSEP plus a few years of experience routinely places candidates in roles at USD 120,000–180,000 across North America, Europe, and Australia.
How to Prepare for OSEP After OSCP
- Close the AD gap. Go deeper than OSCP required — study resource-based constrained delegation, shadow credentials, and ADCS ESC1–ESC8 using resources like HackTricks and The Hacker Recipes.
- Learn C# properly. Not “read a blog post.” Build three to five custom tools yourself: a PE loader, a simple C2 beacon, a process injection utility.
- Understand what AV and EDR actually do. Study YARA rules, ETW, AMSI hook internals, and userland API hooking. The book Evading EDR by Matt Hand is the single best prep resource.
- Practice in realistic labs. PEN-300’s own labs, Proving Grounds Practice red-team boxes, Dante Pro Lab on HackTheBox, and Offshore Pro Lab cover the evasion and chaining mental model.
- Write your exploits. Do not copy-paste during prep. Every PoC you study, re-implement in your own tooling. This is the single highest-leverage habit for OSEP.
OSEP and OSCP Training at Macksofy
Macksofy’s OSCP program is built for candidates preparing for the PEN-200 exam, with mentor-led modules, custom lab access, and structured exam simulation. For the next step, Macksofy’s OSEP (PEN-300) program focuses heavily on evasion toolchain development, custom C# loaders, and four full dry-run exam environments mirroring the real PEN-300 exam constraints.
Frequently Asked Questions
Is OSEP harder than OSCP?
Yes, significantly. OSEP assumes all of OSCP’s skills as baseline and adds evasion, custom payload development, and advanced Active Directory chains. Community pass rates for OSEP are roughly 10–20 points lower than OSCP.
Should I do OSEP or OSWE after OSCP?
Depends on your target role. OSEP → red team, adversary simulation, advanced pentesting. OSWE → application security, senior web pentest, bug bounty. The two have almost no overlap.
How long should I wait between OSCP and OSEP?
Minimum three months, ideally six to twelve. Use that time to build C# proficiency, study modern AV/EDR internals, and do at least one hands-on red-team-style pro lab (Dante, Offshore, or Rastalabs).
Does OSEP replace OSCE?
No. OSCE was retired and replaced by three separate specialist certifications: OSEP (evasion / red team), OSWE (web exploit development), and OSED (exploit development / reverse engineering). Together, these three make up the OSCE³ designation.
Is OSEP recognized outside India?
Yes. OSEP is recognized globally and specifically referenced in red-team and adversary-simulation job descriptions across North America, Europe, the Middle East, and Australia. In India, it maps directly to senior pentest and red team roles at consulting firms, banks, and product companies.
Final Verdict
OSEP vs OSCP is not really a comparison — it’s a sequence. OSCP proves you can break in. OSEP proves you can break in, stay in, and move laterally against a defended environment. If your career goal is traditional VAPT consulting, OSCP alone may be enough. If your goal involves the word “red team” in any form, OSEP is not optional — it’s the certification that hiring managers actually look for after OSCP.
Plan your offensive security track with Macksofy OSCP and Macksofy OSEP, or book a call with a mentor for a tailored roadmap.