OffSec Certified Professional (OSCP) Online Training & Certification Prep
The industry's hardest hands-on penetration testing credential — OSCP — is earned by demonstrating live exploitation skill across a 24-hour practical exam. Boost eLearning prepares you with structured PEN-200 curriculum, Live Labs on real attack infrastructure, and coaching from Certified Partner instructors who hold the cert themselves.
Course Overview
The OffSec Certified Professional (OSCP) is the penetration-testing industry’s most respected hands-on credential. Unlike knowledge-based multiple-choice exams, OSCP is awarded solely on the basis of a 24-hour practical exam in which candidates must compromise machines in an isolated network, collect proof flags, and submit a professional penetration-test report within an additional 24 hours. There is no theory shortcut.
OffSec’s official training course, PEN-200 (Penetration Testing with Kali Linux), is a self-study curriculum built around the OffSec lab environment. Boost eLearning layers structured instruction on top: Certified Partner instructors — all active penetration testers who hold OSCP themselves — guide cohorts through the PEN-200 syllabus with live demonstrations, methodology coaching, and direct technique feedback that is simply not available from self-study alone.
The curriculum begins with foundational enumeration discipline and escalates progressively: information gathering, service exploitation, Active Directory attacks, tunnelling and pivoting through multi-hop networks, and custom exploit development. The methodology taught is deliberate and reproducible — the same structured approach that earns points in the OSCP exam and delivers value in real client engagements.
Boost Live Labs complement the official OffSec lab access with additional attack scenarios, including pre-built Active Directory domain environments, intentionally misconfigured Linux and Windows hosts, and network pivoting ranges that replicate corporate segmented architectures. Students building towards the OSCP exam benefit from the additional repetition and scenario variety.
The OSCP is consistently cited by hiring managers across red-team, penetration-testing, and offensive-security consulting roles as a differentiating credential. It is accepted as a qualification baseline for numerous government and defence contractor offensive security positions. Boost’s Pass Guarantee applies: complete the programme, attempt the exam, and if you do not pass on your first attempt your course fee is refunded.
What You'll Learn
- Build a structured, repeatable enumeration methodology for external and internal penetration tests
- Exploit vulnerable services on Linux and Windows hosts manually and with a deep understanding of underlying vulnerability mechanics
- Perform Active Directory enumeration and compromise using BloodHound, Impacket, and manual techniques including Kerberoasting, AS-REP roasting, and Pass-the-Hash
- Escalate privileges on Linux systems via SUID/SGID abuse, cron job hijacking, writable paths, and kernel exploits
- Escalate privileges on Windows systems via token impersonation, AlwaysInstallElevated, unquoted service paths, and DLL hijacking
- Establish persistent tunnels and pivot through multi-segment networks using SSH port forwarding, chisel, and ligolo-ng
- Transfer tools and payloads to and from target systems using multiple file-transfer methods appropriate to each environment
- Modify and adapt existing public exploits to fit specific target configurations
- Develop a buffer overflow exploit from scratch against a 32-bit Linux or Windows target (covered in PEN-200 curriculum)
- Produce a professional OSCP-format penetration test report documenting findings, proof flags, and remediation recommendations
- Manage time and energy effectively across a 24-hour exam engagement without losing enumeration discipline
Who This Course Is For
- Penetration testers and red teamers who need a practical, employer-recognised credential
- Security engineers and architects who want hands-on offensive knowledge to inform defensive design
- CTF competitors and self-taught hackers seeking structured methodology and formal recognition
- Offensive security consultants preparing to move into higher-value engagements
- Government and defence contractors whose roles require an approved offensive security qualification
- CEH or Security+ holders ready to progress to a fully practical certification
Course Outline
- OSCP exam structure and scoring (points per machine, bonus points, report requirements)
- Setting up Kali Linux and essential tooling
- Note-taking and documentation discipline for 24-hour exams
- OffSec lab access orientation and Boost Live Labs onboarding
- Nmap scan methodology: phases, timing, output formats
- Service-version enumeration and manual banner grabbing
- Web application enumeration: Gobuster, Feroxbuster, directory and file fuzzing
- SNMP, SMB, NFS, and RPC enumeration
- Building an enumeration checklist that holds up under exam pressure
- Searching and validating exploits: ExploitDB, GitHub, Packet Storm
- Modifying public exploits: fixing offsets, shellcode, and connection parameters
- Exploit categories: RCE, LFI/RFI, deserialization, command injection
- Metasploit use within OSCP rules (one machine limit)
- Generating and staging payloads with msfvenom
- Manual exploitation of common services: FTP, SSH, HTTP, SMB, SQL
- Manual enumeration scripts: LinPEAS, Linux Smart Enumeration
- SUID/SGID binary abuse and GTFOBins
- Writable cron jobs, PATH hijacking, and wildcard injection
- Capabilities, sudo misconfigurations, and NFS no_root_squash
- Kernel exploit identification and safe deployment
- WinPEAS and manual Windows enumeration
- Token impersonation: SeImpersonatePrivilege, JuicyPotato, PrintSpoofer
- Unquoted service paths, weak service permissions, DLL hijacking
- AlwaysInstallElevated and registry-based escalation
- Stored credential discovery: SAM, credential manager, configuration files
- AD enumeration with BloodHound, SharpHound, and PowerView
- Kerberoasting and AS-REP roasting: attack and hash cracking
- Pass-the-Hash and Pass-the-Ticket with Impacket
- DCSync and secretsdump for credential extraction
- ACL abuse: GenericAll, GenericWrite, WriteDACL
- Domain persistence: Golden Ticket, Silver Ticket fundamentals
- SSH local, remote, and dynamic port forwarding
- Chisel and ligolo-ng for SOCKS proxying
- Proxychains configuration and tool routing
- Multi-hop pivoting through segmented lab networks
- Transferring files across pivots without internet access
- Stack memory layout and function call conventions
- Controlling EIP: fuzzing, finding offsets with pattern_create/pattern_offset
- Bad character identification and shellcode space calculation
- JMP ESP technique for return address control
- Generating shellcode with msfvenom and building a working exploit from scratch
- Two full timed exam simulations on Boost Live Labs networks (10 machines across two mock exams)
- Time-boxing strategy and mental endurance for 24-hour exams
- OSCP report structure: executive summary, technical findings, proof screenshots, remediation
- Report writing workshop: instructor-reviewed draft submission
- Exam booking process, proctoring setup, and exam-day checklist
About the Certification Exam
- Exam code
- PEN-200 / OSCP
- Length
- 24-hour practical exam + 24 hours to submit the penetration test report
- Questions
- Practical exploitation of machines in an isolated VPN network (no multiple-choice component); points awarded per machine compromised
- Passing score
- 70 out of 100 points (machines carry 10 or 20 points each; standalone machines plus an Active Directory set)
- Exam cost
- ~$1,649 USD (PEN-200 course bundle with 90 days lab access and one exam attempt)
- Where
- OffSec remote proctoring via the OffSec exam portal (webcam and screen sharing required)
The certification exam fee is paid separately to the testing provider and is not included in the course price unless stated otherwise.
Live Labs Included
Hands-on practice on real environments
This course includes Live Labs — direct access to real hardware and cloud environments so you build the skills the exam actually tests.
- Array
- Array
- Array
- Array
- Array
- Array
Pass Guarantee Included
Complete this course and if you don't pass the certification exam on your first attempt, we'll refund your course fee or give you a free retake — your choice.
