OSEP and OSWE Review

Background

I am a cybersecurity professional, a business owner and a hacker at heart. I started my career in cybersecurity in 2020, but I was interested in cybersecurity and involved in the cyber community long before. I’ve had several Penetration Testing, Red Teaming and Application Security roles in the past at a senior level, so I could say that I am fairly experienced. In 2023 I passed the OSCP on my second attempt. Since then, I’ve had several talks at conferences, including DEF CON 33 and DEF CON 32, discovered more than 10 CVEs and had some involvement in bug bounty and vulnerability disclosure programs. Recently, in 2025 I passed the OSWE and at the beginning of 2026, I passed the OSEP.

What are the OSEP and OSWE?

OffSec (previously known as Offensive Security) are one of the most well-known training and certification providers in cybersecurity. They are best known for their OffSec Certified Professional (OSCP) certification, but also for the "Try Harder" mentality that they try to instil in their students. OffSec have a coding systems for their courses based on the track and difficulty of the course. Thus, the PEN-200 training (Penetration Testing with Kali Linux), the course leading to the OSCP certification, is considered a foundational-level course within the Penetration Testing track. While I did not initially agree that OSCP is "foundational", looking back, I think that it is rightly a foundational cert in a non-foundational field, in the sense that Penetration Testing is simply not an entry-level domain.

Following the 200/foundational-level courses, come the 300/advanced-level. These are the PEN-300 (Evasion Techniques and Breaching Defenses), WEB-300 (Advanced Web Attacks and Exploitation) and EXP-300 (Windows User Mode Exploit Development) courses, leading to the OSEP, OSWE and OSED certifications. Achieving all three of them automatically leads to earning the OSCE3 (OffSec Certified Expert 3). And then, finally comes the 400/expert-level EXP-401 (Advanced Windows Exploitation), the most advanced course offered by OffSec, and arguably on the market (although this is debatable).

So, for the purposes of this blog post, the OSEP and OSWE are the advanced certifications for Penetration Testing and Web Exploitation offered by OffSec. OSEP focuses mostly on Active Directory, client-side attacks and antivirus evasion, while the OSWE focuses on white-box web application penetration testing and reviewing source code. Both exams are proctored, 48-hour practical, open-book exams. I recommend reading the official exam guides, however, in simple words, you are allowed (and expected) to search the internet and use your notes during the exam, however, you are not allowed to seek external, third-party help. There are some restrictions as to the tools you are allowed to use and there are strict limitations on the use of AI. Moreover, following the exam, students have 24 hours to create a professional, detailed report showing their work. Keep in mind that the report is important - I've heard stories of people who achieved the objectives, but failed because of the report.

The OSWE exam encompasses two web applications which you must do a white-box penetration test against. The aim is to get the local (low-privilege) and proof (high-privilege) flags on both machines, and create exploitation scripts for both to automatically get a reverse shell. The minimum passing criteria is getting 85 points - I believe that this can be achieved by getting to local flags and one proof flag.

The OSEP exam includes a relatively complex, enterprise network. The objective is to obtain at least 10 flags or to get the secret.txt flag from one of the machines. There is not a lot of transparency about the number of machines or their structure before starting the exam. The exam involves getting initial access into the network and pivoting through it while evading the antivirus.

Did I need the OSEP and OSWE?

Since I already work in the field, in senior roles, I suppose I did not actually “need” the certificates. Instead, I believe that in cybersecurity (although this may ring true for any field), one must continuously develop. I took the OSEP and OSWE as personal challenges and actually, I paid for them myself. Moreover, I am aspiring to achieve the OSCE3.

OSWE

I first planned the OSWE. For some reason, I felt that the OSWE would be tougher for me than the OSEP. I had some experience with white box web application penetration testing, but it was limited. So, on the 10th of February 2025, I bought 3 months of access to the OSWE course materials and labs. I started working through the course materials and after a while I started having mixed feelings about the course. On one hand, it was great, it challenged me and took me out of my comfort zone - forcing me to explore certain types of web application vulnerabilities which I have avoided up to that point. However, on the other hand, I couldn’t help but feel that the course is more like a walkthrough of white box testing a few applications. This is not bad per se, but I felt that a lot of times, the course said things like “because of this specific line in the source code, we can do this“, instead of explaining the process of identifying the specific line in the source code. In the end, this forced me to build my own methodology, so I suppose that the course did its job. Unfortunately, due to work engagements and things going on in my personal life, I couldn’t complete the challenge labs. So even though I wasn’t feeling particularly confident, I planned my exam for the 2nd of April 2025, giving me enough time to do some labs and reschedule my exam in case I failed. 

Going into the exam, I did not really know what to expect. I read a lot of reviews which mostly referenced the challenge labs, which I did not get the chance to do. So I went in almost “blind”. One of the requirements of the exam is to create a script which demonstrates end to end exploitation, resulting in a root reverse shell on the system. To be honest, this did not concern me at all, because I had sufficient experience with Python and I love automating things.

So 12 minutes before the scheduled start time, I tried to log into the proctoring tool and it did not work. I contacted OffSec support and after a few refreshes and clearing my browser data, I was able to login and start my exam. Unfortunately, I cannot go into too many details about the exam itself, but at least in my case, the level of difficulty was at the same level as the walkthroughs included in the course material. In the end, I started my exam at 16:00 on the 2nd of April and submitted my report at 15:30 on the 3rd of April. Yes, you heard me right - even though there are 48 hours to complete the challenges and 24 hours to submit the report, after less than 24 hours, I finished my exam and submitted the report. This was for a simple reason - I pushed through it intensely, achieved the minimum passing objective (one challenge with local and proof flags, and another challenge with local only) and did not have enough energy to go on and complete the second challenge. In terms of the report, I simply reported as I went, writing everything down directly in the main report. The most fun part of the exam was not the exploitation itself, but creating the exploitation Python scripts.

In the end, around 18:00 on the 4th of April, a bit over 24 hours after submitting the report, I received an email notifying me that I passed the exam. Due to the lack of sleep during the exam and the whole stress around it, I said that I will not be taking any OffSec certifications anytime soon. However, on the 13th of May, about one month after passing the OSWE, I started having the itch again - I had to get my OSEP.

OSEP

For me, before starting the course, the OSEP felt a bit easier than the OSWE mentally. I was more familiar with AD exploitation, as I had several engagements during my career where I was able to exploit enterprise-grade AD configurations for companies in various industries, including financial institutions and energy companies. However, doing the maths, based on my previous experience with the OSWE, I decided to give myself more time - so I bought the Learn One subscription from OffSec, allowing me to prepare for the OSEP for a whole year, while also giving me two exam attempts and the opportunity to also take the OSWP exam. I felt that this was the best compromise - I simply wanted to avoid going through the same pressure I went through with the OSWE. So, on the 13th of May, I started my one-year journey to prepare for the OSEP.

My progress was mixed. Within the first week, I read through all the course materials, and within the first three weeks, I tried out almost everything presented in the course, but have yet to attempt the challenge labs. My favorite part of the course were the AV evasion techniques, which by the end of the extra mile exercises allowed me to generate payloads undetected by most modern AV software. There was also a lot of C# coding involved in the OSEP, but luckily, in most cases, I did not have to write it all from scratch, instead I could reuse a lot of what was already provided in the course or online. For purposes of calibration - keep in mind that while I have plenty of experience with C, C++ and Python coding, if you were to ask me to write a C# program which displays “Hello World” in the console a bunch of times without using any template or checking the internet, I would have had trouble with the task. Same goes for PowerShell, where I had some basic experience, but I was far from proficient in it.

During the summer months, I barely touched the OSEP, besides one quick attempt to do a challenge lab which I could not even get initial access to. This really affected my morale so I forgot about the OSEP for a while. This was until the winter, when I decided to get back to it and focus on the challenge labs. I used the OffSec discord intensely, because I had limited time - there were a lot of work projects, conferences and other activities which required my attention, so I did not have the privilege to spend more than 2 or 3 hours a day during weekdays and maybe 4 or 5 during weekend on the challenges. After completing 5 challenge labs, I felt fairly confident about going into the exam, so I scheduled it for the 16th of January at 14:00. There were a few chapters which I felt a bit uncomfortable with, but I just thought that the chances of those vectors being on the exam are very slim... Guess what - that’s exactly what I had on the exam!

I faced some issues the night before and the day of the exam. Firstly, I moved from using a laptop to using an Intel NUC which did not have a webcam. I realized too late, so I ended up using my Sony Cinema Line FX30 as a webcam (I guess the proctors never saw a candidate this clearly). Also, during the day of the exam, the proctor said that I cannot use my screen as it is a TV (to be fair, the exam policy mentions this). So I had to improvise, move the TV screen away and use another monitor which I had at home. Also, sometime during the exam, my webcam feed froze, because my camera ran out of battery and the USB connection was not enough to charge it. So I went out, bought a webcam and some food and came back with it.

I started my session and within one hour, I already had high-privilege access to the first machine. The initial access vector was very simple. Still, there were a couple of rabbit holes, but based on my previous experience and my well defined methodology, I focused on the correct attack vector. I stayed on until about 21:30 that day and had 3 flags and a lot of notes. I was happy with my progress so I prepared to rest and had a perfect night’s sleep - exactly 8 hours. This was very surprising, I did not expect to sleep well during the exam, however, because I was happy with my progress up to that point, I guess I was able to disconnect completely. 

During the second day, my aim was to get 5 flags by 14:00, making sure that I obtained half the flags by the halfway point of the exam. And this was exactly what happened. However, at this point I got stuck for a bit. I kept making some stupid mistakes, so I knew I had to take a break. During the exam, my approach was generally to take a 5 minute break every 30 minutes or so and a couple of longer breaks along the way. So after taking a longer break, I came back and realized my mistake and knew exactly where to look. From that point onwards, things became a lot easier and I was confident that I was going to pass. During all this time, I was also taking screenshots and saving my terminal output into Obsidian alongside my notes, to make sure that it is all well documented. I did face some frustration throughout the exam, especially related to the quality of the exam network - at times, the machines were very slow, especially when going through proxies. Jokes on them though, I was used to bad connections from previous work with some customers - doing penetration tests through VPNs, VDIs and proxies.

Regardless, I pushed through and around 20:30 on the second day, so less than 36 hours after starting my exam, I obtained 10 flags and secret.txt. I took a break, telling the proctor that I don’t know if I will be back or not, but couldn’t help it and returned a bit later to revert the network and document all the steps again. By 2:25 I felt confident with my documentation so I decided to close the exam.

Next morning, around 8 I started writing the official report and submitted it at 10:20. So similarly to the OSWE, I ended my exam early, the only difference being that I was smarter about my breaks this time. On the morning of the 20th of January, I refreshed my “Exam” page on the OffSec portal where I got the much awaited “We are pleased to announce you that you have passed the OSEP exam” message!

OSEP and OSWE comparison

In terms of the difficulty, the OSWE was way harder than the OSEP for me. This was because I had more experience with AD testing and have not had the opportunity to do too many white box tests. However, I am aware that this is also about personal taste, so other people may have a different opinion.

In terms of the quality of the course, while both where fun and interesting, I preferred the OSEP. I found it to be very practical and clear. Some people complain that it is outdated and maybe it is (although it has received some significant updates in the past year), however, if you do the extra miles you will have payloads which still evade most of the AV software on the market. On the other hand, the OSWE was fun, but it wasn't as practical in my opinion. I often found myself following the steps in the course, without fully understanding why I was doing those steps. Nevertheless, during the OSEP exam I kept referring back to the course, whereas during the OSWE exam I felt that opening the course materials was useless. In other words, the OSEP course material is a better reflection of the exam than the OSWE.

In terms of the labs, unfortunately, I cannot really compare the two, as I only did the labs for the OSEP which were fantastic. While going through the course forces you to develop some payloads, you get the chance to stress-test them and build upon them in the labs. The labs contain a lot of "AHA!" moments, which bridge some gaps from the course - they are a nice stretch, forcing you to try things out and expand your methodology. Some client-side attacks on the labs are very specific or particular, so they don't really reflect a real-world environment, but still, it is a good way to get some experience with these attacks.

Finally, the exams where both great! You will most likely never feel prepared, so sometimes the best approach is to just jump head-first into the challenge. I typically tend to do well in high-stress situations, so during both exams, I did a lot of learning. Maybe this wouldn't have happened if I came 100% prepared, but for me, the stress of the exams gave me some extra focus and brought me into a flow state, where things simply made sense. Looking back, I think the OSEP was a bit easier for me, but the comparison is not fair, because I had more time to prepare for it and also had more experience with AD testing and AV evasion.

How to pass them?

There are several posts online claiming that they can help you pass. To be honest, there isn't a secret - just put in the work. For the OSEP, the course materials and labs are enough to pass - if you do those, you're golden! For the OSWE, the OffSec Discord is great. I highly recommend interacting with other learners and checking out the WEB-300 channels. I suppose that the course materials are enough to pass the OSWE as long as you build a osep 60 page reportproper methodology in your mind. For both, I would recommend checking out this GitHub repo: https://github.com/CyberSecurityUP/OSCE3-Complete-Guide.

As for some practical tips, I would recommend making sure to have a well-defined schedule for your preparation. It is definitely possible to prepare and take any of the two in 90 days, but you must book enough time to prepare. If you know you will not have the time, maybe find another period when you will have a more flexible schedule or perhaps go for the Learn One subscription (one-year long). Make sure to do the exercises and the extra miles - they really help in the long run. Engage with the community on Discord and the OffSec forums, but before asking questions, make sure you spent enough time trying things out and exploring your options - it makes it easier for people to help you without giving too much away, while it also helps you learn and maintain a sense of achievement. Make sure to drink enough water, eat and take breaks during the exam! Some people react poorly to stress and they forget about the basic needs - make sure that those are covered before anything else! Also, this may sound obvious, but make sure that you are familiar with the exam setup before the exam itself. You do not want to be in the position I was in where I had to run to buy a new webcam during the exam or switch my setup at the beginning of the proctoring session. In terms of reporting, I recommend taking VERY detailed notes as you go. It is better to have too many notes during the exam than not enough. Lastly, make sure that you surround yourself with people who support your journey. The preparation will add some extra hours of work every day, so you may have to reallocate some time temporarily from hobbies, spending time with friends and other activities. It is important to have a balanced lifestyle, but make sure you have your priorities straight. Most importantly, loved ones are typically the ones closest to the struggles - they see the good, the bad, and the ugly. My wife was of immense help during this time - I would like to take this opportunity to thank her for her continued support! I really couldn't have done it without her.

Next steps

Well, this is the time for rebalancing my priorities. I want to reallocate the learning time back to some personal development outside of cyber for now. This is of course, until I get the itch again and jump into the OSED! Other than that, I will probably take the OSWP sometime before May since it is already included in the Learn One subscription. Also, I am looking forward to contributing more to the cybersecurity community. I lecture at a University sometimes and I cannot wait to share some of the things I learned with the students. I want to organise a CTF in the near future and I want to find and support young, talented individuals to grow in cybersecurity.