I had read several positive reviews on Offensive Security’s PWB course, and decided to enrol a few months back. Having completed the course and passed the exam, I can confidently say that this is the best course that I’ve taken to date, and I’ll now expand on that a little.

In terms of pricing, I think that for the course quality and depth, the cost is exceptionally low. The amount of work that has gone into the creation of the course and the extensive live training environment (labs) is obvious from the outset. The training itself is delivered through documentation and an audio/video series. All of the exercises are fully repeatable and practicable in the lab environment. The number of target machines within the lab environment and the complexity and detail of the setup is one of the biggest assets of the course. I’m not sure that a more comprehensive setup exists anywhere else. The range of different operating systems and vulnerable software is vast.



I came from a background of extensive Linux system admin, LAMP web application development and LAMP pen testing. I’d done a few infrastructure pen tests, but nothing major, and this was my main reason for taking the course. My Linux experience was probably the biggest help throughout the course, and while the offsec site suggests that students have “a solid understanding of TCP/IP, networking and reasonable Linux skills”, I cannot stress the importance of this enough. If I had been unfamiliar with the Linux command line before starting this course, I would really have struggled and potentially bombed out halfway through. I learned little major on those fronts of my existing experience; however, I learned and practiced an absolute ton in areas that I hadn’t touched too often, such as the exploitation of vulnerable Windows services, advanced usage of Metasploit, constructing and debugging win32 buffer overflows, generating different exploit payloads, and more topics than I can even list.

The real difference in this course is that it teaches actual practical skills, which I feel is something that is missing from some of the other infosec training out there. The entire course and lab environment has been engineered to require a fair amount of persistence, hence the offsec “try harder” motto. If you don’t gain a practical mastery over the techniques and the lab work, you won’t pass the exam. The exam is a 24-hour battle – there’s no cramming irrelevant knowledge and facts out of a book for this, it’s all practical and skill-based. I can’t go into any detail of the exam, but I can say it’s appropriately tough, as well as lots of fun, and it covers the work taught and practiced throughout the course and labs well. The 24-hour time limit also doesn’t allow for a whole lot of fumbling around and googling, which is a good thing, because a strict time limit is often faced in live pen tests.

Not to brag, well maybe a little… I completed 100% of the exam objectives in only 8 out of 24 hours, and delivered my full report the next day. My Linux and scripting skills and experience really helped me more than anything else. My best advice is:

  1. Being able to multitask, and fast. If you’re sitting there waiting for an nmap scan to finish then you’re wasting time.
  2. Completing all machines in the lab and completing the ‘going the extra mile’ exercises in the course material before booking the exam.
  3. Starting the exam rested and relaxed, as well as taking a couple of short 10-minute breaks in the exam.
  4. Not getting stuck on one machine and burning up hours on it. Move on and come back later. If you’re struggling, set a reasonable time limit, and then just move on.
  5. Documenting the lab work and useful URLs thoroughly along the way, and going over those notes, making sure that you’re comfortable with the processes you used to exploit every machine: what you did, and why and how it worked.

There is a very active channel, #offsec on freenode where it’s possible to speak to the admins as well as other students on the course. The admins are usually quickly available for student questions, but don’t bother asking for help with attacking certain machines – there’s no spoon feeding, and it would completely defeat the purpose of the course if there was. The answer to requests for help cracking machines is going to be “Try Harder”.

Some of the machines in the lab are very challenging, but I would say that the practice and perseverance to exploit and gain root/admin on each and every machine is the most valuable thing to take from the course. Going the extra mile and fully exploiting all machines in the lab was very valuable.

I signed up for 60 days lab access, but ended up using about 36. I could probably have only got 30 days and completed the lab work in that time if I really wanted to kill myself on it, but I was already putting several hours in each night, and didn’t need the added pressure. Of the other students that I’ve spoken to, those that had the biggest issue with the exam were those that had just not completed the labs, skipped over tough machines, or not completed the exercises in the documentation and videos.

The OSCP is a certification that has already gained very solid recognition, and I only hope and expect that to continue. I’ve taken a couple of other security-related certifications including the CEH, Security+, CISSP and the TigerScheme QSTM. If I had to select a candidate to perform a pen test on a client network, the OSCP certified candidate would get the job every single time.