2026 OSEP Review: The Good, The Missing, and What You Should Know

Tags: Career, Cybersecurity, Certs, Red Team
Published: December 20, 2025
Author: Tyrrell | 0xtb

After months of grinding through challenge labs and finally sitting for the exam, I’ve officially passed the Offensive Security Experienced Penetration Tester (OSEP) certification. This wasn’t originally on my roadmap — a coworker recommended it after I cleared OSCP, and I was hesitant at first. But after seeing how much the course material impacted my day-to-day work, I decided to sit for the exam even though I had OffSec Enterprise without a voucher. Now that I’m on the other side, I want to share an honest breakdown of what worked, what’s missing, and whether this certification is right for you.

The Unpopular Opinion: I Don’t Recommend It (But Hear Me Out)

Let me start with what might seem like a contradiction: OSEP is currently my favorite certification, and I’ve used what I learned in every single assessment since starting the course. The material is solid, practical, and immediately applicable to real-world pentesting. But I still don’t recommend it.
Here’s why: The OSEP is missing critical Active Directory attack vectors that are table stakes in 2025. No ADCS coverage. No SCCM. No WSUS abuse. These aren’t niche techniques — they’re foundational AD exploitation paths that certifications like CRTP, CRTE, and especially HTB’s CAPE cover extensively. The course needs an update to reflect modern TTPs, and until that happens, I can’t in good conscience tell someone to drop $1,500+ on it when superior alternatives exist.
That said, if your employer is footing the bill? Absolutely go for it. The OSEP is well-recognized in the industry, and the hands-on skills you’ll develop are invaluable. It’s 1/3 of the OSCE³, and the OffSec brand still opens doors. Just don’t expect it to be comprehensive AD training.

What OSEP Gets Right

Despite my criticisms about missing content, the course excels in several areas:
1. Focused Learning Curve
Compared to OSCP’s sprawling scope, OSEP is refreshingly focused. The learning curve is manageable but still requires you to think critically about each challenge. You’re not drowning in a sea of unrelated topics — everything builds toward sophisticated exploitation in restricted environments.
2. The “Simple Things” That Make All the Difference
This is where OSEP truly shines. The course teaches you practical tricks that seem small but compound into massive efficiency gains:
  • Running chown on files as root to change owner before using scp to transfer them to your attack box
  • Leveraging silver tickets to access Linux servers with GSSAPI enabled in SSH
  • Process hollowing for AV/EDR evasion (this became a staple in my toolkit)
These aren’t flashy techniques, but they’re the kind of knowledge that separates efficient operators from those constantly fighting their tools.
3. Real-World Obstacles
Unlike OSCP where finding the right exploit often means you’re done, OSEP throws realistic hurdles at you even after initial compromise. You might have everything set up correctly, understand the vulnerability, and still get blocked by:
  • Antivirus/ASR rules
  • PowerShell Constrained Language Mode (CLM)
  • Application whitelisting
  • Other defensive measures
The first few challenge labs felt rough because of this. But this is exactly what makes the course valuable — you’re not just learning to exploit vulnerabilities, you’re learning to operate in hardened environments that mirror real enterprise networks.

The Challenge Lab Experience

I spent four months working through Challenge Labs 1–7. Full transparency: I was going through a rough breakup at the time, and this course became my escape. I’d dedicate 10 hours a week to whatever challenge I was stuck on, working through it between assessments at EON Security.
After a three-month break, I came back in December 2025 and finished Challenge Lab 8. Here’s my ranking of what matters most:
Must-Do Labs:
  • Challenge Labs 7 & 8: These are the retired exam labs. If you can complete these without significant struggle, you’re ready. Period.
  • Challenge Labs 5 & 6: Solid performance here indicates you’ve got the fundamentals down.
The earlier labs (1–4) are important for building skills, but 5–8 are where you prove you’re exam-ready.

My Note-Taking Game Changer

From day one, I took detailed notes knowing I’d need quick reference material during the exam. But here’s what really made the difference: after completing all eight challenge labs, I consolidated everything into a zip file and fed it to my local LLM.
I had the AI reorganize all my notes by technique rather than chronologically. This created an intuitive reference system where I could instantly find examples of specific attacks and their implementations. During the exam, this meant I could quickly copy, paste, and adapt techniques to my specific situation instead of hunting through pages of notes.
Would I recommend this approach to other OSEP students? Absolutely. I’ve always wanted clean, organized notes, and AI helped me transform my messy study materials into a proper reference sheet for “all things hacking.” It’s been invaluable not just for OSEP, but for every engagement since.

The Exam: 8 Hours and One Embarrassing Mistake

Unlike my OSCP attempt where I hit a wall and needed a nap to reset, I went into OSEP and powered through in one sitting. Total time: about 8 hours, though 2 of those were spent stuck on something absurdly simple that I’m still slightly embarrassed about.
The Scheduling Hiccup: I made one critical mistake before even starting — I scheduled my exam in Adak time while living in EST. Learn from my stupidity: double-check your timezone settings.
Time Management: The course material is sufficient preparation. If you’ve completed the challenge labs and organized your notes effectively, you have everything you need. I didn’t use any supplementary resources beyond the official course content.

Technical Takeaways for Real Engagements

I mentioned earlier that I’ve used OSEP material in every assessment since starting the course. Here’s what that looks like in practice:
The techniques I referenced earlier — the “simple things” like file permission management before transfers and Kerberos ticket manipulation for lateral movement — have become standard parts of my workflow. Process hollowing techniques for AV evasion are now in my regular playbook.
One confession: I’ve become overly reliant on BloodHound. It’s so efficient that I’ve lost my proficiency with manual LDAP queries. Going forward, I’m planning to rebuild my ldapsearch skills and recreate the notes I lost after leaving my previous position. The OSEP reminded me that automation is powerful, but understanding the underlying queries makes you more effective when tools fail.

Background Matters

My experience as a red teamer and daily work as a penetration tester at EON Security definitely helped. But I want to give credit where it’s due: PwnedLabs courses significantly improved my initial access efficiency, which was clutch during the exam. The combination of practical pentesting experience and focused training from multiple sources creates a stronger foundation than any single certification can provide.

The Money Question: Is It Worth It?

The short answer: Only if your employer is paying.
OSEP is a fun certification that genuinely changed how I approach vulnerabilities and systems. The hands-on experience is excellent, and the OffSec brand is respected across the industry. If you’re a penetration tester, security researcher, or red teamer, having OSEP on your resume is beneficial.
But: At $1,500+, I cannot recommend spending your own money on this when HTB’s CAPE exists as a superior alternative covering modern AD attack vectors. CAPE includes ADCS exploitation and SCCM abuse — critical techniques that OSEP simply doesn’t address. Until OffSec updates the course to reflect current TTPs, it’s not competitive with its alternatives from a pure content perspective.
The value proposition only makes sense if you’re getting the OffSec brand recognition for free (via employer sponsorship) while still gaining the practical skills.

What’s Next?

For me, OSEP served as an introduction to more sophisticated offensive security topics. Learning to bypass AV, ASR rules, and Constrained Language Mode was valuable, but I recognize the gaps in my knowledge. I’m still missing crucial expertise in areas like:
  • ADCS exploitation (planning to take Altered Security’s CESP-ADCS)
  • SCCM abuse (still researching the best practical training for this)
  • Other modern AD attack vectors
Am I pursuing more OffSec certifications? Nope. I’m done with OffSec for at least a year or two. Not because the training is bad — it’s quite good — but because other providers are covering the material I need to level up in my career right now.

Final Thoughts

OSEP is a solid certification that will make you a better penetration tester. The hands-on labs are excellent, the techniques are immediately applicable, and having OffSec credentials on your resume still opens doors. The course taught me practical skills I use in every engagement.
But it’s not the comprehensive AD certification some people expect it to be. It’s lacking coverage of modern attack vectors, and at current pricing, it doesn’t compete well with alternatives like CAPE or the CRTP/CRTE path for someone paying out of pocket.
My recommendation to colleagues and blog readers: If your employer offers to pay for OSEP, take it. You’ll learn valuable skills and add a respected certification to your resume. But if you’re self-funding your education, look at CAPE first. And regardless of which path you choose, advocate for OffSec to update the OSEP to include ADCS, SCCM, and other modern AD exploitation techniques.
The offensive security field moves fast. Our training should keep pace.