
Dokkaebi Labs · April 14, 2026 · 8 min read

OSCP: Luck Has Nothing To Do With It (But Also Kind Of Does)

People say OSCP is partly luck. Honestly? They're not wrong. nmap returns garbage, the AD foothold makes no sense, and you're staring at the screen at 3am wondering what you missed. Here's why luck stops being a factor when your methodology is solid — and what actually separates people who pass from people who don't.

oscp · cybersecurity · certifications · penetration-testing · career

The luck thing is real. Let's not pretend otherwise.

Go read any OSCP Reddit thread or Medium post-mortem. At some point, almost everyone says some version of "I got lucky on the foothold" or "thank god the AD set was manageable." One person in a popular write-up straight-up said they convinced themselves they just got lucky and didn't actually earn it.

And you know what? That feeling isn't completely delusional.

You open the exam dashboard. 24 hours on the clock. You throw nmap at your first target and it comes back with almost nothing useful. Or you find a service, Google it, and the only exploit you find is some 2014 CVE that's already patched. Or you're 14 hours in, you've nailed two standalone boxes, and the AD set is doing something you've never seen in any lab.

That happens. The exam is intentionally inconsistent. Different candidates, different exam builds, different machine combinations. Some people get an AD set that clicks immediately. Others spend six hours on a foothold that should've taken thirty minutes.

So yes. Luck is real.

But here's the thing: luck only fills the gaps where methodology runs out. If nmap returns nothing and you know to do a full port scan, check UDP, probe specific services manually, look at version banners carefully — that's not luck, that's process. The exam stops feeling like luck the moment you have an answer for every "I don't know where to start."

That's what we teach. Not "here are the tools." The answer to every dead end.

What OSCP actually is in 2026

Just so we're on the same page with current facts:

The OSCP exam is 23 hours and 45 minutes of exploitation, followed by 24 hours to write and submit your report. You need 70 out of 100 points to pass.

The exam currently consists of:

  • 3 standalone machines — 20 points each (60 points total)
  • 1 Active Directory set — 40 points total (3 machines, DC included)

AD is now 40% of your score. It's not optional. You can own all three standalones and still fail if you can't touch the AD set.

No bonus points anymore. As of November 2024 those are gone. You earn your 70 by performing on exam day, full stop.

The report matters too — not as a percentage of your grade exactly, but OffSec has failed candidates who had enough points technically but submitted documentation that couldn't be replicated by a third party. Your screenshots, your command output, your methodology — it all has to hold up. Writing well isn't optional.

One Metasploit module allowed, for one machine, used once. Everything else is manual.

OSCP+ vs OSCP

Quick note since this confuses people: since November 2024, passing the exam earns you OSCP+, which is the same credential but expires after 3 years and needs recertification. Your underlying OSCP certification is lifetime — it doesn't go anywhere. The "plus" just means your active status lapses if you don't renew. For most hiring decisions, the distinction doesn't matter. Employers are looking for OSCP.

Why the "try harder" mantra is both correct and completely useless advice

OffSec's famous motto gets plastered everywhere. Forums, Discord, Reddit. "Just try harder."

It's technically correct in the sense that persistence matters. People who pass OSCP are generally the ones who don't stop when they hit a wall. But "try harder" as actual advice is about as useful as "just be better at hacking."

What it should mean — and what nobody explains — is: try differently, not just more of the same.

Spending five hours on one machine running the same enumeration over and over isn't trying harder. It's burning your exam clock. The right interpretation is: step back, question your assumptions, try an attack angle you've been avoiding, move to another machine and come back fresh.

That mindset is teachable. It's a thinking pattern, not a personality trait. And it's one of the things that's genuinely hard to learn alone — because when you're stuck in a lab by yourself at midnight, you don't know if you're missing something obvious or if you've genuinely exhausted the attack surface.

What actually separates people who pass from people who don't

It's not raw technical knowledge. Plenty of technically strong people fail OSCP. The separators are:

Enumeration discipline

The number one reason people don't get a foothold is incomplete enumeration. They find a few open ports, focus on the obvious ones, and miss the weird service on port 8080 or the anonymous FTP they glossed over. Systematic enumeration — every port, every service, every version number, every response header — is a trainable discipline. It's boring. It's the difference between passing and not.

AD from first principles

AD is the final boss. Everyone knows this. But most people approach it by learning BloodHound and hoping it hands them the attack path. BloodHound is a tool that visualises what you should already understand. If you don't know what Kerberoasting is at the concept level, you won't know why the attack is viable even when BloodHound draws you an arrow. We teach the underlying mechanics first — how trusts work, what delegation means, why pass-the-hash works, why it doesn't sometimes — before touching the tooling.

Note-taking and documentation during exploitation

A lot of people fail not because they didn't own enough machines, but because they can't reconstruct what they did. You're 20 hours into the exam, you've compromised three boxes, and you need to write a report from scratch in the next four hours. If your notes are "tried some stuff, got root," you're done. Screenshot everything. Every command. Every meaningful output. Do it during the exam, not after.

Report quality

The report isn't an afterthought. It's half the 48-hour experience. OffSec requires documentation thorough enough for a third party to replicate every step. That means clear methodology, exact commands, proof screenshots (local.txt and proof.txt with your IP visible), and coherent writeups for each machine. The people who pass comfortably have usually written several lab reports before exam day. The people who fail sometimes do it on machines they actually owned.

What comes after OSCP (and why we care about that)

OSCP is the entry point. It earns you the right to say you can do basic penetration testing. Then the question becomes what comes next.

The OffSec advanced track goes deeper:

PEN-300 → OSEP — Evasion techniques that work against modern EDR. Bypassing AV, AMSI, AppLocker. C2 infrastructure. Advanced Active Directory. This is where you learn to operate in environments that fight back, not just environments that are configured poorly.

WEB-300 → OSWE — Deep web application exploitation. Source code review, chaining vulnerabilities, building custom exploits from scratch. Less "scan and find a CVE," more "read 3,000 lines of PHP and find the authentication bypass."

EXP-301 → OSED — Low-level exploit development. Stack overflows, ROP chains, heap exploitation. If PEN-300 and WEB-300 are operational, OSED is foundational in the best possible sense.

The reason this matters isn't just a cert roadmap. It's that OSCP opens a question: "OK, I can find and exploit weaknesses in a lab. How does this work on a real engagement?" We have active penetration testers here who answer that question regularly, for real clients, in real environments. What does an actual pentest report look like vs. an OSCP lab report? What does a client debrief look like? What happens when the target has an EDR that eats your payload?

Those aren't things you can get from a course. They come from doing the work.

The honest answer on what a tutor is actually for

You don't need a tutor to pass OSCP. Thousands of people self-study and pass. The course materials are solid. There are great free resources — IppSec's walkthroughs, TryHackMe's offensive paths, Proving Grounds Practice machines that closely mirror the exam.

But self-study has a ceiling problem. You get stuck. You don't know if you're stuck because you're missing something small, missing something fundamental, or if the machine is genuinely hard and you should move on. You spend days on a box that a ten-minute conversation would've unlocked — not by giving you the answer, but by asking you the right question.

That's what structured mentorship does. It compresses the timeline. It makes the difference between eight months of grinding labs and twelve targeted weeks where every session moves you forward.

We ask for payment for the full program upfront, not per-session. That's not just a business preference — it means we're accountable for getting you to the exam ready, not just billing for hours. If you get stuck on AD for three weeks, we adjust. If your report writing is weak, we spend time there before exam day. The outcome is what matters.

Our OSCP students pass because by the time they sit the exam, luck isn't the variable. They've been stuck before, found the way out, and know what to do when the exam throws something they haven't seen. That's the only prep that actually works.

Ready to start?

If you're thinking about OSCP — whether you're just starting out or you've failed an attempt and want to figure out what went wrong — start a conversation. No pressure, no sales pitch. We'll tell you honestly where you are and what you need.
