How I passed OSCP on my third attempt, without 100 points
Editor’s note (2024): The OSCP exam format has changed significantly since I sat it in 2021. The buffer overflow machine is gone; Active Directory is now in. The point breakdown below reflects the old exam. The lessons about pacing, note-taking, and your start time still hold.
I forfeited my first OSCP attempt. I had the 70 points I needed to pass, but I wanted 100, and I’d enjoyed the exam so much that re-spending $249 felt fine. I’d be back in a month with the perfect score.
I sat the second attempt a month later and scored 50.
It hurt.
This post is about what happened between that 50 and the eventual pass, eight months later, on my third attempt. I’m not going to dress it up as a hero’s journey. By the end I’d realized I didn’t actually want to be a full-time pentester, and I’ve been doing Security Engineering since. The certification still mattered for the skills, and those skills still pay rent. But the most useful things I learned aren’t on the OffSec syllabus.
Why I was here at all
Early 2000s. A French hacker calling himself “Rhylkim” ran a site about phreaking, carding, and the dark arts. That’s where I got hooked. I was a kid running a home lab: two old computers, a crossover Ethernet cable, an hour that felt like ten minutes. Exploits from IRC and packetstormsecurity.com. Idéal J on the speakers. Every good origin story has a soundtrack.
Twenty years later I was a year into a GRC role and looking for the most direct path back to the part of the field that had hooked me. OSCP was it.
Attempt 1 (March 2021): the forfeit
Eight months of prep: all the PWK material, about half the boxes on the NetSecFocus spreadsheet on Hack the Box. Started the exam at 7am. By the deadline I had 70 points but my notes were a mess and I was missing screenshots. Wrote no report. Forfeited.
I told myself this was the right call. The rush was good, I’d been close, I’d just do it better next month.
Attempt 2 (April 2021): the wall
Started 8am. Stuck on two machines I didn’t fully understand. In a real engagement you walk away and come back the next day; you don’t get that in a 24-hour exam. 50 points. Done.
The cooling-off after a second fail is 8 weeks. I needed it.
What actually changed between attempt 2 and 3
Three things.
Note-taking. Switched to Obsidian (markdown, paste screenshots inline). One template per machine: Executive Summary, Enumeration, Exploitation, Post-Ex Enumeration, Privesc, Loot. “Document as you go” is one of those clichés you only earn the hard way. Failing to do it on a 24-hour exam means losing points you’d already scored.
Pace. I’d been cramming 6-hour weekend sessions while keeping a job and a life. After failing twice I switched to 60 minutes every other day. Retention went up. So did the fun, which turns out to be a half-decent signal that you’re actually learning.
Start time. This sounds trivial. It isn’t. Attempts 1 and 2 I started in the morning, ran out of mental fuel by midnight, and made bad decisions in the small hours when something didn’t crack. Attempt 3 I started at noon, slept through the night halfway in, came back fresh, and finished strong.
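A check for the note-taking habit described above, as an added example that is not part of the original post: it creates the per-machine template and flags empty sections and missing screenshots before report writing starts. The "## " heading level, the Obsidian `![[file.png]]` embed syntax, and the choice of which sections must carry a screenshot are assumptions.

```python
import re

# Section names are the post's template; "## " headings and Obsidian
# ![[file.png]] embeds for pasted screenshots are assumptions.
SECTIONS = ["Executive Summary", "Enumeration", "Exploitation",
            "Post-Ex Enumeration", "Privesc", "Loot"]
NEED_SHOT = {"Exploitation", "Privesc", "Loot"}  # assumed proof-bearing sections
EMBED = re.compile(r"!\[\[[^\]|]+\.(?:png|jpe?g)(?:\|[^\]]*)?\]\]", re.I)
HEADING = re.compile(r"^#{1,6}\s+(.*?)\s*$")
FENCE = "`" * 3  # markdown code fence, built this way to keep this block intact

def new_note(machine):
    """Return an empty per-machine note containing every template section."""
    return f"# {machine}\n\n" + "".join(f"## {s}\n\n" for s in SECTIONS)

def split_sections(text):
    """Map template headings to body text; '#' lines inside fences are not headings."""
    out, current, in_fence = {}, None, False
    for line in text.splitlines():
        if line.lstrip().startswith(FENCE):
            in_fence = not in_fence
        m = None if in_fence else HEADING.match(line)
        if m:
            current = m.group(1) if m.group(1) in SECTIONS else None
            if current:
                out.setdefault(current, [])
        elif current:
            out[current].append(line)
    return {k: "\n".join(v).strip() for k, v in out.items()}

def lint(text):
    """List the gaps to close before the notes are turned into a report."""
    found, problems = split_sections(text), []
    for s in SECTIONS:
        if s not in found:
            problems.append(f"missing section: {s}")
        elif not found[s]:
            problems.append(f"empty section: {s}")
        elif s in NEED_SHOT and not EMBED.search(found[s]):
            problems.append(f"no screenshot: {s}")
    return problems

# Constructed sample note (not from the post).
SAMPLE = "\n".join([
    "# box-a", "## Executive Summary", "Web foothold, then root.",
    "## Enumeration", FENCE, "# scan output pasted here", FENCE,
    "## Exploitation", "Shell as www-data.", "## Post-Ex Enumeration",
    "## Privesc", "Root. ![[Pasted image 1.png]]", "## Loot", "proof.txt noted.",
])
```

Running `lint` on each machine's note while the exam clock is still running surfaces a missing screenshot while the shell is still open to retake it.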
Attempt 3 (November 2021)
Started 12pm. Hit 75 points around hour 20, slept, kept pushing for 100 (didn’t get there), wrote a clean report from the Obsidian notes the next day. Passed.
I did not use Metasploit. The “you can use it but only once” rule felt like a trap, so I left it alone.
For enumeration I leaned on a throwaway bash script I’d written that chained nmap top-1000, full SYN, banner scan, gobuster, and a full UDP sweep. It’s bad code; I keep it around as a study artifact, not a recommendation.
What stays with me
A couple of things, and I’ll keep this short because the motivational version of this post writes itself and nobody wants to read it.
The forfeit was a bad decision dressed up as a confident one. I confused enjoying the exam with being ready to pass it cleanly. Both were true, but the second didn’t follow from the first.
Failing on attempt 2 was the actual unlock. After that I stopped optimizing for speed and started optimizing for one question per topic: can I explain it, detect it, and exploit it? If the answer to any was no, I wasn’t moving on.
I’m not a pentester now. I do Security Engineering, and the OSCP work pays off there mostly in vulnerability management: better scoping of third-party pentests, sharper triage of findings, the ability to push back on “noise” claims with evidence. Worth the three attempts? Yes. Worth the $249 forfeit? Probably not.
Resources I actually used
- OSCP and Exam Guide
- Hack the Box, VIP, $20/month, no commitment
- IppSec’s walkthroughs: best free resource in the space, period
- NetSecFocus spreadsheet: HTB boxes mapped to OSCP topics
- OffSec report templates
- SecLists, PEASS-ng, InternalAllTheThings