Eight hours a week. That's what most people working full-time can realistically dedicate to OSCP preparation without burning out or neglecting their families. At that pace, passing OSCP in 12-16 months is achievable — but only with a structured progression that builds skills in the right order. Buying 90 days of PEN-200 lab access when you're still figuring out what a reverse shell is wastes money and demoralizes you. Here's the sequence that works.
The realistic timeline at 8-12 hours per week
Before anything else, set accurate expectations. OSCP is not a weekend certification. The typical candidate who passes on first attempt has:
200-400 hours of total study time before the exam
Compromised 40+ machines across various platforms before attempting the exam
Active Directory exploitation experience (not just standalone machines)
A note-taking and documentation system developed through practice
At 8 hours per week, 200 hours takes 25 weeks (about 6 months). At 12 hours per week, 200 hours takes 17 weeks (about 4 months). But those hours need to be the right hours — not just time spent in a lab looking confused.
| Preparation Phase | Timeline (8hrs/wk) | Hours Required | Primary Platforms |
|---|---|---|---|
| Phase 1: Foundations | Months 1-3 | 100 hours | TryHackMe |
| Phase 2: Intermediate | Months 4-7 | 150 hours | HackTheBox, TCM courses |
| Phase 3: Pre-OSCP | Months 8-10 | 100 hours | HTB, PEN-200 preview labs |
| Phase 4: PEN-200 Labs | Months 11-16 | 180-250 hours | PEN-200 official labs |
| Phase 5: Exam prep | Final 4-6 weeks | 50 hours | Mock exams, weak area review |
Phase 1: TryHackMe foundations (months 1-3)
TryHackMe is the right starting point for candidates who aren't yet comfortable with Linux, Nmap, or basic web application concepts. The guided paths reduce cognitive load — you're not staring at a blank terminal wondering what to type.
The specific TryHackMe paths that matter for OSCP:
Complete Beginner path — Linux fundamentals, Nmap, Metasploit basics, web fundamentals
Jr Penetration Tester path — Enumeration, web application testing, network exploitation, privilege escalation
Pre-Security path — If your networking fundamentals are weak
TryHackMe's premium subscription costs $14/month and is worth it for the access to all rooms. Free-tier rooms are limited.
By the end of Phase 1, you should be able to:
Run a full Nmap port scan and interpret the results
Use Gobuster or Feroxbuster to enumerate web directories
Execute basic Linux privilege escalation (SUID, cron jobs, sudo misconfigurations)
Set up a Netcat listener and catch a reverse shell
If you can't do these things independently at the end of Phase 1, extend Phase 1 before moving on.
Phase 2: HackTheBox and TCM Security (months 4-7)
HackTheBox is where the training wheels come off. HackTheBox machines don't give you hints or guided prompts — you enumerate, you research, you exploit, and you escalate, or you don't. The difficulty gap between TryHackMe and HackTheBox is real and expected.
TCM Security courses for Phase 2
Complete these TCM Security courses during Phase 2 (total cost approximately $30/month subscription or individual course purchases):
Practical Ethical Hacking — Full penetration testing methodology including Active Directory attacks
Linux Privilege Escalation for Beginners — Systematic coverage of common Linux privesc techniques
Windows Privilege Escalation for Beginners — Service misconfigurations, DLL hijacking, token impersonation
Active Directory for Beginners — Kerberoasting, AS-REP Roasting, BloodHound, Pass-the-Hash
The Active Directory course is critical. OSCP's 40-point AD component is where most people either pass or fail, and TCM Security's practical AD content is more relevant to OSCP than most commercial courses.
The TJNull HackTheBox list
TJ Null, an OSCP holder and offensive security instructor, maintains a public list of HackTheBox machines that most closely resemble OSCP exam machines. The list is available at netsecfocus.com and on GitHub. Working through the retired machines on this list (available to HackTheBox VIP subscribers at $14/month) is the most efficient use of Phase 2 time.
"The TJNull list exists because OSCP-style machines have a specific character — they're usually one or two vulnerabilities with clear enumeration signals, not esoteric exploitation chains. The list filters out the HackTheBox machines that are deliberately unrealistic for exam prep." — TJ Null, offensive security professional
Target machines to practice on from the TJNull retired list include (in approximate difficulty order):
Blue (Windows, EternalBlue)
Jerry (Windows, Tomcat)
Legacy (Windows, SMB vulnerabilities)
Nibbles (Linux, web application CVE)
Bashed (Linux, command injection)
Shocker (Linux, Shellshock)
Lame (Linux, Samba vulnerability)
Beep (Linux, web application multiple vectors)
Aim to complete 20-25 machines from the TJNull list in Phase 2, including at least 5 Windows machines with privilege escalation practice.
The 85% HackTheBox benchmark before PEN-200
Before purchasing PEN-200 lab access, you should be able to complete at least 85% of the medium-difficulty machines from the TJNull list with minimal external help (reading a writeup only after you've been stuck for 90+ minutes with no progress).
This benchmark matters because PEN-200 lab access is expensive ($1,499 for 90 days). Wasting lab time doing foundational enumeration practice that you should have mastered before purchasing is a real risk.
Signs you're ready for PEN-200:
You can compromise a medium HackTheBox machine within 3-4 hours unassisted
You have a working methodology for both Linux and Windows privilege escalation
You've completed at least two full Active Directory attack chain exercises
You have a consistent note-taking system that captures commands, screenshots, and methodology
You can write a basic penetration testing report from your HackTheBox notes
Signs you're not ready yet:
You frequently need to look at writeups for easy machines
You haven't practiced any Active Directory attacks
You don't have a note-taking system
You can enumerate services but get stuck on what to do with what you find
Phase 3: Pre-PEN-200 preparation (months 8-10)
During Phase 3, continue working through HackTheBox machines while incorporating two additional practice elements:
ProLabs: HackTheBox offers ProLabs — multi-machine networks that simulate corporate environments. The "Offshore" ProLab specifically is recommended by OSCP community members for Active Directory practice. At $28/month for VIP+ access (required for ProLabs), it's a cost-effective way to practice multi-machine attack chains.
Mock exam setup: Practice the exam format by setting up personal timed mock exams. Take 3-4 easy/medium HackTheBox machines or OSCP-style platforms (Proving Grounds Practice from OffSec costs $19/month), set a 24-hour timer, document everything as if it were an exam, and then write a mock report in 2 hours. Doing this twice before your actual exam removes the format anxiety.
90-day vs 180-day lab access: which to buy
The choice between 90 and 180 days of PEN-200 lab access is the biggest financial decision of OSCP preparation.
Choose 90 days if:
You've completed Phase 1-3 thoroughly and are confident in your methodology
You can dedicate 15+ hours per week during the lab period
You've scored above 85% on the HackTheBox benchmark machines
Choose 180 days if:
You have scheduling uncertainty (you might travel, get sick, or have work demands during the lab period)
You learn at a slower pace and know it
You want to complete the bonus point lab exercises (80% of exercises + 30 lab machines) without feeling rushed
Most people who complete Phase 1-3 properly can work through PEN-200 content and complete the lab work in 90 days at 12-15 hours per week. Candidates who skip Phase 1-3 and jump straight to PEN-200 often find 90 days insufficient.
Note-taking systems for technique documentation
Your notes are your personal exploit database. Across the entire preparation journey, you're building a searchable reference of every technique, command, and vulnerability type you've encountered.
The recommended structure for OSCP preparation notes:
Cheat sheets per attack category: Linux privilege escalation techniques, Windows privilege escalation techniques, Active Directory attacks, web application attacks, buffer overflow steps
Per-machine notes: For every HackTheBox/PEN-200 machine, document enumeration results, exploitation path, privilege escalation method, and flag hashes
Command library: Every command you use regularly, with the exact syntax and example output
Methodology reference: Your personal step-by-step process for approaching a new target
Obsidian is the most popular choice for OSCP candidates because it stores notes as markdown files locally, supports bidirectional linking between notes (linking your "Kerberoasting" cheat sheet to every machine where you used it), and doesn't require internet access during the exam.
The Bonus Points Calculation: Worth Your Time
PEN-200 offers 10 bonus points on the exam if you complete 80% of the module exercises plus 30 lab machines. With 70 points required to pass, these 10 bonus points can be the difference between failing and passing on a borderline attempt.
The exercise calculation: PEN-200 modules contain hundreds of exercises across the course. 80% completion requires consistent work through the material, not skimming. Each exercise teaches a specific technique — they're not busywork. The exercises are also the most efficient way to build technique depth because they're structured around the specific skills the exam tests.
The lab machine calculation: 30 lab machines out of 57+ available. With 90 days of access, that's less than 1 machine per 3 days if spread evenly — very achievable for a full-time candidate. For a part-time candidate at 10 hours/week, completing 30 machines alongside exercises is feasible with the 180-day access option.
The risk calculation: spending 3-4 weeks on exercises and 30 lab machines before the exam earns bonus points that may prevent needing a $1,499 second attempt. The math is clear — complete the exercises.
Troubleshooting the Most Common Stumbling Block: Getting Stuck
Every OSCP candidate hits walls. Getting stuck on a machine for 3-4 hours without progress is normal. Getting stuck for 12+ hours suggests you need a different approach.
The structured 45-minute rule: if you've been attempting one attack vector for 45 minutes without meaningful progress, force yourself to:
Review your enumeration — have you identified every open port and service version?
Check for version-specific exploits on Exploit-DB (
searchsploit [service] [version])Look for low-privilege footholds you might be exploiting too aggressively
Switch to a different machine and return fresh
When to use hints during lab practice: OffSec provides hints for lab machines through the student Discord and forum. The recommended approach: try for at least 3 hours before looking at any hint. Read only the first hint, implement it, continue independently. This builds the problem-solving habit the exam demands while preventing pure frustration from halting momentum.
The methodology checklist: before declaring yourself stuck, systematically verify you've completed each enumeration step. Many apparent stucks are actually incomplete enumerations. A structured checklist prevents the mistake of scanning port 80 and assuming there's nothing else interesting while port 8443 hosts the actual attack vector.
"The candidates who succeed with limited lab time are disciplined about methodology. They run the same enumeration process on every machine, every time. They don't skip steps because they think they know what the vulnerability will be. Consistency in the process is what makes the difference when you only have 10 hours a week to practice." — Tib3rius, OSCP holder and Windows and Linux privilege escalation course author
See also: OSCP exam strategy: the 24-hour lab and report methodology, eJPT and PNPT: entry-level offensive security certs worth pursuing
References
OffSec. (2024). PEN-200 / OSCP Course. https://www.offsec.com/courses/pen-200/
Null, T. (2023). OSCP-Like HackTheBox Machines. https://www.netsecfocus.com/oscp/2021/05/06/The_Journey_to_Try_Harder-_TJnull-s_Preparation_Guide_for_PWK_PEN_200_and_the_OSCP_Exam.html
TCM Security. (2024). Practical Ethical Hacking Course. https://academy.tcm-sec.com/p/practical-ethical-hacking-the-complete-course
TryHackMe. (2024). Jr Penetration Tester Learning Path. https://tryhackme.com/path/outline/jrpenetrationtester
HackTheBox. (2024). OSCP-like Machine List. https://www.hackthebox.com/hacker/pro-labs
Weidman, G. (2021). Penetration Testing: A Hands-On Introduction to Hacking, 2nd Edition. No Starch Press. ISBN: 978-1718501812
Frequently Asked Questions
How long does it take to prepare for OSCP while working full-time?
At 8-10 hours per week of consistent study, most candidates need 12-18 months of total preparation before attempting the OSCP exam. This includes 3-4 months on TryHackMe foundations, 4-5 months on HackTheBox, and 3-4 months in the PEN-200 official labs. Candidates who study 15+ hours per week can compress this to 6-9 months.
What is the TJNull HackTheBox list?
The TJNull list is a curated collection of retired HackTheBox machines selected by OSCP holder TJ Null for their similarity to OSCP exam machines. The list focuses on machines with clear enumeration signals and one to two exploitation steps, filtering out machines with unrealistic exploitation chains. Working through this list on HackTheBox VIP is widely considered the best exam preparation available.
Should I buy 90 or 180 days of PEN-200 lab access?
If you've completed Phase 1-3 preparation (TryHackMe, TCM courses, HackTheBox TJNull machines) and can dedicate 12-15 hours per week, 90 days is usually sufficient. Choose 180 days if your schedule is unpredictable, you need time for the bonus point exercises, or you've skipped earlier preparation phases and need more learning time in the official lab environment.
What should I know before starting PEN-200 lab access?
Before purchasing PEN-200 access, you should be able to independently compromise medium-difficulty HackTheBox machines in 3-4 hours, perform both Linux and Windows privilege escalation without consulting guides for common techniques, have completed at least two Active Directory attack chain exercises, and have a working note-taking system for documenting exploitation methodology.
What note-taking tool is best for OSCP preparation?
Obsidian is widely recommended for OSCP preparation because it stores notes as local markdown files (no internet dependency during exams), supports bidirectional linking between technique notes and machine notes, and handles code blocks and screenshots cleanly. CherryTree is the traditional alternative with a tree structure that maps well to per-machine documentation.