
OSCP exam strategy: the 24-hour lab and report methodology

OSCP exam strategy guide: point allocation, AD vs standalone ordering, screenshot requirements, proof.txt documentation, 24-hour report writing, and common failure modes.


The OSCP exam is 23 hours and 45 minutes of hacking followed by 24 hours of report writing. You need 70 out of 100 available points to pass. Most people who fail don't fail because they can't hack — they fail because they didn't manage the 47 hours correctly. This article covers what actually works for the exam environment specifically, not just offensive security in general.


The exam structure and point allocation

The OSCP exam (OffSec PEN-200) has two components: three standalone machines and one Active Directory domain set. The point breakdown:

Component                        Points available   Notes
Standalone machine 1 (easy)      20                 10 for local.txt + 10 for proof.txt
Standalone machine 2 (medium)    20                 10 for local.txt + 10 for proof.txt
Standalone machine 3 (hard)      20                 10 for local.txt + 10 for proof.txt
AD domain (3 machines)           40                 All-or-nothing — must compromise entire domain
Bonus points                     Up to 10           From completing 80% of PEN-200 exercises + 30 lab machines

To pass without bonus points, you need 70 points. That means you need either: all three standalone machines (60 points) + meaningful AD progress (AD is all-or-nothing, so partial AD counts for zero), or two standalone machines (40 points) + full AD compromise (40 points) = 80 points. The math matters because it shapes your strategy.


AD first or AD last: the debate settled

There are two schools of thought on exam ordering, and both have merit.

Case for AD first: The AD domain is worth 40 points and those 40 points are all-or-nothing. If you spend 8 hours on AD and get 30% through it, you get zero points. Starting AD first means you attack it when your mind is sharpest. If you compromise the full domain quickly, you remove the all-or-nothing pressure and can work the standalones from a position of comfort.

Case for AD last: The standalones are more predictable. Easy and medium machines follow patterns. Getting 40 guaranteed points on two standalones early removes pass/fail anxiety and lets you attack AD with less pressure.

The practical answer: start with the easy standalone to warm up (30-60 minutes maximum), then attack AD. If you're past 4 hours on AD with no foothold, switch to standalones, bank as many points as possible, and return to AD with fresh eyes.

"The biggest mistake I see exam candidates make is spending too long on a rabbit hole. Set a 90-minute timer. If you haven't made meaningful progress in 90 minutes, you're in a rabbit hole — move on." — TJ Null, offensive security instructor and OSCP holder


Time allocation strategy across 23 hours 45 minutes

Here's a realistic time budget:

  1. Hours 1-2: Enumeration on all four targets simultaneously — run automated scans (nmap, gobuster, enum4linux) while doing manual enumeration on the first target
  2. Hours 2-6: Focused attack on AD domain — aim for foothold and first machine compromise
  3. Hours 6-8: Easy standalone machine — complete enumeration, exploit, local.txt and proof.txt
  4. Hours 8-12: AD continuation or medium standalone, depending on AD progress
  5. Hours 12-16: Medium standalone machine
  6. Hours 16-20: AD completion if not done, or hard standalone
  7. Hours 20-22: Mop up — clean up any machines you're close on, re-enumerate anything missed
  8. Hours 22-23.75: Screenshot review and note verification — ensure every required screenshot is captured before the exam ends

The mandatory break strategy

Cognitive fatigue is the most underestimated failure factor on the OSCP exam. Schedule deliberate 30-minute breaks at hours 8 and 16 — at these points in a 24-hour session, your problem-solving ability has degraded measurably even if you feel alert. The breaks do not pause the exam clock. The clock runs continuously for the full 23:45 regardless of whether you're actively working. Factor the two 30-minute breaks into your time budget — they cost 1 hour of working time and return significantly more than that in cognitive clarity for the final 8 hours.

Many candidates schedule a 3-4 hour sleep block around the 12-16 hour mark, especially if they have enough points banked to pass. Sleeping with 40+ points in the bank is rational: you wake up with 8 hours remaining and can attack remaining machines with a rested mind. Pushing through exhaustion with 40 banked points and failing to improve in the final 8 hours is a documented pattern.


Screenshot requirements and proof.txt documentation

OffSec is specific about what screenshots are required. Missing a required screenshot means you don't get credit for that machine even if you actually compromised it.

Required screenshots for each machine:

  • local.txt screenshot: Must show the contents of local.txt (the low-privilege flag) with your IP address visible in the same screenshot. Use type local.txt && ipconfig on Windows or cat local.txt && ip a on Linux, then screenshot both outputs together.
  • proof.txt screenshot: Must show the contents of proof.txt (the root/Administrator-level flag) with a privileged command prompt visible. On Windows, run whoami and show nt authority\system alongside proof.txt content. On Linux, show id returning root alongside proof.txt content.
  • For AD domain: Screenshots showing the contents of proof.txt on the domain controller with domain admin context confirmed

Do not crop these screenshots. Show the full terminal window. Reviewers are checking for the IP address, the flag contents, and your privilege level in a single screenshot.
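As an added example (not part of the original article or of OffSec's material), the following POSIX shell helper prints hostname, identity, IP addresses and the flag contents in one terminal output, so a single uncropped screenshot carries everything a reviewer checks. The 32-character hex flag format used for the sanity check is an assumption.

```shell
#!/bin/sh
# Added example: collect flag evidence for a Linux target in one output.
# Usage: flag_evidence /root/proof.txt   (or /home/<user>/local.txt)
set -u

# Assumption: a PEN-200 flag is a 32-character hex string.
looks_like_flag() {
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{32}$'
}

# Print this host's IPv4 addresses, falling back when `ip` is unavailable.
show_ips() {
    if command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show 2>/dev/null | awk '{print $2, $4}'
    elif command -v ifconfig >/dev/null 2>&1; then
        ifconfig 2>/dev/null | grep 'inet '
    else
        echo "(no ip/ifconfig binary; record the address from your VPN config)"
    fi
}

# flag_evidence FILE: prints hostname, UTC time, id, addresses and the flag.
# Returns 0 when the file is readable and its first line looks like a flag,
# 1 otherwise, so a missing or malformed flag is caught before the screenshot.
flag_evidence() {
    file=$1
    echo "=== $(hostname) $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="
    echo "--- identity ---"; id
    echo "--- addresses ---"; show_ips
    echo "--- $file ---"
    if [ ! -r "$file" ]; then
        echo "MISSING: $file is not readable"
        return 1
    fi
    flag=$(head -n1 "$file" | tr -d '\r\n ')
    echo "$flag"
    if looks_like_flag "$flag"; then
        echo "OK: flag format valid"
        return 0
    fi
    echo "WARNING: content does not look like a 32-hex flag, re-check the file"
    return 1
}
```

Run it in the same terminal you screenshot; the identity block replaces the separate `id` or `whoami` call the page describes for proof.txt.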

Note-taking systems for the exam

Your notes during the exam become your report. The systems that work best:

Obsidian works well because it handles markdown natively, allows local storage (no internet risk during exam), and supports linking between notes. Create a note per machine with sections for initial enumeration, services found, exploitation path, post-exploitation, and flags found.

CherryTree is the traditional choice for OSCP students — it's tree-structured, handles code blocks and screenshots, and exports cleanly to PDF. The hierarchical structure mirrors the exam's machine-by-machine organization.

Key note-taking rules for the exam:

  • Write the exact command that worked, not a paraphrase
  • Record the full URL or request if a web vulnerability was involved
  • Note your IP address at the start of each session (it can change if you disconnect)
  • Screenshot every significant step — local.txt, proof.txt, and major privilege escalation steps
  • Record what you tried that didn't work — this helps prevent re-running failed commands and is useful for the report's methodology sections

The 24-hour report writing window

When the exam timer ends, a 24-hour report writing window opens. The report must be submitted as a PDF through the OffSec exam portal. Many candidates underestimate this phase — the 24 hours passes quickly when you're physically exhausted after the hacking portion.

The report structure OffSec expects

OffSec provides an official report template on GitHub (community templates are also available and widely used). The expected structure:

  1. Executive Summary — One page maximum, high-level findings for a non-technical audience. Describe the overall security posture of the environment and the most critical findings without technical jargon.
  2. Methodology Overview — Tools and techniques used, general approach to the assessment, and the ethical scope boundaries.
  3. Per-machine findings — For each compromised machine:
    • Machine name, IP address, and operating system
    • Initial foothold: service identified, vulnerability exploited (CVE if applicable), tool used
    • Privilege escalation: vulnerability or misconfiguration exploited, exact command used
    • Flags obtained: include proof.txt hash value
    • Remediation recommendations: specific steps the hypothetical organization should take
  4. AD domain section — Full attack chain from external access through domain compromise, including each machine in sequence and how lateral movement was achieved

The report is part of your passing grade. OffSec reviewers use the report to verify that your proof.txt hashes are legitimate and that you understood what you did. A hash with no supporting methodology describing how you obtained it gets rejected. Write the methodology sections as if explaining your attack chain to a security professional who wasn't present — they need to be able to reproduce every step.

Report writing efficiency

  • Start writing the report during the exam, not after — use your running notes to fill sections as you complete machines
  • Have a report template ready before exam day
  • Redact or remove any information about the OffSec internal exam infrastructure
  • Keep file size manageable — compress screenshots before embedding

Two real-world examples of report failures: Marcus completed all four components of the exam but submitted his report as a .docx instead of .pdf — his submission was rejected and he had to restart the exam. Elena included the exam VPN credentials in her report (she copy-pasted from her notes) — OffSec rejected the report for including restricted exam information.


The bonus points system: what it actually requires

Since 2022, OffSec has offered up to 10 bonus points for completing lab work before the exam. The requirements:

  1. Complete 80% of the PEN-200 course exercises (not just watching videos — the written exercises in each section)
  2. Submit 30 proof.txt hashes from the PEN-200 lab machines

With bonus points, you need 60 points on the exam itself to pass (60 + 10 = 70). Two standalone machines (40 points) plus full AD compromise (40 points) = 80 points, which passes with or without the bonus. Two standalones (40 points) + bonus (10 points) = 50 points, which does not pass. You still need 60 exam points minimum.

For candidates who complete all the lab work, the bonus points can be the difference between a retake and a pass. Budget 40-60 hours of extra work for the exercises if you want to qualify for them. The lab exercise requirement specifically covers exercises, not just lab machines — candidates who compromise 30 machines but skip the written exercises do not qualify.


Common failure modes and how to avoid them

These are the patterns that cause people who could pass the OSCP to fail it:

  • Rabbit holes: Spending more than 90 minutes on any single path without meaningful progress. Set a timer.
  • Skipping enumeration: Rushing to exploitation without thorough enumeration. Run nmap with -sV -sC -p- and actually read the output.
  • Missing screenshot requirements: Realizing at hour 22 that you don't have a proof.txt screenshot with the required IP address visible. Capture screenshots immediately when you get a flag.
  • No backup notes: Running commands without recording them. If your note-taking tool crashes, you lose your exploitation path documentation.
  • Report procrastination: Starting the report after the exam ends with 18 hours of window remaining. The 24 hours goes faster than expected.
  • Not sleeping: Attempting to work through all 23 hours without rest. Even 3 hours of sleep improves problem-solving ability measurably.

What OSCP proves that other certs don't

The OSCP is one of the few certifications where the content of the exam itself cannot be summarized or memorized. Every exam instance involves different machines, different vulnerabilities, and different attack paths. A candidate who passed the OSCP at some point in their career demonstrated that they could — on a specific day, under time pressure, with no assistance — compromise multiple systems and document their findings professionally.

For hiring managers at boutique penetration testing firms, this signal is nearly impossible to fake and difficult to replicate with theoretical training alone. The OSCP doesn't prove you're a great penetration tester — experience does that. It proves you have the fundamental skills to actually execute an engagement in a controlled scenario. The gap between "knows penetration testing concepts" and "has demonstrated penetration testing skills" is exactly what the OSCP measures.

Two characteristics of the OSCP that reinforce this signal over time:

  1. No expiration — An OSCP earned in 2018 or 2024 carries the same designation. The exam has been updated (2022 update added the AD component), but the certification itself doesn't lapse. A resume showing OSCP from 2019 tells a hiring manager that the candidate passed a practical hacking exam, not just that they hold a credential that expires without renewal fees.

  2. Transparent methodology verification — OffSec's report review process means every OSCP holder submitted documentation of their exploitation methodology. This creates a higher standard than multiple-choice exams where the thought process behind an answer is unknowable.




Frequently Asked Questions

How many points do you need to pass the OSCP exam?

You need 70 out of 100 available points to pass the OSCP exam. Points come from three standalone machines (20 points each) and one Active Directory domain set (40 points, all-or-nothing). Completing 80% of PEN-200 exercises plus 30 lab machine proofs earns up to 10 bonus points.

Should you tackle the AD domain first or last on the OSCP exam?

Most experienced candidates recommend starting with the easy standalone to warm up, then attacking AD when your mind is sharpest. The AD domain is worth 40 points on an all-or-nothing basis, making it high-risk to leave until you're exhausted. If you're past 4 hours on AD without a foothold, switch to standalones and bank guaranteed points first.

What screenshots are required for the OSCP exam report?

Each machine requires two screenshots: one showing local.txt contents with your IP address visible, and one showing proof.txt contents with a privileged shell prompt visible. The IP address and flag contents must appear in a single screenshot. Do not crop screenshots — show the full terminal window.

How long do you have to write the OSCP exam report?

You have 24 hours to write and submit the report after the exam hacking portion ends. The report must be submitted as a PDF through the OffSec exam portal and must document the exploitation methodology for each machine, including the commands used and how you obtained each flag.

What note-taking tool is best for the OSCP exam?

Obsidian and CherryTree are the two most popular choices among OSCP candidates. Both handle markdown and code blocks well. Obsidian stores notes locally (no internet dependency) and supports linking between notes. CherryTree's tree structure maps well to machine-per-machine organization. The specific tool matters less than using it consistently throughout the exam.