The certification exam simulates a live corporate network in a private VPN. You will have 47 hours and 45 minutes to complete the challenge itself and a further 24 hours to submit your documentation.
The OSEP exam guide is available at the following link: OSEP Exam Guide
This is, of course, a very difficult question to answer. At a minimum, we recommend that you understand the majority of the concepts taught in the course and complete the challenge labs.
To learn how to schedule an exam, how to see the amount of time you have left before your exam attempt expires, or how rescheduling an exam works, please visit our Important information about exam scheduling or Important information about exam scheduling in the Training Library article, depending on the environment you are studying in.
All exams have a cooling off period in between attempts. You can view additional details on the cooling off period here.
Points are awarded for finding flags in the form of local.txt or proof.txt files; each flag is worth 10 points.
The exam can be passed in one of two ways: either achieve the objective provided on the control panel, or obtain at least 100 points.
It is not possible to obtain any bonus points on the OSEP exam from completing the course exercises.
The exam objective will be provided on the control panel when the exam starts. Completion of that objective is proven by obtaining the secret.txt flag.
Once your exam starts, you will get access to the control panel. On the control panel, you will find an explanation of the simulated penetration test and the associated goals.
You should include enough information in the exam report so our graders can replicate your steps.
In the exam report, you must include a screenshot of the flag in its original location by using the type or cat command. Additionally, you must include the output of the ipconfig/ifconfig/ip a command.
The shell from which the flag is documented must be a fully interactive remote shell. This means a web shell or RDP session is not sufficient.
The exam simulates a black box penetration test and as such, the total number of machines in the exam is not provided to students. It should be considered an exam secret that must be enumerated during the exam.
It is not required to compromise all machines in order to pass the exam. In fact, some machines cannot be compromised.
Just like in a penetration test of a real corporate network, many machines will have dependencies.
You can revert the exam machines through the control panel. Due to dependencies, it's not possible to revert individual machines; instead, they are listed in groups.
There are multiple avenues of attack that can be found through enumeration, so no single machine is required to pass.
We regularly patch the exam machines in order to prevent unintended attack vectors. Do not expect a new vulnerability to provide an easy way to pass the exam.
Exam machines will have various security solutions configured as taught in the course material. Note that bypasses taught in the course and practiced in the labs will also work in the exam.
The exam only contains modern and fully patched operating systems.
Just like in the PEN-300 course and challenge labs, the majority of topics and machines use Windows as the operating system. However, there will be Linux machines in the exam as well.
The exam is designed to test and verify skills and knowledge as covered in the syllabus. Allowing the use of commercial tools in the exam may provide an unfair advantage to some students.
As part of the exam, the student will be provided with a development VM in the VPN. This VM will contain tools such as Visual Studio and Microsoft Office among others.
The challenges in the PEN-300 labs train most of the concepts that are tested in the exam. The last challenge in the PEN-300 labs has a comparable complexity to the exam.
The OSEP exam consists of a pool of exam sets. The exam sets are assigned at random, so there is no guarantee you will receive the same exam set on a retake.
All OSEP exams are now proctored. Please make sure to read our online FAQ.