I’ve taken training across offensive, defensive, cloud, and forensics. These reviews cover what each course delivered and whether it was worth the cost.


I took OffSec’s PEN-200 (Penetration Testing with Kali Linux) course and passed the OSCP (Offensive Security Certified Professional) exam with 75 points in August 2020. At the time, I was working in digital forensics on the defensive side. I had taken eLearnSecurity’s eJPT and PTP beforehand, and used the PTP exam as preparation the week before OSCP. PTP gives you about a week to complete the hands-on portion, so it served as a practice run for a longer proctored exam. My company organized a cohort where a group of us studied together and sat for the exam on the same timeline. That cohort format helped with accountability and gave us people to troubleshoot with when we got stuck on lab machines.

Working through the PEN-200 labs changed how I approached systems. I went from reconstructing what happened on a machine to figuring out how to break into it. That’s what eventually moved me from defensive work into penetration testing.

OffSec updated PEN-200 in 2023 to add Active Directory attack content and restructure the curriculum. This review covers the pre-2023 version. Where relevant, I note what the update addressed.

Figure 1 — The PEN-200 lab environment (2020).

The course

PEN-200 covers foundational penetration testing methodology: information gathering, vulnerability scanning, web application attacks, buffer overflows, privilege escalation on Linux and Windows, and client-side attacks. The course material is delivered as a PDF and accompanying video modules. The content is structured and walks through each topic with examples. It works as a reference for the labs. It leaves gaps if used on its own.

OffSec states this up front. The course does not hand you everything you need to pass the exam. Their “Try Harder” philosophy means the material gives you a starting point, and you fill the gaps through research and experimentation. You will encounter machines in the lab that require techniques the PDF does not cover. That is by design.

The PDF includes exercises at the end of each section. Do all of them. The exercises are separate from the lab machines and cover different ground. They walk you through specific techniques step by step: writing a basic buffer overflow, crafting a client-side payload, pivoting through a compromised host. The foundational learning comes from these exercises, not the lab machines. The lab machines test whether you can apply what the exercises taught. Skipping the exercises and jumping straight to the lab is a common mistake.

The lab environment is where PEN-200 delivers its value. The course includes access to a network of vulnerable machines spanning multiple subnets with dependencies between them. I spent most of my preparation time working through as many lab machines as possible. Each machine required enumeration, exploitation, and privilege escalation, and the machines varied in difficulty and attack surface. The time a machine took ranged from a single hour to days of research and iteration. You build pattern recognition through the lab that the course material alone cannot give you.

Take thorough notes and screenshots for every lab machine. I used OneNote at the time, but Obsidian would be my choice now. Those notes serve you twice: during the exam, where you have 24 hours to write a full penetration test report, and on real engagements months later when a service or configuration matches something you saw in the lab. By exam day, writing things down as you go should be automatic.

Figure 2 — Summary (fake) notes from a PEN-200 lab machine.

TIP

Keep a structured log for every lab machine you complete. Record the machine name, IP, services found, attack path, and any rabbit holes you went down. You can reference these during the exam and on real engagements.

I rated content quality a 3 out of 5. The material covers the fundamentals and gives you enough to start each topic. You will need to research beyond it. The hands-on lab rated a 5 because no other training environment I used at the time matched the breadth and realism of the PEN-200 lab network. PEN-200 is a lab-first course, and the written material serves as a reference to support what you are doing in the lab. If you buy PEN-200 and only read the PDF, you will miss most of the value.

I supplemented with Virtual Hacking Labs (VHL) during my preparation. VHL provided additional practice machines in a similar format, and I found it useful for building volume and reinforcing methodology. If you have time before the exam window closes, add a second source of practice machines.

The exam

The OSCP exam is a 24-hour proctored, hands-on assessment. You receive a set of target machines and must demonstrate exploitation and privilege escalation to earn points. A proctor monitors your screen and webcam for the full 24 hours. After the hands-on portion, you have an additional 24 hours to write and submit a penetration test report documenting your findings. The format is public information documented on OffSec’s website. I passed on the first attempt with 75 points.

The exam was representative of the lab environment. The techniques required were consistent with what I had practiced across the PEN-200 lab machines and VHL. Nothing in the exam required knowledge outside the scope of what the labs had prepared me for. If you’ve put in the hours on lab machines and have a methodology that works, 24 hours is enough time.

What stuck

OSCP built two habits that carried into my professional work.

Persistence as a working discipline. PEN-200 conditions you to keep working when an approach fails. You enumerate further, research the specific service version, and try a different vector. I use that same process on engagements now.

Enumeration methodology. OSCP drills the principle that thorough enumeration comes before exploitation. Reconnaissance and service identification became automatic through the lab work. I apply it on internal networks the same way I applied it on PEN-200 lab machines.

The largest gap in the version I took was the lack of Active Directory content. The pre-2023 PEN-200 curriculum did not cover AD attacks, and AD environments make up the majority of enterprise networks. OffSec addressed this gap in the 2023 course update. Their PEN-300 (OSEP) course also covers AD attack chains in depth for those who want dedicated AD training beyond what PEN-200 now offers.

Bottom line

Most people who want to work in offensive cybersecurity will benefit from OSCP. It remains the certification that hiring managers recognize, and it proves you can execute a penetration test from enumeration through privilege escalation. You should not start with OSCP as your first exposure to offensive security. Complete boxes on HackTheBox or TryHackMe first, and be comfortable with Linux, basic networking, and scripting. Go in with that foundation and spend your time on the lab machines.

HackTheBox’s Certified Penetration Testing Specialist (CPTS) has been gaining traction as an alternative. I haven’t taken it, so I can’t compare them directly. For career impact, OSCP still carries more recognition with hiring managers.