In late 2024 OffSec rebranded the OSCP exam to OSCP+ and changed enough of the underlying mechanics that 2024-syllabus content is now obsolete. If you're starting in 2026, you're studying for OSCP+ — not the legacy exam. Here's what's different and what it means for Indian candidates.
Legacy OSCP
- Buffer-overflow box (25 points)
- Standalone Linux + Windows + 3-host AD chain
- Bonus 10 lab points for completing exercises + lab boxes
- Lifetime certification — no recertification
- PEN-200 v2.0 / v3.0 syllabus
OSCP+
- Buffer-overflow REMOVED
- Full Active Directory chain expanded — single connected AD set worth ~40 points
- Bonus lab points REMOVED
- Cert valid 3 years — CPE-based recertification required
- PEN-200 v4.0 syllabus + AWS cloud module
What was removed
- Buffer-overflow standalone target — no more bespoke BoF practice for the exam
- Bonus lab points — you can no longer 'bank' 10 points before exam day
- Self-paced 'lifetime' certification — every OSCP+ now expires after 3 years
What was added
- Expanded Active Directory chain — full 5+ host AD set worth ~40 of 100 exam points
- AWS cloud module (PEN-200 modules 20–21) — IAM enumeration, S3 / EC2 / Lambda discovery, Pacu modules
- Modern post-exploitation — RBCD, Shadow Credentials, ADCS abuse (ESC1-ESC8) covered explicitly
- CPE-based 3-year recertification — the cert lapses without 90 CPEs
Why OffSec made these changes
Real-world penetration testing in 2024–26 is dominated by Active Directory and cloud — not by hand-rolled buffer overflows. OffSec aligned the exam with what hiring teams actually pay for. The recertification requirement also brings OSCP into line with industry standards (CISSP, GIAC) and makes the cert a continuing-education signal, not a one-time stamp.
How prep changes for OSCP+ in 2026
| Topic | Pre-2024 weight | 2026 weight |
|---|---|---|
| Buffer overflows | Significant — bespoke practice | Zero |
| Active Directory | Moderate (3 hosts) | Heavy (5+ hosts, ~40 pts) |
| Web exploitation | Moderate | Moderate |
| Privilege escalation (Linux + Windows) | Heavy | Heavy |
| Cloud (AWS) enumeration | None | Moderate (PEN-200 mod 20–21) |
| Reporting | Required (basic) | Required (stricter rubric) |
| Lab grinding for bonus | Worth 10 points | No bonus — pure exam scoring |
What hasn't changed
- 24-hour exam window + 24-hour reporting window
- 70 / 100 passing score
- Hands-on practical format with required professional report
- Mentor-until-pass culture at Macksofy and other Authorized Partners
- Recognition with hiring managers — OSCP+ is treated as 'OSCP' on every JD we've reviewed in 2026
Should I worry about the recertification clock?
Practically: no. 90 CPEs in 3 years is one OffSec annual subscription course (40 CPEs), one industry conference (8 CPEs/day) and a handful of webinars or blog posts. If you're working in security, you'll accumulate them by accident. The risk is for OSCP+ holders who leave security for unrelated roles and never log activities back into OffSec's CPE portal.
Cost in India in 2026
- OffSec direct: PEN-200 + 90-day lab + exam ≈ ₹1,70,000 (USD 1,749)
- Macksofy Authorized Partner package: official course + 60h instructor-led bootcamp + mentor-until-pass = ₹1,45,000 (15% off, 3/6/12-month EMI)
- Self-study without a mentor: cheaper, but the average first-attempt pass rate drops below 50%
Macksofy's OSCP+ bootcamp is one of several hands-on tracks Macksofy delivers across India and the UAE. Macksofy is CERT-In empanelled and OffSec/EC-Council authorized, and runs weekend cohorts and corporate batches.
