OSEP is the certification OSCP holders ask about most often. Is it worth doubling the spend? Will it actually help you clear senior red-team interviews? After supporting 200+ OSEP candidates over the past three years, here's the honest answer.
- Cost: ~₹1,84,000 (Learn One)
- Prerequisite: None — entry-level
- Focus: Generalist exploitation
- Exam: 24h hands-on + 24h reporting
- Role unlocked: Pen-tester (junior to senior)
- Cost: ~₹1,84,000 (Learn One)
- Prerequisite: OSCP-level fluency strongly recommended
- Focus: AV/EDR evasion · advanced AD
- Exam: 48h hands-on + 24h reporting
- Role unlocked: Adversary simulation operator
What OSEP actually teaches
- Custom shellcode loaders that bypass modern AV / EDR
- AMSI and ETW patching — both intro-level and advanced
- Process injection techniques — including newer ones (Hell's Gate, Halo's Gate, etc.)
- Advanced AD attacks — Kerberos abuse beyond Kerberoasting, RBCD, ADCS exploitation
- Lateral movement past Defender for Endpoint
- Custom payload development — turning known POCs into something that works on a hardened target
Where OSEP differs from OSCP
| Dimension | OSCP | OSEP |
|---|---|---|
| Exam difficulty | Hard (endurance) | Hard (depth) |
| Lab environment | Mixed Linux + Windows + small AD | EDR-protected Windows + advanced AD |
| Tools allowed | Limited Metasploit | Custom payloads encouraged |
| Antivirus posture | Disabled in most boxes | Defender enabled · evasion required |
| Active Directory depth | Basic (one chain) | Multi-domain · advanced trust abuse |
| Real-world fit | Generalist pen-test | Adversary simulation / red team |
Hiring impact in India
- OSCP → 90% of pen-tester JDs in India list it
- OSEP → Listed at top BFSI red teams, MSSPs, Big-4 advanced pen-test practices
- OSCP + OSEP → standout combination — typical salary ₹25-40 LPA mid-level in Mumbai/Bengaluru
- OSEP alone (without OSCP) → unusual; HR filters often miss it
OSEP vs CRTO — the related question
OSEP and CRTO target similar career outcomes (advanced red team roles) but teach different toolkits. OSEP is OffSec-style — custom payloads, AV evasion from first principles, no Cobalt Strike. CRTO is Cobalt Strike-centric, opsec-focused, more 'real engagement' feel. Both are excellent. If you're picking one, pick the one your target employer's red team uses.
Decision tree
- No certs yet → OSCP first. Always.
- OSCP, 0-1 yr exp → CRTP for cheap AD depth, then operator time
- OSCP, 1-2 yr exp, EDR-aware engagements → OSEP
- OSCP, 1-2 yr exp, Cobalt Strike shop → CRTO
- OSCP + OSEP / CRTO, 3+ yr exp → CRTE for multi-forest, or specialist OSED / OSWE
Macksofy's OSEP prep with OSCP refresher is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.