OSCP Exam Preparation: A 90-Day Study Plan
A structured 90-day study plan for the Offensive Security Certified Professional (OSCP) exam, covering lab strategy, methodology, and exam-day execution.
Why OSCP Is Different From Every Other Certification
The Offensive Security Certified Professional (OSCP) is the most respected penetration testing certification in the world — not because of what you know going into the exam, but because of what you can do during it. The exam is a 24-hour practical challenge where you must compromise a set of isolated machines in a controlled lab environment and submit a professional penetration test report within 24 hours afterward.
There are no multiple-choice questions. No memorization tricks. If you cannot find vulnerabilities, exploit them, escalate privileges, and document your findings under time pressure, you will not pass.
This guide gives you a realistic 90-day plan to get ready.
Prerequisites Before You Start
OSCP is not for beginners. Before enrolling in the PEN-200 course (the official OSCP training), you should have:
If you do not meet these prerequisites, spend 2-3 months on TryHackMe's "Complete Beginner" and "Jr Penetration Tester" paths first. Starting OSCP underprepared is one of the most common ways people fail.
The PEN-200 Course Structure
When you purchase PEN-200, you receive access to course materials (text and video) plus lab time (typically 90 days). The course covers:
The lab environment contains over 70 machines organized into network segments. Some machines are standalone; others require you to pivot through intermediate hosts to reach them.
The 90-Day Plan
Days 1-30: Course and Foundations
Read and watch all PEN-200 course materials methodically. Do not rush. After each section, attempt the associated exercises and capture any lab machines in that topic area.
Set up your Kali Linux environment during this phase. Organize your notes from the beginning — a structured note-taking system (Obsidian or CherryTree work well) will save you hours on exam day. Create templates for each phase of your methodology: reconnaissance, enumeration, exploitation, post-exploitation, and pivoting.
Build your personal enumeration checklist during this phase. For every machine, you should have a repeatable process for port scanning, service enumeration, web directory discovery, and vulnerability identification. Consistency during labs makes the exam much less stressful.
Aim to complete the course materials and the exercise writeups (these are eligible for 10 bonus points on the exam, which can be decisive at the pass/fail boundary).
Days 31-60: Lab Machines and HackTheBox
Stop reading and start hacking. During this phase, your goal is volume and variety.
In the official PEN-200 labs, target 25-35 machines. Do not look at hints until you have spent at least 2 hours on a machine. When you do look for hints, use them as learning opportunities — understand exactly why you missed the vulnerability, not just what it was.
Supplement with HackTheBox. The TJ Null list of OSCP-like HackTheBox machines is the community's gold standard resource — it curates machines with similar difficulty and style to the actual OSCP exam. Work through at least 15-20 machines from this list during this phase.
For every machine you compromise, write a full walkthrough in your notes. Practice writing as if you are producing a real penetration test report. This is not optional — the report is 50% of your OSCP grade.
Days 61-75: Active Directory Focus
Active Directory attacks deserve their own dedicated phase because they are a significant portion of the OSCP exam and require a fundamentally different approach than standalone machine exploitation.
During this phase, focus on:
Enumeration with BloodHound and manual AD enumeration techniques. BloodHound maps Active Directory relationships visually and identifies attack paths automatically — it is an essential tool. Practice running it against the PEN-200 AD lab sets.
Kerberoasting: Requesting service tickets for accounts with SPNs and cracking them offline.
AS-REP Roasting: Identifying accounts that do not require Kerberos preauthentication and capturing their hashes.
Pass-the-Hash and Pass-the-Ticket: Lateral movement using captured credentials or tickets.
Domain privilege escalation: Identifying misconfigurations in GPOs, ACLs, and group memberships that allow escalation to Domain Admin.
The PEN-200 AD sets walk you through multiple connected machines that require chaining techniques. Complete all AD sets and document your methodology carefully.
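The Kerberoasting and AS-REP Roasting items above both come down to account attributes that can be read straight from the directory, so the same exposure can be audited from the defender's side. The sketch below is an added example, not part of the PEN-200 material or the original article; the account records are constructed sample data, and treating an unset encryption-type value as RC4-permitting is an assumption about domain defaults.

```python
# Added example: audit a directory export for roastable accounts.
# Records below are constructed sample data, not output from a real domain.
UF_ACCOUNTDISABLE = 0x0002          # userAccountControl: account disabled
UF_DONT_REQUIRE_PREAUTH = 0x400000  # userAccountControl: preauth not required
ENC_RC4_HMAC = 0x4                  # msDS-SupportedEncryptionTypes: RC4 bit

SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_sql", "userAccountControl": 0x200,
     "servicePrincipalName": ["MSSQLSvc/db01.example.test:1433"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "svc_web", "userAccountControl": 0x200,
     "servicePrincipalName": ["HTTP/web01.example.test"],
     "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x200 | 0x400000,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "old_svc", "userAccountControl": 0x200 | 0x2 | 0x400000,
     "servicePrincipalName": ["HTTP/old.example.test"],
     "msDS-SupportedEncryptionTypes": 0},
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "servicePrincipalName": [], "msDS-SupportedEncryptionTypes": 0},
]

def audit_accounts(accounts):
    """Return sorted (account, finding) pairs for enabled accounts."""
    findings = []
    for acct in accounts:
        uac = acct.get("userAccountControl", 0)
        if uac & UF_ACCOUNTDISABLE:
            continue  # disabled accounts are out of scope for this audit
        name = acct["sAMAccountName"]
        if uac & UF_DONT_REQUIRE_PREAUTH:
            findings.append((name, "asrep-roastable: preauth disabled"))
        if acct.get("servicePrincipalName"):
            enc = acct.get("msDS-SupportedEncryptionTypes") or 0
            # Assumption: an unset value (0) falls back to domain defaults
            # that still permit RC4, so it is reported as the weaker case.
            if enc == 0 or enc & ENC_RC4_HMAC:
                findings.append((name, "kerberoastable: SPN set, RC4 allowed"))
            else:
                findings.append((name, "kerberoastable: SPN set, AES only"))
    return sorted(findings)

if __name__ == "__main__":
    for name, finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{name}: {finding}")
```

Each finding maps to a fix worth recording in a report: clear the preauthentication exemption on flagged accounts, and give SPN-bearing accounts long random passwords or move them to managed service accounts.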
Days 76-90: Exam Simulation and Refinement
In the final two weeks, simulate the exam environment as closely as possible. This means:
Timed mock runs: Pick 3-4 machines you have not solved, set a timer for 8 hours, and work through them without notes or hints. Practice the mental endurance required for the real exam.
Report writing practice: After each mock session, write a full penetration test report using the OSCP reporting template. Time yourself. The 24-hour report window goes faster than you think.
Methodology review: Audit your enumeration checklist and make sure you are not skipping steps. Most OSCP exam failures are caused by missed enumeration, not insufficient exploitation skills.
Sleep and stress management: The final week before the exam, sleep well and do lighter practice. Fatigue is one of the biggest exam killers.
Exam Day Strategy
Your exam consists of three standalone machines (worth 20 points each) and one Active Directory set (worth 40 points, but all machines in the set must be compromised for full credit). Passing score is 70 points.
The "AD set first" strategy works well for many candidates: spend the first 4-6 hours on the AD set because it has the highest point value and the clearest attack path structure. If you can complete the AD set, you need only 30 more points from standalone machines to pass.
Take breaks every 90 minutes. Stand up, drink water, take a short walk. A fresh pair of eyes often spots what an exhausted mind misses.
Screenshot everything. The report requires screenshots proving access — screenshot your proof.txt file contents alongside a command that proves code execution on the machine (for example, running whoami in the same terminal window).
Do not spend more than 3 hours on any single machine without moving on. Document what you have tried, move to the next machine, and return with fresh perspective.
Common Reasons People Fail
Skipping enumeration: The single most common failure mode. If you rush to exploitation without thorough enumeration, you will miss the actual vulnerability vector.
Over-relying on Metasploit: The exam restricts Metasploit use significantly. Practice manual exploitation techniques for every vulnerability type.
Poor time management: Not taking breaks leads to tunnel vision. Stuck candidates who take a 20-minute walk frequently return to find the solution immediately obvious.
Weak report: A technical pass with a poor report can still result in a failing grade. Practice writing clear, professional reports that describe every step with supporting screenshots.
Certifications That Benefit From OSCP Skills
The skills developed during OSCP preparation directly benefit these certification exams: CEH v13 (offensive techniques), CompTIA PenTest+ (methodology and reporting), GPEN (GIAC Penetration Tester), and eventually OSED and OSEP for advanced offensive security roles.
CyberCertPrep has practice question banks for CEH and PenTest+ that will reinforce the theoretical knowledge behind the techniques you are practicing in your OSCP lab.
Daniel Agrici
CEH, Security+, PenTest+
Daniel is the founder of CyberCertPrep. With a background in penetration testing and security consulting, he has passed 8 cybersecurity certifications and writes about exam strategies and career development.