The OSCP has a first-attempt pass rate of 15 to 25%. Most candidates who fail were not underprepared in the conventional sense. They had studied. They had done labs. They just had not prepared for the specific demands of a 24-hour proctored exam where nothing goes to plan and the only thing that gets you through is having rooted enough machines that the patterns feel automatic.
This guide is the realistic version. What OSCP actually tests. What prepared actually means. How long it genuinely takes. And the exact preparation path that gives you the best chance of passing on your first attempt.
What Does OSCP Actually Test?
Let's start with what you are signing up for.
OSCP is a 24-hour practical exam on an isolated VPN network. You have to compromise machines worth enough points to reach 70 out of 100. The structure in 2026: three standalone machines worth 20 points each and one Active Directory set worth 40 points. After the 24-hour hacking window closes, you get another 24 hours to write and submit a professional penetration test report. No report, no pass, even if you hit the point threshold.
Metasploit is restricted to a single machine. Every other compromise requires manual exploitation. The exam is proctored via webcam throughout.
The difficulty is not the technical concepts. The concepts are learnable. The difficulty is performing under sustained time pressure, after hour 16, when you are tired and stuck, on machines you have never seen before, with a deadline that does not move. The candidates who pass have done this so many times in practice that the enumeration methodology is automatic. They are not solving new problems on exam day. They are pattern-matching against problems they have seen before.
That is what you are preparing for.
How Long Does Preparation Actually Take?
Honest answer: 300 to 500 focused hours. Realistic preparation requires 10 to 20 hours per week for three to six months, and that assumes you already have offensive security fundamentals in place before you start. If you are building those foundations at the same time, add another three to four months.
The timeline by starting point:
Active penetration tester with existing hands-on experience: Three to four months of focused OSCP-specific preparation.
Security professional with foundational offensive skills: Four to six months.
Career changer with IT background: Six to nine months, including time to build the offensive fundamentals first.
Complete beginner: Do not book OSCP yet. Build foundations first. The money and the frustration are not worth spending before you are ready.
At less than 10 hours per week, the material fades between sessions. More than 20 hours per week is sustainable only if you are not working full-time. The people who pass on their first attempt are almost always the ones who were brutally consistent over a sustained period, not the ones who crammed.
What Skills Do You Need Before You Start PEN-200?
The PEN-200 course is not where you learn the basics. It is where you refine and apply offensive skills you already have. Arriving without these in place wastes lab time and money.
Linux and Windows proficiency. The command-line fluency to navigate, enumerate, and operate efficiently in both environments without hesitation. If you are still looking up basic commands, you are not ready.
Networking fundamentals. TCP/IP, DNS, how services communicate, how to read a port scan and understand what it means. Nmap should feel like a natural extension of your thinking, not a tool you have to consciously remember how to use.
Web application security. SQL injection, XSS, authentication bypass, file inclusion, command injection. Manual exploitation using Burp Suite. The OSCP consistently includes web application targets, and candidates who treat web security as a gap area leave points on the table.
Active Directory fundamentals. The AD set is worth 40 points and is the portion of the exam most candidates find hardest. Kerberoasting, Pass-the-Hash, BloodHound enumeration, lateral movement between hosts. You need to have done this repeatedly in a lab environment before exam day.
Privilege escalation on Linux and Windows. This is where exam points are lost or won. Automated enumeration tools help, but manual enumeration is what finds the non-obvious paths that automated tools miss.
Report writing. Every machine you compromise during preparation should be documented in professional report format. Not notes. A finding, with evidence, impact, and reproduction steps. The exam report is graded. Candidates who have never written a professional finding before exam day lose marks they should not.
The Preparation Path That Works
Step 1: Build the foundations on TryHackMe
TryHackMe's Cyber Security 101 path and Pre Security path cover the networking, Linux, Windows, and core security concepts that PEN-200 assumes you already have. If you are building from scratch, start here.
Step 2: Build offensive fundamentals with the Jr Penetration Tester path
The revamped Jr Penetration Tester path on TryHackMe is 89 rooms across 17 modules, completely rebuilt for 2026. It covers the exact skill domains OSCP tests: web application exploitation aligned to the 2025 OWASP Top 10, a nine-room Active Directory module covering Kerberoasting, credential harvesting, and lateral movement, full privilege escalation on Linux and Windows, Metasploit and the wider exploitation toolkit, and pentest methodology including report writing. Work through it in sequence and document every room.
Step 3: Sit PT1 as a readiness checkpoint
TryHackMe's PT1 certification is a 48-hour practical engagement across web, network, and Active Directory targets with a graded professional report. It is the closest exam format to OSCP available before you commit to the real thing. If you can pass PT1, you have the foundational skills and the reporting discipline that OSCP requires. If PT1 exposes gaps, you know exactly what to fix before spending $1,749 on PEN-200. Premium subscribers receive a 15% discount.
Step 4: Unguided machines
TryHackMe's harder rooms and unguided practice are where OSCP readiness develops. There is a specific and important gap between completing guided labs and being able to root a machine with no hints. Closing that gap requires deliberate, unguided practice. Work through TryHackMe's harder offensive rooms without hints. Try to root machines in the time frame an exam target would require. If you get stuck for more than an hour on something that should be straightforward, note the gap and go back to fundamentals.
Step 5: The PEN-200 labs and exam
By the time you buy PEN-200, your lab time should be used to refine and automate your methodology, not to learn new concepts. The candidates who pass on their first attempt typically have their enumeration workflow, privilege escalation checklist, and report template already in place before the lab access starts. The labs confirm the approach. The exam tests whether it is automatic.
What Actually Goes Wrong on Exam Day
Rabbit holes. You spend three hours on a machine that is not the intended path. The fix is methodology: enumerate everything on every machine before you start exploiting anything. The answer is almost always in what you found at enumeration, not in a technique you have not tried yet.
The AD set. Candidates who have not done enough AD lab work in sequence, compromising machines in a chain rather than independently, hit a wall on the AD set. It is worth 40 points, and you need most of them to pass. Do not underinvest here.
The report. Candidates who leave report writing to the final hours submit reports that cost them marks. Every flag you capture during the exam needs to be documented with a screenshot as you go. Rebuilding the narrative from incomplete notes at hour 22 is how passing scores turn into failing ones.
Burnout at hour 16. Take breaks. Sleep if you need to. The breakthroughs come after stepping away. The exam is long enough to survive a two-hour sleep window and still have time to pass.
Is It Worth It?
Yes, if you are serious about a penetration testing career. OSCP appears in the majority of senior pentesting and red team job postings. Holders typically earn $100,000 to $160,000 or more. The PEN-200 bundle costs $1,749 and includes the course, 90 days of lab access, and one exam attempt.
Even candidates who do not pass on their first attempt report that the preparation builds genuine skills that translate directly into better professional work. The ROI is real either way.
But spend that money only when you are genuinely ready for it. PT1 first. Unguided machines until the methodology is automatic. Then OSCP.
Start Your Preparation Here
The Jr Penetration Tester path covers the skills OSCP tests. PT1 validates your readiness before you commit to the real exam. Together they are the most direct structured path from where you are to where OSCP needs you to be.
Start building. The exam will still be there when you are ready for it.
Nick O'Grady