OffSec & OSCP : Embracing The Suck and Managing Your Mental State

Offensive Security Certified Professional's entirely practical structure and learning curve (more of a right angle!) has given it a fearsome reputation amongst InfoSec students - and rightly so.

There are plenty of technical write-ups available, but the mental strain of pursuing this qualification (and the rest of the OffSec stack for that matter) is almost never written about.

This is a collection of advice from people who have been there, done it and passed the OSCP on keeping youself happy and sane.

For the uninitiated, what is OSCP?

OSCP is one of several information security qualifications offered by Offensive Security, and is usually the first of them that most people do.

It is entirely practical, with no theory segment whatsoever - setting it apart from most other security qualification. It also has a fairly legendary (by this point) learning curve.

Once you sign up and pay your bill - you pick a start date and get sent your PDF "textbook" and a set of videos explaining some concepts and some of the exercises.

You also get a connection pack that allows you to connect to the OSCP labs and you're pretty much left to your own devices.

Dependent on whether you bought a 30,60 or 90 day package - which will run you just under a grand (for the 90 day) in dollars or pounds - you'll get instructions on how to book your exam - and off you go!

If you're interested, the page to check OSCP out is here.

What sort of difficulty level is OSCP?

How long is a piece of string? If you're a pro with 5 years testing experience, you'll probably breeze it, but this qualification is not for people like that.

It only requires "basic networking and scripting knowledge" according to the material and that is who OSCP is aimed at, really.

In reality though, you would really want to have a pretty solid working knowledge of networking/the TCP/IP stack , and the ability to understand or read Python and C code.

If you're really starting from 0% experience - oh boy, are you in for a learning right-angle rather than a curve.

It's not easy, regardless of where you start.

Let's hear some advice from OSCP holders and students on how to keep yourself sane in the labs and during the exam.

Welcome to the next 30/60/90 days of your life!

Try Harder: My Ill-fated Expedition into Camp PWK

I'll start with my own story about OSCP first - as it'll explain why this article exists.

I was a system administrator in the Army and was introduced by my best friend to cybersecurity as a field. As anybody who's been Morpheus-ed ("take the red pill, and see how deep the rabbit hole goes....") into this industry will know - I immediately wanted in.

But HOW?

Cue years on years of putting myself through most of CompTIA's cybersecurity stack (can highly recommend) and a few other qualifications to really round out a rock-solid foundation in I.T.

But I wanted to sit at the cool kids table.

Or at least what I thought was the cool kids table from afar, before realising we're even bigger dorks when I got to sit at said table.

I get the CREST Practitioner Security Analyst and Registered Penetration Tester qualifications and boom - I'm qualified to the standard needed to get a job. Happy as Larry, I shot out applications with the enthusiasm of a puppy on ecstacy.

Cue one Disney-esque song and dance number, and I managed to find a position at a great cybersecurity consultancy as a CHECK Team Member Penetration Tester.

Roll credits, wipe tears, move on.

But where does OSCP come into all of this?

As anybody looking at the course, has done the course and who has passed the course - OSCP has a reputation amongst penetration testers as "the penetration tester's penetration testing qualification" , because we love nothing more than pointless gatekeeping.

But it is not without reason that it's gained such a reputation.

So I figured that if I was going to be a "real" penetration tester, then I needed OSCP, lest my "133T" status be taken away from me.

I never had it, but the fear persists, you know? Good old impostor syndrome.

I pay £1k on my credit card for the 90-day package, book my course date and the panic immediately set in.

"WHAT THE F**K DID YOU JUST DO, MATT?!?"

To be fair, that also could have been the espresso I'd just had - we will never know...

That Sunday, my course materials turned up and I immediately got cracking.

I reckon I threw about 3-4 hours a night at PWK that first week, on top of my work in pentesting already.

FIRST LESSON : OSCP will swallow your life, and quickly!

Establish a routine, and a healthy one - you are not going to be able to sustainably do a full-time job AND 6 hours a night. You shouldn't do it, because you just end up burning out and hating it. Work out what you can do sustainably, and stick to it - trust me on this one.

I loved it, and the next few weeks passed like lightning - I rooted some boxes, some easy, some harder and got through 90% of the book and videos within the first 30 days.

I met some cool guys online and I was flying.

But then after a while, the simpler stuff stopped working, and I hit the outer limits of my knowledge. All of my research, just ended up with cryptic hints on the OSCP forums, getting told "try harder" by people on other forums or the eventual solution I'd find not working.

It was INFURIATING. This wasn't much fun anymore. My progress slowed to a crawl, and I went a whole week without rooting a single box.

SECOND LESSON: Expect, prepare for and EMBRACE the "suck"

Your beginner's luck will last a couple of weeks maximum. It will start to suck fast, hard to a degree that just hasn't happened with any other qualification I've attemped.

Christ, even third year of my Economics Bachelor's wasn't this bad.

Prepare a strategy - I highly recommend ratcheting down your expectations for progress and just reach for the next smallest thing. and TAKE BREAKS! OFTEN!

I won't go into it here, but forces external to OSCP got worse, and my mental health deteriorated with it. Rather than being something I wanted to do, and looked forward to tackling - now OSCP labs were a chore. An exercise in just feeling more and more like an impostor pretending to be a cybersecurity professional.

It really did shake my confidence - and I don't blame anyone that takes a big confidence knock from the experience. I was already working in cybersecurity and as a pentester, no less. And now I felt like a fraud. Why couldn't I get this?

Eventually, things came to a head, and after speaking to my wife - I decided to withdraw from the OSCP course as it just wasn't working out.

No cathartic Disney-esque Field of Dreams ending, here.

Just the realisation that this course was just a little bit above my skill grade at the time.

And that's fine - OSCP is a course about learning to hack, not pentest. You can be an excellent penetration tester without OSCP, and with it. You can be a terrible penetration tester without OSCP, and with it. It's just a piece of paper after all, albeit one with clout and credibility.

I still have a job I enjoy as a penetration tester, and am continually at work on improving my entire career skillset, not just exploitation.

THIRD LESSON: Don't tie your self-worth or professional worth to how you do in this, or any other qualification.

This I have seen time and time again. The wall of suck has hit, and you don't feel like Mr.Robot anymore. You start pointing the finger inwards at yourself.

"God, if you can't even get this, you really must suck, huh?"

No. You don't suck. Penetration Testing, the end-goal of most people who attempt this qualification, requires a wide-ranging skillset of which enumeration and exploitation are just two. Consulting skill, writing well and your phone manner are all big parts of it too. Just because this might not have gone your way, doesn't mean you're out of luck for getting into cybersecurity.

Advice from OSCP Students, Holders and Cyber Professionals

You're not the first or last to attempt the OSCP challenge, and I hope you can help add to this post as Comfortably Dumb grows bigger!

This is advice from people working in the industry, on how to keep yourself healthy, happy and sane.

Jac Julian, OSCP Holder & Junior Penetration Tester at Fidus Information Security

Jay Jay Davey, Security Analyst at Carnival UK

Matthew Lashner, OSCP and IT Security Auditor at Vanguard Financial Services.

Lee Carter, Software Engineer at DVSA

Sergey Egorov, Penetration Tester at Commerzbank AG

Douglas Geddes eJPT, BCom(Hons) ,CAPM(PMI) and OSCP student

We're working on a big piece about managing burnout and impostor syndrome in information security and cybersecurity as a whole - if you have any stories on either of these topics, please let us know at matt@comfortablydumb.co.uk or through the Contact and Details page on this site.

Take care of yourself, your mental and physical health will always come first over a course, no matter which one it is.