Portfolio

OSEP Exam Review & Prep Guide 2025: My Road to OffSec Experienced Penetration Tester

Von /

OSEP was the certification that made me respect the difference between “I can pop a box” and “I can operate through a hardened Windows environment without losing the plot.” This is not a spoiler post and it is not a bypass recipe. It is my review of the prep, the mindset, and the parts that actually changed how I approach offensive security work.

OSEP certificate earned by Rian-Adrian Friedt
My OSEP certificate. Real screenshot/asset, no AI-generated image.

After the Exam

The exam itself felt surprisingly manageable compared to the amount of preparation behind it. I finished the main work in about 7 hours, even though I went into it with very little sleep. That does not mean OSEP is automatically easy. It means the preparation finally paid off: the workflow was clear, the notes were usable, and the decision-making under pressure felt controlled.

Quickmeme piece of cake meme used in OSEP post

Meme note: When the prep is harder than the actual fight, the exam starts feeling less like a monster and more like a checklist with attitude.

The biggest lesson for me was that OSEP rewards calm execution more than panic creativity. If you understand your lab work, keep clean notes, and know how to troubleshoot without losing time, the exam becomes much less chaotic.

I also noticed that not every module or topic needs the same depth for every person. Some areas were essential for my workflow, while others were useful context rather than something I had to over-study. The important part is knowing your own weak points and validating them in a lab instead of blindly collecting more material.

I am grateful for the opportunity to pursue this certification and for the people around me who supported the process. My family, my wife, and MindBytes GmbH gave me the space, motivation, and support to keep pushing my offensive-security path forward.

Looking back, OSEP was less about proving that I can run a specific technique and more about proving that I can stay methodical when Windows, tooling, and assumptions do not behave perfectly. That is the part I will actually carry into real work.

Why I Went for OSEP

After OSCP and CPTS, I wanted something that forced me deeper into Windows tradecraft, Active Directory operations, payload adaptation, and realistic reporting pressure. OSEP felt like the next logical step because it does not reward panic-clicking tools. It rewards understanding what is happening when the lab starts pushing back.

For me, the real goal was not only passing an exam. The goal was becoming more comfortable with the uncomfortable parts: things breaking, payloads failing, assumptions being wrong, and needing to explain the whole chain clearly afterward.

The Prep Mindset

The biggest shift was moving from checklist mode into operator mode. A checklist is useful, but OSEP prep punishes shallow repetition. If something fails, you need to know whether the issue is architecture, context, permissions, language, delivery, detection, or just your own notes being messy.

  • Build a repeatable workflow instead of relying on one favorite trick.
  • Understand why a technique works before trying to adapt it.
  • Treat every failure as feedback from the environment, not as random bad luck.
  • Keep a clean lab journal: what changed, what failed, what worked, and why.
  • Practice reporting while practicing exploitation, not only after the exam.

What Helped Me Most

1. A Real Windows Lab

The most useful prep was not reading another list of commands. It was testing ideas in an isolated Windows lab until I understood the constraints. If a technique only works when everything is perfect, it is not a workflow. It is a lucky demo.

2. Active Directory Repetition

OSEP and AD are not the same thing, but AD thinking helped a lot: enumeration discipline, privilege relationships, lateral movement logic, and not trusting the first obvious path. Zephyr was useful for that because it trained me to think in longer chains and stay organized.

Hack The Box Pro Labs Zephyr certificate by Rian Friedt
Zephyr helped me build patience for larger AD-style environments before OSEP.

3. Evasion as Reasoning, Not Magic

The modern evasion topic is easy to explain badly. I do not see it as “use this trick and win.” I see it as understanding how controls reason about behavior, why suspicious patterns stand out, and how defenders can validate that their coverage is not only signature-based. That mindset is much more useful professionally than publishing a fragile bypass recipe.

Defensive takeaway: If a tester can reason about behavior, defenders should reason about behavior too: process chains, memory behavior, scripting patterns, unusual authentication, and the gap between alert volume and actual visibility.

My Study Structure

I treated prep like a small project instead of a random grind. Every week needed a theme. Every theme needed notes. Every note needed enough context that I could return to it later without asking “what was I even doing here?”

  • Phase 1: refresh Windows internals, PowerShell habits, and basic payload handling concepts.
  • Phase 2: work through PEN-300-style topics with lab validation and careful notes.
  • Phase 3: practice chaining, troubleshooting, and recovering when the obvious route dies.
  • Phase 4: timed practice blocks with report writing immediately afterward.
  • Phase 5: final review of notes, common failure modes, and evidence collection habits.

Meme break: Payload fails silently. Me: “Maybe it is the environment.” Also me: forgot one tiny assumption from three pages ago.

What I Would Do Differently

I would start writing exam-style notes earlier. Not because the report is difficult to format, but because evidence quality becomes much easier when you train it from the beginning. Screenshots, timestamps, clear commands, and short explanations save you from future-you.

I would also spend less time hunting for perfect external resources and more time repeating the same concepts until they felt boring. Boring is underrated. Boring means you can perform under pressure.

Exam-Day Lessons Without Spoilers

  • Do not let one failed path destroy your rhythm.
  • Keep your notes structured even when you are tired.
  • Take screenshots earlier than you think you need them.
  • Separate assumptions from confirmed facts.
  • If something feels too messy, step back and rebuild the chain in plain language.

Who Should Take OSEP?

OSEP makes sense if you already have a foundation in penetration testing and want to become more comfortable with Windows-heavy offensive work, payload adaptation, Active Directory-style thinking, and reporting under pressure. If you are still building fundamentals, I would not rush it. Build the base first. OSEP is much better when you can focus on the advanced parts instead of fighting basics.

Final Thoughts

OSEP made me more patient and more technical at the same time. It taught me that offensive security is not only about getting execution. It is about understanding the environment, adapting responsibly, collecting clean evidence, and translating technical work into something useful for defenders and clients.

No AI-generated images were used in this post. The screenshots/assets shown here are my own certificate/lab-related assets.

Nach oben scrollen