How to Prepare for OSCP: A Practical Guide
An honest, no-nonsense roadmap for passing the OSCP — the lab strategy that worked for me, the resources I'd repeat, and the ones I'd skip.
The OSCP is not the hardest certification in offensive security, but it is one of the most respected — partly because of its 24-hour practical exam, and partly because OffSec has a long history of refusing to dumb it down. I'm midway through my own preparation right now, and the plan below is what I'd give to anyone starting from a clean slate.
A note before anything else: the OSCP is a methodology test, not a memorisation test. Anyone who tells you to "learn these 30 exploits and you'll pass" is selling you something. What the exam actually checks is whether you can enumerate a box thoroughly, pick the right tool, and not panic when the first three things you try don't work. Build the habits, not the trivia.
The Three Pillars of Prep
The work breaks naturally into three buckets, and you should be touching each of them every week.
Bucket one: foundations. Before you touch the OffSec course material, make sure your Linux command line is fluent, your Bash + Python scripting is at least junior-level, and your networking knowledge covers subnetting, TCP/UDP basics, and how a TCP handshake actually looks on the wire. If tcpdump, ss -tlnp, and iptables -L are unfamiliar tools, spend a week on them first. Trying to learn pentesting on top of shaky Linux fundamentals is like learning chess while still figuring out which way the pieces move.
Bucket two: hands-on hacking. This is where the bulk of your hours will go. The OSCP labs are good but expensive, so most candidates supplement them. The two platforms I would recommend without hesitation are HackTheBox and TryHackMe. On HackTheBox, focus on the boxes tagged "OSCP-like" — the community has done a great job curating this, and the TJ Null OSCP list is the gold standard. Aim to complete 30+ boxes from that list before you sit the exam.
A box-a-day cadence is realistic if you are preparing full-time; two boxes per week is realistic if you have a job. Whatever the cadence, the rule is: never look at the writeup until you've spent at least two hours genuinely stuck. Frustration is the cost of building intuition, and there is no shortcut.
Bucket three: report writing. A surprising number of OSCP candidates pass the practical and fail the exam because their report is incomplete or unreadable. Build the habit early. Every box you root, write a one-page report immediately: target IP, methodology, screenshots, the exact command and payload that worked, and the privilege escalation path. By the time you sit the exam, the report template should be muscle memory.
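One way to enforce that habit is to lint each box report before you move on. The script below is an added example, not part of the original guide: it assumes reports are kept as Markdown with one "## " heading per item listed above, and the function names and sample report are constructed for illustration.

```python
import ipaddress
import re

# Sections named in the paragraph above; the "## " heading layout is an assumption.
REQUIRED = ["Target IP", "Methodology", "Screenshots",
            "Command and payload", "Privilege escalation path"]

def parse_sections(report_md):
    """Map each '## ' heading (lowercased) to its stripped body text."""
    sections, current = {}, None
    for line in report_md.splitlines():
        m = re.match(r"##\s+(.+?)\s*$", line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return {k: "\n".join(v).strip() for k, v in sections.items()}

def valid_ip(text):
    try:
        ipaddress.ip_address(text.split()[0])
        return True
    except ValueError:
        return False

def check_report(report_md):
    """Return a list of problems; an empty list means the report is complete."""
    problems = []
    sections = parse_sections(report_md)
    for name in REQUIRED:
        body = sections.get(name.lower())
        if body is None:
            problems.append(f"missing section: {name}")
        elif re.fullmatch(r"(?i)(todo|tbd)?\.?", body):
            problems.append(f"empty section: {name}")
        elif name == "Target IP" and not valid_ip(body):
            problems.append("Target IP: not a valid address")
        elif name == "Screenshots" and not re.search(r"!\[[^\]]*\]\([^)]+\)", body):
            problems.append("Screenshots: no image reference")
        elif name == "Command and payload" and not re.search(r"`[^`]+`", body):
            problems.append("Command and payload: no command quoted in backticks")
    return problems

# Constructed sample report; 192.0.2.0/24 is a documentation address range.
SAMPLE = ("## Target IP\n192.0.2.10\n"
          "## Methodology\nFull TCP scan, then service enumeration.\n"
          "## Screenshots\n## Command and payload\nran the scan, got a shell\n"
          "## Privilege escalation path\nTODO\n")
print("\n".join(check_report(SAMPLE)))
```

Run it over every report in your notes directory at the end of a session; a section left as TODO at hour two is much cheaper to fix than one discovered while writing up after the exam.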
A Realistic 12-Week Schedule
Here is the rough cadence that has worked for me and for most candidates I've talked to. Adjust for your starting level and your day job.
Weeks 1–3: Foundations + Linux/Windows enumeration drills
    Target: 10 easy HTB / TryHackMe boxes, with reports.
Weeks 4–6: Web app exploitation focus
    SQLi, LFI/RFI, file upload, deserialisation, auth bypass.
    Target: 10 medium boxes, web-heavy.
Weeks 7–9: Privilege escalation deep-dive
    Linux: SUID, sudo misconfig, kernel, capabilities.
    Windows: services, registry, tokens, GPO.
    Target: 15 boxes, mixed difficulty.
Weeks 10–11: Active Directory + buffer overflow refresher
    Kerberoasting, AS-REP, GPP, BloodHound flows.
    Target: 5 AD-flavoured boxes + 2 full buffer overflows.
Week 12: Exam simulation
    Two full 24-hour practice exams from the OffSec or proving-grounds catalogue. Treat them like the real thing — no breaks longer than 30 min, no cheat sheets you wouldn't have on exam day.
The 24-hour practice exams are the single biggest predictor of whether you pass on the first try. The exam isn't hard because the boxes are individually impossible — they aren't — it's hard because by hour 18 you are exhausted, sloppy, and starting to convince yourself that the rabbit hole is the answer. Doing it twice in practice teaches you what your own brain does at 3 AM, which is the most useful information you can have on exam day.
Tools You'll Use Every Single Day
The OffSec exam restricts some automated tools, so build your toolkit around what is explicitly allowed: nmap, gobuster / feroxbuster, nikto, wpscan, crackmapexec, evil-winrm, responder, impacket, bloodhound, linpeas, winpeas. You can use Metasploit on one box only — pick the one where its payload generation actually saves you time, not the one where you're stuck.
A small thing that pays disproportionate dividends: keep a personal cheatsheet of every successful command you've ever run, organised by phase (recon, web, priv-esc, AD, post-ex). I keep mine in a single Markdown file with Ctrl+F as the search engine. By month three of prep, that file is more useful than any course material.
For browser-side tasks during the exam — encoding payloads, generating reverse shells, decoding JWTs — having a private, ad-free, locally-running toolkit beats Googling under time pressure. The tools on this site are exactly that: the reverse shell generator, the payload encoder, and the XSS payloads reference all earn their bookmark on exam day.
Practical Takeaways
If I were starting over tomorrow, the three things I would do differently are: start the report template in week one (not week ten), do all the TJ Null boxes before the exam (not the popular half), and book the practice exams the moment I started prep so I had a hard deadline. Pass or fail, the prep itself will make you a measurably better pentester. That's the part nobody can take away from you, regardless of which letter shows up on the result page.