Road to OffSec Certified Expert 3
As is tradition, when you complete the OffSec Certified Expert 3 (OSCE3) you must write a blog post about it. The Terms of Service of OffSec do not explicitly state it, but everybody knows ;)
My Background in 2021
Feel free to skip if you already know me :)
I kind of dislike some other blog posts one frequently finds about people completing or attempting OffSec certifications. The technical background is not always properly explained. The background does help to frame the challenge level: is the certification really that hard, or do people just like to complain on the internet?
I have a technical degree in applied computer science (read: mostly programming) and a master's degree in computer science (read: math and programming). During my studies, I wrote code every day, not necessarily required by the degree, but because I enjoyed it. In my master's, I participated in research projects where cryptographic verification schemes were implemented and wrote middleware for data distribution service with a model-driven development (MDD) approach for embedded devices in Rust. I wrote apps for the initial product development stage and touched every level of code integration on Android, from low-level C up to Kotlin. I wrote compilers, and I implemented protocol gateways on FPGA. At the time I was preparing for the OSCP exam, I had a job working full time as an IT security consultant.
So my background is a highly technical one.
Starting Small with the OSCP
My first experience with OffSec certification was the entry-level OSCP.
During that time, I did some penetration testing at work and got the feeling that if you're doing penetration testing, you should be certified to an acceptable standard. This would prove that you can provide a high-quality service and aren't just claiming to do penetration testing when you're actually just running random tools or Nessus.
Recalling, the OSCP took me around 120 days + 30 days. At first I chose the 120 days because I had a full-time job, doing mostly pentesting. I did extend for 30 days because the Active Directory part was added, and I did need to study up. If I am not mistaken, the AD part was at that time effectively mandatory to pass.
How did I prep for the exam:
- I did complete around 30-ish Proving Ground machines (medium to hard).
- A good amount (25) of the shared lab machines. Yes, the lab was shared, and it was painful.
- I did write the lab report, but 2/3 through I just grinded more machines and never submitted it.
- I did grind the buffer overflow methodology down to 20 minutes, but they changed the exam format :(
The OSCP is intense, and if you're intellectually curious, it can provide that kind of kick, which one craves. Just the right level for a challenge. I do think that the OSCP is an entry-level certification that does provide an opportunity to start an upskilling journey, as the certification clearly focuses on enumeration and identification of known vulnerabilities and misconfiguration.
The Start of the Journey
After getting my OSCP in 2022, I initially decided that I would rather not pursue any further certifications, but given the time, I thought to myself:
That coin would be kinda nice :)
My OffSec certification triathlon did start at the start of 2023 with the OSEP. Followed by the OSWE in 2024. On the first of August 2025, I got my last certification as an OffSec Exploit Developer (OSED), and with that I got the OSCE3 as a freebie.
For the uninitiated, the certifications of the OSCE3 (OSEP, OSWE, OSED) all require a 48-hour exam + 24 hours to write the report. Each certification covers a different area of expertise:
- OffSec Experienced Penetration Tester (OSEP) covers Windows, Active Directory, AV evasion, and penetration tests against hardened corporate environments.
- OffSec Web Expert (OSWE) covers identifying web vulnerabilities through code audits, like insecure deserialization in C#, Python, PHP, etc., and other common web vulnerabilities.
- OffSec Exploit Developer (OSED) covers shellcode development, bypassing memory protection, and reverse engineering.
Taking the dog for a walk (OSEP)
The OSEP is probably the course that is closest to the OSCP and it extends and focuses on Windows environments and evasion aspects. This time I did have Learn One, but that was really a convenience, not a necessity. My experience from doing OSCP in 150 days was that powering through the content gives a nice focus, but if your private life changes, stretching the content is also fine.
Starting off, my god, Windows is a mess. I really feel for all the administrators who have to work with such an environment.
I did the course in 2023, and the content may have changed since then. At that time, the course did cover:
- Kerberos and Windows Authentication Mechanism
- Lateral Movement
- Active Directory and Forests
- DevOps-Specific Vulnerabilities
- MSSQL and Server Linking
- Office-Related Phishing Content
- Different ways to get code execution via LOLBAS
- Different ways to bypass the Defender, e.g., process injection or UAC
Reading the material and some other blog posts, the most important part of OSEP is preparation. Thinking about all possible scenarios and preparing something for it that you can drop into the console and will work is key. And alternatively, knowing a resource where you can look something unknown up. That was the time when I did start my custom shellcode development in Rust, as the Defender really could not deal with Rust async programs that well, and the shell was more stable than the one generated with msfvenom.
The exam format was pretty straightforward:
- Get the required flags and get 100 points
- And/or the secret.txt (not sure; it's been a long time)
The exam environment is a simulated corporate environment. You have 48 hours to hack your way through and afterward 24 hours to write a report. They pretty much cover almost everything in the course material in some shape or form.
I got all the flags within the first day and spent the rest of my time not getting the secret.txt. To this day I do not know what I missed that I could not access the vault :(
Overall I would say that the upskilling from OSCP to OSEP is more of a slight incline than a hill. Some chapters are more complicated for technological reasons; other parts can be prepared for. You will definitely build a solid understanding of Active Directory environments and how to exploit them. And I found what I learned useful for past projects. Evasion could be a bit more extensive; this may be an effect of the course being C2 vendor independent-ish, which I like.
Getting caught in the web (OSWE)
The OSWE is more of an outlier from the typical pentesting-focused courses. This one is about learning to do source code analysis for web applications and identification of vulnerabilities.
Initially, I was reluctant to do the OSWE. I already had an extensive programming background and have frequently done code audits. This time I used Learn One extensively to procrastinate.
The course is for the most part a collection of use cases of common web vulnerabilities. I feel the course tries to teach concepts that the "student" needs to learn and then can apply. I think for someone without any proper programming background, this course would be hard.
Same as before: 48 hours to hack and 24 hours to write the exam report. The exam tasks you to evaluate multiple machines and identify vulnerabilities, chain them together, and write exploit scripts. That process can be greatly sped up if you know the Burp Extension for exporting requests as Python code. :)
In the end, the course does enable one to detect and analyze more obscure web vulnerabilities via code auditing. I think one (without a programming background) could achieve a competency level that would benefit a software project.
Doing a Bit-Flip (OSED)
I always found the OSED material kind of intriguing (read: FOMO). During the OSEP, I started my research into shellcode development in Rust. So I did have some knowledge I could build on.
I enjoyed the course. Reverse engineering and staring at bits and bytes reminded me of my previous embedded experience. Content-wise, the OSED covers (taken from the syllabus):
- DEP and ASLR Bypass via ROP Chains
- SEH Overflows
- Custom Shellcode Development (32- and 64-Bit)
- Reverse Engineering
- Format String Attacks
- Egghunter
The debugging is done through an older version of WinDbg (32-bit), and reversing is done with the free version of IDA.
As before, preparation is key. Similar to OSEP, prepare your utility scripts and code templates so that you can easily piece together whatever is required by the exam.
For this course, it is really hard to say what the takeaway is. I found that the greatest challenge was finding bugs via reverse engineering under a time constraint with a tool limitation. Also, I write the ugliest assembler code if I have to rush it.
Maybe I just have to take the time to develop some PoCs for some recent CVEs to take proper advantage of the newly gained knowledge.
The Certified Expert 3 and Conclusion
Is the OSCE3 certification worth it? Yes (read: Coin!), but you really need to commit to doing the course. Do the extra miles, read other resources, and try out the referenced techniques. I used the links they provided for further reading. This provides a fantastic upskilling opportunity. However, I did encounter some dead links.
The price-to-value ratio is alright, as long as they keep updating the material. It would be good to be able to buy individual updated sections. They did change some content for OSEP, but I will never know what it is. Overall, the courses have enough depth. Teaching code auditing to someone who seldom writes code is difficult (OSWE), but the use case approach could be an option for some people. If you have access to Learn One, I recommend attempting the exam after reaching an 80% knowledge level to test whether you can pass it, as this is the best way to detect gaps: by testing it!
Like my Pentesting & Code Audit and Security Assessment Service, if you do not test it, you will not know what you are missing and will get hacked when your admin is on vacation. So reach out, get tested by an OSCE3 and find out how good your security posture really is! :)
I think, compared to the old OSCE, this newer version of the course is better. It was a good decision to divide up the course; with that, you can actually verify different areas of expertise more intensely.
Ranking the individual courses for price-value is pretty difficult: I found the OSEP has the most depth to it, and OSWE did showcase different kinds of vulnerabilities, but I did go into the course with my previous experience. OSED, I am really unsure. The format is the right way to teach the concepts, but I have the feeling something is missing from the course, or I just have not found the right area to apply it.