In November 2024, OffSec quietly killed the OSCP that an entire generation of pentesters trained for. The buffer overflow machine — the one candidates spent months drilling — disappeared. Bonus points went with it. Active Directory, formerly skippable, became 40% of the exam by itself. And the certificate now carries an expiration date for the first time in its 18-year history. Eighteen months in, the question recruiters keep getting asked is whether the new exam still means what the old one did, and whether passing it is harder, easier, or just different.
The short version: OSCP+ is still the most-named credential in pentest job postings, the new Active Directory section is genuinely more punishing for unprepared candidates, and the rebrand has reshuffled how it sits next to alternatives like PNPT, CRTP, and CRTO. Whether it’s still the gold standard depends on what role you’re chasing — and how much you trust a credential whose meaning changed mid-flight.
What Actually Changed in November 2024
OffSec’s overhaul came down to three structural moves. The Active Directory portion was rebuilt around an “assumed compromise” model, where learners start with a standard user account on the AD domain and work toward full domain compromise. Bonus points — the up-to-10-point buffer earned by completing PEN-200 lab exercises and challenge labs — were eliminated. And a new OSCP+ designation now sits alongside the legacy OSCP, carrying a three-year expiration tied to continuing-education requirements.
Passing the updated exam earns both certifications: the lifetime-valid OSCP and the time-bound OSCP+, which expires three years from issuance unless maintained through CPE credits, a recertification exam, or another qualifying OffSec certification. Anyone who passed before November 1, 2024 keeps their original OSCP indefinitely. Anyone passing after that date gets both badges, with the + quietly aging out unless they put work in to keep it.
The official rationale for the AD overhaul is straightforward. Under the old format, the AD environment was gated behind a single initial-compromise vulnerability — if a candidate couldn’t exploit it, they couldn’t demonstrate any AD knowledge at all, and the bonus-point system sometimes encouraged candidates to skip AD entirely. Combined, those design choices meant a candidate could pass the OSCP in 2023 without ever touching Kerberos.
That gap mattered because it diverged sharply from real engagements, where AD compromise is the assessment.
How the OSCP+ Exam Is Scored Now
The exam runs 23h45m for the hands-on portion, followed by a separate 24-hour window to submit a professional report. Three standalone machines award 20 points each (10 for low-privilege access, 10 for privilege escalation) for 60 points total. The Active Directory set is worth 40 points: 10 for machine #1, 10 for machine #2, and 20 for the Domain Controller. Bonus points were eliminated as of November 1, 2024. Passing requires 70 of 100.
The AD set works in sequence. Candidates receive a username and password to simulate a breached-environment scenario, then chain through the three machines toward the Domain Controller. Partial credit is now available within the AD set — a notable change. Under the old rules, failing to clear the entire AD chain meant zero AD points. Under the new rules, popping the first foothold workstation still earns 10 points even if the DC stays out of reach.
Standalone machines (3 × 20 pts): 10 for initial foothold, 10 for privilege escalation
Active Directory set (40 pts): Workstation #1: 10 pts; Workstation #2: 10 pts; Domain Controller: 20 pts
The proctoring rules tightened alongside the format. OffSec enforces a strict tool policy and explicitly prohibits AI/LLM assistance during the exam, alongside the long-standing one-target-only rule for Metasploit. Webcam stays on for the entire 24-hour window. Internet access is allowed for research, but pasting prompts into ChatGPT or Claude is grounds for disqualification.
Is the New Exam Actually Harder?
It depends entirely on the candidate. The OSCP+ is harder for someone who would have skated through the old exam by clearing the three standalone boxes plus bonus points, and easier for anyone who put serious time into AD anyway. The two changes that matter most pull in opposite directions.
Working against the candidate: AD is now mandatory, the bonus point cushion is gone, and 40 of 100 points sit in a single chained scenario where one missed pivot can lock the rest of the set. Under the pre-2024 format, a candidate who landed two standalone machines fully (40 pts) plus partial credit elsewhere plus 10 bonus points could squeak across. That math no longer works. Now a passing exam essentially requires either a clean AD compromise or near-total success on the standalones — and the standalones, by community consensus from 2025–2026 reports, have not gotten easier.
Working in the candidate’s favor: the assumed-breach AD model removes the cliff edge of the old “one vuln gates everything” gateway. The new format awards partial points within the AD domain, removing the requirement to fully clear the AD exam set to receive any AD-related points. A candidate who lands the foothold and one lateral move walks away with 20 of 40 AD points instead of zero. Buffer overflow exploit development — historically a guaranteed standalone worth 25 pts and a major time sink in preparation — has been deprioritized. Recent exam takers report that buffer overflow is no longer the guaranteed standalone machine it used to be, and over-indexing on it at the expense of Active Directory practice is now a documented failure mode.
The net effect is that the difficulty distribution flattened. Fewer candidates fail catastrophically (zero AD points), and fewer skate by on bonus-point padding. The middle of the curve thickened. Pass rates haven’t been published by OffSec, but community reporting from 2025 suggests the failure rate sits around 70% on first attempt — roughly consistent with historical numbers, though now driven by AD weakness rather than buffer-overflow blocking.
What Candidates Are Actually Failing On
The technical content shifted, and so did the failure modes. Three patterns dominate post-mortem write-ups from 2025–2026 candidates.
Pivoting and tunneling. The AD set frequently requires moving between subnets, and candidates who never built the muscle memory for it stall on machine #2. Analysis of failure reports identifies pivoting as a primary deficiency: candidates compromise the entry machine but fail to tunnel traffic to reach the internal network. The community-favorite tool for this is Ligolo-ng, which has largely displaced Chisel for OSCP-style pivoting because it creates a tun interface that makes pivoting feel like a local network connection.
Kerberos and AD-specific abuse. Kerberoasting, AS-REP roasting, and Pass-the-Hash are baseline expectations now, not bonus knowledge. BloodHound ingestion and querying — particularly the “shortest path to Domain Admin” query — appears in nearly every passing candidate’s writeup.
Report writing. This is the silent killer. Every major step needs a screenshot showing the proof file contents alongside the IP address (ifconfig or ip addr) in the same terminal — two separate screenshots don’t count. Candidates who hack four machines but submit unreproducible reports lose points the graders cannot recover for them.
Active Directory attacks: Pass-the-Hash · Pass-the-Ticket; BloodHound graph queries; Constrained delegation abuse; DCSync · NTLM relay
Pivoting and tunneling: SSH dynamic forwards; proxychains usage; Double-pivot scenarios; Internal subnet discovery
Privilege escalation: Windows: services, tokens, GPO; linpeas · winPEAS output reading; Kernel exploit selection; DLL hijacking patterns
Web and public exploits: File upload bypasses; SSRF · LFI to RCE chains; Authenticated CMS exploitation; Public exploit modification
How OSCP+ Stacks Against Alternatives
The cert market has changed around OSCP, and that’s at least as important as the format change itself. Three competitors now occupy real estate that used to be uncontested.
PNPT (TCM Security’s Practical Network Penetration Tester) sits at roughly $399–$499 with one free retake — a fraction of OSCP’s $1,699 standalone exam fee. PNPT requires candidates to perform OSINT on a target, conduct an external pentest to gain initial access, pivot through a five-machine Active Directory network, and gain Domain Admin with persistence, then deliver a 15-minute online presentation to a TCM staff member acting as a client. The presentation requirement is unique among major pentest certs and maps closer to the actual consulting workflow than OSCP’s static report.
CRTP (Altered Security’s Certified Red Team Professional) is the AD specialization play. CRTP simulates an assumed-breach scenario and focuses entirely on Active Directory attack vectors, going further on AD specifically than either PNPT or OSCP+, with a 24-hour exam in a multi-domain lab. It’s not a general pentest cert and doesn’t try to be.
CRTO (Zero-Point Security’s Red Team Ops) runs in a licensed Cobalt Strike environment and signals red-team-operator readiness rather than pentester baseline.
Is OSCP Still the Gold Standard?
The honest answer is: yes for hiring filters, no for technical superiority. Those used to be the same thing.
OSCP remains the most universally recognized mid-level pentest certification, appearing as a requirement in most penetration tester job postings globally. Government contracts, DoD-aligned roles, and large consulting firms — Mandiant, NCC Group, the big-four security practices — still treat it as a baseline filter. OSCP has shifted from being a ceiling to being a floor: for senior red team roles, candidates need to complement it with CRTO, CRTE, or OSED, but as an entry or mid-level practitioner credential, it’s still the strongest single investment.
Where the gold-standard claim weakens is on the technical content itself. PNPT’s full-engagement format (OSINT through report through live debrief) maps closer to actual consulting work. CRTP’s AD lab is deeper than the OSCP+ AD set. CRTO covers C2 frameworks the OSCP exam explicitly bans. None of these alternatives carry OSCP’s recruiter recognition, but each is a more honest test of one specific skill.
The three-year OSCP+ expiration also complicates the “gold standard for life” pitch. Anyone earning the credential now is on a maintenance treadmill — CPE credits, recertification exams, or stacking another OffSec cert before the + lapses. The legacy OSCP without the + remains valid forever, but it also won’t reflect AD-mandatory exam knowledge for candidates who passed pre-2024. Recruiters increasingly ask the year of certification.
Frequently Asked Questions
Does the legacy OSCP still count, or do I need OSCP+? The legacy OSCP — earned before November 1, 2024, or earned after that date and allowed to lose its + — is valid for life and still appears as a qualifying credential in nearly every job description that lists OSCP. Hiring managers don’t typically distinguish at the resume-screen level. The + matters for renewal-conscious employers and for proving recent AD knowledge.
How do I maintain the + so it doesn’t expire? The three maintenance paths are: passing a recertification exam within 6 months of the + expiry date, passing another qualifying OffSec certification before the + expires, or completing OffSec’s CPE program. Most candidates pursuing additional certs naturally fold maintenance into their next exam attempt.
Should I take OSCP+ first or go straight to PNPT or CRTP? If your target role lists OSCP by name, take OSCP+. If you want a cheaper realistic engagement experience, take PNPT. If you already work in AD-heavy environments and want specialization, CRTP. Skipping OSCP and jumping directly to OSEP or CRTO is technically possible but generally not recommended, since both assume the initial-access and pentest fundamentals OSCP teaches.
Is buffer overflow still on the exam? Not as a guaranteed standalone. It can appear as a component of a machine but no longer occupies a dedicated 25-point slot. Time formerly spent grinding overflow templates is better redirected to AD attack chains.
The Verdict
OSCP+ is a more honest exam than the cert it replaced. The AD changes reflect what pentesters actually do; the bonus-point removal closes a loophole; the + expiration drags an old credential into the modern model where every other major cert renews. That doesn’t make it the best exam on technical merits — PNPT and CRTP each beat it on specific dimensions — and it doesn’t mean the new format is dramatically harder for prepared candidates. What’s harder is bluffing through it. The candidate who never built AD muscle memory but used to scrape 70 points from standalones plus bonus is the one this exam was redesigned to fail.
For hiring purposes, OSCP is still the credential that opens the most doors. For learning purposes, treat it as one tool among several and stack accordingly. The gold standard didn’t move; the floor underneath it just got higher.






