Offensive Security’s New OSEP, OSED, and OSEE: The Advanced Track Map

OffSec’s advanced track is no longer a side quest after OSCP. It’s the gate between mid-career penetration testers and the small population of practitioners who can breach hardened enterprises, write working exploits against modern Windows mitigations, and chain primitives into kernel-level compromise. The three certifications — OSEP, OSED, and OSEE — sit on top of the foundation in roughly that order of difficulty, and earning the first three 300-level credentials (OSEP, OSED, plus OSWE) automatically grants OSCE³, OffSec’s expert-tier umbrella designation.

The track has shifted in 2025 and 2026. PEN-300 expanded its evasion content in response to mature EDR and XDR deployments. EXP-301 stayed deliberately close to its 32-bit roots, despite the temptation to chase 64-bit shiny objects. EXP-401 — the gateway to OSEE — remains in-person only and is still the hardest exam OffSec offers. This article maps how the three fit together, what each one actually tests, where the pitfalls live, and how to sequence them without burning a year on the wrong cert.

What Sits Above OSCP and Why It Matters

The 200-level OSCP validates that you can compromise a small simulated network using documented techniques. It’s the floor for working penetration testers, not the ceiling. The 300- and 400-level certs assume that floor is solid and push into territory most practitioners never touch on the job: bypassing application allowlisting, building custom shellcode, chaining ROP gadgets against DEP and ASLR, and — at the OSEE level — exploiting kernel-mode bugs in 64-bit Windows.

The track exists because the gap between “I can run impacket against a flat network” and “I can operate on an estate with Defender for Endpoint, AppLocker, constrained language mode, and ESAE-style tiering” is enormous. OffSec built the 300-level curriculum to fill that gap with hands-on tradecraft rather than theoretical multiple choice.

OffSec Advanced Track
The Three Certifications at a Glance
PEN-300 / OSEP (Experienced Penetration Tester): Evasion, AV/EDR bypass, advanced Active Directory attacks against defended estates. Exam: 47h 45m practical.

EXP-301 / OSED (Exploit Developer): 32-bit Windows user-mode exploit development, reverse engineering, ROP, format strings. Exam: 47h 45m practical.

EXP-401 / OSEE (Exploitation Expert): 64-bit kernel exploitation, mitigation bypass, heap manipulation against enterprise apps. Exam: 72h practical.

OSEP: Evasion and Active Directory at the Senior Level

OSEP is the entry point most candidates choose, because PEN-300 builds on what OSCP already taught. The course is structured around 20-plus modules covering client-side attacks, application allowlisting bypass, advanced Active Directory attacks, antivirus and EDR evasion, lateral movement, and persistence. After the modules, learners hit seven Challenge Labs that simulate realistic engagements against defended environments.

The exam runs 47 hours and 45 minutes in a private VPN against a simulated corporate network. Six target machines, ten flags, and a fallback path: reaching the secret.txt file on the final machine can also pass you, regardless of flag count. You then have 24 hours to upload documentation. The report is graded as strictly as the technical work — missing screenshots or unclear reproduction steps cost points, and once you submit, you cannot resubmit.

What makes OSEP distinctive in 2026 is the curriculum’s response to mature defensive tooling. The course teaches AMSI bypass techniques, AppLocker evasion, process injection variants (process hollowing, thread hijacking, APC injection), Kerberos abuse including unconstrained and constrained delegation attacks, and the development of custom tooling in C# to evade signature-based detection. Candidates who skip C# practice tend to struggle — the language shows up repeatedly in exercises and reflects the actual tradecraft red teams use against Windows-heavy enterprises.

Prerequisites are not formal but are real. You need solid familiarity with Active Directory, comfort with PowerShell and at least one compiled language, and the ability to enumerate and exploit common privilege escalation paths without hand-holding. Most successful candidates come in with OSCP plus 1–2 years of active pentesting work.

OSED: The Exploit Development Crucible

OSED is where the track narrows. EXP-301 is described as intermediate, but the prerequisite knowledge — x86 assembly, C, debugger fluency, basic reverse engineering — filters out most candidates who haven’t done significant low-level work before. The course spans 13 modules covering stack-based buffer overflows, SEH overwrites, custom shellcode (egg hunters, reverse shells), reverse engineering with IDA, DEP and ASLR bypass via ROP, and format string vulnerabilities used to build read primitives.

The exam is again 47 hours 45 minutes, but the structure differs from OSEP: three independent exploit development tasks, each requiring a working Python 3 exploit and detailed documentation. You submit a .7z archive containing a PDF report and your .py files within 24 hours of finishing.

The course is unapologetically 32-bit and Windows-only. This is a deliberate pedagogical choice that draws criticism: real-world exploitation has moved largely to 64-bit, and modern bug classes look different. OffSec’s defense — accurate, in our reading — is that the underlying reasoning skills (controlling EIP, finding gadgets, bypassing mitigations under constraint) transfer cleanly to 64-bit work, and that mastering them in the simpler 32-bit environment is more pedagogically efficient than throwing learners at 64-bit complexity straight away. Practitioners disagree on whether that tradeoff still holds in 2026.

What OSED actually teaches well: building exploits under constraint, custom shellcoding without leaning on Metasploit, reverse engineering binary protocols, and ROP chain construction from scratch. What it doesn’t teach: heap exploitation, modern mitigations like CFG and CET, browser exploitation, or anything kernel-mode. Those live in OSEE.

OSEE: The Hardest Exam OffSec Sells

OSEE is the expert-tier credential and a different beast from the 300-level certs. EXP-401 — Advanced Windows Exploitation, often called AWE — is delivered in-person only, typically at Black Hat USA or as private cohorts, because the course requires intensive instructor interaction that OffSec has chosen not to virtualize. This alone makes OSEE inaccessible to many practitioners; you need travel budget and timing to even attempt it.

The course covers 64-bit kernel exploitation, complex heap manipulation, modern mitigation bypass against widely deployed enterprise applications, and the kind of bug-hunting-meets-exploitation work that mirrors actual zero-day research. The exam is 72 hours of unsupervised work in a virtual lab, requiring discovery and exploitation of unknown vulnerabilities, plus a detailed penetration test report.

OffSec recommends completing the 300-level certs before EXP-401, and explicitly notes the course requires evening study commitments — case studies and supplemental reading — on top of full days in class. The exam pass rate is not published but is widely understood to be the lowest of any OffSec credential. Retake pricing for OSEE is not listed in the standard portal; you submit a request to OffSec to arrange one.

Skill Surface by Certification

Reference Map
What Each Cert Actually Tests
Columns: Domain, OSEP, OSED, OSEE
AV / EDR evasion: Core, Implicit
Active Directory attacks: Core
Process injection / hollowing: Core, Touched, Advanced
Stack overflows / SEH: Core, Assumed
DEP / ASLR bypass via ROP: Core, Core
Custom shellcode: Touched, Core, Core
Reverse engineering (IDA): Core, Core
Heap exploitation: Core
64-bit kernel exploitation: Core
Architecture focus: x64 Windows + AD, x86 Windows, x64 Windows + kernel

How to Sequence the Track

The conventional ordering is OSEP → OSWE → OSED → (optionally) OSEE. There are three reasons this works for most candidates.

First, OSEP is the closest neighbor to OSCP skill-wise, so the cognitive transition is gentler. You’re still doing penetration testing — just against harder targets. Second, OSWE and OSED test very different mental models (white-box source code review versus binary reverse engineering), so spacing them allows mode-switching without burnout. Third, OSED is the hardest of the three OSCE³ components for most candidates, and approaching it last means the OSCE³ payoff is immediate when you pass.

Candidates with strong web application security backgrounds sometimes invert and start with OSWE. That works. What rarely works: jumping straight to OSED without OSEP momentum, because EXP-301’s prerequisite assumptions about debugger comfort and assembly fluency are stricter than the marketing suggests.

OSEE should be a deliberate decision, not a natural progression. The cert pays off for vulnerability researchers, exploit developers at offensive firms, and red team members who specifically need 0-day capability. For most senior pentesters, the OSCE³ ceiling is more than sufficient.

Pricing, Subscriptions, and Retakes

Practical Considerations
Subscription vs. Standalone
Learn One: One-year access to a single 200- or 300-level course, associated labs, and two exam attempts. Best if you’re committing to one cert at a time.
Learn Unlimited: One-year access to all training materials and unlimited exam attempts for OSCP, OSDA, OSWA, OSWP, KLCP, OSWE, OSEP, OSED. Cost-effective if you’re attacking the OSCE³ in one push.
Aspire Discount: Learn One discounts of 10% / 15% / 20% if you already hold 1 / 2 / 3+ OffSec certifications. Some exclusions apply.
OSEE retakes: Not listed in the standard portal — submit a request to OffSec for retake pricing and scheduling. Cooling-off period applies after each unsuccessful attempt.
Expiration: OSEP, OSED, and OSEE do not expire. The “+” recertification model currently applies only to OSCP+, OSCC variants, OSTH, OSIR, and OSAI+.

Where the Track Falls Short

Three honest critiques apply across the advanced certs.

32-bit dominance in OSED. Modern exploitation is 64-bit. EXP-301’s commitment to x86 fundamentals is defensible pedagogically, but a candidate finishing OSED in 2026 still needs significant additional study — Corelan’s modern materials, OST2, sbug’s RET2 Systems courses — to be production-ready against current targets.

OSEE accessibility. In-person-only delivery makes the highest-tier cert structurally unavailable to anyone without travel budget or geographic proximity to Black Hat. OffSec has shown no public roadmap to virtualize EXP-401, and the rationale given (high-touch instruction) is plausible but constraining.

Reporting overhead. All three exams penalize weak documentation aggressively. Strong technical operators routinely fail because they didn’t screenshot the right artifact at the right moment, or didn’t record the exact command that produced an observed result. Treat report mechanics — file naming conventions, screenshot discipline, command logging — as a separate skill to drill before exam day.

Frequently Asked Questions

Do I need OSCP before attempting OSEP? Not formally, but practically yes. PEN-300 assumes OSCP-level enumeration, exploitation, and AD basics are reflexes. Candidates who skip ahead almost always end up grinding through fundamentals during paid lab time.

Is OSCE³ worth pursuing if I don’t already do all three disciplines at work? Depends on goals. The OSCE³ designation has measurable hiring value at consulting firms and senior red team roles. If your current job is web-only or AD-only, the off-discipline certs become learning investments rather than skill validations — still valuable, but on a longer payback timeline.

Can I prepare for OSED without OffSec’s course? You can build the skills via Corelan, OST2’s Architecture and Vulnerability classes, and HackTheBox’s exploit development tracks. The exam itself, however, is calibrated specifically to PEN-300 patterns of thought, and skipping the course raises difficulty meaningfully even for capable practitioners.

How much real-world tradecraft does OSEP teach versus exam-specific tricks? More than most certifications. The course’s evasion content tracks current EDR behavior closely enough that practitioners report applying techniques directly in client engagements. The gap between course and reality is smaller for OSEP than for OSED.

The Honest Verdict

The advanced track does what it’s designed to do: separate practitioners who can operate against defended environments from those who can only operate against undefended ones. OSEP is the most directly job-applicable. OSED is the most pedagogically intense and the one most likely to change how you read code. OSEE is a credentialing event for a small population of specialists and not something to chase for resume aesthetics alone.

If you’re sitting at OSCP and asking what’s next, the answer in 2026 is OSEP — start there, see how the evasion content lands, then decide whether the OSCE³ trifecta or something narrower fits your trajectory. The track rewards depth, not collection.
