Offensive Security (now owned by INE) publishes three tiers of practical offensive certs that together form the most-respected credentialing stack in red team work. OSCP, OSEP, and the OSCE³ compound cert all require 24-hour-plus practical exams in lab environments, and they produce credentials that actually correlate with hiring manager confidence in the candidate.
Here is how the three fit together and which one belongs in your plan.
Quick overview
OSCP (Offensive Security Certified Professional)
- Course: PEN-200
- Exam: 24-hour practical + 24-hour report, 5 target machines
- Passing: 70/100 points
- Cost: ~$1,500 (includes 90-day lab access)
- Prereqs: basic Linux + networking + Python or Bash scripting
- Market role: penetration tester
OSEP (Offensive Security Experienced Penetration Tester)
- Course: PEN-300
- Exam: 48-hour practical + 24-hour report, multiple chained targets
- Passing: 100/100 (task-based, must complete enough)
- Cost: ~$2,500 (includes 90-day lab access)
- Prereqs: OSCP-level skills; official prereq is "OSCP or equivalent experience"
- Market role: senior pen tester, red teamer
OSCE³ (Offensive Security Certified Expert 3)
- Not a single exam — a compound cert
- Requires OSEP + OSWE + OSED
- OSWE (Web Attacks with Kali Linux, WEB-300)
- OSED (Exploit Development, EXP-301)
- Market role: senior red teamer, exploit developer, security researcher
The OSCP tier
OSCP is the market-standard pen testing cert. It is the one hiring managers name when they write offensive job descriptions. The 24-hour practical exam separates it from MCQ certs — you either can compromise the machines or you cannot, and your report must prove it.
What OSCP actually tests
You are given lab access for 90 days (extendable). The exam drops you into a network with 5 target machines. To pass, you compromise enough targets to earn 70 points. The point values are:
- Standalone targets: 20 points each
- Active Directory targets: 40 points as a set (must compromise the full chain)
You have 24 hours to exploit. Then 24 more hours to write a pen test report that documents your findings.
Skills tested: enumeration, web app attacks, privilege escalation (Linux and Windows), Active Directory attack chains, pivoting between networks, buffer overflow-adjacent exploitation (scaled down from older versions).
Who should take OSCP
If your career target is pen tester, senior pen tester, red team operator, or any offensive security role — yes. OSCP is essentially non-optional for those careers in 2026.
Study time for someone entering from a non-offensive IT background: 6–9 months of deliberate prep including 100+ HackTheBox / TryHackMe machines before even attempting the lab.
What OSCP does not prepare you for
OSCP is strong on network attacks, privilege escalation, and AD. It is weaker on:
- Deep web application exploitation (covered by OSWE)
- Exploit development (covered by OSED)
- Evasion techniques (covered by OSEP)
OSCP is the breadth cert. Depth requires the higher tiers.
The OSEP tier
OSEP (PEN-300) is the natural step up for pen testers who want to move into red team work. It focuses on evasion — getting past EDRs, antivirus, AMSI, AppLocker, WDAC. The course teaches post-exploitation techniques that reflect modern red-team engagements.
What OSEP tests
The exam is 48 hours of practical + 24 hours of report. You face multiple targets in a more complex environment than OSCP's lab. Passing requires not just compromising machines but doing so while evading defensive tooling.
Skills tested: advanced AD attacks (Kerberos, delegation chains), evasion of EDR and antivirus, PowerShell obfuscation, AMSI bypass, application whitelisting bypass, operational tradecraft.
Who should take OSEP
If you work or want to work in red team, specifically. Red team is adversary emulation against mature defensive controls. OSEP maps directly.
Study time: 3–6 months after OSCP. Budget the lab time.
Market signal
OSEP appears in 18% of red team job postings and ~6% of pen test postings. Lower absolute numbers than OSCP, but for red team specifically it is one of the top three credentials (alongside CRTO and SANS GXPN).
The OSCE³ tier
OSCE³ is not a single exam. It is earned by passing three exams: OSEP + OSWE + OSED.
OSWE (WEB-300)
Web application exploitation at depth. White-box testing focus — you get source code and find/exploit vulnerabilities.
Skills: authentication bypass, source code review, SQL injection at depth, type juggling, prototype pollution, server-side template injection, deserialization attacks.
Exam: 48-hour practical + 24-hour report. Compromise specific web apps.
Market role: web app pen test specialist, secure code reviewer, bug bounty hunter (high-tier).
OSED (EXP-301)
Exploit development for Windows. Low-level work: shellcoding, buffer overflows, ROP chains, format string bugs.
Skills: x86 assembly, WinDbg, writing Windows exploits from scratch, bypassing ASLR/DEP/CFG.
Exam: 48-hour practical + 24-hour report. Write exploits.
Market role: exploit developer, CVE hunter, security researcher at vendor.
The OSCE³ compound
Holding all three earns OSCE³. This is a top-tier credential. Maybe 200–400 people worldwide have all three as of early 2026. It signals "breadth across the three main offensive disciplines."
Market role: senior red team, principal security researcher, vulnerability research lead at large vendor.
Study time total for OSCE³: 12–24 months beyond OSCP. This is a serious commitment.
How to ladder through the stack
Year 0–1 (prep for OSCP)
- Linux admin fundamentals
- Networking (TCP/IP, routing, VPNs)
- Python + Bash scripting competence
- 50+ HackTheBox or TryHackMe machines
- Optional intermediate cert: PNPT or eCPPT
Year 1 (OSCP)
- 3–6 months PEN-200 course + lab
- Pass OSCP
- Land junior or mid-level pen testing role
Year 2–3 (specialize)
Pick based on career direction:
- Red team track: OSEP next. CRTO is a worthy alternative or companion.
- Web app track: OSWE next. PortSwigger Web Security Academy as prep.
- Exploit dev track: OSED next. Requires significant self-study first — this is the hardest of the three.
Year 3–5 (optional OSCE³)
Only if your career is specifically heading to principal-level red team or security research. For most pen testers and red teamers, OSCP + OSEP is enough. OSCE³ is for those who want to be at the top of the practitioner ladder.
Cost reality
Typical total cost through OSCE³:
- OSCP: $1,500
- OSEP: $2,500
- OSWE: $2,500
- OSED: $2,500
- Total courses: $9,000
If you fail any exam, retake fees are $249–$499 depending on the cert.
Most pen testers stop at OSCP. Red teamers stop at OSEP. OSWE and OSED are niche specialization investments.
What the certs do not replace
Real experience. OSCP prepares you to pass an OSCP lab exam. Real pen testing engagements involve client management, scope creep, social-engineering-of-executives-who-call-IT-security "nosy," explaining findings to people who do not understand them, writing reports that lead to remediation rather than filing. None of the OffSec certs teach you those skills. You learn them on the job.
A candidate with OSCP + OSEP + 2 years of real pen test work is more valuable than a candidate with OSCE³ + 6 months of post-cert experience. The certs are credentials; the work is the career.
The 2026 market context
Offensive security hiring has been tight since late 2024. Layoffs in tech have pushed senior people into the junior market, raising the credential bar for entry-level roles. OSCP was historically enough to land a junior pen test role. In 2026, OSCP + a senior home lab portfolio + OSWP or PNPT is the typical profile for junior hires at well-paying shops.
If you are starting today, budget 18–24 months before you can reasonably compete for a first offensive role. OSCP is the midway milestone, not the entry point.
The stack is the gold standard for good reasons. It rewards real skill. Treat it with the seriousness it rewards.