Exam Structure and Scoring System
The OSCP exam consists of a 24-hour hands-on penetration test followed by another 24 hours to submit a comprehensive report. During the practical portion, candidates receive VPN access to an isolated exam network containing multiple target machines with varying operating systems and difficulty levels. Each machine carries specific point values based on complexity, with successful exploitation required to earn points. The exam network typically includes 5-6 machines with point distributions designed to test diverse skills.
Scoring follows a strict objective-based system where partial credit is rare. Candidates must achieve complete system compromise to earn full points for each target. Low-privilege shell access might earn partial points, but full points require obtaining administrator or root privileges. The passing score of 70 points demands successful exploitation of multiple systems, preventing candidates from passing through luck or limited expertise. This all-or-nothing scoring philosophy mirrors real-world engagements, where partial compromises provide limited value.
The examination network includes diverse target types testing different skill sets. Buffer overflow machines test binary exploitation abilities, requiring candidates to develop working exploits from scratch. Web application targets assess the ability to identify and exploit common vulnerabilities like SQL injection or file inclusion. Active Directory environments evaluate understanding of Windows domain attacks and lateral movement. Legacy systems test adaptability to older technologies. This variety ensures well-rounded penetration testers rather than specialists in a single area.
Bonus points provide slight scoring flexibility for well-prepared candidates. Completing all exercise questions in the course materials and documenting ten lab machine compromises earns 5 bonus points. These points can mean the difference between passing and failing for candidates achieving 65-69 points on exam machines. However, relying on bonus points is risky, because the lab report requires extensive documentation submitted with the exam report, adding significant preparation time.