My OSCE³ Journey
After five years of trying harder, my OSCE³ journey has officially come to an end. What began during the uncertainty of the pandemic has finally led to this moment.
For me, OSCE³ was never just about earning three certifications. It became a long test of patience, discipline, and commitment. There were times when I felt that progress was slow, my motivation plunged, and I sometimes thought it would be easier to quit. But what kept me going was not just my passion for offensive security, but also the desire to finish something meaningful that I had begun during a strange phase of everyone's life.
OSWE: From Auth Bypass to RCE
My OSCE³ journey began with WEB-300: Advanced Web Attacks and Exploitation.
I passed OSWE on April 14, 2022, after nearly a year of preparation. Even as I write this review, I still consider it one of the best white-box web exploitation certifications available. The course forces you to read real code, understand application logic, and trace vulnerabilities back to their root causes. It teaches a way of thinking that stays with you long after the exam is over and carries directly into real-world web application assessments.
But like any long-running program, I believe OSWE could benefit from periodic updates to reflect newer frameworks and architectures. That being said, its core strength remains unchanged. It teaches candidates to think like an attacker who understands the application from the inside, a skill that never really goes out of date. Newer certifications, such as CWEE, are exciting and promising. However, OSWE still sets a very high bar for web exploitation fundamentals.
OSEP: From Evasion to Domain Admin
After completing my OSWE certification in 2022, I immediately purchased the PEN-300: Evasion Techniques and Breaching Defenses course and began my preparation. Although I officially enrolled only a month before taking the exam in November, my real preparation started much earlier. I spent months solving HackTheBox's Cybernetics Pro Lab and focused heavily on defense evasion. I made sure I could reliably bypass a fully patched Windows Defender environment before committing to the course, and that preparation paid off.
For me, OSEP remains one of the strongest certifications for learning disciplined tradecraft inside Active Directory environments. However, the offensive security landscape is continuously evolving, with newer exams like CAPE addressing a wider range of modern Active Directory attack paths. Rather than replacing OSEP, these certifications complement each other effectively. OSEP builds a solid AV foundation, while CAPE expands on how those skills can be applied in today’s environments.
After OSEP, I took a long break from OSCE³. During this time, HackTheBox introduced Academy courses that include certifications. These courses offer modern labs, realistic attack scenarios, and a structured learning approach. As a result, I shifted my focus to HTB Academy. I successfully completed the CWES, CPTS, and CAPE certifications, as well as all three BlackSky Cloud Labs, which cover AWS, Azure, and GCP. Additionally, I earned the Certified Red Team Lead (CRTL) certification from ZeroPoint Security and completed the five EDR Bypass Challenge by HTB during my OSCE³ break.
During this period, I came close to letting go of the OSCE³ goal altogether. There was a lot of new material to explore, and it was easy to stay busy without looking back. But OSCE³ was never only about collecting certifications. It represented an original goal I set for myself: to reach a level of depth and completeness across offensive security domains.
OSED: From ROP Chains to Custom Shell
I returned for OSED last April 2025 and passed the exam 9 months after. EXP-301: Windows User Mode Exploit Development and its exam remains the most technically demanding part of OSCE³. Exploit development forces you to slow down and truly understand how systems work under the hood. Assembly, memory management, calling conventions, and ROP chains leave little room for guesswork. While tools and techniques evolve, the fundamentals taught by OSED continue to be directly relevant.
OSCE³ is not a static program, and like any long-standing certification track, it benefits from continuous refinement to keep pace with the industry. As offensive security evolves, so should the content. What has remained consistent throughout the years is the depth of learning it demands.
OSCE3 Trinity Certs in a jiffy
1. OSEP
OSEP simulates a realistic black-box penetration test against a mature enterprise environment protected by multiple defensive controls. The course focuses heavily on Windows defense evasion, advanced Active Directory attacks, privilege escalation, lateral movement, and post-exploitation tradecraft.
Required Skills
- Developing custom payloads to bypass Windows security mechanisms and AV defenses
- Strong understanding of advanced Active Directory attack paths and post-exploitation techniques
- Expertise in defense evasion, lateral movement, and privilege escalation
OSEP tests your ability to compromise and operate inside a hardened enterprise environment. Out of the three OSCE³ certifications, I found OSEP to be the most approachable. That doesn't mean it's easy. The key challenge is learning how to operate when traditional tools and payloads are no longer effective.
In my experience, candidates who can reliably bypass Windows Defender in the lab environment and complete the Extra Miles exercises along with several challenge labs will be well-prepared for the exam. The course teaches solid tradecraft and provides a strong foundation for modern Active Directory assessments.
2. OSWE
OSWE focuses on white-box web application penetration testing involving large and complex codebases.
Required Skills
- Source code review and vulnerability discovery across multiple technology stacks
- Developing custom exploit scripts for vulnerabilities ranging from authentication bypass to remote code execution
- Deep understanding of web exploitation techniques including deserialization, injection vulnerabilities, and access control weaknesses
- Proficiency in Python and familiarity with Java, .NET, PHP, JavaScript, and other popular frameworks
OSWE tests your ability to identify and exploit vulnerabilities through source code analysis. Unlike traditional web application exams that focus heavily on black-box testing, OSWE requires you to understand how an application works internally and identify flaws by reading the code itself.
Out of the three exams, OSWE was probably the most frustrating for me. Since candidates are not allowed to download the source code, the entire review process takes place through a remote desktop session. The latency may seem minor at first, but it becomes noticeable when you're tracing execution paths, jumping between files, and reviewing large codebases.
A few seconds of delay doesn't sound like much, but over the course of a 48-hour exam those delays accumulate and can have a real impact on your focus and momentum. Technical difficulty aside, adapting to that workflow is part of the challenge.
3. OSED
OSED centers on Windows user-mode exploit development and binary exploitation.
Required Skills
- Reverse engineering and vulnerability research
- Identifying and exploiting memory corruption vulnerabilities
- Constructing reliable exploits using techniques such as ROP
- Understanding Windows internals, debugging, shellcode development, and exploit mitigation bypasses
OSED tests your ability to develop reliable exploits for vulnerable binaries through reverse engineering and memory corruption.
Out of the three certifications, OSED was the one I enjoyed the most. There's something deeply satisfying about watching your custom exploit come together after hours of debugging and analysis. At the same time, it was easily the most technically demanding exam in the OSCE³ trilogy.
As always, OffSec has a habit of placing subtle traps in its challenges. It's easy to become confident that you're on the right track, only to discover hours later that you've overlooked a critical detail or made a faulty assumption. I don't want to reveal too much, but if you've taken other OffSec exams before, you already know what to expect: stay disciplined, question your assumptions, and don't force an attack path simply because you've already invested time into it.
Preparing for OffSec’s 48-Hour Exam Format
One thing all OSCE³ exams have in common is the 48-hour, fully hands-on format. This is where many technically capable candidates struggle, not because they lack skill, but because they are unprepared for the intensity and pacing.
The first key is endurance. Treat the exam like a marathon, not a sprint. Plan short sleep windows instead of pushing through all 48 hours straight. A clear mind at hour 30 is worth far more than brute force at hour 10.
Second, documentation is everything. From the first minute, take structured notes. Capture commands, payloads, offsets, credentials, screenshots, and reasoning. If something works once, document it immediately. During the exam, memory is unreliable and time pressure is constant.
Third, avoid rabbit holes. If an approach does not move you forward after a reasonable amount of time, park it and move on. OffSec exams reward methodical progress, not obsession with a single vector.
Fourth, automation helps, but understanding matters more. Scripts break, exploits fail, and environments behave unexpectedly. The candidates who pass are the ones who understand why something should work and can adjust when it does not.
Finally, practice under exam-like conditions before exam day. Set time limits for yourself. Solve labs without looking at notes. Practice writing reports while tired. The technical skills matter, but the ability to perform under pressure is what ultimately decides the outcome.
Useful Resources for Future OSCE³ Aspirants
Below are some practical GitHub repositories and links that actually help when preparing for OSWE, OSEP, and OSED.
OSWE (White-box Web Exploitation)
-
PayloadsAllTheThings
A massive collection of payloads and techniques. Useful not for copying exploits, but for understanding how vulnerabilities are abused. -
SecLists
Essential wordlists for web testing, fuzzing, and discovery. -
Web-CTF-Cheatsheet
Great for understanding common web vulnerability patterns and exploitation logic.
OSEP (Advanced AD and Evasion)
-
PrivescCheck
Excellent for understanding Windows privilege escalation techniques and misconfigurations. -
Inveigh
Helpful for understanding NTLM relaying and credential capture in AD environments. -
PowerShellMafia/PowerSploit
Classic PowerShell post-exploitation framework. Still useful for learning fundamentals even if you do not use it directly in exams.
OSED (Exploit Development)
-
Mona
A staple for exploit development and understanding memory corruption in Windows. -
Svenito Good collection of exploit development notes, examples, and methodology.
-
connormcgarr
Clear explanations of stack overflows, SEH, ROP, and Windows internals.
Final Thoughts
OSCE³ is not a certification you rush, and it is not one you complete by accident. It demands time, patience, and a willingness to sit with hard problems longer than is comfortable. Along the way, it tests not just what you know, but how you think and how you respond when things stop working.
There are many excellent certifications available today, and it is healthy to explore different paths and platforms. But the OSWE–OSEP–OSED combination remains one of the most respected certification tracks for demonstrating elite offensive security capability and technical depth. Together, these certifications span white-box web application exploitation, advanced network and Active Directory operations, and low-level binary exploitation and exploit development. Few certification paths require this level of proficiency across such diverse and technically demanding disciplines. As OffSec itself puts it: "There are certifications, and then there's OSCE³."
Five years after starting this journey during the pandemic, earning OSCE³ feels less like reaching a finish line and more like closure. It is a reminder that some goals are worth pursuing slowly, deliberately, and on your own terms.
~thekeym4ker