If you have been researching the Offensive Security Certified Professional lately, you have probably hit the same confusion thousands of other candidates have: is it OSCP, or is it OSCP+, and why are there suddenly two of them? The short version is that OffSec restructured the certification, removed the old 10 bonus points, and changed how the Active Directory set is scored. This OSCP vs OSCP+ breakdown walks through every change so you know exactly what you are signing up for in 2026.
Nothing about these changes should scare you off the cert. OSCP is still the most respected hands-on penetration testing qualification on the market, and employers still ask for it by name. But the rules have shifted in ways that affect how you study, how you budget your exam points, and what you have to do to keep the credential valid. Let us clear it up.
OSCP vs OSCP+: The Short Answer
When you pass the updated PEN-200 exam today, you do not choose between OSCP and OSCP+. You earn both in a single sitting. They are two versions of the same achievement with one critical difference: how long they stay valid.
- OSCP is valid for life. It never expires. This is the brand recruiters have known for over a decade and the one most job adverts still list.
- OSCP+ expires after three years. To keep the "+" you have to renew it through OffSec's continuing education process.
So the exam is one test, the pass mark is one number, and you walk away with two certificates. The OSCP proves you passed. The OSCP+ proves you passed recently and have stayed current. That is the entire distinction, and once you see it that way the rest of the changes make more sense.
Exam Tip: You do not need to sit a separate exam for OSCP+. Passing the current PEN-200 exam awards both OSCP and OSCP+ automatically. The "+" is simply the renewable, time-limited version of the same result.
The Bonus Points Are Gone
This is the change that matters most on exam day, and it is the one candidates are most anxious about.
Under the old system you could earn 10 bonus points by completing at least 80 percent of the PEN-200 course exercises and submitting a lab report covering 30 to 40 lab machines. Those 10 points were added straight onto your exam score. For years, that was the safety net that let borderline candidates cross the 70-point line without fully clearing every exam target.
In the updated exam, there are no bonus points. Whatever you score on the day is your final score. You have to earn all 70 points inside the live exam window, with no cushion carried in from your lab work.
What this means for your study plan
The practical effect is that the effective pass bar has gone up, even though the headline number (70 out of 100) has not moved. A candidate who used to plan for "60 points in the exam plus 10 bonus" now has to plan for 70 points cleanly. That is one extra standalone machine, or a much deeper push into the Active Directory set.
Two things follow from this:
- You can no longer skip the course exercises and lean on raw talent. The exercises were never the point of the bonus anyway, but the removal means your entire result now rests on exam-day performance. Practise until compromising boxes under time pressure feels routine.
- Point budgeting is now stricter. You need a realistic plan for where your 70 points are coming from before you start the clock, not a hopeful "I will figure it out" approach.
The Active Directory Set Changed (And It Is Mostly Good News)
The Active Directory portion of the OSCP exam has always been the part that breaks people. It is worth 40 of the 100 available points, which makes it impossible to ignore, and historically it was all-or-nothing: fail to complete the full domain compromise chain and you walked away with zero AD points.
Two things have changed here.
Assumed compromise starting point
The updated AD set uses an "assumed breach" model. Instead of having to find your own initial foothold into the domain, you start the AD portion with a standard low-privileged user account already in hand. Your job is to move from that standard user to full domain compromise.
This mirrors how real penetration tests and red team engagements actually begin, since assessors are frequently handed a normal user account to simulate a phished employee. It also removes one of the most frustrating exam failure modes, where a candidate lost the entire 40-point set simply because they could not get an initial foothold.
Partial credit within the AD set
This is the bigger shift. OffSec now awards partial points within the Active Directory chain. Previously you had to fully compromise the AD set to earn anything from it. Now you can pick up points for progress along the chain even if you do not reach full domain admin.
That single change softens the brutal all-or-nothing maths that used to sink so many attempts. It does not make the AD set easy, but it does mean a strong-but-incomplete AD effort now contributes to your score instead of counting for nothing.
Is the OSCP Exam Actually Harder Now?
Put the changes side by side and the picture is nuanced rather than simply "harder" or "easier."
| Element | Old OSCP | Updated OSCP / OSCP+ (2026) |
|---|---|---|
| Bonus points | Up to 10 from lab report + exercises | None, removed entirely |
| Pass mark | 70 / 100 | 70 / 100 (unchanged) |
| AD set value | 40 points | 40 points (unchanged) |
| AD scoring | All-or-nothing | Partial credit awarded |
| AD start | Find your own foothold | Assumed breach (standard user provided) |
| Standalone machines | 3 machines, 20 points each | 3 machines, 20 points each |
| Exam length | ~23h45m hacking + 24h report | ~23h45m hacking + 24h report (unchanged) |
| Validity | Lifetime | OSCP lifetime + OSCP+ 3-year renewable |
The exam itself, in terms of hours, machine count and pass mark, is unchanged. Losing the bonus points raises the effective bar. Gaining partial AD credit and an assumed-breach start lowers it. For most candidates the two roughly offset, but the balance of risk has moved: the exam now rewards broad, reliable exploitation across every target more than it rewards grinding lab exercises for a buffer.
Exam Tip: The exam runs for 23 hours and 45 minutes of hands-on hacking, followed by a separate 24-hour window to write and submit your professional penetration test report. You need 70 out of 100 points, and the report is mandatory. Skipping or fumbling the report can still cost you the pass even after a strong hacking session.
The New Renewal Rule: Keeping Your OSCP+
Because OSCP+ carries a three-year clock, you need to know how renewal works before your first attempt, not three years later.
Your lifetime OSCP never needs renewing. Only the "+" designation expires. To keep OSCP+ active, you complete one of three continuing education paths before the three-year expiry:
- Pass a recertification exam within six months of your "+" expiry date.
- Pass another qualifying OffSec certification exam before your "+" expires (for example moving up to a more advanced OffSec course counts).
- Complete OffSec's Continuing Professional Education (CPE) programme, accumulating the required professional education credits over the three years.
If you complete none of the three before the deadline, you simply revert to holding the lifetime OSCP without the "+". You do not lose the underlying achievement. In practice, many working penetration testers satisfy the renewal naturally by taking further OffSec certifications as their careers progress, so the "+" clock is less of a burden than it first sounds.
What OSCP / OSCP+ Costs in 2026
Pricing is bundled with the PEN-200 course, since you cannot buy an exam voucher on its own. The entry point depends on how much lab time you buy.
- PEN-200 course plus one exam attempt starts at roughly 1,599 to 1,749 US dollars, depending on whether you select 30, 60 or 90 days of lab access.
- Learn One is around 2,749 US dollars per year and includes two exam attempts plus a full year of lab time.
- Learn Unlimited is around 6,099 US dollars per year with unlimited exam attempts within the subscription period.
For most self-funded candidates the 90-day bundle or Learn One offers the best balance of lab time to price. Give yourself enough hands-on hours: rushing PEN-200 to save a few hundred dollars is a false economy when a re-take costs far more.
Should You Wait, or Sit It Now?
There is no version of "waiting for the next update" that helps you here. The changes are already live, the exam format is stable, and OSCP+ is now the standard result. If you were holding off to see whether the dust settled, it has.
- If you already started studying the old way, you are fine. The course content that prepares you for the exam is essentially unchanged. Just re-plan your point budget around having no bonus buffer.
- If you are new to offensive security, build your fundamentals first. Jumping straight into PEN-200 without solid Linux, networking and basic exploitation skills is the single most common reason people burn an expensive exam attempt. A structured foundation from a cert like CompTIA PenTest+ or hands-on labs pays off before you spend four figures on OSCP.
- If your goal is a penetration testing job, OSCP+ remains the credential that opens doors. The changes do not weaken its standing; if anything, the assumed-breach AD model makes it map more closely to real engagements.
OSCP+ in Your Wider Certification Path
OSCP does not exist in a vacuum. Where it sits in your roadmap depends on your target role.
For a pure offensive security or red team path, OSCP+ is often the milestone that turns a junior tester into a credible hire. Many candidates reach it after building broad security foundations first. If you are still weighing offensive certs against each other, our comparison of PenTest+ vs CEH helps you decide what to tackle before OSCP.
For blue team or SOC-focused careers, OSCP is less essential, and certs like CompTIA CySA+ or a defensive analyst track may serve you better. Knowing how attackers think is valuable everywhere, but the 24-hour OSCP gauntlet is aimed squarely at people who want to break in for a living.
Key Takeaways
- Passing PEN-200 now awards both OSCP (lifetime) and OSCP+ (three-year renewable). It is one exam, two certificates.
- The 10 bonus points are gone. You must earn all 70 points live, which raises the effective bar.
- The Active Directory set now uses an assumed-breach start and awards partial credit, softening its old all-or-nothing scoring.
- Exam length, machine count and the 70/100 pass mark are unchanged.
- Keep OSCP+ valid with a recert exam, another OffSec cert, or the CPE programme within three years. Your lifetime OSCP never expires.
Ready to Start Practising?
The OSCP is won or lost on hands-on repetition, but the certs you build on the way there reward disciplined, exam-realistic practice too. CertCrush gives you exam-style questions and study tracks across the security certifications that get you ready for offensive work, from PenTest+ fundamentals to the analyst skills that make you a stronger tester.
Build the foundation that makes OSCP achievable instead of expensive. Create your free CertCrush account to start practising today, or browse our full range of security certification courses to map out the path that leads to your first pentest role.