OSCE3 Thoughts

offsec, certs, rants

“I just hope that I can pass my OSCP by the time I’m 30.” - me to a friend, circa 2018, 25 years old at the time. In 2017 I got my first job in tech with a background in finance and economics. In 2018, I transitioned to a Security Engineer job and started my career in infosec. I distinctly remember looking at the OSCP at the time and how insurmountable it seemed, thus the quote. 5 years later, just as I turned 30, I got my OSCE3 certification. Needless to say, I have exceeded my expectations by a decent amount.

Why do OSCE3

Primarily for myself. OSCP seemed impossible to me many years ago, but then I passed it on my first go and I have really learned that my limits were really self-imposed and I could go the distance if I wanted. So I figured I’d push as far as I could, and got about one OffSec cert/year ever since, mainly constrained by the fact that I kept trying to get my employer to pay for them instead of paying out of my own pocket. With the exception of OSEP where I failed the exam, I passed all the other exams on the first attempt. Here are some quick impressions about each of them.

OSEP

In my opinion, by far the most useful of the OSCE3 certifications if you are a generalist pentester. While web apps are most of our work, especially here in Europe, network pentests are still crucial for our fields of work and they can be quite novel and difficult puzzles to solve. OSEP gives you about an “intermediate” level of preparation for assessing an Active Directory network. It gives you the tools to navigate a forest, to exploit shares, to jump across hosts and to leverage the thousands of quirks that Kerberos has. It also provides you with a really decent baseline for antivirus evasion techniques. There is still a mountain of information to learn even after the exam, but it is a great platform to start on.

OSWE

I had the most fun with this as I love programming and reading code. The course does throw you off the deep end with some gigantic codebases, but gradually levels out as you progress through it. It does provide you with a solid base to start doing code review and even appsec. It has some marginal benefits for web pentesting too, so I would rank this 2nd as the most useful of the OSCE3 certifications. It is old and not as polished as OSEP/OSED but I’ve found the way it taught things more approachable. I think it’s very important for any infosec professional to be able to work with code and OSWE gets you far enough on that scale to create a solid foundation.

OSED

I will admit from the start that I wasn’t too interested in OSED as I couldn’t use it for my job and I merely did it as an intellectual exercise. I struggled a lot throughout the entire course as I didn’t really have any background or prior knowledge in this field. Eventually things started to click once I had a solid grasp on assembly and I managed to squeeze some fun out of the course. The exam was brutal, mainly because of the timeframe, but I managed to get a passing grade. Looking back at it, I think OSED barely gets you out of the beginner zone when it comes to vulnerability research and exploit development, but its strong focus on assembly will make future research easier.

OSCE3 impressions

If I am to think about practical reasons for doing OSCE3, there wouldn’t be many. OSEP was definitely useful for my career and came at the right time, but OSWE was a simple honing of the skills and OSED was entirely superfluous.

As for less practical reasons, I think OSCE3 has been incredibly beneficial for my confidence. I got into the tech and infosec world relatively late, at 25, and I struggled with imposter syndrome a lot.

My feelings

I consider OSCE3 as a good way of having a moderate to advanced level of knowledge of the infosec world. Most of all, I consider it an impressive proof of being able to learn large amounts of information in a short time and apply them in what feels like a crushingly short exam. Coming from the world of software development, there is some merit to having something conclude with an exam instead of a project that can always be improved. However, I do think there is an absolute glut of certifications in the infosec world and that the vast majority of them are not worth taking. OSCE3 might help you stand out but I would not consider it a requirement to have a successful infosec career.

The infosec world encompasses much more than what OSCE3 covers. Cloud security and bug bounty, to name just a few things. I know OffSec has some level 100 courses on those topics, but I’ve tried their cloud-100 course and found it abysmal in quality and functionality. Everything covered by the OSCE3 courses can be found freely (and more up to date) on the internet, although OffSec does save you time by putting all the relevant information in one place. I don’t regret doing it but I don’t think anyone should feel forced to do it.

What’s next?

I am keeping my day job as a pentester, although I am still trying to push for AppSec within my organization. Malware development is also interesting, as it is a fun puzzle, but I hardly get enough internal assessments to make it a priority. For my free time, I would be remiss to not mention LLMs. I have been toying and tinkering with AI for about 5 years now, and the prospect of affordable zero-shot learning is too enticing to pass on. I’m still struggling to find a proper use case for it in the infosec world that has a viable business strategy, but I am exploring and feeling things out and trying prototypes.

Crypto has a very mixed reputation and I have only touched it at a very shallow level, but I intend to dive deeper into it just to see what it’s all about. Lastly, there’s game development. I’m interested in this both because I love indie games, and because they tend to be a great programming challenge on getting things optimized.

Final thoughts

I’ve spent my 20s just learning things, as I had assumed I was clueless about the world. I had a startup attempt that didn’t really go anywhere because of a variety of reasons. Now that I’ve entered my 30s, I am trying to be a lot more selective with what I learn and I am trying to achieve true deep learning. It is the time to build and to apply all the knowledge gained in my 20s. I am grateful to have OSCE3 as a starting point, but I don’t want to lock myself purely within its confines as I find it too limiting for how vast and interesting the world of computers is. I hope that by the time I’m 40 I can look back on my 30s as a decade where I have built things people want. In the meantime, just keep on grinding.