
200+ Free OSEP Practice Questions

Pass your OSEP OffSec Experienced Penetration Tester exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately

200+ Questions, 100% Free


2026 Statistics

Key Facts: OSEP Exam

  • 47h 45m: Technical exam window (source: OffSec)
  • 24 hrs: Report deadline (source: OffSec)
  • 100 pts: Alternate pass path (source: OSEP FAQ)
  • secret.txt: Objective pass path (source: OSEP FAQ)
  • 10 pts: Per local/proof flag (source: OSEP FAQ)
  • $1,749+: Current entry price (source: OffSec)

As of March 10, 2026, OffSec lists PEN-300 / OSEP at a $1,749 starting price via the Course + Certification Exam Bundle and $2,749 via Learn One. The official OSEP exam gives candidates 47 hours and 45 minutes for the technical challenge plus 24 hours for the report, uses 10-point local.txt/proof.txt flags, keeps the total machine count secret, and can be passed either by achieving the control-panel objective via secret.txt or by earning at least 100 points. OffSec publishes the PEN-300 syllabus and exam format, but not a formal percentage-by-domain blueprint, so the practice-question weights below are syllabus-based rather than official exam percentages.

About the OSEP Exam

OSEP validates advanced enterprise penetration testing skill in hardened environments. The official OffSec exam is a proctored, open-book, hands-on corporate-network simulation that emphasizes client-side tradecraft, defense evasion, multi-hop lateral movement, and Active Directory abuse rather than multiple-choice recall.

  • Assessment: Performance-based corporate-network assessment with hidden machine count and 10-point flags
  • Time limit: 47 hours 45 minutes + 24 hours to submit the report
  • Passing score: Objective completion or 100 points
  • Exam fee: $1,749 starting price (OffSec)

OSEP Exam Content Outline

  • Client-Side Execution and Payload Development (20%): Programming basics, Win32 API usage, Office tradecraft, Windows Script Host droppers, and process-injection concepts used to gain initial footholds.
  • Defense Evasion and Filter Bypass (25%): Antivirus evasion, AMSI and Defender bypasses, AppLocker and Constrained Language Mode abuse, and techniques for slipping past DNS, proxy, and HTTPS inspection controls.
  • Post-Exploitation and Credential Access (15%): Linux persistence and hijacking opportunities, kiosk breakouts, Windows credential material, tokens, Kerberos artifacts, and offline dump handling.
  • Lateral Movement and Infrastructure Abuse (15%): Windows and Linux lateral movement paths, DevOps and Artifactory abuse, Kerberos on Linux, SSH tradecraft, and Microsoft SQL Server pivoting.
  • Active Directory and Multi-Forest Operations (20%): AD object permission abuse, delegation attacks, forest trust abuse, and chaining footholds into domain or forest compromise.
  • Exam Workflow and Reporting (5%): Scoring, secret.txt objectives, hidden machine-count implications, allowed resources, reporting requirements, and proctored-exam workflow.

How to Pass the OSEP Exam

What You Need to Know

  • Passing score: Objective completion or 100 points
  • Assessment: Performance-based corporate-network assessment with hidden machine count and 10-point flags
  • Time limit: 47 hours 45 minutes + 24 hours to submit the report
  • Exam fee: $1,749 starting price

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

OSEP Study Tips from Top Performers

1. Treat OSEP as methodology plus tradecraft: weak enumeration and poor note taking sink more candidates than isolated tool gaps.
2. Write or adapt your own payloads enough to understand how API calls, staging choices, and execution context affect detections.
3. Drill AMSI, AppLocker, CLM, and network-filter bypasses as decision trees so you can change approach quickly when one path fails.
4. Practice both Windows and Linux lateral movement because the exam environment is mixed even though Windows topics dominate the syllabus.
5. Rehearse SQL Server abuse, delegation attacks, and forest-trust logic until you can explain why a path works before you run tooling.
6. During practice, document flags, IP context, commands, screenshots, and rationale in real time so report writing is cleanup rather than reconstruction.

Frequently Asked Questions

What is the OSEP exam format?

The official OSEP exam is a proctored, hands-on penetration test in OffSec's private VPN. OffSec states that you receive 47 hours and 45 minutes for the technical challenge and another 24 hours to submit your documentation, and the machine count is intentionally not disclosed to candidates.

How do you pass OSEP?

OffSec's OSEP FAQ says there are two passing paths. You either complete the control-panel objective proved by obtaining secret.txt, or you earn at least 100 points from local.txt and proof.txt flags, each worth 10 points.

How many machines are in the OSEP exam?

OffSec does not publish the total machine count. The FAQ explicitly says the exam simulates a black-box corporate penetration test and that the total number of machines is an exam secret that candidates must enumerate during the assessment.

Can I use notes or outside resources during OSEP?

Yes, OSEP is open-book. OffSec allows your own notes, online resources, and the OffSec Learning Platform, but prohibits AI chatbots and LLMs with direct prompt access during the live exam, and all activity must occur on the monitored host machine.

What changed for OSEP in 2026?

As of March 10, 2026, I did not find an official OffSec announcement of a new OSEP blueprint, scoring overhaul, or separate OSEP+ designation. The main current policy change in the broader OffSec ecosystem is the CPE and maintenance framework for expiring plus-style certifications such as OSCP+, and OSEP is listed as one qualifying higher-level exam for maintaining OSCP+, but OffSec's public OSEP materials still describe OSEP itself as the same PEN-300 certification.

How should I prepare for OSEP?

Prepare like a lab exam, not a trivia test. Focus heavily on the PEN-300 themes OffSec publishes: client-side execution, evasion, AppLocker and AMSI bypasses, credential access, lateral movement, SQL abuse, and Active Directory delegation or trust attacks, then practice documenting every step well enough that a grader could reproduce it.