A Review of Offsec Exploit Developer (OSED) Certification and Exam

EXP-301-Offsec-Exploit-Developer

I recently passed the OSED (Offensive Security Exploit Developer) exam on, and I’m excited to share my experience with you. The OSED, officially known as EXP-301: Windows User Mode Exploit Development, is one of the most challenging yet rewarding certifications in the offensive security field. This exam isn’t just another checkbox on your certification list; it’s a deep dive into the fascinating world of exploit development that pushes you to think like both an attacker and a developer. If you’re considering taking this exam, buckle up, you’re in for an intense but incredibly educational ride.

Background

Before diving into the course, I had a solid foundation in penetration testing and buffer overflows from my my professional experience. However, OSED takes things to an entirely different level. This certification is part of Offensive Security’s OSCE3 certification track, alongside OSEP and OSWE. Unlike general penetration testing, OSED focuses exclusively on Windows exploit development, specifically targeting user-mode applications.

The course assumes you’re comfortable with C programming, can read and write Python scripts, and have at least a basic understanding of x86 assembly. If you’re completely new to exploit development, I’d honestly recommend getting familiar with these prerequisites first. That said, I dedicated roughly 45 days to studying for this exam, a relatively compressed timeline that required focused, consistent effort.

Course Info

The OSED course comes with comprehensive PDF materials (over 600 pages), video tutorials, and access to cloud-based labs. You get a VPN connection to the lab environment where you can practice on vulnerable applications specifically designed to teach various exploitation techniques.

The pricing as of February 2026:

  • Course + Cert Bundle comes with 90 days of lab access and with one exam attempt, which costs approximately $1,749 USD.
  • Learn One subscription, includes one year of access to course material, the associated labs, and two exam attempts which costs approximately $2,749 USD.

OffSec also offers extension options if you need more time, which many students opt for. What I appreciated most was the hands-on nature of everything. This isn’t a course where you passively watch videos, you’re constantly in your debugger, analyzing crashes, crafting exploits, and testing your code. The lab time is invaluable, and even with my compressed 45-day timeline, I used every available hour efficiently.

Syllabus Overview
  1. Windows User Mode Exploit Development: General Course Information
  2. WinDbg and x86 Architecture
  3. Exploiting Stack Overflows
  4. Exploiting SEH Overflows
  5. Introduction to IDA Pro
  6. Overcoming Space Restrictions: Egghunters
  7. Creating Custom Shellcode
  8. x64 Custom Shellcode Creation
  9. Reverse Engineering for Bugs
  10. Stack Overflows and DEP Bypass
  11. Stack Overflows and ASLR Bypass
  12. Format String Specifier Attack Part I
  13. Format String Specifier Attack Part II
  14. VMware Workstation Guest-To-Host Escape
  15. Trying Harder: The Labs

* please refer to official website for more up-to-date information about the course content.

The x64-Shellcode and VM-Escape modules were previously part of the EXP-401: Advanced Windows Exploitation (OSEE) certification, which has now been retired. While these advanced topics are currently included in the course materials, they are not yet part of the exam. However, OffSec has indicated they will be incorporated into the certification exam in the very near future, so future candidates should prepare accordingly.

Each module comes with detailed explanations, hands-on exercises, and challenge labs that mirror the exam difficulty.

The Exam

The OSED exam is a grueling 48-hour hands-on challenge where you’re given three exploitation targets. You have 48 hours to identify vulnerabilities, develop working exploits, and achieve code execution, followed by an additional 24 hours to write your professional penetration testing report.

My path to the exam was anything but smooth. I initially scheduled the exam for January 8th, but I have to take another certification exam around those dates, I had to reschedule. The second date was January 17th, but a work trip abroad forced yet another reschedule. Finally, I settled on February 20th, a Friday.

Here’s where things got really interesting: I had been awake for more than 30 hours, coming straight from a night shift at work. I was feeling sleepy at the start of the exam, and to make matters worse, there was an important registration I needed to handle at 11 AM. I wasn’t sure how long it would take. All these factors made the first day incredibly intense.

Day 1 – Friday:

06:00 AM: Logged into the proctoring system for identity verification
06:15 AM: Proctor was late, continued waiting
06:20 AM: Proctor joined and performed quick identity verification
06:31 AM: Received VPN credentials, attempted connection from host machine but couldn’t connect to exam VM
06:45 AM: Fell back to Kali VM, connection successful
06:50 AM: Tested portal connectivity and quickly skimmed through all challenges
07:10 AM: Decided to tackle the shellcoding challenge first
08:54 AM: Took a short power nap
09:59 AM: Resumed work on the shellcoding task
10:50 AM: POC was almost complete but left for prayer break before testing
03:53 PM: Returned from prayer and a half-hour sleep, started testing
04:35 PM: POC wasn’t compiling, discovered a few silly typos and a logical mistake
05:36 PM: The exam instructions required setting up “something” that wasn’t working for me. Tried troubleshooting, then left for Iftar and Taraweeh break
11:24 PM: Returned and opted for an alternative solution instead of following the exact exam instructions
11:36 PM: POC worked! Moved to the DEP bypass task
01:07 AM: Completed first half of the task, reached the ROP gadget phase, then left for sleep

Day 2 – Saturday:

10:05 AM: Resumed work and started building ROP gadgets
12:50 PM: Almost finished the ROP gadgets, tested Metasploit shellcode, it didn’t work
01:40 PM: After nearly an hour of troubleshooting, fell back to custom shellcode
02:10 PM: Took a one-hour break
03:15 PM: Resumed bad character removal in custom shellcode
05:00 PM: Removed all bad characters and successfully tested shellcode on development machine
05:35 PM: Left for Iftar, prayer, and Taraweeh
10:54 PM: Resumed exam (had to assist someone briefly after Taraweeh)
11:05 PM: Target successfully exploited! Took screenshots and added notes
11:10 PM: Started working on the ASLR/DEP bypass challenge
12:05 AM: Discovered the vulnerable function
01:15 AM: Created initial payload for the target application
01:45 AM: Continued dynamic analysis and found the sent payload in application memory
02:15 AM: Left for sleep

Day 3 – Sunday:

05:30 AM: Resumed session, took notes and necessary screenshots
06:15 AM: Finished the exam!

I spent the rest of Sunday writing my report and submitted it mid-Sunday night. The next morning, Monday, I received the email I’d been hoping for: “We are happy to inform you that you have successfully completed the Windows User Mode Exploit Development certification exam and have obtained your OffSec Exploit Developer (OSED) certification.

You need to successfully exploit at least two out of three targets to pass. The proctoring is done remotely via webcam, and you must maintain connectivity throughout. My biggest piece of advice? Take breaks, even when you feel the pressure mounting. I solved challenges faster after rest than grinding continuously.

The report writing is equally important, OffSec expects professional-grade documentation with clear proof-of-concept code, screenshots, and step-by-step explanations of your methodology.

Tips for Success

Pre-Exam Preparation

  1. Organize the full set of tools and notes you’ll use during the exam. Having everything ready saves precious time.
  2. Work on as many binaries as possible with protections enabled, such as DEP and ASLR. Real-world practice builds muscle memory.
  3. Build many ROP chains manually and become confident using any gadgets you encounter. Don’t rely solely on automated tools.
  4. Study assembly instructions needed to create custom shellcode. Understanding how instructions work at a granular level is crucial.
  5. Gain confidence using various Win32 APIs. Know their parameters, return values, and common usage patterns.
  6. Practice thoroughly with VirtualProtect, VirtualAlloc, and WriteProcessMemory, all three methods.
  7. Go through all course sections and redo exercises if needed for a refresher. Repetition solidifies knowledge.
  8. Set up your report template and organize your Python scripts folder beforehand. This streamlines your workflow during the exam.

During the Exam

  1. Sleep adequately before your exam time and be fully ready when it starts. Fatigue is your biggest enemy.
  2. Review the exam objectives more than once to fully understand each task and what’s required for full points. Missing requirements costs you.
  3. If you get stuck, take a short break, walk around, and get fresh air (after notifying your proctor). It helps more than you think.
  4. If you’re stuck on a challenge for too long, move on to another one and come back later. Don’t waste valuable hours.
  5. Adhere to exam rules and don’t try to violate them by any means. Disqualification isn’t worth it.
  6. Don’t get discouraged and keep your energy up. Every challenge has a solution, try looking at it from another angle.
  7. Once you complete a significant part, document it immediately and take brief notes for reference. During the course, practice by picking a challenge and writing a full report to familiarize yourself with reporting requirements.
  8. When reverse engineering, note down your payload restrictions for every code path. You will forget certain conditions as you progress through the exam.
  9. Schedule breaks every 2 hours and after every small or big victory. Everyone says this because it’s true, you are no exception!
  10. Add comments in both IDA and your scripts. Something may look straightforward now, but your sleep-deprived future self might spend expensive exam minutes or hours trying to understand past thoughts. Comment all parts of your code, including ROP gadgets and assembly. Your scripts will undergo so many changes that you might end up reverse-engineering your own code.
  11. You’re not always allowed to download binaries to analyze with IDA. Make sure you know how to perform tasks in WinDbg, like finding IAT addresses. I’ve heard of candidates failing because they downloaded a binary to resolve IAT entries in IDA when it wasn’t permitted.
  12. The course teaches you lots of assembly tricks if you read between the lines. Make sure you can work with available ROP gadget instructions. For example: How do you subtract when only add is available and there’s a bad character involved? Can xchg or push/pop be used as alternatives for the mov instruction? How do you compensate for side effects of certain assembly instructions?
  13. Organize your analysis visually:
    1. Red for potentially vulnerable memory corruption functions (memcpy, strcpy, memmove)
    2. Yellow for potential memory leaks (fopen, format string functions)
    3. Green if any of the above functions are deemed not vulnerable
    4. Blue for code paths leading to a vulnerable function
  14. In IDA, rename variables and functions as you discover their purpose. I sometimes used names like callsmemcpy1 for a function with a code path to a vulnerable memcpy function. A function calling this would become calls_calls_memcpy1, helping me track code paths to vulnerabilities.
  15. Try to automate repetitive tasks using pykd or other Python scripts. Use regex to filter gadgets, like: ^0x[0-9a-fA-F]{8}: mov eax, [a-Z]{3} ; ret
Resources

When preparing for the OSED exam or diving into Windows Exploit Development, there are a few key resources I found extremely helpful. While the course itself is comprehensive, these additional materials can really help deepen your understanding of Windows internals, security, and exploitation techniques.

  • Corelan tutorials (https://www.corelan.be/index.php/articles/)
    Detailed exploit development tutorials covering stack overflows, SEH exploits, and bypass techniques. Essential reading for understanding fundamental concepts with clear, practical examples.
  • FuzzySecurity tutorial (https://fuzzysecurity.com/tutorials.html)
    Excellent Windows exploitation write-ups with detailed walkthroughs on various vulnerability types, shellcoding techniques, and mitigation bypasses specifically tailored for Windows environments.
  • LiveOverflow YouTube channel (https://www.youtube.com/c/LiveOverflow)
    Visual learners will love these video tutorials covering binary exploitation, reverse engineering, and CTF challenges. Great for understanding complex concepts through practical demonstrations.
  • Windows Internals by Mark Russinovich
    The definitive guide to Windows architecture, kernel mechanisms, and system internals. Provides deeper OS understanding crucial for exploit development.
  • LiveOverflow YouTube channel (https://www.youtube.com/c/LiveOverflow)
    Visual learners will love these video tutorials covering binary exploitation, reverse engineering, and CTF challenges. Great for understanding complex concepts through practical demonstrations.
  • Windows Internals by Mark Russinovich
    The definitive guide to Windows architecture, kernel mechanisms, and system internals. Provides deeper OS understanding crucial for exploit development.
  • Practical Reverse Engineering by Bruce Dang – Complements IDA Pro training perfectly with hands-on exercises in x86/x64 reverse engineering, covering obfuscation techniques and real-world malware analysis.
  • OffSec Discord and forums – Community support is incredible, with fellow students sharing insights, troubleshooting tips, and encouragement. The collective knowledge and experience here is invaluable for overcoming challenges.
  • OSED-Utils (https://github.com/AtlasGondal/osed-utils) – A small collection of utilities like generating shellcode, finding gadgets etc and starter templates intended for OSED-style exploit development and Windows debugging workflows.

These resources will be incredibly helpful whether you’re working through the OSED exam or just expanding your knowledge of Windows security. The more you familiarize yourself with these sites, the better equipped you’ll be to handle the challenges in the exam and beyond.

FAQs

Most people spend 2-4 months with consistent daily practice, averaging 4-6 hours per day. However, your timeline can vary based on your background. I personally dedicated about 45 days with not very intensive focus. If you’re new to exploit development, I’d recommend taking the full 90 days to thoroughly absorb the material and practice extensively.

No, OSCP is not a prerequisite for OSED. While OSCP helps with general offensive security mindset and methodology, the technical skills required for OSED are quite different. OSED focuses on low-level binary exploitation, assembly, and debugger proficiency, whereas OSCP is broader and covers network penetration testing. Strong C programming and x86 assembly knowledge are more relevant prerequisites.

OffSec doesn’t publish official pass rate statistics for any of their certifications. However, based on community discussions and anecdotal evidence from forums and Discord servers, estimates suggest the first-attempt pass rate is around 40-50%. The exam is challenging, and many candidates require a second attempt. Thorough lab practice and understanding of core concepts significantly improve your chances.

Absolutely not. You must write custom exploits from scratch, that’s the entire point of the certification. Automated exploitation frameworks are prohibited. The exam tests your ability to manually identify vulnerabilities, craft exploits, write custom shellcode, and bypass protections using your own code. This requirement ensures you truly understand the exploitation process at a fundamental level.

Not necessarily. A Windows VM with 4GB RAM and a Linux VM for tooling should suffice for most tasks. I ran everything on a laptop with 16GB RAM total without major issues. That said, running IDA Pro and multiple debuggers simultaneously can be resource-intensive, so 16GB is more comfortable. Ensure your system can handle at least two VMs running concurrently, one for your attacking machine and one for analysis.

Yes! A good understanding of both x86 and x64 assembly will be super helpful, especially since a lot of the course revolves around reverse engineering. Also, being comfortable with C programming will make a big difference when you’re reading source code and working on exploits. Finally, some basic knowledge of Windows technologies will help you absorb the material more easily and give you a clearer understanding of how Windows works.

They’re fundamentally different beasts. OSCP is broader in scope, covering various penetration testing techniques across networks and systems. OSED is much deeper and more specialized, focusing exclusively on Windows exploit development. Many people find OSED more technically challenging because it requires low-level understanding of assembly, memory layouts, and protection mechanisms. If you enjoyed the buffer overflow portion of OSCP, you’ll likely find OSED fascinating but significantly more demanding.

Yes, absolutely, if you thoroughly understand and practice everything the course provides. The course gives you all the techniques and knowledge needed to pass the exam. However, success depends on how deeply you engage with the material. Completing all exercises, practicing on challenge labs, and genuinely understanding concepts (not just following steps) is crucial. Supplementary resources can deepen understanding, but the official material is sufficient.

Conclusion

Passing the OSED exam was one of the challenging and rewarding experiences of my cybersecurity career. Despite the compressed 45-day timeline, the scheduling mishaps, working night shifts, and starting the exam sleep-deprived, the journey taught me invaluable lessons about perseverance, time management, and deep technical understanding.

The course transformed my understanding of how software works at a fundamental level and gave me skills that directly apply to real-world vulnerability research and exploit development. The ability to analyze binaries, identify vulnerabilities, craft custom exploits, and bypass modern protections is a powerful skillset that sets you apart in the security field.

If you’re considering OSED, my advice is simple: commit fully, practice relentlessly, and don’t rush through the material. Even though I completed it in 45 days, I had prior experience and I am OSMR certified. Take the time you need, whether that’s 45 days or 90 days or even more to truly master the concepts. The journey is tough, but the knowledge you gain is absolutely worth it.

This certification has opened doors to advanced security roles and given me confidence in tackling complex binary exploitation challenges. The OSED isn’t just about passing an exam, it’s about genuinely becoming an exploit developer. And trust me, once you successfully pop that first shell with custom shellcode you wrote from scratch, bypassing DEP and ASLR with your own ROP chains, you’ll understand why this certification is so highly respected in the industry.

Now go exploit some binaries! You’ve got this.

A Review of macOS Control Bypass (OSMR) Certification and Exam

EXP-312-OSMR-Certification

OffSec’s macOS Control Bypass (OSMR) Certification is a special badge for cybersecurity experts who want to learn how to sneak past macOS security measures in real-world situations. As macOS becomes more popular in big companies, this certification is becoming a really valuable skill.

In this article, I’ll tell you everything you need to know about the OSMR certification, from what the course is like to how the exam works. I’ll also give you some tips to help you ace it. Whether you’re thinking about getting this certification or just curious about it, you’ll find this information helpful.

Background

Offensive Security (OffSec) has built a solid reputation in the cybersecurity world thanks to its hands-on, practical approach to training. Their certifications, like the OSCP (Offensive Security Certified Professional) and OSCE (Offensive Security Certified Expert), are highly respected by professionals and employers alike. The OSMR (macOS Control Bypass) certification is a bit more niche, focusing specifically on macOS security and the techniques used to bypass its built-in protections.

The OSMR exam challenges you to identify and exploit vulnerabilities within macOS systems, skills that are becoming more crucial as Apple devices gain popularity in enterprise environments. If you’re working with or around Apple ecosystems, mastering macOS security and control bypassing is a superpower!

As someone who’s been using Mac for over a decade, I’m pretty familiar with the ins and outs of macOS. Plus, since macOS is a Unix-based system and I have a solid foundation in Linux, I definitely feel like I have an edge when it comes to understanding macOS from both a user and security perspective.

Course Info

The OSMR course offers hands-on experience and is designed for those serious about mastering Apple’s operating system. It focuses on two crucial areas: local privilege escalation and bypassing macOS security controls like System Integrity Protection (SIP) and Transparency, Consent, and Control (TCC).

Throughout the course, you’ll look into macOS system internals, gaining a deeper understanding of how the OS functions internally. This knowledge is essential for discovering vulnerabilities, exploiting weaknesses, and ultimately bypassing protections to gain control over macOS systems. You’ll also explore real-world vulnerabilities—both within macOS itself and in third-party applications—and learn how to identify and exploit them.

Previously, the course content was based on Intel architecture, but with the shift to Apple’s new ARM-based Macs, as of this writing in February 2025, the course has been fully updated to focus on the latest ARM architecture. This update ensures you’re learning the most relevant techniques for exploiting and bypassing macOS security on Apple’s newest architecture.

The OSMR course starts at $1,749, which might be steep for some, but the value is undeniable for serious security researchers. Additionally, since remote labs are discontinued, you’ll need a MacBook with an M-series chip and 1TB of storage for your local lab setup, adding another $1,000 to the total cost.

Syllabus Overview
  1. macOS Control Bypasses
  2. Virtual Machine Setup Guide
  3. Introduction to macOS
  4. macOS Binary Analysis Tools
  5. The Art of Crafting the Shellcodes
  6. Dylib Injection
  7. The Mach Microkernel
  8. XPC Attacks
  9. Function Hooking on macOS
  10. The macOS Sandbox
  11. Bypassing Transparency, Consent and Control (TCC)
  12. Gatekeeper Internals
  13. Bypassing Gatekeeper
  14. Symlink & Hardlink Attacks
  15. Injecting Code into Electron Apps
  16. Penetration Testing on macOS

* please refer to official website for more up-to-date information about the course content.

The Exam

The OSMR certification exam was not so easy because it puts your knowledge of exploit development and security control bypasses to the limit. It’s not an exam you can just walk through without serious preparation. The exam has four tasks, each focusing on important areas like reverse engineering, crafting exploits, bypassing security measures, and creating custom shellcode—all of which are covered in the course. While the exam tests your technical skills, it also requires you to think critically and logically about how to approach each task. You’ll need to apply the course material in ways that allow you to work through complex scenarios under pressure. The tasks are designed to reflect real-world exploit development challenges, so a solid understanding of both theory and practice is essential.

We have 47 hours and 45 minutes (almost 2 days) to complete the exam. It might seem like a lot of time at first, but it’s actually just the right amount of time to test both your technical skills and your time management skills. You need to obtain 70 points out of 80 points to earn the certificate. The exam is not very challenging but thoroughly tests most of the concepts taught in the course, and it definitely represents the key takeaways from the course.

One important lesson I learned: you need to understand not just how to solve each task, but how the tasks interconnect with the overarching concepts of the course. If you’re unclear on the big picture, you’ll likely struggle. The exam really emphasizes the importance of having a solid, repeatable methodology for exploit development and testing. I strongly recommend taking the time to not only complete the course but also to synthesize your own methodology for macOS exploitation before attempting the exam.

I originally scheduled my exam for December 17, 2024, at 11:00 PM UTC+5, but unfortunately, it got canceled due to some unexpected maintenance, so I had to reschedule. I chose January 26, 2025, at 5:00 AM UTC+5 for my new exam date and here’s how the day went:

04:45 AM: Logged into the proctoring system for the identity check.
05:05 AM: Got my VPN credentials, but hit a roadblock—couldn’t connect from my Mac host. Tried transferring the Kali VM, but still no luck. 😢
06:45 AM: Finally solved the issue by adjusting the MTU size and managed to get connected to the VPN.
06:55 AM: Tested the portal connectivity and decided to take a short break to reset.
07:10 AM: Came back, joined the exam, and quickly skimmed through all the challenges.
07:20 AM: Decided to tackle the challenges in order, starting with Challenge 1.
07:50 AM: Discovered the first vulnerability and started working on the exploit.
08:30 AM: Took a break for breakfast.
09:15 AM: Ran into a problem—the exploit code wasn’t working, so I started testing alternative approaches.
10:30 AM: Finally, after a lot of trial and error, I had a working payload!
10:50 AM: Successfully exploited the target and set up persistence.
11:00 AM: Took another break.
11:15 AM: 10 points down, so I started the second challenge worth 30 points.
11:30 AM: Shortlisted a few exploit pathways.
01:25 PM: Got to the end of my shortlisted paths, but all of them were failing.
01:30 PM: Took a break for lunch to clear my head.
02:15 PM: Finally found the right exploit pathway, so I worked on preparing the payload.
02:30 PM: Target exploited and persistence achieved.
02:45 PM: Took another quick break to refresh.
03:00 PM: 40 points down, now onto the next 30-point challenge.
03:30 PM: This one was a bit tricky, but thanks to my prior Linux experience, I knocked it out in about 10 minutes. 😉
03:50 PM: Reviewed the last challenge and took another short break.
04:20 PM: Wasn’t too worried about this challenge since I had a good sense of how to approach it, so I dove in with confidence.
05:30 PM: Made a silly mistake—ended up troubleshooting it for over two hours.
07:45 PM: Finally got the payload fixed and had completed all the challenges.
08:00 PM: Took a break to get some sleep.
09:00 AM: Woke up, and reviewed all the screenshots and details.
10:00 AM: Began writing the report.
02:00 PM: Finished the report and wrapped up the exam.
05:00 PM: Sat down for another two hours to review and polish my report.
07:30 PM: Submitted my report to Offensive Security.

Then, after four days of waiting, I finally got the email I had been hoping for: “We are happy to inform you that you have successfully completed the macOS certification exam and have obtained your Offsec macOS Researcher (OSMR) certification.” 🎉

It was a rollercoaster of a day, but it felt amazing to finally cross the finish line!

Resources

When preparing for the OSMR exam or diving into macOS research, there are a few key resources I found extremely helpful. While the course itself is comprehensive, these additional materials can really help deepen your understanding of macOS internals, security, and exploitation techniques.

  • OS Internals Books (https://newosxbook.com/jbooks.html)
    These books dive into macOS internals in three parts: user mode, kernel mode, and security. They’re packed with detailed information and even discuss real-world vulnerabilities, like the ones used in the Pegasus ZeroClick RCE attack.
  • The Mac Hacker’s Handbook (https://www.amazon.com/Mac-Hackers-Handbook-Charlie-Miller/dp/0470395362)
    This is a must-read for anyone interested in macOS security. Written by Charlie Miller, it covers a wide range of hacking and exploitation techniques for macOS.
  • Eclectic Light (https://eclecticlight.co/mac-problem-solving/)
    The Eclectic Light website has a ton of valuable articles on macOS technologies. It’s great for understanding how macOS works under the hood and for troubleshooting various macOS-related issues.
  • Sektion Eins Blog (https://www.sektioneins.de/categories/blog.html)
    This site features in-depth vulnerability analysis and exploit research focused on macOS, making it an excellent resource for security researchers.
  • Objective-See Blog (https://objective-see.org/blog.html)
    Known for its macOS security tools, Objective-See also has a great blog that covers vulnerabilities and security techniques for macOS.

Additional Research Resources:

  • Apple Developer Documentation: (https://developer.apple.com/documentation/) – Official Apple documentation for APIs and macOS internals.
  • PRZHU’s Blog: (https://przhu.github.io) – A blog with vulnerability analysis and research on macOS.
  • Knight Security Research: (https://knight.sc) – Security-focused site with research on macOS and other platforms.
  • The Evil Bit: (https://theevilbit.github.io/posts/) – Exploit research and vulnerability analysis, including macOS.
  • Nshipster: (https://nshipster.com) – A developer resource for macOS technologies and APIs.
  • HackTricks – macOS Red Teaming: (https://book.hacktricks.xyz/macos-hardening/macos-red-teaming) – A comprehensive guide for red teaming techniques on macOS.

These resources will be incredibly helpful whether you’re working through the OSMR exam or just expanding your knowledge of macOS security. The more you familiarize yourself with these sites, the better equipped you’ll be to handle the challenges in the exam and beyond.

FAQs

Before jumping in, make sure you’re comfortable with these topics:

  • x86-64 Assembly: You’ll be diving into reverse engineering and exploitation, so understanding assembly is key.
  • C & Objective-C Programming: You’ll need to read and write C code, as well Objective-C, as it’s crucial for exploit development.
  • Debuggers and Exploit Development: Having hands-on experience with tools like GDB or LLDB will make things much smoother.

You’ll know you’re ready when you’ve worked through all the exercises (and gone the extra mile). If you feel confident about the material and have a good grasp on everything, then it’s exam time! Just make sure you’ve really internalized the concepts before hitting submit.

The course is mainly focused on macOS, so it won’t teach iOS exploit development directly. However, many of the skills and concepts you’ll learn here—like reverse engineering, and exploit creation—are transferable to iOS. It might not be a direct path, but it can definitely point you in the right direction.

It can take up to 10 business days to get your results, but don’t worry, it’s usually faster. For me, I got my results in about 4 days after submitting the exam report.

If you need more details or have questions, check out these resources:

  • EXP-312: Advanced macOS Control Bypasses – The official course page.
  • EXP-312: OSMR Exam Guide – All the info you need specifically for the exam.
  • OSMR Exam FAQ – The official FAQ from OffSec.
  • For real-time help, join OffSec’s Discord. There’s a channel specifically for EXP-312 (exp-312-general) where the community can answer your questions.

Yes! A good understanding of both Intel and ARM assembly will be super helpful, especially since a lot of the course revolves around reverse engineering with tools like Hopper. Also, being comfortable with C and Objective-C will make a big difference when you’re reading source code and working on exploits. Finally, some basic knowledge of macOS technologies (like XPC and TCC) will help you absorb the material more easily and give you a clearer understanding of how macOS works.

If your goal is just to get the certificate, then yes, the exercises and extra miles will more than prepare you for the exam. The exam itself isn’t overly difficult as long as you’ve done the work. But if you want to really push yourself and dig deeper, I’d recommend going beyond the exercises and practicing even more. That way, you’ll get a more thorough understanding of the material.

You’ll need Hopper or another disassembler to tackle the reverse engineering tasks. It’s also a good idea to be familiar with debugging tools like LLDB, Radare2, or Cutter. Since the exam is remote, make sure your setup is solid and you’re comfortable with all your tools before diving in. It’s important to double-check that your system meets the exam requirements to avoid any surprises. And just a heads-up—since labs are discontinued in November 2024, you’ll need to set up your own lab environment for the exam.

Conclusion

I’m really glad I took the OSMR course. It expanded my understanding of macOS security and made me a better pen tester. While the price might be a bit high for some, especially with the discontinuation of labs, it’s definitely worth it if you’re serious about security research in the Apple ecosystem.

For the exam, managing stress is key, take breaks when needed, and make sure to practice all the exercises. The course content is top-notch, constantly updated, and it’s one of the best resources out there for macOS exploitation.

Whether you’re a pen tester, security researcher, or macOS developer, this course is a fantastic choice. It teaches you the skills you need to approach real-world macOS security challenges. I’d take it again in a heartbeat and look forward to what’s next with OffSec.