A Review of Offsec Exploit Developer (OSED) Certification and Exam

EXP-301-Offsec-Exploit-Developer

I recently passed the OSED (Offensive Security Exploit Developer) exam on, and I’m excited to share my experience with you. The OSED, officially known as EXP-301: Windows User Mode Exploit Development, is one of the most challenging yet rewarding certifications in the offensive security field. This exam isn’t just another checkbox on your certification list; it’s a deep dive into the fascinating world of exploit development that pushes you to think like both an attacker and a developer. If you’re considering taking this exam, buckle up, you’re in for an intense but incredibly educational ride.

Background

Before diving into the course, I had a solid foundation in penetration testing and buffer overflows from my my professional experience. However, OSED takes things to an entirely different level. This certification is part of Offensive Security’s OSCE3 certification track, alongside OSEP and OSWE. Unlike general penetration testing, OSED focuses exclusively on Windows exploit development, specifically targeting user-mode applications.

The course assumes you’re comfortable with C programming, can read and write Python scripts, and have at least a basic understanding of x86 assembly. If you’re completely new to exploit development, I’d honestly recommend getting familiar with these prerequisites first. That said, I dedicated roughly 45 days to studying for this exam, a relatively compressed timeline that required focused, consistent effort.

Course Info

The OSED course comes with comprehensive PDF materials (over 600 pages), video tutorials, and access to cloud-based labs. You get a VPN connection to the lab environment where you can practice on vulnerable applications specifically designed to teach various exploitation techniques.

The pricing as of February 2026:

  • Course + Cert Bundle comes with 90 days of lab access and with one exam attempt, which costs approximately $1,749 USD.
  • Learn One subscription, includes one year of access to course material, the associated labs, and two exam attempts which costs approximately $2,749 USD.

OffSec also offers extension options if you need more time, which many students opt for. What I appreciated most was the hands-on nature of everything. This isn’t a course where you passively watch videos, you’re constantly in your debugger, analyzing crashes, crafting exploits, and testing your code. The lab time is invaluable, and even with my compressed 45-day timeline, I used every available hour efficiently.

Syllabus Overview
  1. Windows User Mode Exploit Development: General Course Information
  2. WinDbg and x86 Architecture
  3. Exploiting Stack Overflows
  4. Exploiting SEH Overflows
  5. Introduction to IDA Pro
  6. Overcoming Space Restrictions: Egghunters
  7. Creating Custom Shellcode
  8. x64 Custom Shellcode Creation
  9. Reverse Engineering for Bugs
  10. Stack Overflows and DEP Bypass
  11. Stack Overflows and ASLR Bypass
  12. Format String Specifier Attack Part I
  13. Format String Specifier Attack Part II
  14. VMware Workstation Guest-To-Host Escape
  15. Trying Harder: The Labs

* please refer to official website for more up-to-date information about the course content.

The x64-Shellcode and VM-Escape modules were previously part of the EXP-401: Advanced Windows Exploitation (OSEE) certification, which has now been retired. While these advanced topics are currently included in the course materials, they are not yet part of the exam. However, OffSec has indicated they will be incorporated into the certification exam in the very near future, so future candidates should prepare accordingly.

Each module comes with detailed explanations, hands-on exercises, and challenge labs that mirror the exam difficulty.

The Exam

The OSED exam is a grueling 48-hour hands-on challenge where you’re given three exploitation targets. You have 48 hours to identify vulnerabilities, develop working exploits, and achieve code execution, followed by an additional 24 hours to write your professional penetration testing report.

My path to the exam was anything but smooth. I initially scheduled the exam for January 8th, but I have to take another certification exam around those dates, I had to reschedule. The second date was January 17th, but a work trip abroad forced yet another reschedule. Finally, I settled on February 20th, a Friday.

Here’s where things got really interesting: I had been awake for more than 30 hours, coming straight from a night shift at work. I was feeling sleepy at the start of the exam, and to make matters worse, there was an important registration I needed to handle at 11 AM. I wasn’t sure how long it would take. All these factors made the first day incredibly intense.

Day 1 – Friday:

06:00 AM: Logged into the proctoring system for identity verification
06:15 AM: Proctor was late, continued waiting
06:20 AM: Proctor joined and performed quick identity verification
06:31 AM: Received VPN credentials, attempted connection from host machine but couldn’t connect to exam VM
06:45 AM: Fell back to Kali VM, connection successful
06:50 AM: Tested portal connectivity and quickly skimmed through all challenges
07:10 AM: Decided to tackle the shellcoding challenge first
08:54 AM: Took a short power nap
09:59 AM: Resumed work on the shellcoding task
10:50 AM: POC was almost complete but left for prayer break before testing
03:53 PM: Returned from prayer and a half-hour sleep, started testing
04:35 PM: POC wasn’t compiling, discovered a few silly typos and a logical mistake
05:36 PM: The exam instructions required setting up “something” that wasn’t working for me. Tried troubleshooting, then left for Iftar and Taraweeh break
11:24 PM: Returned and opted for an alternative solution instead of following the exact exam instructions
11:36 PM: POC worked! Moved to the DEP bypass task
01:07 AM: Completed first half of the task, reached the ROP gadget phase, then left for sleep

Day 2 – Saturday:

10:05 AM: Resumed work and started building ROP gadgets
12:50 PM: Almost finished the ROP gadgets, tested Metasploit shellcode, it didn’t work
01:40 PM: After nearly an hour of troubleshooting, fell back to custom shellcode
02:10 PM: Took a one-hour break
03:15 PM: Resumed bad character removal in custom shellcode
05:00 PM: Removed all bad characters and successfully tested shellcode on development machine
05:35 PM: Left for Iftar, prayer, and Taraweeh
10:54 PM: Resumed exam (had to assist someone briefly after Taraweeh)
11:05 PM: Target successfully exploited! Took screenshots and added notes
11:10 PM: Started working on the ASLR/DEP bypass challenge
12:05 AM: Discovered the vulnerable function
01:15 AM: Created initial payload for the target application
01:45 AM: Continued dynamic analysis and found the sent payload in application memory
02:15 AM: Left for sleep

Day 3 – Sunday:

05:30 AM: Resumed session, took notes and necessary screenshots
06:15 AM: Finished the exam!

I spent the rest of Sunday writing my report and submitted it mid-Sunday night. The next morning, Monday, I received the email I’d been hoping for: “We are happy to inform you that you have successfully completed the Windows User Mode Exploit Development certification exam and have obtained your OffSec Exploit Developer (OSED) certification.

You need to successfully exploit at least two out of three targets to pass. The proctoring is done remotely via webcam, and you must maintain connectivity throughout. My biggest piece of advice? Take breaks, even when you feel the pressure mounting. I solved challenges faster after rest than grinding continuously.

The report writing is equally important, OffSec expects professional-grade documentation with clear proof-of-concept code, screenshots, and step-by-step explanations of your methodology.

Tips for Success

Pre-Exam Preparation

  1. Organize the full set of tools and notes you’ll use during the exam. Having everything ready saves precious time.
  2. Work on as many binaries as possible with protections enabled, such as DEP and ASLR. Real-world practice builds muscle memory.
  3. Build many ROP chains manually and become confident using any gadgets you encounter. Don’t rely solely on automated tools.
  4. Study assembly instructions needed to create custom shellcode. Understanding how instructions work at a granular level is crucial.
  5. Gain confidence using various Win32 APIs. Know their parameters, return values, and common usage patterns.
  6. Practice thoroughly with VirtualProtect, VirtualAlloc, and WriteProcessMemory, all three methods.
  7. Go through all course sections and redo exercises if needed for a refresher. Repetition solidifies knowledge.
  8. Set up your report template and organize your Python scripts folder beforehand. This streamlines your workflow during the exam.

During the Exam

  1. Sleep adequately before your exam time and be fully ready when it starts. Fatigue is your biggest enemy.
  2. Review the exam objectives more than once to fully understand each task and what’s required for full points. Missing requirements costs you.
  3. If you get stuck, take a short break, walk around, and get fresh air (after notifying your proctor). It helps more than you think.
  4. If you’re stuck on a challenge for too long, move on to another one and come back later. Don’t waste valuable hours.
  5. Adhere to exam rules and don’t try to violate them by any means. Disqualification isn’t worth it.
  6. Don’t get discouraged and keep your energy up. Every challenge has a solution, try looking at it from another angle.
  7. Once you complete a significant part, document it immediately and take brief notes for reference. During the course, practice by picking a challenge and writing a full report to familiarize yourself with reporting requirements.
  8. When reverse engineering, note down your payload restrictions for every code path. You will forget certain conditions as you progress through the exam.
  9. Schedule breaks every 2 hours and after every small or big victory. Everyone says this because it’s true, you are no exception!
  10. Add comments in both IDA and your scripts. Something may look straightforward now, but your sleep-deprived future self might spend expensive exam minutes or hours trying to understand past thoughts. Comment all parts of your code, including ROP gadgets and assembly. Your scripts will undergo so many changes that you might end up reverse-engineering your own code.
  11. You’re not always allowed to download binaries to analyze with IDA. Make sure you know how to perform tasks in WinDbg, like finding IAT addresses. I’ve heard of candidates failing because they downloaded a binary to resolve IAT entries in IDA when it wasn’t permitted.
  12. The course teaches you lots of assembly tricks if you read between the lines. Make sure you can work with available ROP gadget instructions. For example: How do you subtract when only add is available and there’s a bad character involved? Can xchg or push/pop be used as alternatives for the mov instruction? How do you compensate for side effects of certain assembly instructions?
  13. Organize your analysis visually:
    1. Red for potentially vulnerable memory corruption functions (memcpy, strcpy, memmove)
    2. Yellow for potential memory leaks (fopen, format string functions)
    3. Green if any of the above functions are deemed not vulnerable
    4. Blue for code paths leading to a vulnerable function
  14. In IDA, rename variables and functions as you discover their purpose. I sometimes used names like callsmemcpy1 for a function with a code path to a vulnerable memcpy function. A function calling this would become calls_calls_memcpy1, helping me track code paths to vulnerabilities.
  15. Try to automate repetitive tasks using pykd or other Python scripts. Use regex to filter gadgets, like: ^0x[0-9a-fA-F]{8}: mov eax, [a-Z]{3} ; ret
Resources

When preparing for the OSED exam or diving into Windows Exploit Development, there are a few key resources I found extremely helpful. While the course itself is comprehensive, these additional materials can really help deepen your understanding of Windows internals, security, and exploitation techniques.

  • Corelan tutorials (https://www.corelan.be/index.php/articles/)
    Detailed exploit development tutorials covering stack overflows, SEH exploits, and bypass techniques. Essential reading for understanding fundamental concepts with clear, practical examples.
  • FuzzySecurity tutorial (https://fuzzysecurity.com/tutorials.html)
    Excellent Windows exploitation write-ups with detailed walkthroughs on various vulnerability types, shellcoding techniques, and mitigation bypasses specifically tailored for Windows environments.
  • LiveOverflow YouTube channel (https://www.youtube.com/c/LiveOverflow)
    Visual learners will love these video tutorials covering binary exploitation, reverse engineering, and CTF challenges. Great for understanding complex concepts through practical demonstrations.
  • Windows Internals by Mark Russinovich
    The definitive guide to Windows architecture, kernel mechanisms, and system internals. Provides deeper OS understanding crucial for exploit development.
  • LiveOverflow YouTube channel (https://www.youtube.com/c/LiveOverflow)
    Visual learners will love these video tutorials covering binary exploitation, reverse engineering, and CTF challenges. Great for understanding complex concepts through practical demonstrations.
  • Windows Internals by Mark Russinovich
    The definitive guide to Windows architecture, kernel mechanisms, and system internals. Provides deeper OS understanding crucial for exploit development.
  • Practical Reverse Engineering by Bruce Dang – Complements IDA Pro training perfectly with hands-on exercises in x86/x64 reverse engineering, covering obfuscation techniques and real-world malware analysis.
  • OffSec Discord and forums – Community support is incredible, with fellow students sharing insights, troubleshooting tips, and encouragement. The collective knowledge and experience here is invaluable for overcoming challenges.
  • OSED-Utils (https://github.com/AtlasGondal/osed-utils) – A small collection of utilities like generating shellcode, finding gadgets etc and starter templates intended for OSED-style exploit development and Windows debugging workflows.

These resources will be incredibly helpful whether you’re working through the OSED exam or just expanding your knowledge of Windows security. The more you familiarize yourself with these sites, the better equipped you’ll be to handle the challenges in the exam and beyond.

FAQs

Most people spend 2-4 months with consistent daily practice, averaging 4-6 hours per day. However, your timeline can vary based on your background. I personally dedicated about 45 days with not very intensive focus. If you’re new to exploit development, I’d recommend taking the full 90 days to thoroughly absorb the material and practice extensively.

No, OSCP is not a prerequisite for OSED. While OSCP helps with general offensive security mindset and methodology, the technical skills required for OSED are quite different. OSED focuses on low-level binary exploitation, assembly, and debugger proficiency, whereas OSCP is broader and covers network penetration testing. Strong C programming and x86 assembly knowledge are more relevant prerequisites.

OffSec doesn’t publish official pass rate statistics for any of their certifications. However, based on community discussions and anecdotal evidence from forums and Discord servers, estimates suggest the first-attempt pass rate is around 40-50%. The exam is challenging, and many candidates require a second attempt. Thorough lab practice and understanding of core concepts significantly improve your chances.

Absolutely not. You must write custom exploits from scratch, that’s the entire point of the certification. Automated exploitation frameworks are prohibited. The exam tests your ability to manually identify vulnerabilities, craft exploits, write custom shellcode, and bypass protections using your own code. This requirement ensures you truly understand the exploitation process at a fundamental level.

Not necessarily. A Windows VM with 4GB RAM and a Linux VM for tooling should suffice for most tasks. I ran everything on a laptop with 16GB RAM total without major issues. That said, running IDA Pro and multiple debuggers simultaneously can be resource-intensive, so 16GB is more comfortable. Ensure your system can handle at least two VMs running concurrently, one for your attacking machine and one for analysis.

Yes! A good understanding of both x86 and x64 assembly will be super helpful, especially since a lot of the course revolves around reverse engineering. Also, being comfortable with C programming will make a big difference when you’re reading source code and working on exploits. Finally, some basic knowledge of Windows technologies will help you absorb the material more easily and give you a clearer understanding of how Windows works.

They’re fundamentally different beasts. OSCP is broader in scope, covering various penetration testing techniques across networks and systems. OSED is much deeper and more specialized, focusing exclusively on Windows exploit development. Many people find OSED more technically challenging because it requires low-level understanding of assembly, memory layouts, and protection mechanisms. If you enjoyed the buffer overflow portion of OSCP, you’ll likely find OSED fascinating but significantly more demanding.

Yes, absolutely, if you thoroughly understand and practice everything the course provides. The course gives you all the techniques and knowledge needed to pass the exam. However, success depends on how deeply you engage with the material. Completing all exercises, practicing on challenge labs, and genuinely understanding concepts (not just following steps) is crucial. Supplementary resources can deepen understanding, but the official material is sufficient.

Conclusion

Passing the OSED exam was one of the challenging and rewarding experiences of my cybersecurity career. Despite the compressed 45-day timeline, the scheduling mishaps, working night shifts, and starting the exam sleep-deprived, the journey taught me invaluable lessons about perseverance, time management, and deep technical understanding.

The course transformed my understanding of how software works at a fundamental level and gave me skills that directly apply to real-world vulnerability research and exploit development. The ability to analyze binaries, identify vulnerabilities, craft custom exploits, and bypass modern protections is a powerful skillset that sets you apart in the security field.

If you’re considering OSED, my advice is simple: commit fully, practice relentlessly, and don’t rush through the material. Even though I completed it in 45 days, I had prior experience and I am OSMR certified. Take the time you need, whether that’s 45 days or 90 days or even more to truly master the concepts. The journey is tough, but the knowledge you gain is absolutely worth it.

This certification has opened doors to advanced security roles and given me confidence in tackling complex binary exploitation challenges. The OSED isn’t just about passing an exam, it’s about genuinely becoming an exploit developer. And trust me, once you successfully pop that first shell with custom shellcode you wrote from scratch, bypassing DEP and ASLR with your own ROP chains, you’ll understand why this certification is so highly respected in the industry.

Now go exploit some binaries! You’ve got this.