CPTS vs OSCP – A Comparison from Someone Who Did Both

ma4xxma4xx
11 min read

If you're into pentesting, cyber security, or just a tech person curious about cyberspace, you’ve probably come across OffSec’s OSCP or Hack The Box’s CPTS. I want to share my thoughts and experiences with both certifications - how they felt, how I prepared, and which one might be right for you.

My Background

I’ve been into computers and electronics since I was small, figuring out how things work has always been fun for me. As a Systems Engineer, I’ve spent already several years in IT, dealing with everything from classic helpdesk and endpoint protection to managing server infrastructures, client systems and several projects. While I like the technical side of IT, I was always drawn to cybersecurity. At some point, I got hooked on the idea of learning more about pentesting. I blame all these cyber stories. You see one too many, and suddenly you're deep into a niche tech topic at 2am, and only half of it makes sense.

Pretty quickly, I realized this stuff isn’t like flashy movie hacking. It’s a deep field with a lot of sub categories. You have to really understand concepts, take notes, repeat, fail, try again… and most importantly: don’t give up.

With barely any practical pentesting experience, but a strong background in IT, I jumped straight into CPTS as my first security cert. I found out about it through a video by John Hammond. At this time, I didn’t even know something like the OSCP existed.

I’m a big fan of learning by doing. You can read 100 books about driving, but if you never get behind the wheel, you’ll never become a skilled driver. The hands-on approach for CPTS was perfect.

CPTS – Certified Penetration Testing Specialist

CPTS is Hack The Box’s practical, hands-on pentesting certification. The certificate does not expire. You can either use your own Linux machine (via VPN), or their in-browser VM called Pwnbox - though I’d personally recommend using your own distro.

The course is part of the HTB Academy platform. It covers a lot, from pentesting methodologies and legal frameworks to web attacks, Windows, Active Directory, Linux, pivoting, cracking, report writing, communication, and much more. I’ve learned so much about common pentesting tools, frameworks and concepts - it’s crazy.

The topics are divided into 28 modules, each ending with an assessment where you’ll solve a mini lab and submit flags or answer specific questions. Some modules are quick, others are seriously in-depth. The learning content is incredibly well structured, and the practical labs really reinforce what you’re learning. The whole thing is really about understanding the concepts, developing the mindset to chain vulnerabilities and misconfigurations, all while thinking outside the box. It’s not just about looking up a CVE and running a GitHub script to solve the puzzle. CPTS uses a nice bit of gamification which keeps motivation high. It still needs more recognition in the industry, but it’s growing steadily.

If you finished the learning path, took good notes, and really understood the concepts, you will have already built a solid foundation:

  • Hacked around 250 Targets

  • 400+ module sections completed

  • 500+ challenge questions solved

  • Over 750,000 words read

There is a Discord server that can be useful for connecting with others or getting help when you're stuck. Make sure to read the rules after joining. The Discord search feature can also be really helpful if you run into a specific problem. Of course, asking for help during the exam is not allowed.

You must finish all assessments to unlock the exam. If you’re already experienced, this might feel a bit restrictive - there’s no skipping ahead to the exam (January 2025).

The CPTS Exam

Once you complete the entire course, you get access to the final challenge: 10-day practical exam, where you’re dropped into a big simulated company environment with full-blown networks, including Web and Active Directory, all from a full black-box perspective.

A lot of people ask what to do after finishing the course but before starting the CPTS exam. Some do HTBs challenges like Dante or Zephyr. I’m not a big fan of this approach, since they might include concepts not covered in the course or exam. In my opinion, the best thing you can do is revisit the concepts you’re still unsure about, tune your notes, and go through the “Attacking Enterprise Networks" module completely blind. Don’t read the questions, don’t follow the guidance, just hack your way through. It’s a easier mini version of the exam and a great way to test yourself.

Tools: You’re allowed to use any tool you like - from Tools like SQLmap to Metasploit (though MSF won’t help much), or even LLMs. These tools might assist with certain attacks, but they won’t solve the puzzle for you. The exam is designed in a way that still requires your own thinking and problem-solving.

The real exams objective is to capture 12 out of 14 flags + a commercial-grade report to pass. HTB offers a template you can use for the report. You have 10 full days time and while it sounds much, dont underestimate it, as the exam can be pretty though. I took time off work just to focus on this. I highly recommend getting as much free time as possible.

There were moments during the exam when I was ready to throw the towel. Frustration is part of the process. But if you hang in there, the feeling of finally breaking through is worth it. I managed to complete 13 out of 14 flags and submitted a 124-page report. About two weeks later, I received an email from Hack The Box letting me know I had passed. Yeah!

After submission, it can take up to 20 business days to receive your results, as every report is reviewed by Hack The Box professionals. You’ll also receive detailed feedback on your report.

Due to Hack The Box’s exam policy, I can’t share too much detail about the actual environment - but I can say this:

Everything you need is taught in the course. The real challenge is putting it all together, thinking outside the box, and pushing through when you're stuck.

If you fail, you get one free retake and two weeks to schedule your second attempt. The second attempt is included, as each exam voucher comes with two attempts. The environment should be exactly the same again. At no point will you receive any hints about the environment or where to look!

OSCP - Offensive Security Certified Professional

I did the OSCP a couple of months after CPTS. The certificate is pretty expensive and I was lucky that my family helped cover part of the cost. You might be able to ask your company for support, otherwise the price can be tough to manage.

The OSCP is still the big name in the industry and widely recognized by HR departments and employers. When you go for the certificate, you now receive both OSCP and OSCP+. The OSCP is valid for life, while the OSCP+ needs to be renewed every three years.

OffSec offers a CTF style training platform with tons of standalone machines and AD environments, but you have to pay €20 per month extra for it. There’s also plenty of learning material covering many classic tools and common attacks, similar to what you’d find on Hack The Box. The downside for me was that the learning material felt a lot less structured than HTB’s and I think if I had started with OffSec instead, it might have been harder to stay motivated at the beginning.

I mostly skimmed through the learning material since I already knew most of it. So instead I focused on playing through the lab machines to prep for the exam (still learned something new here and there).

OffSec also offers a Discord server. You need to link your OffSec profile to your Discord to access the OSCP-related content. There are moderators and mentors who will help you with any questions about the labs, they usually respond quickly.

The OSCP Exam

The exam is proctored, which means you’ll need a webcam (no microphone required) and share your screen/s, you can communicate with the proctor via chat. You have 24 hours to complete the hacking part, which consists of three random standalone machines and a full Active Directory environment. Once the 24 hours are over the environment will shut down and you’ll have another 24 hours to submit your report (not proctored). If you finish the hacking part early, the 24-hour report timer won’t start until the original hacking window has ended.

Yes, you can take breaks, eat, sleep, or do anything else. :)

To pass the hacking part you need to reach at least 70 points (from OffSec’s FAQ):

# 3 stand-alone machines (60 points in total)
20 points per machine
10 points for initial access
10 points for privilege escalation

# 1 Active Directory (AD) set containing 3 machines (40 points in total)
# Learners will be provided with a username and password, simulating a breach scenario.
10 points for machine #1
10 points for machine #2
20 points for machine #3

# Possible scenarios to pass the exam (70/100 to pass)
40 points AD + 3 local.txt flags (70 points)
40 points AD + 2 local.txt flags + 1 proof.txt flag (70 points)
20 points AD + 3 local.txt flags + 2 proof.txt flag (70 points)
10 points AD + 3 fully completed stand-alone machines (70 points)

Coming from CPTS, I reached 100 points after about 9 hours, but this can depend on the machines you get and how well you know the required techniques. You have to submit the flags during the exam in a web-portal, but make sure to double-check them, as it won’t tell you if a flag is correct. Like in CPTS, you also have to submit a report. Don’t forget to include the flags in it! OffSec offers a template you can use, too.

Tools: You are NOT allowed to use automation tools like SQLmap, Burp Suite Pro (community version is allowed) or LLMs like ChatGPT. Metasploit is restricted to a single use. LinPEAS is allowed!

While some out-of-the-box thinking is needed, the OSCP felt to me like it was mostly about finding CVEs and some rather simple misconfigurations.

If you fail, you’ll need to buy another exam retake for around €200. There is a “cooling-off period” which means you have to wait at least 30 days before you can make another attempt.

Costs

CPTS: HTB offers a wide range of payment options. You can get it for roughly €410, including all learning materials, modules, Pwnbox and exam voucher. You can also purchase each module and the exam voucher separately to split costs over time or get a student discount.

OSCP: OffSec offers a Course + Cert Bundle which is arround €1500. Includes 90 days of access to one 200 or 300-level course, the associated labs, and a single exam attempt.

Homer Simpson throwing money in the air

Summary

Looking back at both CPTS and OSCP, I think they have very different strengths.

CPTS gave me a solid and well-structured foundation and the HTB Academy content feels modern and clear. The exam is long (10 days), realistic, and teaches you how to chain vulnerabilities together in a way that actually happens in real engagements. Price-wise, at roughly €410 for the full thing (modules, Pwnbox, and one exam voucher), the value is great. Especially considering the amount of material, labs, and the free retake.

OSCP carries a lot of weight in the industry, most HR departments and recruiters know it. The training platform offers a lot of machines and AD environments, but the learning materials feel a bit outdated and less structured compared to HTB. The exam is more toward CVEs and simple misconfigurations rather than chaining complex attack paths. Price-wise, it’s a big jump at around €1,500 for the course and exam +€200 per retake.

For the depth, structure, and overall learning experience, CPTS is hard to beat - especially for someone starting out or wanting a well-guided path. OSCP is more expensive and less structured, but it’s still the “industry badge” that opens doors. If your goal is skill-building and solid fundamentals, CPTS delivers exceptional value. If your goal is recognition and HR impact, OSCP still has the edge. If you are able to archive both, its great.

CPTS took me a bit over a year from scratch because I went deep into topics, experimented in my home lab, and just took my time. It should be possible to do it faster. Doing the OSCP afterward felt much easier because of that foundation. Am I a crazy hacker now? Probably not. There are people out there on another level entirely. But I know I’ve built a strong base, and I’m getting better with every project and challenge. Some things you learn (tools, techniques, etc.) will be detected by protection mechanisms, so it might be worth exploring topics like AV evasion.

If you can, take your time and start with CPTS! - but that’s just my opinion.

Another big takeaway is how much I’ve built note-taking into my workflow — whether for work, pentesting, or any other project in life. My notes have become far more structured and comprehensive. It’s like having a second brain (now imagine a world without backups :P).

PS: There are also plenty of other good write-ups on this topic that approach it from different angles, for example focusing more on things like documentation. Just look them up with your favourite search engine.

If you need any help just leave a comment!

Peace!

0
Subscribe to my newsletter

Read articles from ma4xx directly inside your inbox. Subscribe to the newsletter, and don't miss out.

htb-cpts#HackTheBoxoscphackingComputer SciencelearningCertificationITcptscpts vs oscposcp vs cpts

Written by

ma4xx
ma4xx

Just a guy writing about IT stuff. 27 y/o.