Just a small correction: retaking OSCP in the UK does NOT enable you to do the so-called "Government work". It allows you to get the CRT if you also pass CPSA, which IS the normal requirement; however, you must specifically pass the CREST CRT exam if you want the government work, rather than passing OSCP and CPSA.
Appreciate the correction, that's my bad for misreading the conditions. You are correct: while the OSCP can be renewed to get CRT via the equivalency program, this kind of CRT cannot be used for the CHECK scheme.
I can't see non-federal employers suddenly valuing OSCP+ over OSCP out of the blue. I remember when I got my first pentesting job, everyone was more concerned about whether or not I had OSCP, they didn't really seem to factor in that I had OSEP, an arguably "higher level" cert. OSCP is so firmly cemented as the standard that it feels like employers hardly even take notice of new certs. And if any employer "required" me to go get OSCP+, and maintain it, they'd almost certainly be paying for it anyway.
Hello! I'm new here, I found out about the channel thanks to Tyler last night! I want to tell you that the amount of information you are making available to everyone is amazing! Thank you very much!!!
Thank you!
Thank you for taking the time to explain this.
Glad it was helpful!
I agree with a lot of what you stated. I have conducted a lot of internal-only tests that are in isolated environments. Many organizations do not want to pay the hefty price of a black box test or red team event. So they would rather white-card a two-week event to characterize as many vulnerabilities as possible and then use that cost savings for regression testing in the future.
I actually just submitted my OSCP+ report today lol, even though I did not have my OSCP prior. I was very disappointed in the AD; while it was very straightforward, it was also overly simple. I understand it's an entry-level exam, but there were a few missed opportunities within my lab to make it more fun.
Thank you for taking the time to do this.
Thank you for the clarification!
Thanks for watching!
I think this change will devalue the OSCP for people who got it years ago because we did the old "easymode" OSCP version. I think once HR learns about this we would have to defend ourselves for not updating it. I would be ok to get CPE credits for keeping my cert active, but I think it's unfair to let old OSCP holders recertify beforehand. I will not go back into months of studying for this.
I think it would be fair to just upgrade everyone's OSCP to OSCP+ one time and people can then choose to let it expire. Imagine if you passed the OSCP a couple months ago and you hear you have to go through all of it again to get the best version of this cert. That is just ridiculous imho.
True. This is a good point, especially about very recent OSCP passes.
I think it definitely feels like a ladder pull by those who got to do the exam somewhat easier. Not being afforded the same opportunities as previous exam takers feels unfair in practice.
Thank you for sharing
Great video!
Thanks!
As a UK based tester, I really hope OSCP+ could replace the nonsense that is CREST.
I would much rather do the OSCP again than the CPSA and CRT.
CREST needed replacing 10 years ago. 😅
@Tib3rius 100%, but their position has actually been strengthened by the UK Cybersecurity Council. They are now one of two bodies that grant chartered and principal membership, which will be necessary for CHECK team membership.
Assumed breach is actually very common. Where I work, 90% of pentests are assumed breach, both infrastructure and webapp pentests.
Interesting. I'm not sure I agree it's "very common" in the industry as a whole. That would be news to me. Web app is different, of course. Always has been assumed breach, but internals being assumed breach as a regular thing I have not heard of.
@Tib3rius The old school of blue team thinking is not assume breach. Assumed breach is one of the best ways to train your team to threat hunt and remediate quickly.
Also, the fact that most compromises start with a phishing email. Chances are, your blue team are going to see user account compromises all the time.
@null.ru.1337 agreed, no question it's likely more informative for the customer, but I was mostly doubtful about it being "very common". I actually asked this on Twitter earlier and judging by the responses there, it's not that common but seems to be increasingly popular: x.com/0xTib3rius/status/1830998396921942067
I don't think OSCP+ will be a thing. Like, when someone reaches a particular level like yourself, you know you have the work experience and skills, so you don't have to take an exam over and over again every 3 years. Maybe only for those who are looking to get into a job that requires this at that time; after getting into that job, only if the job requires him to take it over and over again will someone be taking the OSCP+. Otherwise I think the majority of people will get the + removed after 3 years and continue with their job happily being the regular OSCP itself.
I won't be surprised if HR/ATS reject the application/resume thinking that OSCP+ is not the "original" OSCP cert.
What are the chances of getting a job after OSCP?
That's a really difficult question to answer unfortunately. It depends on where you live, what the job market is like, etc. OSCP is still a good cert to have because it looks good on a resume, but it's not a guarantee of a job. It will at least make you stand out a little bit.
Problem is people didn't read the email. It states your OSCP is indefinite, and if you get OSCP+ and let it lapse it stays as OSCP.
Precisely. Thank you for saying it.
I didn't get the email so I couldn't comment on it, but I did hear that it was in there. A lot of people found out because the link was shared on social media and the page itself didn't immediately mention that the OSCP cert itself wasn't changing.
@Tib3rius that makes a lot of sense. I've also seen people who have gotten the email and decided to screenshot JUST the part that many people were complaining about without showing the whole thing.
Dude why does the government care about certs that expire lol
I imagine it's to ensure that people are still "skilled" and maintaining them. I don't think it makes any sense either, but that's how it works in US DoD and in the UK as well.
"Everyone knew that OffSec's main goal years ago was to break into the DoD sector and use the OSCP as their gateway. Now that they've made it into the U.S. government sector, do you think they care about our opinion? (Hell no)." I am just being real, no offense.
Not American, how did they get into gov?