Blog

OffSec News

Aug 13, 2020

New Developments: Retiring CTP and Introducing New Courses

On October 15, 2020, Offensive Security will retire its Cracking the Perimeter course. Find out more about this change, including what comes next.

6 min read

As part of long-running and ongoing work to update, advance, and improve the quality and depth of course offerings at Offensive Security, we will be retiring Cracking the Perimeter (CTP) in 2020.

In summary:

  • October 15, 2020 will be the last day students may register for CTP.
  • Students who hold an OSCE will continue to be OSCEs – we are not taking away your certification or requiring you to recertify.
  • Two new courses will be released over the end of 2020 and the beginning of 2021, each with their own certifications.
  • These two certs, plus the OSWE certification gained from Advanced Web Attacks and Exploitation, will comprise a new, updated OSCE certification.

Our goal in announcing these upcoming changes is to provide sufficient time for potential students to make informed choices about their options. Anyone who would like to take the original CTP course will need to purchase it before October 15, 2020. Anyone who purchases it will be eligible to take the certification exam and earn the legacy OSCE certification. There will be no changes to the current OSCE certification exam as a result of this announcement.

Please continue reading for the full details on why we’re retiring this course, what we’re working on to replace it, and what you can expect in the coming months.

Why We’re Retiring CTP

Cracking the Perimeter and its certification, Offensive Security Certified Expert (OSCE), have been part of the Offensive Security curriculum for a long time. From its beginning, CTP was envisioned as a natural continuation of the learning path for which Penetration Testing with Kali Linux (PWK) (previously known as Penetration Testing with Backtrack or PWB) served as the foundation. This path ultimately culminated in our most advanced course, Advanced Windows Exploitation (AWE).

From a high-level perspective, when CTP was first conceived it attempted to cover three different areas of pentesting expertise: attacking web applications, advanced userland exploit development (manual encoding, egg hunters, etc.) and antivirus evasion, and attacks against network and edge devices. This led to a course that covered the primary areas where advanced penetration testers spent most of their time. With the level of defense and traditional network complexity at the time, we could cover all these topics adequately in a single course.

 

CTP Fundamentals

 

However, the technology and defense mechanisms have greatly improved since then. As we responded to these changes in our PWK and AWE courses, CTP went without an update. Although we still pride ourselves in the recognition that CTP and OSCE have achieved over that time, it is time for an overhaul.

Two New Courses Ahead

Modern protections, whether they are part of an operating system, a well-designed and implemented third-party product, or simply applications written with security in mind, require a wide variety of skills if they are to be defeated. As penetration testers and exploit developers, we have had the privilege of working with a number of organizations that utilize such formidable defensive layers.

These experiences, in addition to the sheer number of publicly disclosed research in areas that CTP covers, are a clear sign that it is no longer possible or realistic to teach this material in a single course and have it be as comprehensive as a modern coverage of these topics needs to be.

For a number of years, it has been our vision to create individual courses that focus more intensely on these attack areas and techniques. The first step in that plan was to create and release an online course that focuses on web application attacks: Advanced Web Attacks and Exploitation (AWAE).

Our AWAE update, which added 50% more course material and addressed student feedback, was released in July 2020. As a part of this update and for the first time, we also added standalone AWAE lab machines, which students can use to further practice their new skills.

Following that release, we started focusing on the remaining two areas:

  • A new course that focuses exclusively on Windows userland exploit development
  • A second new course that focuses on more advanced and modern pentesting techniques that cover AV avoidance, lateral movements, and so on

The next course in our release schedule will focus on advanced pentesting techniques. As the development of this course is reaching its final stages, we anticipate the public release to occur within the next three months.

Finally, the development of our Windows userland exploit development course has been under way for some time as well. Its release will follow shortly after the release of our advanced penetration testing course.

What This Means for You

With the release of these new courses, our goal is to provide more modern and realistic learning paths for individuals either entering or continuing their education in the information security space.

So the question remains: what does all of this mean for the existing OSCE certification? Our belief is and always has been that once you earn a certification, you own it forever without any renewal requirements. That does not change. Anyone who has earned an OSCE will always retain it.

However, we also recognize the value that the OSCE name carries. Given the massive expansion and growing complexity in penetration testing since the introduction of the original OSCE, modern pentesters need to be able to demonstrate sufficient current breadth and depth of knowledge to realistically be viewed as an expert in today’s offensive techniques.

Therefore, a new, updated OSCE certification will be created (with a revised certification name). It will be founded on the successful completion of all three previously mentioned courses:

We strongly believe that completing any of our courses and their respective exams should be rewarded with public recognition. Therefore, it is critical to note that each one of these courses will have its own exam and certification, as AWAE already does.

Further, the completion of all three courses will automatically result in the awarding of the updated OSCE certification. No additional exam will be required once you have obtained the other three standalone certifications.

 

Complete all 3 courses to earn the new OSCE

 

As mentioned at the start, the final step in this part of our course development schedule will be discontinuing the CTP course. The final day on which students will be able to purchase the current CTP course will be October 15, 2020.

Stay Tuned…

As we approach the public release dates for the remaining two courses, we will announce the official course and certification names, pricing, and other details. We will also be providing more information regarding discounts for recent CTP purchasers soon.

We are excited about our upcoming course releases and believe they will provide tremendous value to our students and their journeys in information security. Please stay tuned for more details.