Long story short, I took the OSCP twice this year and passed on my second attempt in July! If you want to know more about how that process was for me you should check out my other post: My Journey to OSCP: From Chef to Cybersecurity Professional in 7 Months. It’s a good resource if you want to see what a realistic timeline and work ethic are actually required to take the exam, and what prerequisites you should know before signing up.
Exam tunnel vision
At this point, I thought that taking the OSCP was the end goal, but in reality it was just the starting point of a different challenge: entering the job market. In investing, people often say "It's not about timing the market, it's about time IN the market". Unfortunately, the same also applies to the job market.
When I was grinding with the sole objective of getting the OSCP in mind, I became blind to the actual main objective of getting certified, which was to use the certificate as proof of my practical skillset in order to land a job in pentesting or the general field of cybersecurity. Most people get to the OSCP by other routes, such as studying and taking the exam after an internship or an entry-level job landed after university, or trying to get into pentesting after already working several years in IT. My main issue is that I had done neither of these, and the OSCP was not enough to make up for this lack of professional experience in IT or cybersecurity.
The "intended" paths into cybersecurity
I was faced with a common paradox after I started applying for jobs a couple of days after passing my certification. "Entry-level" jobs in cybersecurity often ask you to have years of experience, or a bachelor's degree plus a master's degree in a related field. This may seem counterintuitive, but it's because cybersecurity is not an entry-level field. It's a field where a good understanding of general IT concepts is a requirement, and employers will prefer candidates with prior years of IT experience. You might even find that some roles require you to be a generalist with a specialization in security, rather than a security specialist who can't do anything else.
If you are someone like me, you don't have prior formal IT experience and can't get hired into IT roles because you don't have the relevant qualifications. Being OSCP certified is a niche qualification and doesn't really convince someone that you can do general IT work (at least from my experience).
There are a couple of solutions to this. You can either actually go down the industry-intended paths:
- Get relevant IT support certifications or vocational school and do IT helpdesk or support for several years, study and take your cybersecurity certifications while working and then apply for cybersecurity jobs.
- Do your bachelor's in computer science or something relevant, then take a master's in the field of cybersecurity (there are so many to choose from). Then, after getting your master's you can apply to graduate programs for cybersecurity consulting companies.
Honestly, it's not that easy in reality, from what I've seen others go through. You can't get anything with just a bachelor's degree, and even with a master's it's super important to distinguish yourself from other candidates. The downside of school is that all of your classmates are in the exact same candidate pool as you, and if you haven't done any extracurriculars, projects or certifications on the side, it will take a long time for you to find something.
The non-intended paths / Creating your own experience
I can be a bit unconventional sometimes and that's okay because I enjoy a challenge. This was the main reason I went straight for OSCP instead of spending time on beginner certifications or working in IT. I wasn't doing it just for the job, but also partly for the love of the game.
But I'm not the only one in the world that did this. There is a pretty general consensus on how to succeed with this path, and a lot of this advice is also helpful if you go through other paths. The main idea that you need to take from this article is that you NEED to set yourself apart from other candidates and not just fall in the middle. The market is currently very competitive, and the truth of the matter is that the cybersecurity industry is not at its peak right now.
I've personally spoken with half of the people involved in cybersecurity in Oslo and the consensus is this:
- Smaller consulting companies are only hiring senior talent, not entry level roles.
- Large consulting companies that hire entry level have very few positions and it is extremely competitive.
Even as a qualified candidate, you'll need to hone your skills, apply to everything available and be patient. Finding the right role will take some time!
Finally, what can you do to set yourself apart and have the highest chances to succeed?
- This is a non-negotiable: Start a blog! You need to have somewhere where you can think out loud and share your projects and ideas. The format is up to you, but you should probably make a website or post on GitHub. Blogs are accessible to everyone. Short and long-form videos are great too, but this is a harder sell to recruiters.

  You can post whatever you want on your blog: machine writeups, mindmaps, the best of your notes, box walkthroughs, home-lab documentation, latest CVE analysis and PoCs, key takeaways from events you attended recently, bug bounty writeups, etc. You get the point!
- Go to all your local events. I was surprised to find out how many local events are in my area (CTFs, social meetups, presentations, conferences, etc.). Cybersecurity is a field where people are constantly getting together and sharing the latest research. Companies are also glad to sponsor these events and promote their teams and security programs, which normally means there is food, drinks, beer, merch, and awards available.

  This isn't the point of the events though; your goal is to learn as much as possible and meet people. The best way to "become" a professional in your field is to surround yourself with them. If you truly enjoy cybersecurity, this will also be very fun and lead to so many good conversations. People naturally want to be helpful, so feel free to ask people for advice. I've probably asked everyone I've known, and 95% have been super kind and helpful.

  Think of cringe quotes like: "Your network is your net worth". There's a reason people say it.
- Do A LOT of machines/boxes and post the writeups. It's hard to say you lack experience when you have documented proof of having exploited hundreds of different vulnerabilities on different web applications, operating systems, and network environments. Use platforms like TryHackMe, HackTheBox and Offsec's native Proving Grounds Play, Practice and Challenge Labs. Make sure that you do HackTheBox and TryHackMe boxes visibly! Post the writeups on your website and highlight key takeaways in LinkedIn posts if you want as well.
- Participate in bug bounty programs and continue learning more advanced real-world exploitation. This is easier said than done, but the OSCP actually teaches you the core mentality for exploiting a target persistently until you achieve your goal. Although labs are much, much easier, they seemed difficult at the start until you learned how to do them. If you spend the time to learn about modern web applications and their security systems, you can earn money from bug bounties and also prove that you have the ability to hack into full-production, real-world web applications. This is huge for setting yourself apart from other candidates who can't say that they have actually hacked a real-world target. And it is also a source of income! If you find success in bug bounty, you might even just want to focus on that instead.
Conclusion
I am definitely not an extrovert, and some of the more social events seemed difficult at first, until I realized that all the people there share the same passions I do! Hopefully, after following some of these suggestions, you will find yourself in a better position to prove your experience and land an entry- or mid-level job.
Most of this advice is subjective and oriented to what I think was the most effective for me personally, but regardless I hope that you've been able to get something from this instead of being discouraged by the difficulty. (Although if you've gotten or are in the process of taking the OSCP, I don't think you are the kind of person that gets discouraged by difficulty).
I wish I had applied and spent some time on these things during my OSCP study period instead of just speed-running the exam. Although I am glad to have passed the exam, I lacked a lot of the softer skills when it came to being a candidate. From the perspective of the recruiters, I was also "invisible" since I didn't have much on my GitHub, LinkedIn, or personal website, and this caused me to blend in with so many other candidates and ultimately get rejected.