OffSec SEC-100 & OSCC-Sec Certification Review

AppleTree's detailed review of OffSec's SEC-100 CyberCore course and OSCC-Sec certification exam.

Overview

Offensive Security has long been associated with tough, practical certifications like the OSCP. With SEC-100: CyberCore – Security Essentials, they set out to create something very different: an entry-level course that brings together the “big picture” of cybersecurity. This course is paired with the OSCC-Sec certification exam, which I took and passed in August 2024 when it was still simply called the OSCC.

I was the first candidate to ever pass the OSCC exam, which made the experience both exciting and a little uncertain since there were no other reviews or walkthroughs to reference at the time. After posting about it, OffSec’s marketing team even reached out and sent me a $100 swag gift card as a congratulations — a small but memorable reminder of how invested they are in their community.

What makes SEC-100 stand out compared to many other entry-level courses is just how wide-ranging the material is. This isn’t just an “intro to hacking” course or a “security theory” cert. It tries to give students a map of the entire cybersecurity landscape: offensive and defensive techniques, cloud and OT, secure software design, risk management, even generative AI. As I’ll explain, it really is a mile wide and an inch deep — and that’s both its strength and its limitation.

This review is based on the course/exam as of August 2024, with updates to reflect the current 40-module structure as of 2025. Content may have changed since writing.


Course Overview

The SEC-100 curriculum is structured into 40 learning modules that progress logically from foundational IT skills into more advanced security concepts. The idea is to ensure that learners — even those completely new to cybersecurity — never feel thrown into the deep end without preparation.

The modules start with the basics (Linux, Windows, networking, scripting) before expanding into offensive techniques, defensive operations, and secure build practices. There are also modules dedicated to cloud computing, cryptography, Generative AI, and OT/ICS environments — topics many other entry-level certs completely skip. That breadth is where SEC-100 really differentiates itself.

Current Modules

  1. Introduction to CyberCore - Security Essentials
  2. Anatomy of Cybersecurity
  3. Cybersecurity Frameworks and Standards
  4. Cybersecurity Roles
  5. Introduction to General Cybersecurity Skills
  6. Linux Basics
  7. Windows Basics
  8. Data Transformation Fundamentals
  9. Python Scripting Fundamentals
  10. PowerShell Scripting Fundamentals
  11. Networking Fundamentals
  12. Enterprise Network Fundamentals
  13. Introduction to Network Firewalls
  14. Cloud Computing Fundamentals
  15. Background to Contemporary Generative AI (GenAI)
  16. Cryptography Fundamentals
  17. Introduction to Offensive Cybersecurity Skills
  18. Penetration Testing Process
  19. Information Gathering and Enumeration
  20. Understanding Web Attacks
  21. Attacking Endpoints
  22. Defense Evasion
  23. Offensive Cloud Fundamentals
  24. Introduction to Defensive Cybersecurity Skills
  25. SOC Management Processes
  26. Defensive Security Processes
  27. Vulnerability Management
  28. Malware Analysis
  29. Social Engineering and Phishing
  30. Ransomware, DDoS, and Availability
  31. Wi-Fi Security
  32. Security of Embedded Systems
  33. Industrial Control Systems and OT
  34. Risk Management in Cybersecurity
  35. Introduction to Build Skills for Cybersecurity
  36. Software Engineering Security
  37. Foundational Input Validation Concepts
  38. Cloud Architecture Fundamentals
  39. Introduction to Assurance Testing
  40. Starting and Developing a Career in Cybersecurity

Learning Experience

The labs are integrated directly into the modules and are designed to scale in difficulty. Early on, they’re intentionally straightforward — configure a firewall rule, write a small Python script, gather information on a target system. Later labs grow more complex, asking you to think critically about attack surfaces, defense mechanisms, or how to design a more secure application.

One thing I appreciated is that the labs never felt out of sync with the material. As some other reviewers noted, you’re always given enough context to solve them, even if you’re brand new to the field. The flow of knowledge into practice feels natural, which is not always the case with cheaper platforms where you’re constantly jumping to Google to figure out missing pieces.


Exam Overview

The OSCC-Sec exam is a 6-hour, proctored assessment that mirrors the course’s three pillars: Attack, Defend, and Build.

Passing Requirements

  • Attack (30 points total)
    • 15 points for Box 1 (proof.txt)
    • 15 points for Box 2 (proof.txt)
  • Defend (30 points total)
    • 15 points for Defense 1
    • 15 points for Defense 2
  • Build (30 points total)
    • 6 questions worth 5 points each

Total: 90 points possible
Passing Score: 60 points minimum
Time: 6 hours

You’re free to take breaks, but since it’s proctored you’re expected to manage your environment — including having backup power or internet if needed.

My Experience

When I sat for the exam in 2024, there were no prior student accounts available — I was the first to complete it successfully. That meant going in blind, relying only on the SEC-100 material. The “Attack” portion was the most engaging, with two small target boxes to exploit and capture proofs from. It felt closest to OffSec’s traditional style.

The “Defend” section was more conceptual, testing knowledge of detection and response strategies. Some found this part easier than expected. The “Build” section was a set of design and best-practice questions — again, more lightweight but aligned with the course’s broad scope.

Overall, I finished with time to spare. Others have since reported needing nearly the full 6 hours, but most agree that if you’ve worked through the modules diligently, the exam feels fair.


Strengths

  • Breadth of Coverage: SEC-100 touches almost every corner of cybersecurity — from Linux CLI to ransomware, from social engineering to cloud architecture.
  • Beginner-Friendly Progression: The course starts simple and ramps up gradually. Labs are challenging without being overwhelming.
  • OffSec Credibility: The OffSec name carries weight. Even at the entry level, employers recognize the badge.
  • Hands-On Labs: Learners aren’t stuck reading slides; you’re constantly applying concepts in lab environments.
  • Coverage of Emerging Topics: Generative AI, IoT/OT, and secure build practices aren’t afterthoughts — they’re included up front.
  • Confidence Building: For newcomers, being able to complete a structured course and pass a proctored exam provides a huge morale boost.
  • Smooth Learning Flow: The material is structured so that each lab directly builds on the knowledge provided.

Limitations

  • Shallow Depth: By design, this is an inch deep. It’s a foundation, not a specialization. Learners seeking mastery in any one domain will need additional training.
  • Uneven Exam Sections: The “Attack” portion feels satisfying, but the “Defend” and “Build” sections are simpler and less rigorous.
  • Premium Pricing: At $899, it costs more than most comparables. The bundle (365 days access, 2 exam attempts, PG Play labs, PEN-103 bonus) offsets some of this, but it’s still expensive relative to other entry-level paths.
  • Limited Job-Readiness: It will make you knowledgeable, but it won’t alone make you a SOC analyst, pentester, or engineer. Think of it as orientation, not certification of role-ready skill.

Comparable Courses and Certifications

SEC-100/OSCC-Sec belongs in the conversation with other entry-level or junior certifications. What sets it apart is its blend of Attack, Defend, and Build rather than focusing solely on one lane.

  • Foundational Broad Coverage: Security+, ISC2 CC, Google Cybersecurity Certificate, SANS SEC275.
  • Practical Offensive: PT1, PJPT, eJPT.
  • Defensive Training: BTL1.
  • Theoretical Pentest-Oriented: PenTest+, CEH.

Comparison Table

| Course/Certification | Provider | Cost | Notes |
|---|---|---|---|
| SEC-100 + OSCC-Sec | OffSec | $899 | Broad, entry-level; mile wide, inch deep across Attack/Defend/Build. Includes 365 days, 2 exam attempts, PG Play labs, and PEN-103 |
| PT1 | TryHackMe | $349 | Practical pentest fundamentals; hands-on, focused scope |
| PenTest+ | CompTIA | $1,319 | Theoretical, multiple-choice; covers network/AD, less hands-on |
| CEH | EC-Council | $650 | Theoretical, industry name recognition; criticized for shallow labs |
| PJPT | TCM Security | $249 | Practical junior pentest cert; accessible and affordable |
| eJPT | INE | $249 | Practical, junior-level pentest cert; stronger offensive depth |
| Security+ | CompTIA | $392 (exam) | Broad intro, industry baseline; multiple-choice only |
| ISC2 CC | ISC2 | Free–$199 | Broad, theory-focused, beginner-friendly |
| Google Cybersecurity | Coursera | $39/month | MOOC, non-proctored, beginner-focused |
| BTL1 | Security Blue Team | £399 (~$540) | Hands-on defensive labs, SOC focus |
| SANS SEC275 | SANS | $7,020 | Deep, premium foundational course; strong but very costly |

Value-for-Cost Perspective

When ranking OSCC-Sec against other certifications, the price-to-worth ratio is the main sticking point.

  • Budget-Friendly Leaders: PJPT and eJPT both deliver strong, hands-on training at $249. PT1 at $349 is another excellent entry-level pentest option.
  • Balanced Mid-Tier: BTL1 (~$540) offers practical defensive content, while Security+ ($392) provides strong recognition though it lacks labs.
  • High-Recognition Theory: ISC2 CC (free–$199) and Security+ are great for resumes but won’t give you real hands-on skills.
  • Overpriced for Depth: PenTest+ ($1,319) and CEH ($650) cost more than they deliver, and many reviewers note they feel outdated.
  • Ultra-Premium: SANS SEC275 ($7,020) is comprehensive but financially out of reach for most.

OSCC-Sec at $899 sits near the premium tier. Yes, it’s more expensive than almost all its peers. But for that cost you’re getting:

  • A year of access
  • Two exam attempts
  • 50+ Proving Grounds Play labs
  • Bonus access to PEN-103
  • And, importantly, the OffSec name tag

That brand credibility is what justifies the price for many learners. If you’re planning to stay in the OffSec ecosystem and progress to OSCP or other advanced certs, the investment makes sense. If you just want a general entry-level cert, cheaper options may serve you just as well.


Final Ratings

| Category | Rating |
|---|---|
| Knowledge Depth | 6/10 |
| Real-World Applicability | 7/10 |
| Value for Cost | 6/10 |
| Study Requirements | 7/10 |
| Industry Relevance & Accessibility | 7/10 |

Overall Score: 7/10


Final Thoughts

For me, SEC-100 and OSCC-Sec were exactly what I needed at the time. It was the course I wish had existed when I first started in security — a structured, practical way to survey the landscape without the chaos of self-study through scattered blog posts and YouTube videos.

Being the first to pass the OSCC exam was a personal milestone, but more importantly it highlighted how OffSec was broadening their catalog. They’re no longer just “the OSCP company” but an organization offering a true on-ramp into cybersecurity.

It’s important to recognize what SEC-100 is and what it isn’t. It is:

  • A map of the cybersecurity territory — Attack, Defend, Build, with labs to tie things together.
  • A confidence builder for beginners.
  • A gateway into OffSec’s higher-level tracks.

It isn’t:

  • A deep-dive in any one discipline.
  • A guarantee of job-readiness on its own.
  • The cheapest option for starting out.

In short: a great starting point, but not an endpoint. It provides the scaffolding — the shape of the field — but you’ll still need to climb further on your own.


AI-assisted editing was used to improve grammar, clarity, and formatting. All technical content and opinions are original.

This post is licensed under CC BY 4.0 by the author.