I completed the OSWE on 11/23/2025 around 6am CST, and submitted the report later that evening. The exam was quite a challenge, to say the least. There were multiple points where I hit walls that felt insurmountable—moments where I genuinely thought I might not make it through. Yet somehow, I always figured my way past each obstacle and eventually conquered every challenge thrown at me.

Here’s my honest breakdown of the experience.

My Background

Before diving into the OSWE specifics, some context on where I’m coming from:

  • ~7 years in tech, ~5 in infosec, and 3-4 specifically in offensive security
  • Cut my teeth on external and internal network pentesting, plus WiFi assessments
  • Transitioned into API and webapp testing, then red team operations
  • Currently honing my webapp and AI/ML pentesting skillsets
  • Already hold the OSEP (first leg of the OSCE³ trilogy)

So I didn’t walk into this exam completely green—but the OSWE still pushed me hard.

Prep Resources That Actually Helped

Beyond the AWAE coursework and labs (which should be a given), here’s what I used:

PentesterLab - Secure Code Review Sections

PentesterLab’s exercises in the secure code review track were solid supplemental practice. They expose you to vulnerability patterns across different languages and force you to develop that “code smell” intuition you’ll need during the exam.

PortSwigger Web Security Academy + Rana Khalil’s Material

PortSwigger’s Web Security Academy paired with Rana Khalil’s supplemental content was a killer combo. The key value-add from Rana: she builds out automated Python scripts for each WSA module. This approach translates directly to the OSWE exam format where scripting your exploits is essential, not optional.

The AWAE Exercises and Extra Miles - Don’t Skip Them

I can’t stress this enough: do not overlook the AWAE exercises and extra mile challenges. Yes, some of those extra miles can take a day or two to crack. Yes, it’s frustrating. But completing them goes a long way toward confirming a first-time pass.

That said, I’ll be honest—I don’t think the supplemental resources are strictly necessary. The AWAE coursework does a solid job of fully prepping you for the exam on its own. I just used the extras because I’m forever suffering from impostor syndrome when it comes to webapp pentesting. Your mileage may vary.

On Using AI as a Study Partner

I’ll say this without reservation: I fully endorse using AI to speed up and optimize your study time.

I know some people balk at AI usage for certification prep. I don’t really care. There’s obviously a right way and a wrong way to use it:

The wrong way: Dump questions into ChatGPT, copy-paste responses without actually digesting or understanding the material. You’re setting yourself up for failure.

The right way: If you’re already motivated to learn the material correctly, AI becomes a force multiplier. Use it to:

  • Elaborate on concepts you’re fuzzy on
  • Rewrite your garbage notes into something actually useful
  • Explain code patterns you don’t immediately recognize
  • Generate practice scenarios to test your understanding

My notes are absolutely abysmal by default. I’d bang out what I could during study sessions, then ask AI to either elaborate, rewrite for clarity, or optimize in some other way. Saved me hours of time that I redirected into actual hands-on practice.

Drink responsibly, I guess is what I’m saying.

The Exam Experience

Obviously I can’t discuss specifics about the exam content—OffSec takes that seriously, and so do I. But here’s what I can share:

The 48-Hour Window is Generous

The time allocation gives you more than enough runway to complete everything needed to pass. This isn’t a sprint where you’re racing against the clock from minute one. Pace yourself. Take breaks. Sleep. Seriously—a rested brain finds bugs that a fried brain misses.

It’s a Source Code Review Exam

This is the key mindset shift: there’s no black box fumbling around in the dark. You have the source code. You just need to know the material well enough to read it, understand it, and find the vulnerabilities hiding within it.

If you’ve gone through the coursework, completed the exercises, tackled the extra miles, and taken useful notes—you’ll have everything you need to pass without sweating too hard.

The Walls Are Part of the Process

I hit multiple walls during my attempt. Moments where I stared at the screen thinking “I have no idea how to get past this.” Every single time, stepping away, regrouping, and approaching from a different angle eventually broke through.

The exam is designed to challenge you. Feeling stuck doesn’t mean you’re failing—it means you’re at the part where the learning happens.

What’s Next

With OSEP and OSWE now in the bag, there’s one certification left to complete the trilogy:

OSED - The Final Boss

The OffSec Exploit Developer certification is next on my list to finally claim the OSCE³. After that, I’ll probably take a break from OffSec certs for a while. Their exams are incredible learning experiences, but they’re also mentally exhausting.

Other Irons in the Fire

  • CWEE (CWES now?) - I have an attempt in the works, so I need to start studying for that
  • WGU Master’s in CompSci AI/ML - Still working through this program, currently halfway done

My eyes are definitely bigger than my stomach when it comes to certifications and education. But that’s a problem for future me to deal with.

Final Thoughts

The OSWE lived up to its reputation. It’s not a checkbox certification you can brute-force through—it demands genuine understanding of source code review and web application exploitation. The struggles I faced during the exam made the victory that much sweeter.

If you’re on the fence about attempting it: do the coursework thoroughly, complete those extra miles even when they frustrate you, and trust your preparation when exam day comes.


Want to talk shop?

Whether you’re prepping for the OSWE, considering the OSCE³ path, or just want to chat about webapp security—I’m always down to connect.

Cheers!