Journey to OSEE (beyond Try Harder)

Nice to meet you. I'm Yu Niida from the Cyber Defense Institute, Inc. I recently passed the OSEE certification exam offered by OffSec. Due to its high difficulty, both exam preparation and report writing involved a lot of trial and error. Hoping this experience might help those aiming to obtain OSEE in the future, I've summarized my learning process and journey to get the certification.

It's a bit lengthy, but I'd be happy if this content proves useful to those currently pursuing OSEE or planning to do so.


Introduction

Since this is my first blog post, I'll start with a brief self-introduction.

I'm Niida from the Red Team Group in Cyber Defense Institute, Inc. I work on network penetration testing and Red Team Operations. While my core responsibilities fall under Offensive Security, I occasionally get called in to assist with cases outside my usual scope—like Incident Response for Ransomware Attacks or Compromise Assessment with a strong Defensive Security focus.

I have a strong personal interest in understanding the inner workings, detailed mechanisms, fundamental principles, and the essence of various systems, including the kernel. I find joy in dissecting the behavior and inner workings of a vulnerable program down to the binary level when it is exploited, then optimizing and reconstructing them for various scenarios. This is purely a hobby.

Among programming languages, I prefer Assembly Language and C/C++. While opportunities to code directly in Assembly are rare, I find pure reading of it enjoyable. When coding in C/C++, I often find myself wondering what the resulting machine code will look like after compilation, letting my thoughts wander to the generated binary as I write.

With that, I'll wrap up my introduction and move on to the main topic.

OSEE Certification Summary

The certification I recently passed is the OSEE (OffSec Exploitation Expert) certification offered by OffSec, an overseas vendor that also provides Kali Linux.

OffSec offers various cybersecurity certifications, categorizing them by difficulty level from 100 to 400. Their well-known OSCP (OffSec Certified Professional) certification is classified as Level 200.

Among these certifications, OSEE is the only one categorized as Level 400, making it the most challenging certification in the field of exploit development.

About EXP-401 and the OSEE exam

EXP-401 is OffSec's most challenging and advanced course, designed for experienced penetration testers who are ready to tackle complex exploit development.

The Security Certification Roadmap by Paul Jerimy Media, among others, positions this certification at the top right, indicating that it is widely recognized as one of the most difficult certifications to obtain.

[Image: Security Certification Roadmap]

As a side note, to qualify for the OSEE exam, you must participate in the AWE (Advanced Windows Exploitation) training. This training is offered only on-site because OffSec has determined that, given its difficulty level, students require significant interaction with the instructor to fully understand the material. OffSec describes it as follows:

AWE is a particularly demanding penetration testing course, requiring a significant amount of learner-instructor interaction. Therefore, we limit AWE courses to an in-person, hands-on environment.

I was fortunate enough to receive support from my company through various circumstances, enabling me to attend AWE at Black Hat USA 2024 and gain eligibility for the OSEE exam. While quite some time has passed since then, I hope to share this experience on my blog at a later date.

About OSEE Exam

The OSEE exam is as follows. The technical exam alone spans about three days, making the entire exam a long haul. To pass, you need not only solid technical skills but also careful pacing to manage your physical stamina. As I'll explain later, I completely misjudged my pacing on the final day, which led to a very difficult time from the third day onward, especially during the report submission phase.

  • OSEE Exam
    • Exam duration: 71h 45m
    • Report duration: 24h
    • Number of questions: 2 (50 points per question, 25 points for partial credit)
    • Passing score: 75 points

Additionally, for the technical exam, several hosts are provided for analysis and debugging purposes to solve each problem. You can connect to each provided host via RDP over a VPN, and on that host, you will attempt to analyze the target program and develop exploit code using tools like IDA and WinDbg.

As those familiar with OffSec certification exams will know, this exam is also proctored via webcam and screen sharing.

For additional information regarding the certification exam as a whole, including exam requirements, OffSec has published the EXP-401: Advanced Windows Exploitation OSEE Exam Guide. I recommend that individuals considering certification or planning to take the exam review this guide.

Preparation for Exam

I began studying for the OSEE certification exam in May 2025. As mentioned earlier, I had attended the AWE training at Black Hat USA 2024 to gain eligibility for the OSEE exam.

However, the project I was working on since returning to Japan was extremely busy, and after returning home, I left the material untouched for about eight months.

Since the OSEE eligibility period is only one year after completing the AWE course, I felt a sense of urgency that I couldn't afford to delay any longer when considering the time needed to study.

That's the background behind starting my preparation. The first thing I did when starting my studies was to finalize my exam schedule.

Given my personality, I can't feel any sense of urgency without a deadline, so without overthinking it, I booked my first exam date for the time just before my eligibility period expired, as shown below. At the same time, I completed my paid leave request at work (important).

  • 2025/7/30 9:00 AM (JST)

I had no choice but to face the fact that I couldn't run away anymore, and that's when I decided to seriously develop a learning strategy.

Learning Strategy

Drawing on the wisdom of those who have published OSEE reviews on blogs, I've decided to proceed with my studies according to the following schedule for the OSEE certification exam scheduled for late July.

I've planned two rounds of reviewing the material because the topics covered by this certification are extremely detailed, and I don't believe it's possible to grasp everything in a single pass.

  • May: Reviewing Course Materials (First)
    • Purpose:
      • Gain an overall understanding of exploit development within each module of the text.
      • Listing the unclear aspects of various techniques used in exploit development.
  • June: Reviewing Course Materials (Second)
    • Purpose:
      • Deepening understanding of the mechanisms behind various techniques in the text through hands-on practice
      • Resolve each question listed during the first review of the course materials.
  • First half of July: Reproducing exploit code within the materials
    • Purpose:
      • Get used to developing exploits from scratch on my own.
      • Cultivating the mindset and observational skills required for exploit development.
  • Late July: ExtraMiles Challenge
    • Purpose:
      • Becoming accustomed to trial and error when faced with problems whose solutions are unknown, while incorporating various techniques learned from teaching materials.

Thoughts and Feelings During Exam Prep

I quickly registered the OSEE certification exam date in my schedule, but I knew I definitely lacked overall understanding to pass the exam. Driven by the anxiety that even three months wouldn't be nearly enough time, I started studying immediately.

I generally followed my study plan for exam preparation, but for various reasons—such as troubleshooting malfunctioning exploit code and struggling to grasp the textbook content—my progress fell behind schedule. Ultimately, I ended up taking the OSEE exam with several ExtraMiles remaining unresolved.

Though I was anxious, I decided to focus on the essentials I needed to master. Regardless of the exam outcome, I resolved to complete the remaining ExtraMiles after the exam solely for my own technical development. I shifted my mindset and chose to approach exam day without pushing myself too hard.

Before detailing my experience with the exam, I'd like to briefly note some things I was conscious of while studying and various thoughts I had during the process.

Learning Environment

Occasionally, things may not work exactly as described in the materials, so you'll need to be careful about that. If you encounter such a situation, you might want to visit the OffSec Discord channel, which you'll be invited to upon joining AWE.

The hosts used for OSEE exam preparation are several virtual machines distributed via USB during AWE's on-site training sessions. Typically, you log into these virtual machines and gradually complete the exploit code while analyzing the target program step by step according to the materials. However, occasionally you may not achieve the results described in the materials.

“What would happen if I did this?” “Wouldn't this work too?” I tend to study by deepening my understanding through rather tangential exploration, following whatever ideas come to mind. So when I encountered situations like this during my certification studies, I'd think, “Did I accidentally change a setting somewhere?” and try various fixes, like restoring the virtual machine state from a snapshot. Even then, sometimes things just wouldn't work properly.

That's when I suddenly remembered Discord, which I'd completely forgotten about. I searched to see if anyone else was having the same problem, and sure enough, someone else was stuck in the same way. I'd spent quite a bit of time investigating, but after checking the Discord thread, I found the solution right away. This happened several times.

Things I was aware of

While I'm always conscious of this, as I progressed through the textbook for OSEE exam preparation, I made a conscious effort to verbalize and understand the following points regarding the various techniques used within the text.

  1. What exactly happens inside?
  2. Why does that happen?

The text includes various source code snippets and WinDbg commands. Of course, the OffSec team has meticulously crafted the materials, so simply executing the commands and source code as written will generally allow you to gain a shell at the end of each module. However, I believed that merely following instructions without understanding the underlying mechanisms would prevent you from applying the knowledge effectively, making it difficult to pass the exam.

Therefore, while studying, I always kept the above two points in mind and made sure to thoroughly analyze each technique introduced until I could fully articulate how it worked. (Simply put, I also found it enjoyable.)

Verbalization Training

As mentioned earlier, while studying, I made a conscious effort to thoroughly verbalize the mechanisms behind each technique. To further this verbalization training, I also organized my understanding and trial-and-error experiences in Obsidian. The main purposes of this process are as follows.

  • Thoroughly eliminating the illusion of understanding by putting thoughts into words and preserving them as text.
  • To use as a reference when stuck during the exam.
  • Practice for report writing.

Of course, I placed great importance on the first two points as well, but I also considered them extremely important from the perspective of practice for report writing.

The reason was that I had never had the opportunity to write up findings related to binary exploits, either professionally or privately. Therefore, to complete the report within the exam's limited time, I thought it would be better to have at least a rough idea of what to write beforehand.

I can't clearly quantify how much it helped, but as I'll explain later, while I did struggle quite a bit with the report writing as expected, I didn't agonize much over the actual wording in the report itself. So I believe it must have had some effect, however small.

Exam

As scheduled, the exam commenced at 9:00 AM JST on July 30, 2025. While reviewing OSEE feedback, I noticed reports of exam environment issues causing delays. Fortunately, I experienced no such problems and was able to start the exam smoothly, including identity verification.

Due to confidentiality regarding the exam content, I cannot disclose detailed information. However, I would like to share brief impressions regarding both the technical exam and the report writing component.

Technical Exam

As mentioned above, there were two questions in total. After spending several hours reviewing the information provided at the start of the exam, I decided to begin with the one that seemed easier at first glance.

This is because whenever I feel my progress isn't good enough relative to the time remaining, I panic, my mind goes blank, and my progress worsens—creating a vicious cycle. So I wanted to solve one problem first to feel reassured. The rough timeline is as shown in the table below.

Date and Time       Progress on the first question
2025-07-30 11:00    Commencing vulnerability analysis work
2025-07-31 02:10    Bedtime
2025-07-31 07:30    Wake up
2025-07-31 16:00    Partial points achieved (25 points reached)
2025-07-31 18:00    Perfect score achieved (50 points reached)
2025-07-31 21:00    Evidence collection for the report is complete

I fell down the rabbit hole completely and ended up taking much longer than planned, but I managed to finish one of the problems in about 34 hours after the exam started. Now I could focus all my energy on the remaining problem. Taking a short break, I felt a slight sense of relief inside and began tackling the next problem.

Date and Time       Progress on the second question
2025-07-31 21:30    Commencing vulnerability analysis work
2025-08-01 01:30    Bedtime
2025-08-01 06:00    Wake up
2025-08-01 22:00    Partial points achieved (75 points reached in total)

As mentioned above, the remaining time had dropped below 12 hours, but I had managed to reach the passing score at this stage. I distinctly remember feeling quite relieved at this point, since I'd honestly been worried right up until the exam that I might not be able to solve a single problem. I decided to take a breather here and started thinking about how to use the remaining time.

First, it's certain that I've gathered all the evidence up to this point. It's already the middle of the night. Should I stay up all night aiming for a perfect score, or should I consider writing the report, get some sleep, and then bet on solving the remaining problems with a clear head in the little time left?

After a moment's hesitation, I decided to pull an all-nighter and aim for a perfect score, thinking that since I'd worked so hard to get this far, I might as well go for it. Looking back now, I truly wish I'd just given up.

Date and Time       Progress on the second question
2025-08-02 00:30    Evidence collection for the report is complete
2025-08-02 08:45    Exam time has ended

After pushing through the remaining analysis work, I managed to identify a path that would likely lead to obtaining the shell. However, my consciousness was already fading, and I couldn't consolidate the details into exploitable code. While I was still experimenting, the exam ended.

Report Creation

I had reached a passing score on the technical exam, but after pulling an all-nighter, I was physically and mentally at my absolute limit. Honestly, at that point, the only thing on my mind was that since the policy for retaking the exam after a year had passed since taking the AWE course was unclear, it was a gamble. My plan was to "give up for now and aim for a perfect score on the next attempt."

However, giving up halfway through without seeing things through to the end just wasn't my style. So I decided to push through and finish the report, making sure to submit it properly. With that in mind, I started working on the report.

I was physically exhausted, so even though I couldn't sleep, I lay in bed for about three hours before finally starting to write the report in earnest. Looking at reviews of OSEE by those who came before me, it seemed common enough to fail even with a passing score if the report was insufficient. So, I made sure to be as thorough as possible, paying close attention to avoid any omissions, and simply wrote down everything in detail.

No matter how much I wrote, I couldn't see the end in sight. In the end, I finished the report just an hour and a half before the deadline. The final page count reached 122 pages.

After taking a 15-minute break to avoid mistakes during the final check before submission, I performed one last review and submitted the report. I checked that I had received the Certification Exam Documentation Received email, then fell asleep.

[Image: "Certification Exam Documentation Received" email]

It was the first time I'd pulled an all-nighter since college, and it really made me feel my age. I never want to do that again.

Exam Results

I managed to submit the report, but the score I ended up getting was 75 points—barely passing. Honestly, I wasn't confident I'd submitted a report without any deductions, so I thought passing was hopeless. At that point, my honest feeling was that if I was going to fail anyway, I'd rather get the notification quickly and be done with it.

Reading through various people's reviews, it seemed that OSEE grading generally takes a long time, and some people even mentioned waiting nearly a month to receive their results. So I kept waiting for mine, thinking, “Please hurry up and put me out of my misery...”

My mind gradually calmed down. On the night of August 14th, as I lay in bed and absent-mindedly opened my email, I received the passing notification from OffSec. I was so overjoyed that my mind instantly became wide awake, and I was so excited that I couldn't sleep a wink until the next morning. Even so, I think it was the first time in my life that seeing my own name in an email made me this happy.

[Image: exam result notification]

After finishing the OSEE Exam

Having gone through the OSEE certification exam, I'd like to share a few brief thoughts.

About the Content

This course leaves a strong impression as a well-designed program that systematically teaches a comprehensive range of topics related to Windows Exploit Development. Personally, I had almost no formal experience with binary exploits before taking AWE/OSEE, yet I believe that with dedicated study, I could fully grasp the material. Ultimately, the fact that I achieved certification stands as solid proof of this.

Of course, obtaining OSEE doesn't mean you can immediately excel at the forefront of research or exploit development. However, I find it to be excellent content because it describes the mechanisms of the security mitigations that current Windows versions continue to adopt (DEP, ASLR, CFG, ACG, CET, the browser sandbox, kASLR, kCFG, SMEP, SMAP, VBS, etc.) and the techniques for bypassing them.

Level of Qualification Exams

If someone were to retort, "What does someone who didn't get full marks have to say?", I'd agree wholeheartedly. Personally, though, as long as you grasp what you learned in the AWE training, I didn't find the exam itself particularly difficult. Of course, thoroughly reviewing and digesting the AWE material to ensure you understand it is a prerequisite. But I didn't feel the same sense of unfairness (like "Try Harder" comments) I've experienced in previous OSCP or OSEP exams.

On the other hand, I felt that simply memorizing the textbook content wouldn't guarantee passing. The exam requires you to understand the knowledge learned from the textbook in your own way, abstract it, and then apply that understanding to the test questions. In short, it left me with the impression of a well-balanced, thoroughly thought-out exam.

Regarding the Learning Strategy

First and foremost, to grasp the text content, I had originally planned to refer to the text twice during the study planning phase. However, I honestly felt that the first read-through, intended for identifying questions and clarifying points, was unnecessary.

This is because the text content is extremely complex, and it's often difficult to visualize the internal processing taking place without actually running it. Honestly, I feel I didn't achieve the results I had hoped for.

Next, as our predecessors have said, I feel I should have dedicated more time to tackling ExtraMiles. While I can explain the text content to someone else after reading it a few times, I was reminded that when it comes to building the same thing from scratch on my own, my hands move much slower than I imagined.

Of course, a thorough understanding of the text is a necessary prerequisite, but I also believe that the period of trial and error spent solving ExtraMiles was equally important.

The anxiety I always felt

The anxiety I constantly felt since starting exam preparation stemmed primarily from my own lack of experience with binary exploits. The FAQ for OffSec's EXP-401: Advanced Windows Exploitation states the following:

Learners should have experience in developing Windows exploits and be proficient in operating a debugger. Familiarity with tools such as WinDBG, x86_64 assembly, IDA Pro, and basic C/C++ programming is highly recommended. A strong willingness to work and dedicate real effort will greatly aid in success in this security training course.

When I compare my own background at the start of my studies with the technical elements mentioned above, it looks something like this.

  • x86_64 Assembly
    • In my private life, I've dabbled in reading and writing here and there. Reading itself doesn't bother me at all—in fact, I find it enjoyable.
    • However, you must be prepared to battle eye strain later on.
  • C/C++
    • I can design and code while being conscious of the machine code generated after compilation and memory.
  • IDA Pro
    • I've used it for work and hobbies, and I have no issues with the basic usage.
  • WinDbg
    • I've used it several times on projects, so I have no issues with the basic usage.
    • I can't handle complicated commands or intricate usage.
  • Windows Exploit Development
    • If it's basic content like stack-based buffer overflows, I've written exploit code for OSCP.
    • I have no experience exploiting heap-based buffer overflow vulnerabilities or developing exploits using techniques such as ROP.
  • Certifications
    • OSCP (OffSec Certified Professional)
    • OSEP (OffSec Experienced Pentester)

As mentioned above, I had almost no experience with Windows Exploit Development. With only about three months left, I couldn't see a path to reaching a level where I could pass the exam. When I started studying, I felt truly hopeless inside.

Now that I've passed, when I reflect on how I managed to get to this point, I personally think the following two factors were probably the most significant.

  1. I've always had a strong interest in various binary layer technologies, so overall, I was able to continue learning while enjoying it.
  2. I had previously dabbled in system programming with a few reference books in hand.

For those aiming to obtain OSEE certification, this might seem obvious, but I think it was significant that I could enjoy learning about binary layer technology without any particular aversion. Had I felt even a slight aversion here, I would likely have given up midway and never even reached the stage of taking the exam.

I can't say anything too irresponsible, but if you can enjoy the ins and outs of this particular layer, I think you could achieve good results with OSEE even if you're a bit unsure about your experience.

How to Apply the Techniques Learned in OSEE

As many individuals have already noted in their OSEE reviews, I believe the various techniques and ways of thinking learned through AWE/OSEE extend far beyond penetration testing alone and can be applied to numerous fields. For example, these include the following areas:

Red Team Operations

In red team exercises, it is not uncommon to develop simulated malware, loaders, and other programs. When creating such tools, it is essential to design and build the programs to operate while bypassing detection by security products like AV/EDR.

In such cases, the ability to analyze security products and gain a more accurate understanding of how their detection logic works is considered highly advantageous when devising bypass methods.

Furthermore, while we have not yet reached the stage of actual verification, we believe that several exploit techniques learned through OSEE are likely to be effective as-is in enabling simulated malware to bypass security products' detection logic.

Threat Hunting

As is widely known, threat actors prevalent in the world may attempt to infiltrate systems by exploiting known vulnerabilities for which proof-of-concept exploits have not been publicly released on platforms like GitHub.

Typically, creating detection rules for exploits targeting such vulnerabilities is no easy task. However, I believe that being able to develop proof-of-concept exploits yourself, relying on limited publicly-available information about known vulnerabilities, is extremely helpful for investigating and understanding the traces left behind when the vulnerability is exploited, and for creating detection rules.

Malware Analysis

The analytical skills cultivated through OSEE using tools like IDA Pro and WinDbg can be described as the ability to understand the behavior of programs running on Windows in detail.

This skill is not limited to merely finding and analyzing program vulnerabilities; I believe it can also be useful for analyzing various malware running on Windows. Furthermore, I think the results of malware analysis can be utilized in the security field in various ways, such as blog posts and conference presentations, investigations during incident response, and developing sophisticated simulated malware for red team exercises.

Conclusion

From the start of studying to passing the exam, it was a period where I was relentlessly pushed to exceed my limits. However, despite the hardship, I personally gained a tremendous amount, and since I was able to immerse myself completely in the world of binary, it was an incredibly enjoyable and deeply satisfying time.

One thing I'd like to mention, which is also reflected in my blog title—“I wanted to try harder”—is that I deeply regret not reaching my full potential. I had the chance to score perfectly, yet I ended up finishing the exam without achieving that goal. I finished the OSEE challenge with this lingering feeling, like something was left undone. This feeling has only grown stronger day by day since receiving the exam-passing notification.

Whenever I confide in people, they get really annoyed and tell me I'm “too negative.” So now I've resorted to consulting AI (Gemini) every single day. I want to keep honing my technical skills, reflecting on where my understanding fell short, so that someday I can finally put this lingering regret behind me.

Moving forward, I'd like to leverage the skills I've acquired through OSEE to venture into vulnerability research work. However, I also have a backlog of various ideas I came up with during my study period that I want to implement as tools, plus a significant number of programs I want to analyze. I plan to gradually work through these and produce outputs.

Well, this has turned out to be quite long, but thank you for sticking with me to the end. I hope this content proves useful to you in some small way.

© 2016 - 2025 DARK MATTER / Built with Hugo / Theme Stack designed by Jimmy