OSED Review - Stacks and Stacks and Stacks
I. Foreword
Same disclaimer as last time. This is not a clean, well-mannered cert review. It’s a mix of rant, personal update, technical breakdown, and whatever else I feel like dumping on the page. If you want to skip the warmup and jump straight to the meat and potatoes, feel free.
If you read the previous recap where I went through CRTO, OSEP, and CPTS, the format here will feel familiar. If you didn’t: I closed out 2025 with three certs in six months, said I’d take a couple of weeks off to play videogames, and then, predictably, did not.
II. Introduction
OSED had been sitting on my shortlist for a long time. Anyone who goes through OffSec’s pentesting track eventually ends up staring at the EXP catalog and feeling something between curiosity and quiet dread, usually closer to dread. The cultural framing around exploit development does not help. There’s a persistent idea, especially among people who have never written an exploit, that this is where the actual hackers live and everyone else is just clicking buttons in Burp. I don’t buy it, but I’ve heard it said enough times that I’d probably absorbed some of it without noticing.
I started the course in late February. Three weeks of videogames had turned out to be more than enough and I was getting restless. I thought I was reasonably well prepared. I’d done a fair amount of low-level work outside of certifications, some reversing, some shellcode reading, the occasional dive into Windows internals when an engagement demanded it, so I expected the first few modules to feel familiar. They did, for about ten hours. After that it became clear that OSED is not a course about low-level work in the general sense. It’s a course about one very specific dialect of it, Windows user-mode exploit development from roughly the late 2000s through the mid 2010s, and that dialect has its own grammar you have to learn even if you already speak the language.
I spent roughly 260 hours on the material, finished all the labs and all the extra miles, scheduled the exam, and passed. The exam went structurally well, though my body was not thanking me by hour 40. More on that later.
III. OSED - The Actual Cert
The Good Course
OSED is the third leg of OffSec’s OSCE3 bundle, alongside OSEP and OSWE. OSEP teaches you to move through a network the way a red teamer does. OSWE teaches you to attack web applications the way an auditor does. OSED teaches you to write exploits the way someone in 2012 would have written them. That last part isn’t a complaint, but it’s worth saying out loud, because the course never quite says it itself, and a lot of the frustration I’ve seen posted online seems to come from expecting something closer to the frontier.
The material covers, broadly:
- Stack-based buffer overflows. Not the textbook strcpy examples, but real applications with real protections to think about.
- SEH-based exploitation. The structured exception handler dance, pop pop ret, the usual.
- Egghunters. Building them, tuning them, using them when the primary buffer is too cramped to fit anything useful.
- Custom shellcode using the Keystone engine. By a WIDE margin the most boring stretch of the course. It took me eight sittings to get through and I genuinely considered skipping the extra miles.
- Reverse engineering with IDA Free. Static analysis, identifying vulnerable code paths, mapping out structures, the usual reversing workflow.
- Format string vulnerabilities. Read primitives, write primitives, chaining them into something useful.
- ROP. Chains for VirtualProtect, VirtualAlloc, WriteProcessMemory, gadget discovery with ropper, and the slow, almost meditative process of stitching the chain together one gadget at a time.
- DEP and ASLR bypass. Information leaks, partial overwrites, the standard bag of tricks for dealing with mitigations from this era.
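Since the list above keeps coming back to which protections a target binary was built with (DEP, ASLR, SEH handling), here is an added example, not code from the post or from the OSED course, of the check an auditor runs first: a small pure-Python reader for the PE optional header that reports the linker-time mitigation flags. The sample header it parses is constructed inline; the helper names (audit_pe, build_sample_header, missing_mitigations) are my own, the flag constants are the standard winnt.h DllCharacteristics values.

```python
# Added example (not from the post or the OSED course): a minimal PE header
# reader that reports the linker-time mitigation flags a Windows binary carries.
# Covers DEP/NX, ASLR, SEH usage and CFG, so you can spot which modules in a
# process give up those protections. Standard library only; no pefile needed.
import struct

# DllCharacteristics bits from the PE/COFF specification (winnt.h names).
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # ASLR opt-in (/DYNAMICBASE)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # DEP opt-in (/NXCOMPAT)
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image registers no SEH handlers
IMAGE_DLLCHARACTERISTICS_GUARD_CF = 0x4000       # Control Flow Guard

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def audit_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> optional header; return the flags."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")

    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    coff = e_lfanew + 4
    machine, _, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 0x48:
        raise ValueError("optional header too short to hold DllCharacteristics")

    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        (image_base,) = struct.unpack_from("<I", data, opt + 28)   # 32-bit ImageBase
    elif magic == PE32PLUS_MAGIC:
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)   # 64-bit ImageBase
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")

    # DllCharacteristics sits at +0x46 in both PE32 and PE32+ optional headers.
    (dllchars,) = struct.unpack_from("<H", data, opt + 0x46)
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "dep": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr": bool(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "high_entropy_va": bool(dllchars & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
        "no_seh": bool(dllchars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
        "cfg": bool(dllchars & IMAGE_DLLCHARACTERISTICS_GUARD_CF),
    }


def audit_file(path: str) -> dict:
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as fh:
        return audit_pe(fh.read())


def missing_mitigations(report: dict) -> list:
    """Names of the protections the binary was linked without."""
    wanted = ["dep", "aslr", "cfg"]
    if report["pe32plus"]:
        wanted.append("high_entropy_va")   # only meaningful for 64-bit images
    return [name for name in wanted if not report[name]]


def build_sample_header(dllchars: int, pe32plus: bool = False,
                        image_base: int = 0x00400000) -> bytes:
    """Constructed test input: a bare PE header (no sections) carrying the given
    DllCharacteristics. Only the fields audit_pe() reads are filled in."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    machine = 0x8664 if pe32plus else 0x014C        # IMAGE_FILE_MACHINE_AMD64 / I386
    opt_size = 0xF0 if pe32plus else 0xE0
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 0x46, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # A 32-bit image linked with /NXCOMPAT but without /DYNAMICBASE: the loader
    # cannot relocate it, which is exactly what an auditor wants flagged.
    legacy = audit_pe(build_sample_header(IMAGE_DLLCHARACTERISTICS_NX_COMPAT))
    print(f"image base {legacy['image_base']:#010x}, missing: {missing_mitigations(legacy)}")
```

Point audit_file() at the modules loaded by a lab target and the ones that come back with "aslr" in the missing list are the fixed-base modules the course spends so much time on; on a system you defend, the same list is the set of binaries to relink or replace. SafeSEH is deliberately not reported here, because it lives in the load configuration directory rather than in DllCharacteristics and needs a section walk to locate.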
The thing I want to flag here is the pedagogy, because OffSec earns credit for it. Nothing in this list is taught as a trick. You’re shown the bug, walked through why it’s exploitable, made to do it yourself, and then, in the next module, handed roughly the same scenario with one less convenience or one more mitigation. The course never lets you sit comfortably with a technique for long. By the end you’ve learned the techniques, and more usefully, you’ve learned the order in which they tend to fail.
The course is also dated, and it’s worth being upfront about that. The target binaries feel like they were chosen around 2017 and have not been seriously refreshed since. You are not exploiting CET, you are not dealing with CFG in any meaningful way, and you are not touching the kernel. The techniques you learn are still the scaffolding for anything more modern, but if you went in hoping the course would deposit you somewhere near the current state of the art, you’d walk out frustrated. It won’t. It leaves you with a solid grasp of the era it actually covers, and catching up to the present is entirely your problem.
The toolchain is mostly WinDbg for dynamic analysis, IDA Free for static, Python with pwntools for scripting, with Keystone and ropper as supporting cast.
WinDbg specifically is something I’d recommend getting comfortable with before the course rather than during it. Its command syntax is its own small language, and trying to learn it under the pressure of a 48-hour exam is genuinely miserable. I spent a few weekends earlier this year just sitting with WinDbg and some crash dumps, poking at access violations until the !analyze -v output stopped looking like noise, and that paid off later in ways I had not planned for.
The Discord community around OSED was better than any other OffSec cert community I’ve been around, although to be fair anything from Zero Point still completely outclasses OffSec in this regard, hahahaha. Shoutout to ApexPredator and SoFluffy, the threads I dug through from them saved me hours on at least three different stuck moments.
The Ugly Exam
The exam is three challenges and you need to clear two to pass. I cleared the first two, did not bother with the third, and went to sleep. The honest version of how this went is that I did not plan any of it.
I sat down Saturday noon expecting to grind. OSCP and OSEP I’d both finished in a little under 20 hours, so I came in assuming OSED would compress the same way. Within about an hour I realized that was going to break me.
So a strategy emerged on its own: every thirty minutes, every cleared objective, every time I caught myself rereading the same disassembly for the third time without taking in anything new, I got up. Walked around the apartment, smoked, made coffee, refilled the water bottle, looked out the window. By the end of the 48 hours I’d been through most of a pack of cigarettes and twenty capsules of coffee. I would not call any of that calm. The cadence was disciplined. I was not.
The thing that made the constant breaks work, and I don’t think this gets said enough, is that binary exploitation has a property where uncertainty collapses fast once you commit. You find the offset, the overwrite shape is mostly decided. You confirm the overwrite, the ROP chain has maybe three plausible shapes left. You pick a chain, the gadget search becomes a finite, bounded problem instead of an open field. The work itself doesn’t get easier, but the space of things you’re uncertain about shrinks fast, which means you’re almost never genuinely stuck for long. You’re just doing the next obvious thing slowly. Once I recognized the pattern, I started treating the breaks as the actual mechanism. I step away, the next move clarifies itself in my head while I’m waiting on the coffee or doing the dishes, I come back and execute. Repeat.
After about 26 straight hours of grinding and listening to SoundCloud oldies, I passed. I passed! I passed. It was finally over. At that point I was too tired to even think about writing the report (more like polishing it, since I’d been taking notes and screenshots of everything), so I ended the exam, hopped into Battlefield V, and wasted away until night, when my angel of a girlfriend arrived just in time to see me goblinish-ly sitting in front of the PC.
It was the calmest OffSec exam I’ve taken in terms of pacing, by which I mean the pacing was calm, not me. Which is funny, because OSED has a reputation as one of the hardest, and because my actual physiological state was anything but. Most of that reputation comes from people white-knuckling it instead of treating it like normal work. The course quietly teaches you patience as a byproduct, and the exam is mostly a test of whether you noticed.
Worth doing? If you genuinely enjoy debugging, if reading disassembly doesn’t make your eyes glaze over, if spending eight hours chasing a bad offset sounds kind of fun rather than miserable, then yes, you’ll get a lot out of OSED. If any of that sounds like torture, this is not the cert for you. Exploit development is a taste, and pretending otherwise is one of the more annoying tendencies in offsec culture. Ninety-nine percent of cybersecurity professionals could live and die a very fruitful life without ever touching a single line of x86 assembly.
With one caveat: do you want to be OSCE3? Then you do it. In my case, it’s not that I care much about Windows x86 binary exploitation, and it’s not really the title either. I wanted it, so I pursued it. The reasons show up afterward, if they show up at all. More and more I catch myself poking at that wanting, looking for the engine underneath it, and not finding much. But the wanting was enough, the doing followed. It’s been fun.
Would I take it again? Once is enough. The fundamentals are solid now, and the parts of modern exploit development OSED doesn’t cover are exactly the parts I want to spend the next year on. CET, CFG, kernel exploitation, browser internals, that whole side of the field.
The Uglier Take-Away
Price-wise, OSED came in at the usual OffSec premium, 1,750 dollars, which puts it in the same uncomfortable bracket as OSEP.
Here’s where I land, and my position is a little different from what most OSEP/OSED reviews say. I live in Brazil. The local higher education situation is, to put it politely, complicated. My own degree is in Information Security Technology (Remote), roughly the lowest-prestige flavor of higher education you can get here outside of straight-up diploma mills. No company I’ve ever wanted to work at has cared about that degree in the slightest. I’m finishing it because: 1. the marginal effort is close to zero, 2. I still have a mom and a mother-in-law to convince that I won’t become a hobo in the near future, and 3. a checkbox is a checkbox.
So in my financial planning, good certs replace what a respectable university would have cost me, in money and in years. I treat the OSCE3 bundle, OSEP, OSWE, OSED, as a deliberate substitute. A fixed chunk of my income every month is earmarked for it. Might not be the smartest decision but ayy, it works, right? I’m very content with my life.
None of this makes OffSec’s pricing fair in any objective sense. It isn’t. They’re a near-monopoly in their slice of the market and they price like one. But for someone in my situation the math works, and I’d rather pay them than spend another four years grinding a master’s in some half-functional Brazilian program just to add a line to my resume.
Recommendations
Below are some of the materials, scripts, and other resources I used to prepare for the exam:
A quick note on prerequisites: OSED expects you to be functional in x86 assembly, comfortable with Python, and at least passingly familiar with debuggers. Knowing your way around WinDbg specifically works wonders during the course. If any of those three is missing, fill the gap before the course, not during it. The material is dense enough that you don’t want to be learning prerequisites in parallel.
| Study Resources | Review |
|---|---|
| OSED Course Materials and Extra Miles | Do all of them, I cannot stress this enough. Skipping extra miles in OSED is worse than skipping them in OSEP because the techniques are cumulative. Caveat: I did skip one, the one the course itself flags as the hardest, because there was a birthday party on the day I was supposed to attempt it. I still passed, so apparently it was fine, but do as I say, not as I did. |
| Course Labs | Mandatory. Each lab builds on the previous one, and the difficulty curve is well-tuned. Don’t just get the shell, understand the chain and rebuild it from scratch if you have to. |
| Corelan Team’s Exploit Writing Tutorials | Older than dirt at this point, but still the best free resource for stack overflow fundamentals. If you’ve never written an exploit before, read parts 1 through 5 before even starting OSED. |
| pwn.college | More Linux-focused than OSED, but the binary exploitation modules are excellent for building intuition. The course skipped this entirely, but I worked through some of it on the side. If you’re not familiar with x86 ASM or debuggers at all, start here. |
| bmdyy’s QuoteDB and Signatus | QuoteDB is exceptionally good practice. Signatus almost broke me out of frustration, which was entirely on me since it’s more script-dependent than I expected going in. Both are still good practice after the course and before the exam. |
IV. Reflections on the Year So Far
Not much worth saying. I went to RSA earlier in the year, which was nice, getting wasted overseas is a particular kind of pleasure I can recommend. Apart from that the year has been mostly calm. I changed jobs very recently and am now back to a full-time red team operations role, so my cortisol levels are at an all-time low and I feel good and happy most of the time.
The other thing worth mentioning, less an event than a slow accumulation, is that I now have a small group of offsec friends who live close enough to actually see in person. One I’ve known for six years, before either of us was doing any of this seriously. One I met at my first job, and she is probably the sole reason I persisted through the first few months. A few are former colleagues who somehow kept being friends after the job that introduced us stopped existing. One is a guy I met at a conference in Argentina last year, only to find out he lives a few minutes away from me back in Brazil, so we became bros. The pattern I’ve noticed is that nice people pull other nice people closer, and once that starts happening the group stops needing maintenance. It just keeps compounding.
A few more I only know through Discord, also from that same Argentina trip, and we chat through the week. After a long stretch of doing this work mostly alone, having people I can talk technobabble with, in person over a beer or in chat at two in the morning, is genuinely one of the best things about this year. Go out, touch grass, make friends. It really does make everything more fun.
Thanks for reading.