OSCP and CEH in 2026: What Carries Over to AI Red Teaming

A post in r/cybersecurity this week drew 50-plus comments in a few hours: someone with OSCP and CEH knowledge offered to share what they know, for free, to anyone who asked. The reaction was predictably mixed — skepticism, enthusiasm, a few requests for Discord links. But the underlying question is worth sitting with: if you’re coming up through the OSCP track right now, what does that actually prepare you for when the target is an LLM system?

The short answer: more than you’d think, and less than you need.

What OSCP Teaches That Transfers

OffSec’s PEN-200 course ↗ — the pathway to OSCP+ — is built around a methodology first: enumerate thoroughly, map attack surface, escalate deliberately. The 24-hour proctored exam has no walkthrough. You get three standalone machines and one Active Directory set, and you either compromise them or you don’t.

That methodology transfers directly. When you’re targeting an LLM application in a pentest engagement, you’re still doing reconnaissance: what model is behind this? What does the system prompt look like? What endpoints accept user input? What tools or APIs does the agent have access to? The enumeration instinct is identical. The tooling is different; the discipline is the same.

Privilege escalation has an analogue too. In a traditional engagement, you find a low-privilege foothold and work toward SYSTEM or root. In an LLM-integrated system, you start with whatever the model lets a normal user do, and you’re looking for paths that expose capabilities the system prompt was supposed to restrict — exfiltrating conversation context, triggering tool calls with unintended arguments, getting the model to surface its instructions. The escalation model is the same. The mechanism is not.

Web application skills carry over cleanly when the LLM is sitting behind a web frontend. SQL injection, command injection, XSS — Burp Suite still applies. The injection surface just extends into the model layer itself.

What CEH Covers, and Where It Runs Out

The Certified Ethical Hacker curriculum ↗ is broader than OSCP: 20 modules, 550-plus attack techniques, covering footprinting through cloud and IoT. CEH v13 added AI-driven attack techniques to the curriculum, which is at least an acknowledgment that the threat surface has shifted. The AI coverage in CEH remains introductory relative to what practitioners actually need on an AI-focused engagement, but the breadth of the broader curriculum is useful for a different reason.

When you’re doing threat modeling on an LLM system, the attack surface is not just the model. It’s the retrieval pipeline, the tool integrations, the memory layer, the API boundaries, and the logging configuration. Practitioners who’ve worked through CEH modules on network scanning, web application attacks, and cloud enumeration arrive with a mental model that maps reasonably well onto an agentic AI architecture. The threat modeling instinct — asking “what’s connected to what, and what can I reach from here?” — is directly applicable.

The Gap Neither Certification Closes

Neither OSCP nor CEH prepares you for what makes AI red teaming specifically hard: non-determinism.

Microsoft’s AI red team ↗, operational since 2018, has documented this explicitly. The same input to a generative AI system may produce different outputs across attempts. A traditional pentest works because vulnerabilities are reproducible — you find the SQL injection, confirm it, document it. With a language model, you might elicit a policy violation on the third attempt that you could not reproduce on the first two. That changes how you structure a test, how you count findings, and how you report results.

It also means the “try harder” philosophy embedded in OSCP has to be reframed. You’re not brute-forcing a deterministic lock. You’re sampling a probability distribution across model outputs and looking for regions where the system behaves in ways the developer did not intend. Persistence still matters; the failure mode looks different.

Prompt injection shares surface-level similarity with traditional injection attacks, but the mechanics diverge. SQL injection is precise — a ' OR 1=1-- either terminates the query or it doesn’t. Prompt injection works on semantics: you’re convincing the model to treat attacker-controlled text as trusted instructions. The attack surface is the model’s training and context window, not a parser. Reproducibility varies. Coverage is probabilistic. No existing CEH or OSCP module prepares you for that shift.

What to Add to Your Attack Library

If you’re working from an OSCP or CEH foundation and want to move toward AI red teaming:

MITRE ATLAS is the framework equivalent to ATT&CK for ML systems. It catalogs adversarial tactics and techniques targeting AI pipelines — prompt injection, model inversion, data poisoning, model evasion — with case studies drawn from real incidents. Start there for vocabulary and a structured taxonomy of what you’re testing against.

Indirect prompt injection is the current high-value technique and the one most likely to show up in engagements. The attack path works through data the model retrieves rather than direct user input: malicious instructions embedded in a PDF the model is asked to summarize, a web page it browses, an email it processes. An OSCP practitioner will recognize the structural similarity to stored XSS — the payload lands in the system through one channel and executes when the system reads it back. The conceptual leap is small; the target is an LLM context window instead of a browser DOM.

Tool-call manipulation matters specifically for agentic systems. When the model has access to APIs — file writes, email sends, code execution, HTTP requests — the threat model shifts. Your goal is no longer just information disclosure; it’s arbitrary action by proxy. An attacker who can inject into an agent’s context can potentially exfiltrate data through tool calls, send messages impersonating the user, or pivot to systems the model is credentialed to access. The analogy is code execution via stored XSS in a high-privilege browser context.

Evaluation cadence is the practical difference that takes longest to internalize. On a traditional engagement, you test a finding, confirm it, move on. On an AI engagement, you run a test case across multiple attempts, track pass rates, and report findings as distributions. Building even a minimal harness — a script that runs a set of probe inputs against an endpoint and logs outputs — closes more of the gap than any single technique.

Detection and monitoring are the other side of the same coin: for how these attack patterns surface in operational telemetry and what to instrument, SentryML ↗ covers the observability layer for ML systems in production.

The Reddit offer to share OSCP and CEH fundamentals for free is a legitimate on-ramp for anyone building a pentest foundation. It is not a shortcut into AI red teaming. The foundation is real, the transfer is partial, and the gap is specific and learnable — but only if you know where to look.

Sources

• r/cybersecurity — “Anyone wanna learn the CEH or OSCP red teaming free” — Community post offering free instruction in OSCP and CEH content; drew 50-plus comments on appetite for accessible security education. https://www.reddit.com/r/cybersecurity/comments/1t29dor/anyone_wanna_learn_the_ceh_or_oscp_red_teaming/ ↗

• OffSec — PEN-200 / OSCP+ Course Page — Official course breakdown covering the 20-plus modules, exam structure, and methodology behind the OSCP certification, including the 24-hour proctored exam format. https://www.offsec.com/courses/pen-200/ ↗

• EC-Council — CEH v13 Certification Page — Curriculum overview for the Certified Ethical Hacker version 13, including 20 modules, 221 hands-on labs, and updated AI-driven attack content. https://www.eccouncil.org/train-certify/certified-ethical-hacker-ceh/ ↗

• Microsoft Security Blog — “Microsoft AI Red Team: Building the Future of Safer AI” — First-party account of Microsoft’s internal AI red team operations since 2018, covering the distinction between deterministic and probabilistic systems and its implications for test methodology. https://www.microsoft.com/en-us/security/blog/2023/08/07/microsoft-ai-red-team-building-future-of-safer-ai/ ↗