Try Harder, Get Smarter

A teacher’s journey through the OSCP exam

Mike Benich
Mar 25, 2016

If you can’t explain something to a first year student, then you haven’t really understood it. - Richard Feynman

I love a good challenge. Maybe some would consider me a glutton for punishment, but there’s something that I find extremely satisfying about struggling with a problem until something clicks. When that something clicks, the Eureka! moment is well worth any amount of pain and suffering experienced earlier. In my daily life as a Physics teacher, I wanted my classroom to impart the same type of feelings that made me fall in love with Physics in the first place - challenging yet rewarding.

With that in mind, I was thrilled when several students approached me about learning programming. Well - actually, they asked me how they could learn to hack. I could instantly relate, as my interest in information security was first piqued by the idea that I could cheat in Counter-Strike 1.6.

We started with the CyberPatriot competition, a blue-team, defense-oriented challenge for high schoolers. This led to practicing CTF challenges. The next thing that I knew, we had the bug for infosec, myself included.

I never wanted to be an out of touch teacher. Some of the worst teachers I had in high school were those who were disconnected from their content area, merely punching in a paycheck and portraying the same old boring lesson plans that had been out of date since the 1980s. I knew very soon that I’d have to expand my knowledge base if I wanted this club to continue.

On my own I started to do independent research. I went to local meetup groups. I watched conference videos online. I reached out to pentesters in the field looking for help to grow our program. I asked them point blank, “What certification should I look at to find out more about pentesting?”. The overwhelming consensus? The OSCP.

I was told it was a monster, and it was. I was intimidated from the get-go. I had an undergraduate degree in Physics and Computer Science, so I spent a lot of time studying optimization algorithms but never dived too deeply into assembly code. When I logged into the VPN for the first time, I realized that it truly was a hacker’s playground. There were so many devices connected, so many different operating systems, so many obscure platforms that I had never heard of before. While I learned a lot about each of these new technologies, the biggest takeaway I got from the course wasn’t technical at all.

Part of the reason that I took the OSCP course was its unique approach to self-directed learning. As part of my education coursework, I learned that students need to be actively engaged in the material in order to truly master a content area and remember it long-term. Mentally I recognized this to be true, but I never really fully appreciated it until I turned the tables and experienced it for myself.

One of the best things about the course was the self-pacing. I could work on the modules in any order at any time. I could break the material up into manageable chunks and be able to instantly practice the skills that I learned in the lab. At the same time, it wasn’t just a set of unrelated topics. Everything was organized in such a way that skipping around the book actually helped me connect the dots for the lab challenges. I didn’t just practice the materials in the lab though — I tried to create my own. Since my original impetus for undergoing the course was to develop my Information Security Club, I had the unique opportunity to take the modules and turn them into mini-demos with the help of virtual machines. In this way, I was able to both share my knowledge with students and really audit my understanding. I had to be able to grasp the mechanics both inside and out in order to be able to fend off thoughtful questions from my students. Just like Feynman said, I never really understood it until I was able to explain it to a group of high schoolers.

My students and I know very well how standardized tests work. I teach students who have mastered the art of rote memorization and regurgitation for a wide array of state and national assessments. However, at the end of the day the content is transient and does not necessarily reflect true understanding. This parallels the current world of tech certifications, where people can memorize definitions, acronyms, and policies without an understanding of how it all fits together. After my experience with the OSCP, I can safely say that it is not like any standardized test that I have ever taken. I did not have to practice my flashcards to prepare for the exam. In fact, the entire exam is technically open book and open internet. The people at Offensive Security do a great job of not letting you get away with just knowing the What about topics, but instead force you to delve deeper and experience the Why and the How of all the interrelated parts.

If you were to visit my classroom today, you would not see a list of terms to memorize on the board or a straightforward set of plug-and-chug problems. Instead, you would see students working on very challenging high-level problems that require critical thinking and deep application. I no longer give students the answer right away, but I instead nudge them gently in the right direction, just like the “help” available from the Offensive Security staff. Is this frustrating to some students? Absolutely. But I have now personally experienced the simple truth that learning is directly correlated with effort. I put myself in the trenches and trudged out tired, exhausted, and proud of my accomplishment. The OSCP totally changed my perspective on learning and I have already seen an attitude shift in many of my students as well.

It’s more than just a certification. It’s a paradigm shift in the way I think about teaching and learning. My students and I are no longer afraid of difficult problems because we have now internalized the concept of “trying harder” to get smarter. We have learned in a firsthand way that if it doesn’t challenge you, it doesn’t change you.

As for me? I can safely say that I’ve been changed for the better.

Mike Benich

Physics geek. Security researcher. Former educator. Blog posts do not necessarily reflect the opinions of my employer.