Rift Walking: My Journey towards OSAI

I was going through some old stuff and found a printout of my first offensive security course.

OSCP. Pre-2020. Back before the learn portal, before the beautiful new website, before the e-commerce. Old school. When you signed up, you got a VPN key, some instructions, and a PDF. That was it. I could probably dig up the email, maybe I will, but what I found was the PDF itself. A giant document that I had bound in a record jacket, like a vinyl sleeve, so I could carry it around.

I carried that thing everywhere. It is CRAZY that I still have this laying around...this was my constant companion in the beginning. It's a seed. This was the first piece of knowledge that I really valued to the point that I had to have it with me in disconnected environments. From this single certification, all the others were possible. That's CISSP, GXPN, IDOT, GPEN, GCIH...Black Hat labs, community workshops, meetups, everything pretty much. This printed PDF is that seed.

I was living in Europe at the time, working for the government. My time was not my own. Long days. The kind of work where hands-on keyboard practice doesn't happen until you get home, and getting home means 6 PM if you're lucky. Eat dinner. Hang out with my wife and kids for a bit. Then head to the office and try to crank out the things I'd been studying during the day, riding buses, waiting for things to happen, that bound PDF always with me.

I failed the OSCP.

And I failed again. And again. And again.

Not because OffSec is bad. Because they're really, really good. When you're trying to break into the world of highly technical work with niche technologies, it helps to have effort, good troubleshooting methodology, persistence, and the confidence that comes from knowing you've solved difficult problems before. Offensive Security does an excellent job of giving you difficult problems. That's the whole point. That's why when you sat for anything and you were an OSCP, it carried weight. It was a real attrition cert. The forums were not what they are today, and you really had to brace for the 'try harder' that could break your will to solve the problem. It was not for beginners, and if you thought you were hot stuff, well they would cool you off real quick with the constant skill check.

I just couldn't clear the bar.

Here's the thing though. Choosing OSCP as my entry point into this world was one of the best decisions I ever made. I didn't know that at the time. I just picked the hardest door in the building and kept running into it. But everything I learned failing that exam, the methodology, the enumeration discipline, the way OffSec forces you to actually understand what you're doing instead of just following a recipe, all of that became the foundation for everything that came after. I set myself up for success by choosing the path that made sure I failed first.

OSCP is a good cert. It taught me methodology. It taught me enumeration discipline. It forced me to understand what I was doing instead of following recipes. But I'm not part of the crowd that thinks it's the ultimate bar. I've done harder things since. Hack The Box Omniscient was a brutal skill check that I just chased like a zombie because the game was fun. Both platforms provided great environments with real complexity, chained techniques, lateral movement across trust boundaries. That's the kind of work that actually prepares you for engagements.

Certs matter. They prove baseline competence to people who need that proof. But the work is what makes you good. Red team operations at the highest classification levels. Adversary simulation for organizations that don't accept excuses. The kind of engagements where methodology and persistence matter more than any logo on your resume.

And now OffSec releases OSAI. A brand new certification covering AI and machine learning security. The kind of thing that sits right at the intersection of everything I've been building for the last year. And they give me early access.

That bound PDF in my hand right now is a reminder that trying hard matters. All those hours sitting on the bus to and from work, reading this thing, trying to look stuff up on my lowest tier vodafone. It sucked, but those were good days. I feel that fire again. That desire to try and cross the horizon at velocity, it is in my chest again.

Everything circles around if you keep moving.

If you're reading this and you're grinding through something right now, some cert, some skill you can't crack, some bar that keeps moving, here's what I know after 20 years of this: the grind is the education. Not the exam. Not the PDF. The hours you spend failing are the hours that build the methodology that carries you through everything after.

Get the cert. Do the work. But don't confuse the credential with the capability. The people who are actually good at this job didn't get good because they passed an exam. They got good because they kept pushing on the door until it opened, and then they found the next door.

One more thing.

I have a 16-year-old daughter. She teases me about the OSCP. I watched this kid fire off a buffer overflow with remote code execution against a program she was messing with the other day, just casually, like it was nothing. She's a brainiac. She's fearless. And she's trying to strategize a way to get me to sign her up, so that's 100% happening now lol.

She's the future of this industry. I'm watching it happen in real time.

So I have a new goal. I need to get this done before she does. Because I will never, ever live it down if she beats me to it.

But at least I know I've got a study partner who can set me up for success this time.

This Sunday, I'm launching Adversarial Intelligence, a weekly deep dive into AI security. The first issue is a complete free guide to every resource you need to start learning AI red teaming, with an interactive cheat sheet you can take to work. Subscribe so you don't miss it.

Pete McKernan is a disabled Marine veteran, red teamer, and founder of itsbroken.ai. He holds GXPN, CISSP, and GPEN certifications and is ranked Omniscient (#17 US) on Hack The Box. His work on the F.O.R.G.E. framework is published at forged.itsbroken.ai.