OffSec Threat Hunter (OSTH): Course Review and Exam Tips
The author shares their experience of taking the OffSec Threat Hunter (OSTH) course and exam, emphasises the value of the course's hands-on training with Splunk and NetWitness, and covers the challenges of the exam and tips for preparing. 2025-8-31 11:29:22 Author: infosecwriteups.com

Cyd Tseng

I had a blast going through the course materials and exam for OffSec Threat Hunter (OSTH). If you’re thinking about enrolling in this course and taking on the certification exam, read on!

My OSTH Learning Experience

I decided to take up this learning journey due to my brief exposure to threat hunting using Microsoft 365 Defender and Kusto Query Language (KQL) during a cybersecurity internship stint.

I wanted to then dive deeper, but desired something more structured than random YouTube videos. Hands-on practice, industry tools, and real logs. OSTH delivered on that. However, the OSTH course material was relatively short compared to other 200-level courses, so I would say the highlight of the course was the opportunity for hands-on, practical training with Splunk and NetWitness. Not to mention the rare chance to perform hands-on investigations with CrowdStrike Falcon and to get some decent exposure to CrowdStrike Query Language (CQL).

The course assumes you recognise common Windows and Active Directory pentesting tradecraft. If you have never performed lateral movement across Windows workstations, or looked at a suspicious service creation and asked how it got there, you might feel a knowledge gap.

To be fair: How would we hunt evil if we do not think evil?

When I framed each thought like an attacker planning a next step, the hunt got slightly easier.

I leaned heavily on ired.team and HackTricks for quick refreshers, and I kept the Windows Security Log Encyclopedia open for quickly referencing event IDs I only half remembered. File creates, logons, registry changes, services and scheduled tasks were just some of the usual suspects.

I only had some basic knowledge of Splunk Search Processing Language (SPL) and of the search commands the course covers but does not teach in depth. YouTube, Splunk docs and ChatGPT were my go-to for learning more advanced SPL fast.

An understanding of MITRE ATT&CK was also essential, as it formed the basis for a coherent analysis of threat actor activity, letting us understand the who, what, how and why of each step of an attack.

OSTH Exam Experience

I was confident starting the exam, having completed all the course exercises and challenge labs. However, the nagging doubts persisted:

“What if I got stuck?”

“What if I just can’t figure out what the threat actor was trying to do?”

“What if I ran out of time?”

Source: Eric Capuano https://x.com/eric_capuano/status/1097948185681674243

Well, as a matter of fact, I did get stuck. I did almost run out of time during the threat hunt. My mistakes were the kind you’d expect, but they still cost me precious time. I chased after an odd process here, a strange path there, and before I knew it minutes flew by with nothing concrete to show for it. At that point I had to mentally reset. I stepped back and asked myself: given what I already knew, what could the adversary realistically be targeting? From there, I reframed my hypotheses and went hunting for evidence to confirm or disprove them instead. Threat hunting is exactly that, an iterative shift between detail and big picture.

Another trap I fell into was writing Splunk queries that were far too general. Without time bounds, hosts, users, parents, or directories, all I got back was an overwhelming haystack of logs. In hindsight, I should have gone into the exam with a broader “query playbook” prepared in advance, covering common indicators and scoped tightly enough to be actionable. This would probably be better than leaning so heavily on the handful of documented queries I picked up while practicing the challenge labs.

Preparation Tips

Thinking back, I would recommend going back through any parts of the coursework you felt shaky on, as the repetition does pay off. Then, ensure you complete every single challenge lab, but do them with a self-imposed time limit. That was what helped me understand how to pace myself under exam conditions. My first lab took me ages, because I wasn’t used to the expectations of a threat hunt sprint. By the subsequent labs, I felt much more comfortable, and by the time the exam rolled around, I had the rhythm down.

Take lots of screenshots and always track your timestamps; this is key. The most important thing (and possibly the toughest part) is keeping track of the event timeline. Build that timeline early and keep it updated as you go. Don’t leave it until the end! I used Greenshot for capturing and labelling screenshots, which saved me a lot of time later when I had to prove or re-check something.

For note-taking, I relied on CherryTree. I built my timeline there as I went along, logging every notable event in order, which gave me a clear picture of the threat actor’s activity.
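To make the earlier points concrete (tightly scoped queries instead of an unscoped haystack, hypothesis-driven pivoting to the host the adversary is likely targeting, and a timeline tagged with MITRE ATT&CK techniques that is built as the hunt progresses), here is an added Python example. It is not code from the original write-up, from OffSec or from Splunk; it runs the same kind of filtering you would express in SPL, but in Python so it works offline. The events are constructed to resemble Windows Security/System events after SIEM parsing (field names loosely follow Splunk's Windows add-on), and every hostname, account, path and timestamp is invented. The ATT&CK mapping rules in `classify` are a deliberately small, assumed set, not a complete detection library.

```python
"""Scoped hunting, pivoting and timeline building over constructed Windows events.

Added example for this write-up: not code from the original post, from OffSec
or from Splunk. Field names loosely follow Splunk's Windows add-on (EventCode,
host, user, Image, ParentImage, CommandLine); all hosts, accounts, paths and
timestamps are invented.
"""
from datetime import datetime, timedelta

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

EVENTS = [  # constructed sample telemetry; "src" is the source workstation of a network logon
    {"_time": "2025-08-30T03:00:00", "host": "SRV01", "EventCode": 4624, "user": "svc_backup", "LogonType": 5, "src": "-"},
    {"_time": "2025-08-30T09:00:12", "host": "WS01", "EventCode": 4688, "user": "SYSTEM",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "Image": r"C:\Windows\System32\taskhostw.exe",
     "CommandLine": "taskhostw.exe"},
    {"_time": "2025-08-30T09:58:10", "host": "WS01", "EventCode": 4624, "user": "alice", "LogonType": 2, "src": "-"},
    {"_time": "2025-08-30T10:01:03", "host": "WS01", "EventCode": 4688, "user": "alice",
     "ParentImage": WINWORD, "Image": PS,
     "CommandLine": r"powershell.exe -nop -w hidden -ep bypass -f C:\Users\Public\update.ps1"},
    {"_time": "2025-08-30T10:02:40", "host": "WS01", "EventCode": 4688, "user": "alice",
     "ParentImage": PS, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Updater /tr C:\Users\Public\update.ps1 /sc minute /mo 30"},
    {"_time": "2025-08-30T10:03:15", "host": "WS02", "EventCode": 4688, "user": "bob",
     "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "chrome.exe"},
    {"_time": "2025-08-30T10:15:05", "host": "SRV01", "EventCode": 4624, "user": "alice", "LogonType": 3, "src": "WS01"},
    {"_time": "2025-08-30T10:15:09", "host": "SRV01", "EventCode": 7045, "user": "alice",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]

def ts(s):
    return datetime.fromisoformat(s)

def _match(value, want):
    # strings match as case-insensitive substrings (so "winword.exe" hits a full path);
    # numbers such as EventCode or LogonType must match exactly
    if isinstance(want, str):
        return want.lower() in str(value).lower()
    return value == want

def hunt(events, earliest=None, latest=None, **scope):
    """Return events inside [earliest, latest] whose fields match every keyword in scope.
    Calling it with no window and only an EventCode is the 'haystack' query."""
    hits = []
    for e in events:
        t = ts(e["_time"])
        if (earliest and t < earliest) or (latest and t > latest):
            continue
        if all(_match(e.get(k, ""), v) for k, v in scope.items()):
            hits.append(e)
    return hits

def classify(e):
    """Tag an event with a MITRE ATT&CK technique using a few assumed rules (not exhaustive)."""
    code = e["EventCode"]
    cmd = (e.get("CommandLine", "") + " " + e.get("Image", "")).lower()
    parent = e.get("ParentImage", "").lower()
    if code == 4688 and "powershell" in cmd and any(o in parent for o in ("winword", "excel", "outlook")):
        return "T1059.001 PowerShell spawned by an Office process"
    if code == 4688 and "schtasks" in cmd and "/create" in cmd:
        return "T1053.005 Scheduled Task persistence"
    if code == 7045:
        return "T1543.003 Windows Service installed"
    if code == 4624 and e.get("LogonType") == 3:
        return "T1021 network logon (lateral movement candidate)"
    return None

def pivot_lateral(events, user, src_host, after, window=timedelta(hours=1)):
    """Hypothesis: whoever ran the suspicious PowerShell moves on with the same account.
    Return hosts with a network logon (4624, type 3) for that user from src_host soon after."""
    hits = hunt(events, earliest=after, latest=after + window,
                EventCode=4624, LogonType=3, user=user, src=src_host)
    return sorted({h["host"] for h in hits})

def build_timeline(events):
    """Chronological (time, host, technique, detail) rows for every flagged event."""
    rows = []
    for e in sorted(events, key=lambda x: ts(x["_time"])):
        tag = classify(e)
        if tag:
            detail = e.get("CommandLine") or e.get("ServiceName") or f"LogonType {e['LogonType']} from {e['src']}"
            rows.append((e["_time"], e["host"], tag, detail))
    return rows

def demo():
    haystack = hunt(EVENTS, EventCode=4688)  # every process creation: too broad to read
    start = ts("2025-08-30T09:30:00")
    scoped = hunt(EVENTS, earliest=start, latest=start + timedelta(hours=1),
                  host="WS01", EventCode=4688, ParentImage="winword.exe")
    lead = scoped[0]
    targets = pivot_lateral(EVENTS, lead["user"], lead["host"], ts(lead["_time"]))
    return len(haystack), len(scoped), targets, build_timeline(EVENTS)

if __name__ == "__main__":
    n_all, n_scoped, targets, timeline = demo()
    print(f"unscoped 4688 events: {n_all}; scoped: {n_scoped}; pivot targets: {targets}")
    for row in timeline:
        print(" | ".join(row))
```

The scoped query returns the single Office-spawned PowerShell, where the unscoped one returns every process creation in the data set. The pivot then asks the question from the exam section (given that lead, where would the actor go next?) by looking only for network logons with the same account from that workstation in the following hour, and the timeline keeps the Office-to-PowerShell, scheduled task, network logon and service install in order with their technique tags, which is the structure the report needs.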

Another thing that made life easier: I practiced writing reports for some of the challenge labs. That gave me a sense of structure on what content goes where, how detailed each section should be, and what evidence was strong enough to include. By the exam, I did not have to invent a format from scratch and simply reused the same structure. I even worked on my exam report during the hunt itself. I didn’t wait until the reporting period after the 8-hour sprint. Instead, I gradually integrated my notes into OffSec’s OSTH template as I went along. That way, I was never stuck at the end trying to piece together an entire narrative from half-baked notes.

Finally, adopt an attacker mindset when approaching the course and exam.

Ask yourself: if I just deployed this tool, what would I need next? If I wanted persistence, what steps would I take? What artifacts would I leave behind? Hunting is really about following those logical chains, not just throwing queries into the void.

I hope this helps you in your OSTH and threat hunting journey. If you found this useful, feel free to check out my other write-ups on my profile!


Source: https://infosecwriteups.com/offsec-threat-hunter-osth-course-review-and-exam-tips-e4b8ab415d40?source=rss----7b722bfd1b8d---4