My OSIR and OSTH journey began on May 12th, when I received the annual OffSec voucher. I had been wanting to dive into OSIR for a while since it’s based on Splunk—a widely used SIEM that I hadn’t yet had the chance to explore.
Once I got the voucher, it was obvious that OSIR would be my starting point. The course felt pretty straightforward, thanks to my background in SOC and forensics. That said, I did notice this course had more theory compared to other OffSec courses I’ve done—which is debatable, of course. But to be fair, it doesn’t only cover technical aspects; it also dives into incident management, which I appreciated.
In May 2024, I successfully passed the OSDA certification and learned a lot from that experience. It helped me move faster through the course. After completing the OSIR labs, I scheduled my first exam attempt for June 6th at 7 PM, right after my workday.
During the exam, I wasn’t very open-minded. I expected the exam to mirror the labs too closely. As a result, I completed Part 1 just 2–3 hours before the exam ended, and I couldn’t finish Part 2, which focuses on forensic analysis. I had no idea where to start because the scenario was different from what I had expected and prepared for. After taking a step back (after failing the first attempt) and reviewing OffSec’s exam report template, I realized I had boxed myself into a specific scenario, expecting it to play out just like the labs.
I had to wait a month before I could retake the OSIR exam. In the meantime, I decided to go for the OSTH certification. Again, the course was pretty straightforward, and since it also used Splunk, I had a head start thanks to OSIR. I picked up some really useful Splunk query tips—like using stats for aggregations, table to focus on specific fields, and earliest / latest to set datetime ranges directly in the query.
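To show how those three tips combine in practice, here is a Splunk SPL search I put together as an added example (it is not from the OSIR/OSTH course material or from the post's cheat sheet). It hunts for password-spraying or brute-force behaviour by aggregating failed Windows logons per source address over the last 24 hours. The index name `wineventlog`, the sourcetype and the field names `EventCode`, `user` and `src_ip` are assumptions based on the Splunk Add-on for Microsoft Windows; adjust them to your own data model. The threshold of 20 failures is a constructed value, not a recommended detection baseline.

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4625 earliest=-24h latest=now
| stats count AS failures, dc(user) AS distinct_users, min(_time) AS first_seen, max(_time) AS last_seen BY src_ip
| where failures > 20
| convert ctime(first_seen) ctime(last_seen)
| table src_ip failures distinct_users first_seen last_seen
| sort - failures
```

The `earliest`/`latest` pair in the base search keeps the time window inside the query itself, so the search behaves the same no matter what the time picker is set to. `stats` does the aggregation per source address and also captures the first and last occurrence, which gives you the timeline entries the report asks for, and `table` restricts the output to the fields you actually need. A high `failures` count with a high `distinct_users` count points to spraying (many accounts, few attempts each); a high `failures` count with `distinct_users` close to 1 looks more like brute force against a single account.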
I scheduled the OSTH exam for June 19th at 7 PM, again after work. It was only a bit more challenging than the labs—nothing too unexpected. But fatigue definitely hit me. I missed some information that was right in front of me, and it took me nearly two hours to realize it.
In the end, I managed to finish within the allocated time and submitted the report the next day. It was exhausting, especially with work the following morning. I received the success email early Saturday morning and was thrilled to share the good news.
Back to OSIR—I felt more confident going into the second attempt, knowing I had to stay open-minded this time. I rescheduled the exam for July 10th at 7 PM. I started with Part 2 and made decent progress before switching back to Part 1. The Splunk techniques I picked up helped streamline my threat hunting.
The biggest challenge was alert fatigue—reading logs line by line while already tired from the day. I was eager to finish and rest.
But I did it. I completed both parts. Some questions took longer than expected, but I eventually solved them all. I started writing the report that same night and completed it the next day. After several reviews, I submitted it for grading.
This time, the result took longer to arrive than with OSTH, and it gave me a bit of stress. Finally, I got the results on July 15th at midnight. I was definitely happy—especially because it was more challenging than OSTH, and I had failed it once. Sweet revenge, haha!
My Recommendations for OSIR and OSTH
If you’re considering taking these courses, here are a few tips:
- Rest before the exam. You’ll be reading through a lot of logs—being tired won’t help.
- Create a sheet with common detection rules. I’ll share mine soon—it might be helpful.
- Check out other people’s cheat sheets to build your own. I highly recommend this one: 50 Threat Hunting Queries for Splunk/KQL.
- Define a solid methodology. It’ll help you stay focused when faced with thousands of logs.
- Stay open-minded. Don’t expect the exam scenario to be identical to the labs—even if they seem similar.
- Start filling out your report as you progress through the exam: at least with the IOCs and the timeline. This will help you maintain a global view of what happened during the attack. I also recommend using the official OffSec report template, as it follows the expected format. You’ll just need to complete the relevant tables and provide the appropriate text in each section.
Common Questions (Based on My Experience)
Is OSDA required before taking OSIR or OSTH?
No, it’s not. OSDA uses ELK as the SIEM, while OSIR and OSTH use Splunk. The detection concepts are similar, but the query syntax differs slightly.
How long does it take to prepare for the exam?
It depends on your background. For me, I completed both exams in under two months. I studied the full courses, completed all the labs, and built my cheat sheet. The concepts were mostly familiar.
What’s the difference between OSTH and OSIR?
OSTH focuses on threat hunting. You’re given a report of a specific attack and must extract IOCs using that as a reference. OSIR is centered around incident response. It starts with SIEM alerts, and you use forensic tools (Autopsy) to investigate in Part 2 of the exam.
What’s Next?
I’m still pursuing my goal of gaining a full 360° understanding of the cybersecurity field. The idea is to be able to guide any organization on how to secure their systems and where to focus efforts.
I’m also open to working on new projects—feel free to reach out via LinkedIn or email. I’ll be happy to connect!