They Told Us It Was About Skills.
OffSec sent an email recently. In the marketing copy was a single sentence that told the truth:
Prefer to only keep your certification active? You can still purchase the Annual Maintenance Fee ($145) separately without access to the additional labs, training content, or practice environments.
Read that again. They are selling you the right to keep your credential valid — stripped of any educational content — as a standalone product. No pretense. No justification. Just a toll booth with a logo on it.
For years, the industry line on expiring certifications has been that the threat landscape evolves, skills atrophy, and credentials should reflect current competency. It was a reasonable argument, even if it was also convenient. You could nod along and tell yourself that the renewal cycle was good hygiene, that the industry was protecting quality, that it wasn't, in the end, just about extracting recurring revenue from people who'd already proven themselves.
That email killed the argument.
If maintenance is about skill currency, why can you pay to maintain a cert with no access to any skills? If the expiration model exists to ensure practitioners stay sharp, then a bare maintenance fee, one explicitly sold without training, labs, or practice environments, is incoherent on its face. It is a logical contradiction so obvious that OffSec apparently did not notice it, or did not care, which is worse. You cannot simultaneously argue that cert expiry protects the integrity of the credential and offer to preserve that credential for $145 with no effort required. Those two things cannot both be true. One of them is a lie.
The OSCP used to mean something. Not "I attended a course." Not "I maintained my CPEs." It meant: I sat in a room for 24 hours, and either I could compromise the machines or I couldn't. That brutality was the value proposition. The pass rate filtered people ruthlessly. The community respected it because it was a direct measurement rather than a proxy. You either had the skill, or you washed out.
That reputation came from a culture that was openly contemptuous of checkbox security, a credential that couldn't be gamed by study guides and memorization. The whole brand identity rested on the premise that credentials should mean something real.
And now they're selling an annual subscription to keep the badge green.
This is the SANS model. SANS has been running this playbook for the better part of two decades — eye-watering course prices, CPE treadmills, employer-subsidized renewal cycles, and an ecosystem carefully engineered so that HR departments treat their certs as requirements rather than differentiators. It works because enterprise procurement is not a meritocracy. Budget holders don't know what a buffer overflow is. They know what GIAC is because the SANS sales team has been in their building.
OffSec built its identity as the anti-SANS. Cheaper, harder, more respected by people who actually do the work. They captured a generation of practitioners who were exhausted by the theater of compliance-focused certifications and wanted something with teeth. That positioning was earned.
It is now for sale.
Here is the part that should alarm you beyond the money: credential inflation is an information problem. Certifications exist to reduce asymmetric information between practitioners and the people who hire them. When a cert means something consistent, it conveys a signal. When it becomes a subscription that you pay to maintain regardless of whether your skills have kept pace (or, equally, regardless of whether the cert content has kept pace with the threat landscape), the signal degrades. Hiring managers who relied on the cert as a filter now have a noisier signal. Practitioners who actually stayed sharp get lumped in with people who merely kept paying the renewal fee.
But it's not entirely OffSec's fault. The hiring process is also to blame for creating this model. Now hiring managers will have to separate those who merely renewed the certificate from those who kept building their skills, exactly as they already have to do for candidates without certs. HR has created a monster so big that it is left with more noise than ever before.
OffSec is not just monetizing its existing credibility. They are slowly spending it. Every $145 annual maintenance fee that goes out uncoupled from actual skill validation withdraws a little more from the account that the old guard deposited with genuine hard work.
The result is that OffSec ends up retaining the least signal-dense segment of its audience while systematically alienating the community that made the brand worth anything in the first place.
The irony is that OffSec could have threaded this needle. A renewal model genuinely tied to updated lab content, new exam environments, verified re-testing — that's defensible. Painful, maybe, but defensible. Instead, they hand you the receipt. They told you, in plain language, that you can skip all of that and just pay to keep the logo. And in doing so, they told you everything you needed to know about what the logo is actually worth to them.
Some of us earned our credentials in the era before the expiry clock started. We'll hold them without qualification and without maintenance fees.
For everyone else, evaluate carefully what you're actually purchasing. A skill, or a receipt.