The Complete Guide to Ethical Hacking

Every computer system is vulnerable — hackers prove that daily. So, who can stop them? Believe it or not, hackers.

“Ethical hacking” is a seemingly contradictory term but, when conducted to expose and fix system flaws, ethical hacking is not only legal, it’s vital.

Individuals, companies, government agencies, and universities require sensitive data and proprietary work products to be secured. Consider that the FBI received a record number of U.S. internet crime complaints in 2020 totaling more than $4.1 billion in losses (PDF, 2.6 MB). Enter the ethical hacker, whom cyber security expert Keren Elazari referred to as the internet’s “immune system.”

How can you become an ethical hacker and help strengthen this digital immune system? Read on to learn more about ethical hacking, the skills and education required, the job market, and resources to practice hacking safely and legally. In addition, we’ll dive into the world of ethical hacking competitions where hackers can win big — one 2022 hacking tournament awarded more than $1 million in prize money.

Ready to learn more about ethical hacking? Let’s get started.

What Is an Ethical Hacker?

Hackers identify and exploit gaps and weaknesses in computer systems. Ethical hackers identify the same weaknesses, but do so with the intention of fixing them. The roles of malicious hacker and ethical hacker require similar skills, traits, and techniques, but their motivations are quite different.

Malicious hackers make unauthorized attempts to access computer systems or networks. In response, organizations authorize ethical hackers to identify and close those gaps. Basically, organizations pay ethical hackers to help protect their systems and data from malicious hackers.

According to Purplesec, a cyber security company run by U.S. veterans, cybercrime increased globally by 600 percent during the COVID-19 pandemic and could cost $10.5 trillion by 2025. And, in addition to impacting sensitive data, malicious hackers can even cause harm through medical devices. For example, the late hacker Barnaby Jack demonstrated how to hack pacemakers and insulin pumps so that the loophole giving hackers access could be fixed. In this instance, ethical hacking showed a potential to save lives.

Types of Hackers

Hackers are often classified by their motivations and actions with the analogy of wearing different “hats.” Here are some of the most common types of hackers, identified by the color of their metaphorical hats:

  • Black Hat: These are cybercriminals. Black hat hackers attack vulnerabilities with malicious intent.
  • White Hat: Also known as security specialists, white hat hackers look for the same vulnerabilities as black hats but determine how to fix the issues and prevent future attacks. Sometimes, black hats become white hats.
  • Gray Hat: Gray hats have mixed motivations. They enjoy hacking and often do so without authorization, but they don’t act maliciously. Grey hats often view hacking as sport.
  • Blue Hat: Tech companies hire blue hat hackers to test products and find security issues. Microsoft hosts an annual BlueHat convention.
  • Red Hat: Also known as vigilante hackers, red hats act aggressively to stop the black hats and employ some of their strategies. Government agencies hire red hats for their mission focus.
  • Green Hat: These are the hacking beginners who want to become white, blue, or red hats (but hopefully not black hats). How do they learn? Let’s take a look.

An image that highlights the different types of hackers by the color used to describe them.

How to Become an Ethical Hacker

Those with a curious mind, a taste for coding, and a tenacious personality may want to consider ethical hacking. It requires discipline and a sense of ethics — as the name suggests.

From a tech perspective, ethical hackers must understand networks and operating systems, notably Windows and Linux. JavaScript, Python, and SQL are among the leading languages ethical hackers use, but additional languages may be needed depending on the types of systems being accessed and their security posture.

There are several ways to learn ethical hacking. Information security analysts typically hold degrees in computer science or information technology, according to the U.S. Bureau of Labor Statistics (BLS), but that’s not the only educational pathway. For instance, 8 percent of penetration testers — an emerging role in cyber security — have a high school diploma or equivalent, according to CareerOneStop. In addition, many have learned through independent study, online courses, or boot camps. Here are some resources to help you get started in ethical hacking:

Cybersecurity Guide: This site provides a detailed breakdown of ethical hacking including educational paths, roles to pursue, job types, and certifications. It’s a good starting point for newcomers.

edX: The tech catalog of edX’s free online educational platform includes the basics of cyber security, an introduction to network security, and several classes on penetration testing.

Boot Camps: These programs provide in-demand cyber security and ethical hacking skills in as little as 24 weeks. For instance, University of Denver Cybersecurity Boot Camp digs into system administration, network security, and offensive and defensive techniques. Learners apply their newfound knowledge through real-world projects, immersing themselves in the world of ethical hacking.

Hacking for Dummies: This book introduces novices to key concepts surrounding safeguarding data and ways to otherwise deter cyber criminals.

Google’s Ethical Hacking University: Available at the Google Play store, this free app teaches cyber security and ethical hacking skills. It is intended for people who want to start cyber security careers, as well as businesses that want to start developing a better cyber security posture.

Bug Hunters: Another Google project, this international community of ethical hackers works to keep Google products safe. Bug hunters who find and report flaws have earned more than $35 million in rewards. The site also features Bug Hunter University.

Hack This Site: Under the slogan “training the hacker underground,” Hack This Site presents lectures, projects, challenges, and forums to learn about hacking. It even ranks the site’s top hackers.

Hacker101: The internet security company HackerOne built a companion portal for cyber security novices. This site includes video lessons, games, and an informative guide to hacking.

EC-Council: This cyber security group offers one of the most popular technical certifications: the Certified Ethical Hacker. The program promises to teach the latest tools and techniques to “lawfully hack” an organization.

Where to Practice Ethical Hacking

Hackers develop their skills by hacking. The trouble is, society is generally trying to prevent that, so where can you learn to hack safely and legally? Fortunately, plenty of sites exist for that specific purpose.
It’s important to note that you should always use caution when interacting with, or downloading from, sites devoted to hacking. Remember, you’re in the hackers’ domain and there is always the potential to encounter black hats. That said, here are some of the better-known ethical hacking sites where you can learn and practice responsibly.

PortSwigger Web Security Academy: The site offers volumes of free web security training labs. PortSwigger also offers suggestions for beginning ethical hacker learning paths.

Hack The Box: This site, operated by hackers and members of the infosec community, operates what it calls a “massive hacking playground.” Hack the Box features a gamified environment where users learn, devise, and share hacking techniques. It hosts Capture the Flag (CTF) and Battleground games, which run in real-time, multi-player environments.

PentesterLab: Penetration testing is an important hacking skill. PentesterLab has built one of the largest security platforms, hosting free and paid labs, tutorials, and exercises for hackers of all levels. Check out their free content to begin your practice.

VulnHub: This open-source community builds vulnerable virtual machines (or VM) to serve as training grounds for aspiring hackers.

TryHackMe: This free site teaches cyber security through a series of short, gamified labs that simulate real-world situations. The “hacktivities” include an introductory lesson that guides you through your first hack.

Google Gruyere: Google developers created this web app, named for the cheese, loaded with vulnerabilities for anyone to hack safely.

Defend the Web: Formerly known as HackThis, Defend the Web is an interactive platform with a challenge playground, a dense article collection, and an active community.

Juice Shop: The OWASP Foundation (Open Web Application Security Project) opened the Juice Shop to conduct security training and hold Capture the Flag (CTF) games. The site bills itself as “probably the most modern and sophisticated insecure web application.”

bWAPP: The Buggy Web Application is free, open-source, and deliberately insecure. The application claims to have more than 100 vulnerabilities for aspiring ethical hackers to exploit.

WebGoat: Another deliberately insecure site, OWASP’s WebGoat encourages ethical hackers to test for vulnerabilities common to Java-based apps.

Where to Find Ethical Hacking Competitions

Hacking gameplay — the legal, sanctioned kind — represents a unique way to learn skills, meet fellow hackers, and win prize money. Though the Global Cyberlympics are on hiatus, many other hacking competitions and tournaments are live online.

Ready to get your game on? Check out these ethical hacking competitions.

CTFlearn: Capture the Flag (CTF) is one of the most popular hacking gameplay methods. Users penetrate a server or app and capture a flag — often a line of text or code embedded within the program. CTFlearn hosts a variety of challenges in categories such as programming, cryptography, and forensics.

Google CTF: Google sponsors an annual CTF tournament in two parts and hosts a BeginnersQuest. Google also has published a CTF Field Guide.

National Cyber League: The NCL is a cyber security training ground for high school and college students with a mission to train new cyber security professionals. It hosts a biannual competition in which more than 13,000 students participate.

Hack-A-Sat: Ready to hack a satellite? Hack-A-Sat is a joint program of the U.S. Air Force and Space Force that seeks to develop space cyber security specialists. It does so through a series of CTF challenges and an attack/defend final event.

HackerEarth: This site lists hundreds of hackathons, programming challenges, and coding challenges. It even hosts hiring challenges through which hackers can find new jobs.

CyberTalents: This organization hosts hacking tournaments and ranks competitors worldwide. The site uses those rankings for recruiting and headhunting purposes.

National Collegiate Cyber Defense Competition: The CCDC draws teams from U.S. colleges to compete in protecting business information systems. The event focuses on securing network infrastructure, which makes this competition unique.

Pwn2Own: Part of the CanSecWest convention, Pwn2Own is one of the industry’s largest security competitions, offering an elaborate series of events with major prize money. The 2022 event awarded more than $1.1 million in prizes.

U.S. Cyber Challenge: By hosting cyber quests and camps, U.S. Cyber Challenge wants to identify 10,000 talented tech folks to become cyber security professionals. The nonprofit Center for Internet Security is a sponsor.

CyberPatriot: The Air Force Association sponsors the National Youth Cyber Education Program, also known as CyberPatriot, for kids in grades K–12. Teams compete to find vulnerabilities in Windows and Linux operating systems, as well as virtual networks. No experience is necessary, and the top teams advance to a national finals event.

An image listing the ethical hacking companies mentioned in the article.

Are Ethical Hackers in Demand?

Absolutely. (ISC)², a professional cyber security organization, found through a 2021 study that the global cyber security workforce must grow by 65 percent (PDF, 676 KB) to protect critical assets. Fortinet’s 2022 report on the cyber security skills gap found that leaders struggle to find and retain qualified talent (PDF, 2.5 MB). As a result, 67 percent of leaders say the shortage creates more risk for their organizations.

Given these stats, it’s not surprising that the BLS projects 33 percent growth for information security analysts through the next decade. Salaries are highly competitive in this field, with a median annual wage of $102,600. Further, job satisfaction is high, according to the (ISC)² report, which notes that 77 percent of cyber professionals said they were satisfied or extremely satisfied with their jobs in 2021. Further, job satisfaction was highest among Millennial and Gen Z workers (79 percent).

Become an Ethical Hacker Today

Hackers are no longer just lurking in the dark corners of the internet. Ethical hackers have emerged to help make the internet safer, and many more are needed. Are you ready to join them? If so, it’s time to build your hacking skills and become a force for good in the digital arena — potentially building a lucrative career in the process.

Get Program Info


Step 1 of 6