You don’t need a computer science degree to become an ethical hacker. You don’t need to be a coding prodigy who started programming at age 10. And despite what Hollywood shows you, you definitely won’t be typing furiously while green Matrix code cascades down your screen.

What you do need: curiosity, persistence, and a genuine obsession with understanding how systems break. The rest? You can learn it.

Ethical hackers—sometimes called white hat hackers or penetration testers—get paid to break into systems before the criminals do. Companies hire you to find their vulnerabilities, document them, and help fix them. It’s one of the few careers where your natural inclination to poke at things and ask “what happens if I do this?” becomes your greatest asset.

The demand is staggering. According to the Bureau of Labor Statistics, information security analyst positions (which include ethical hackers) are projected to grow 33% between 2023 and 2033, vastly outpacing the average for all occupations. ISACA research shows that 46% of enterprises have unfilled cybersecurity positions right now. Companies are desperate for people who can think like attackers.

The average salary? Around $135,000 per year, with top earners pushing past $180,000. Not bad for a career that essentially pays you to legally hack stuff.

But here’s what most “how to become an ethical hacker” guides won’t tell you: the path isn’t linear, certifications alone won’t get you hired, and the skills you need go far beyond running automated scanning tools.

Let’s break down what actually works.

What Do Ethical Hackers Actually Do?

Before you invest months learning penetration testing, make sure you understand the day-to-day reality. This isn’t a career for everyone.

Ethical hackers simulate real-world cyberattacks to find weaknesses in an organization’s security posture. You might spend your Monday morning attempting to bypass a company’s firewall, your afternoon crafting phishing emails to test employee awareness, and your evening writing detailed reports about everything you found.

The work typically falls into several categories:

Network penetration testing involves probing corporate networks for misconfigurations, weak authentication, and exploitable services. You’re looking for the paths an attacker would take to move laterally through an organization.

Web application testing focuses on finding vulnerabilities in websites and web apps—things like SQL injection, cross-site scripting (XSS), and broken authentication that could expose user data. Understanding programming fundamentals helps significantly with this specialization.

Social engineering assessments test the human element. This means phishing campaigns, phone-based pretexting, and sometimes physical security tests like tailgating into buildings.

Red team operations are comprehensive, adversarial simulations where you emulate the tactics, techniques, and procedures of real threat actors against a live organization, usually with only a handful of people aware the test is happening. These engagements can last weeks or months and involve sophisticated attack chains.

Bug bounty hunting is freelance work where you find vulnerabilities in companies’ public-facing assets and get paid per bug discovered. Platforms like HackerOne and Bugcrowd facilitate these programs.

The common thread? You need to think like an attacker while maintaining the ethics and documentation standards of a professional. Every finding needs to be reproducible, every action logged, every report clear enough for non-technical executives to understand.

The Skills You Actually Need (Not Just Tools)

A common misconception on forums like r/hacking and r/netsec is that learning tools equals learning hacking. It doesn’t. Tools change constantly. The underlying concepts remain.

Networking Fundamentals

You can’t hack what you don’t understand. Before touching any exploitation framework, you need deep knowledge of:

  • TCP/IP and the OSI model — How data actually moves across networks
  • Common protocols — HTTP, DNS, SMTP, SSH, FTP, and when each is used
  • Subnetting and IP addressing — Network segmentation and how organizations structure their infrastructure
  • Firewalls and NAT — How traffic is filtered and translated

The best ethical hackers can mentally trace a packet’s path through a network. When something blocks your attack, you understand why at a protocol level, not just that it happened.
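A worked example of the "trace the packet's path" habit, added here and not part of the original article. It implements the longest-prefix-match lookup that every host and router performs per packet, plus the two subnetting checks that come up constantly on engagements: is a target on-link (reachable by ARP, no router in the way) or behind a gateway, and how a block carves into smaller segments. The routing table and addresses are constructed for the demo, not taken from any real network.

```python
import ipaddress

# Constructed routing table for a host sitting on 10.0.1.0/24 (demo data only).
# Each entry is (destination prefix, next hop). A next hop of None means
# "on-link": the destination shares our subnet, so the host ARPs for it
# directly instead of handing the packet to a router.
ROUTES = [
    ("0.0.0.0/0", "10.0.1.1"),        # default route out through the edge firewall
    ("10.0.0.0/8", "10.0.1.254"),     # rest of the corporate range via an internal router
    ("10.0.1.0/24", None),            # our own subnet
    ("10.0.1.128/25", "10.0.1.200"),  # a more specific carve-out owned by another gateway
]


def route_lookup(dst, routes=ROUTES):
    """Longest-prefix match: the most specific matching route wins, not the first."""
    dst_ip = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst_ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_net is None:
        return None
    return {"prefix": str(best_net), "next_hop": best_hop, "on_link": best_hop is None}


def same_broadcast_domain(a, b, prefix):
    """Two hosts can talk at layer 2 only if both sit inside the same subnet."""
    net = ipaddress.ip_network(prefix, strict=False)
    return ipaddress.ip_address(a) in net and ipaddress.ip_address(b) in net


def carve(prefix, new_prefix):
    """Split a block into equal subnets, e.g. a /24 into four /26 segments."""
    return [str(n) for n in ipaddress.ip_network(prefix).subnets(new_prefix=new_prefix)]


if __name__ == "__main__":
    for dst in ("10.0.1.50", "10.0.1.200", "10.7.8.9", "93.184.216.34"):
        print(dst, "->", route_lookup(dst))
    print(carve("10.0.1.0/24", 26))
```

Note that 10.0.1.200 matches three entries (/0, /8, /25) but is routed via the /25, not treated as on-link even though it is inside 10.0.1.0/24. That is exactly the kind of detail that explains why a lateral-movement attempt to a "neighbouring" host quietly traverses a gateway and shows up in its logs.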

Resources like Professor Messer’s Network+ videos provide solid fundamentals. For hands-on practice, setting up your own home lab with multiple virtual machines and network segments teaches you more than any course.

Operating System Mastery

You need to be comfortable in both Linux and Windows environments—at the command line, not just clicking through GUIs.

Linux proficiency is non-negotiable. Most security tools run on Linux, a large share of the servers you will target run Linux, and Kali Linux is the distribution most testers reach for. You should be able to navigate the filesystem, manage processes, configure services, and write basic shell scripts without thinking.

Platforms like Shell Samurai offer interactive terminal challenges that build muscle memory for essential Linux commands—exactly the kind of practice that translates to real-world testing scenarios.

Windows internals matter because enterprises run on Windows. Understanding Active Directory, Group Policy, PowerShell, and Windows security mechanisms helps you find the misconfigurations attackers actually exploit.

For structured learning, check out Linux Journey for fundamentals and our Linux career guide for growth paths.

Programming and Scripting

You don’t need to be a software developer, but you do need to code. The consensus across security communities is clear: scripting separates hobbyists from professionals.

Python is the go-to language for security professionals. You’ll use it to automate reconnaissance, write custom exploits, parse data, and extend existing tools. Most security tools have Python APIs or are written in Python themselves. Our Python learning guide covers the fundamentals.

Bash scripting enables you to chain commands and automate Linux tasks. A penetration tester who can quickly write a bash loop to test credentials across 50 systems has a massive advantage over someone doing it manually.
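An added example of the "automate it across many hosts" idea from the Python and Bash paragraphs above. It is not code from the original article; it is written in Python (the language the article calls the go-to) and probes TCP ports rather than testing credentials, because a connect probe is safe to run anywhere you are authorized to test. The target is a constructed throwaway listener on 127.0.0.1 so the script runs offline; swap in your own in-scope host list in practice.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def check_port(host, port, timeout=1.0):
    """One TCP connect probe. The outcome tells you what happened at the protocol level."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"          # SYN / SYN-ACK / ACK completed: something is listening
        except ConnectionRefusedError:
            return "closed"        # host answered with RST: reachable, nothing on that port
        except socket.timeout:
            return "filtered"      # silence: usually a firewall dropping the SYN
        except OSError as exc:
            return f"error:{exc.errno}"  # e.g. network unreachable, no route


def scan(targets, workers=32, timeout=1.0):
    """Probe many (host, port) pairs concurrently; returns {(host, port): state}."""
    targets = list(targets)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda t: check_port(t[0], t[1], timeout), targets)
        return dict(zip(targets, states))


def start_listener():
    """Constructed target: a throwaway TCP service on loopback. Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                return

    threading.Thread(target=serve, daemon=True).start()

    def stop():
        try:
            srv.shutdown(socket.SHUT_RDWR)  # wakes the blocked accept()
        except OSError:
            pass
        srv.close()

    return port, stop


def free_port():
    """Pick a loopback port nothing listens on: bind, read it back, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


def demo():
    """Scan one open and one closed loopback port; returns the two states."""
    open_port, stop = start_listener()
    closed_port = free_port()
    targets = [("127.0.0.1", open_port), ("127.0.0.1", closed_port)]
    try:
        results = scan(targets)
    finally:
        stop()
    return {"open_port": results[targets[0]], "closed_port": results[targets[1]]}


if __name__ == "__main__":
    print(demo())
```

The distinction between "closed" (the host sent an RST) and "filtered" (nothing came back before the timeout) is the protocol-level "why" the networking section talks about: the first means you reached the host, the second usually means a firewall is in the path. As the article stresses later, point this only at lab machines or systems you have written authorization to test.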

PowerShell is essential for Windows-focused work. Many modern attack techniques leverage PowerShell, and understanding it helps both in offense and in recognizing malicious activity.

SQL knowledge helps when testing databases and understanding how injection attacks work at a fundamental level.
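The SQL injection mentioned under web application testing and again here, shown as an added worked example rather than code from the original article. It stands up a constructed in-memory SQLite user table and compares a login check built by string formatting with one that uses a parameterized query, then runs the two classic payloads through both.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo (not a real schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    # Plaintext passwords would be a finding in their own right; they are kept
    # plain only so the injection itself stays easy to follow.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse-battery"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds SQL by string formatting, so attacker input becomes SQL syntax."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Parameterized query: values travel separately from the SQL text and are
    never parsed as syntax, so the same payloads are just odd strings."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run four inputs through both implementations; returns the outcomes."""
    conn = make_db()
    inputs = {
        # password = '' OR '1'='1'  -> AND binds tighter, so the OR makes WHERE always true
        "tautology": ("alice", "' OR '1'='1"),
        # username = 'alice'--      -> the comment marker discards the password check
        "comment": ("alice'--", "anything"),
        "legit": ("alice", "correct-horse-battery"),
        "wrong": ("alice", "nope"),
    }
    return {
        name: {
            "vulnerable": login_vulnerable(conn, user, pw),
            "safe": login_safe(conn, user, pw),
        }
        for name, (user, pw) in inputs.items()
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} vulnerable={outcome['vulnerable']}  safe={outcome['safe']}")
```

Both payloads authenticate against the formatted query and fail against the parameterized one, while the legitimate password works in both. The fix is not "escape quotes better"; it is never letting user input reach the SQL parser as code.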

You don’t need to master all of these before starting: Python and Bash will carry you far initially. How long it takes to learn programming varies, but for security-focused scripting, 3-6 months of consistent practice gets you functional.

Security Concepts

This seems obvious, but many people jump straight to exploitation without understanding defense:

  • Common vulnerabilities — OWASP Top 10, common CVEs, attack patterns
  • Authentication mechanisms — How systems verify identity and how those systems fail
  • Cryptography basics — Not the math, but understanding where encryption helps and where it doesn’t
  • Security architecture — How organizations layer defenses and where gaps typically exist

If you’re transitioning into cybersecurity from another field, our cybersecurity career transition guide covers building these foundations.

The Certification Question: CEH vs. OSCP vs. Others

Here’s where discussions get heated. Spend any time in security forums and you’ll see endless debates about which certifications matter.

The honest answer: it depends on where you’re starting and what roles you’re targeting.

CompTIA Security+ (Entry Level)

Cost: ~$400 for the exam
Difficulty: Entry-level
Time to prepare: 2-3 months for most people

Security+ isn’t specifically an ethical hacking certification, but it establishes baseline security knowledge. Many government and contractor positions require it as a minimum. It’s a solid first step if you’re completely new to security, but won’t qualify you for penetration testing roles by itself.

Certified Ethical Hacker (CEH)

Cost: $950-$1,199 for the exam, plus $1,899-$3,499 for official training packages
Difficulty: Intermediate
Time to prepare: 2-3 months with IT background

The CEH from EC-Council is the most recognized ethical hacking certification and often appears in job requirements—especially for corporate and government positions. It covers broad topics: reconnaissance, scanning, system hacking, malware, social engineering, web application attacks, and more.

Requirements: You need either 2 years of information security experience OR completion of an official EC-Council training course. There’s also a $100 non-refundable application fee.

The exam is 125 multiple-choice questions in 4 hours.

The criticism: Many in the security community consider CEH too theoretical and focused on memorizing tool names rather than actual hacking skills. The hands-on practical exam (CEH Practical) helps address this, but costs an additional $550.

The reality: CEH opens doors, especially in corporate environments where HR departments recognize the name. Combined with practical skills, it’s valuable. By itself, experienced hiring managers may be skeptical.

According to Payscale, CEH holders earn an average of $86,436—though those with additional practical skills and experience earn significantly more.

Offensive Security Certified Professional (OSCP)

Cost: $1,749 for course + exam, or $2,749 for Learn One annual subscription
Difficulty: Advanced
Time to prepare: 4-6 months of intensive study

The OSCP from Offensive Security is considered the gold standard for penetration testing certifications. Unlike CEH’s multiple-choice format, OSCP requires you to actually hack into systems.

The exam is brutal: 23 hours and 45 minutes to compromise multiple machines in a simulated environment, followed by a 24-hour window to submit a professional report documenting your findings. Passing requires 70 points out of 100.

There are no formal prerequisites, but Offensive Security recommends strong networking knowledge, basic scripting skills, and familiarity with both Linux and Windows. In reality, most people who pass have significant prior experience or complete the PEN-200 course.

Why OSCP matters: It proves you can actually do the work, not just answer questions about it. Many penetration testing job listings specifically mention OSCP. Hiring managers know that passing OSCP requires real skills.

The average OSCP holder salary is around $120,000, and the return on investment is significant.

Other Certifications Worth Knowing

CompTIA PenTest+ — Mid-tier between Security+ and OSCP, more affordable than OSCP at around $400 for the exam.

GIAC Penetration Tester (GPEN) — Respected in enterprise environments, especially government. Expensive at $2,000+ but recognized.

eLearnSecurity/INE certifications (eJPT, ePTX) — More affordable practical certifications that focus on hands-on skills. The eJPT (Junior Penetration Tester) is often recommended as a stepping stone before OSCP.

For someone entering the field:

  1. Security+ first if you have no IT background — builds foundational knowledge
  2. CEH for corporate credibility and to meet HR requirements
  3. OSCP when you’re ready to prove practical skills and target dedicated pentesting roles

Don’t chase certifications without building real skills between them. The paper means nothing if you can’t perform in an interview or on the job.

Building Practical Skills: Labs and Practice Platforms

Certifications get you interviews. Practical skills get you hired—and keep you employed.

The security community has developed incredible free and low-cost platforms for hands-on learning:

Capture The Flag (CTF) Platforms

CTFs are gamified challenges where you exploit vulnerable systems to find hidden “flags.” They’re addictive, educational, and close to the hands-on assessments you’ll face in technical interviews.

TryHackMe — Guided rooms that walk you through concepts with hands-on labs. Perfect for beginners. Free tier available, premium unlocks more content.

HackTheBox — More challenging, less hand-holding. Active machines simulate real-world targets. The community and forums provide hints when you’re stuck.

OverTheWire — Free wargames focused on Linux and security concepts. The Bandit series teaches command-line basics; later games introduce exploitation.

PicoCTF — Free CTF designed for students. Great introduction to various security topics with a competition format.

Web Application Security

PortSwigger Web Security Academy — Free, comprehensive, and from the creators of Burp Suite. Interactive labs cover everything from basic injection to advanced topics.

DVWA (Damn Vulnerable Web Application) — A deliberately vulnerable PHP/MySQL web app you run locally to practice web attacks.

OWASP WebGoat — Interactive lessons that teach web security through intentionally vulnerable exercises.

Building Your Own Lab

Nothing teaches like building and breaking your own systems. A home lab running on VirtualBox or Proxmox lets you:

  • Set up vulnerable machines from VulnHub
  • Create Active Directory environments to practice Windows attacks
  • Test tools without legal concerns
  • Break things without consequences

For Linux fundamentals specifically, Shell Samurai provides browser-based terminal challenges that build command-line proficiency—essential for any security work.

Practice Schedule

The cybersecurity subreddits consistently recommend:

  • 10-15 hours weekly minimum for serious progress
  • 1-2 CTF challenges or boxes per week to maintain momentum
  • Document everything — Write up your solutions even for easy boxes; you’ll reference them later

The Career Path: From Entry-Level to Expert

Ethical hacking rarely works as a first job in IT. You need foundational experience first.

Typical Progression

Step 1: IT Foundation (1-3 years)

Most ethical hackers start in help desk, system administration, or network operations. These roles teach you:

  • How real networks and systems operate
  • What normal looks like (critical for identifying abnormal)
  • Soft skills like documentation and communication with non-technical stakeholders

For entry-level positions without experience, see our guide on landing IT jobs without experience.

Step 2: Security Operations (1-2 years)

Moving into a Security Operations Center (SOC), security administration, or incident response builds security-specific knowledge:

  • Reading logs and recognizing attacks
  • Working with security tools daily
  • Understanding how defenders think

This phase isn’t mandatory, but it makes you a better attacker. You’ll understand what defensive tools catch and what they miss. Explore more options in our cybersecurity careers hub.

Step 3: Junior Penetration Tester / Security Analyst (2+ years)

Your first dedicated security role might involve:

  • Running vulnerability scans and validating findings
  • Assisting senior testers on engagements
  • Writing portions of pentest reports
  • Conducting security assessments

Step 4: Senior Penetration Tester / Red Team (3-5+ years)

With experience, you’ll lead engagements:

  • Planning and scoping penetration tests
  • Developing custom exploits and attack chains
  • Managing junior testers
  • Presenting findings to executives

Step 5: Principal / Leadership (5+ years)

Senior technical roles include:

  • Red Team Lead — Managing a team of operators
  • Security Architect — Designing secure systems
  • CISO — Executive leadership (if you want to move away from technical work)
  • Independent Consultant — High hourly rates for specialized expertise

Salary Expectations

Based on current market data:

Experience Level             Typical Salary Range
Entry-level (0-2 years)      $70,000 - $90,000
Mid-level (3-5 years)        $90,000 - $130,000
Senior (5-8 years)           $130,000 - $160,000
Principal/Lead (8+ years)    $160,000 - $200,000+

Location matters significantly. San Francisco ethical hackers earn 15%+ above national averages. Remote work has somewhat normalized salaries, but major tech hubs still pay premiums.

For detailed salary data across cybersecurity roles, check our cybersecurity salary guide.

Landing Your First Ethical Hacking Role

Breaking into penetration testing without experience seems like a catch-22: jobs require experience, but how do you get experience without a job?

Build a Portfolio

Since you can’t show client work, demonstrate skills through:

CTF write-ups — Document your solutions to HackTheBox or TryHackMe challenges. Explain your methodology, not just the steps. Publish them on a blog or GitHub.

Bug bounty success — Even finding a minor vulnerability on a public program proves real-world skills. Document the process and the responsible disclosure.

Home lab projects — Build something: an Active Directory attack lab, a vulnerable web app you secured, a network monitoring setup. Write about what you learned.

GitHub contributions — Contribute to open-source security tools. Even documentation improvements show engagement with the community.

Networking Matters More Than You Think

Many security jobs never get publicly posted. The community is smaller than you’d expect, and reputation spreads fast.

  • Attend local security meetups and conferences (BSides events are affordable and beginner-friendly)
  • Participate actively in security Discords and subreddits
  • Help others in communities like r/HowToHack — teaching solidifies your knowledge and builds reputation
  • Connect with professionals on LinkedIn, but offer value, don’t just ask for jobs

Interview Preparation

Ethical hacking interviews often include:

Technical assessments — You might be given a box to compromise during the interview or a take-home challenge.

Scenario questions — “How would you approach testing this application?” or “Walk me through how you’d enumerate a network.”

Report writing — You might need to write a findings report from a lab you completed.

For general interview prep, our technical interview preparation guide covers fundamentals that apply across IT disciplines.

Alternative Entry Points

If traditional pentest roles aren’t opening up:

Internal security roles — Companies’ internal security teams often need pentest support and will train promising candidates. Many people make the move from general IT into security through this path.

Managed security service providers (MSSPs) — Higher workload but faster learning and exposure to diverse environments.

Bug bounty full-time — Some researchers make six figures purely through bounties, though this requires exceptional skill and persistence.

Security consulting firms — GRC (governance, risk, compliance) roles can transition into technical work. The future of cybersecurity careers continues to expand with new specializations.

Common Mistakes to Avoid

Based on patterns across security communities and hiring discussions:

Chasing tools over concepts — Knowing how to run Nmap matters less than understanding what the results mean and what to do with them.

Ignoring soft skills — Penetration testing is surprisingly communication-heavy. You’ll spend more time writing reports and explaining findings than actually hacking. Poor communication limits your career.

Ethical violations — This should be obvious, but: never hack systems you don’t have explicit, written permission to test. “I was just practicing” isn’t a legal defense. Always use lab environments or authorized bug bounty targets.

Certification hoarding — Five certifications don’t make you more qualified than someone with one certification and proven practical skills. Hiring managers know the difference. Check our best cybersecurity certifications guide to focus on what matters.

Expecting immediate pentesting roles — Most successful ethical hackers built foundation experience first. Rushing into pentesting without understanding how systems work creates gaps that hurt you long-term.

Neglecting documentation — If you can’t write a clear, professional report explaining what you found and how to fix it, your technical skills don’t matter. Practice technical writing from day one.

Is Ethical Hacking Right for You?

This career isn’t for everyone. The reality check:

You’ll love it if you:

  • Get genuinely excited when something breaks unexpectedly
  • Enjoy puzzles and have patience for trial-and-error
  • Stay curious about how systems work under the hood
  • Handle frustration well—most attacks fail before they succeed
  • Write clearly and enjoy explaining technical concepts

You’ll struggle if you:

  • Want predictable, routine work
  • Dislike writing reports
  • Get frustrated easily when approaches don’t work
  • Expect high compensation immediately without foundation building
  • Think certifications alone guarantee success

The best ethical hackers share an obsessive curiosity. They’re the people who, when something doesn’t work, ask “why?” instead of moving on.

Getting Started This Week

Information overload is real. Here’s a focused starting point:

If you have no IT experience:

  1. Start Linux Journey or Shell Samurai for command-line basics
  2. Study for CompTIA Security+ using Professor Messer (free)
  3. Create a TryHackMe account and start the beginner path
  4. Apply for help desk or entry-level IT roles while building skills

If you have IT experience:

  1. Set up a lab with VirtualBox and Kali Linux
  2. Complete 5-10 HackTheBox or TryHackMe machines
  3. Start PortSwigger Web Security Academy for web testing
  4. Consider CEH certification for corporate credibility, then OSCP when ready

If you’re already in security:

  1. Focus on OSCP or advanced certifications
  2. Contribute to open-source security tools
  3. Start bug bounty hunting to build a track record
  4. Network aggressively within the security community

The ethical hacking market isn’t slowing down. Cyber threats grow more sophisticated daily, and organizations need people who can find vulnerabilities before attackers do. The path takes time—expect 2-4 years from complete beginner to entry-level pentesting role—but the career rewards are substantial for those who put in the work.

Start building. Start breaking. Document everything.

Frequently Asked Questions

How long does it take to become an ethical hacker?

Most people need 2-4 years from a starting point with no IT experience to land an entry-level penetration testing role. Those with existing IT backgrounds can transition faster—typically 1-2 years with focused study. Timeline depends heavily on how many hours you can dedicate weekly; 10-15 hours of consistent practice accelerates progress significantly.

Do I need a degree to become an ethical hacker?

No formal degree is required, though some employers prefer candidates with computer science or cybersecurity degrees. What matters more: demonstrated skills, relevant certifications (CEH, OSCP), and a portfolio showing practical ability. Many successful ethical hackers are self-taught or hold degrees in unrelated fields. See our guide on getting into cybersecurity for alternative paths.

How much do ethical hackers make?

According to ZipRecruiter, the average ethical hacker salary in the US is $135,269 annually. Entry-level positions typically start at $70,000-$90,000, while senior penetration testers and red team leads can earn $160,000-$200,000+. Location, certifications, and specialization affect compensation significantly.

Is CEH or OSCP better?

They serve different purposes. CEH demonstrates baseline knowledge and is widely recognized by HR departments—useful for getting past resume filters, especially in corporate or government roles. OSCP proves practical exploitation skills through a hands-on exam and is more respected among technical hiring managers. Ideally, pursue both: CEH for doors to open, OSCP for credibility with security teams.

Can I learn ethical hacking for free?

Yes. Excellent free resources include TryHackMe’s free tier, OverTheWire wargames, PortSwigger Web Security Academy, and PicoCTF. Platforms like VulnHub provide free vulnerable VMs, and Kali Linux is free and open-source. The main costs are certifications (optional but helpful for jobs) and time investment.
