How to Become an Ethical Hacker

I regularly get people asking for advice on how to get into the field of Ethical Hacking, so I thought I'd write this, first, so that I really give it some thought, second, in the hope that it helps someone. So here's how I did it and some general advice from my perspective.

How I Became an Ethical Hacker

Personally, I started as a software developer, I did this job for about 20 years. This definitely isn't a pre-requisite, but being familiar with software development has been a massive help when it comes to security testing for web and desktop applications. Note that Ethical Hacking covers many other topics!

As a developer I was fortunate to work on a web application that required a high level of security. Web app security was always in our minds. Whether I wanted to learn about it or not, I had to. Fortunately, I wanted to learn about lots of things, and security was one of them!

That alone wasn't enough though. I was getting some experience of security, but didn't have a large base of my own knowledge to draw from. That's when I realized that I needed to do something to really improve my skills. This took two forms. The first was to start attending local security-focused groups: one was a local OWASP chapter near where I lived and another was a local ISC2 chapter. This meant I was around people who also liked security. That's important because getting a job can be greatly helped if people are already aware of you. They get to know whether you'd be good to work with and what you're passionate about. I also got to see presentations on a variety of security topics and even presented once or twice myself. Eventually I went on to help run one of those local chapters, which was helpful to others and also taught me a lot.

The second form of action I took was to gain knowledge in preparation for a certification. At the time, I opted for the ISC2 CSSLP, which is focused on secure software development. It seemed a good fit as it started with something I knew very well (software development) and had vast amounts of security, a lot of which I didn't know so well. This forced me to learn a variety of security subjects, some of which I loved, others bored me almost to tears. There was a lesson in there though, if I wanted to succeed, I had to be prepared to learn about some things I didn't really care about learning.

For me I found I needed the structure that a certification gave me, otherwise I'd just be picking up random pieces of information with no clear goal.

After I got that certification (it took me almost a year, where I put in effort almost every single day), it helped me to stand out. It showed other people three things about me:

  • I put a lot of effort in
  • I worked hard enough to succeed
  • I had a whole new set of security knowledge

These three things were incredibly important, they proved to other people that I was committed to being good at this.

Knowledge alone is often not enough to get you a job, certainly not in Ethical Hacking.

Fortunately, I was already in a job where I had some experience of security and could leverage that position to get even more. Even telling people I was studying for the certification meant more security work came my way. That took me beyond software development, where at one point I was responsible for some of the work towards financial accreditation, allowing the application to work in the world of finance.

When an Ethical Hacking role came up at the company I worked for, I honestly wasn't sure I knew enough, or had enough experience. If I hadn't applied for that role, I wouldn't be where I am now.

How Do You Become an Ethical Hacker?

Most importantly, you've probably already got some technical skills, a place where you know things. Leverage that.

  • If you're a software developer, target web or desktop application security
  • If you're an IT admin, think about infrastructure and network security
  • If you create environments in the cloud, look at cloud security
  • If you work with LLMs, cryptocurrency, or similar technologies, look at security in that area

Leverage that knowledge and work on security in that area. It'll be an easy place for you to start.

Next, realize you're going to have to sit down and learn a lot. If you love learning, great, if you struggle with it, you're going to have to find a way that works for you. Books, Pluralsight courses, labs, local security meetups, capture the flag events, do whatever helps you the most. Just keep in mind that at some point you're almost certainly going to have to work hard and not always enjoy it.

Do you need a certification? In the early stages of your career, they certainly help. They show other people those three things:

  • you're willing to put effort in
  • you'll work hard enough to get success
  • you've learned a whole lot about security

You may be able to get those things from elsewhere, but a certification is a common route.

There are a LOT of certifications in security

Next, try to connect with other security people. You never know where your Ethical Hacking job will come from. Knowing people in the industry can help you become aware of jobs and your reputation can help you get those jobs.

Good luck!
