What is ethical hacking? White hat hackers explained

A graphic displaying an ethical hacker

Taking a proactive approach to cyber security

A complete guide to penetration testing


Hackers are usually portrayed as nefarious figures capable of wreaking havoc from the other side of the world, as they sit in a dark room and plot the demise of governments and corporations alike, making life difficult for IT teams. If you read some recent cyber security news, the stereotype isn’t entirely false: in the last week alone, hackers have targeted everyone from jobseekers and security researchers to Facebook and even the European Commission – and that’s the tip of the iceberg when it comes to recent hacking incidents.

Hackers have often been criticised for acting not only illegally, as hacking is considered a cyber crime, but also immorally, especially when targeting organisations working for the greater good, such as the education sector institutions, non-profits, and even laboratories working on the coronavirus vaccine. They have also been known to brag about the financial gains of their operations, one example being the REvil ransomware gang, which in October 2020 claimed to have made more than $100 million in one year from extorting large businesses. Not satisfied with their ill-gotten wealth, the group also revealed plans to make $2 billion with its ransomware as a service business.

However, this doesn’t mean that all hackers are automatically considered cyber criminals. In fact, many of them work to help organisations bolster their cyber security practices through detecting and reporting potential exploits. As their hacking is considered to be for the “greater good”, they are usually known as “ethical hackers” – hackers who use their skills for morally sound measures.

The ethical hacker, also known as a white hat, does the same thing as their malicious counterpart, only instead of exploiting vulnerabilities for the purpose of spreading code, they work with network operators to help fix the issue before it is discovered by others.

Both types of hackers get the same thrill of breaking something that wasn't supposed to ever break, they just have different motives. For many white hat hackers, the process is gamified in the form of bug bounty programmes - competitions that reward hackers with cash prizes for reporting vulnerabilities.

After all, who better to fight a hacker than another hacker?

Black hats, grey hats, and white hats

Within the cyber security community, hackers are divided into three camps - 'black hat' hackers, 'grey hat' hackers and 'white hat' hackers. Black hats hack their targets for self-serving reasons, such as financial gain, for revenge or simply to spread havoc.

White hat hackers, by contrast, actually aim to improve security, finding security holes and notifying the victim so they have an opportunity to fix it before a less-scrupulous hacker exploits it. Grey hats sit somewhere between the two camps, often conducting slightly more morally questionable operations, such as hacking groups that they are ideologically opposed to, or launching hacktivist protests. White hat and grey hat hackers can both be defined as 'ethical' hackers.

How do ethical hackers make money?

Black hat hackers generally earn their money through theft, fraud, extortion and other nefarious means. Ethical hackers, on the other hand, are quite often employed by cyber security companies, or within the security departments of larger organisations. The fact that they know how attackers operate often gives them valuable insight into how to prevent attacks.

Another way that ethical hackers can earn a living is through collecting 'bug bounties'. Large companies, particularly tech firms like Facebook, Microsoft and Google, offer a reward to researchers or hackers who discover security holes within their networks or services. This encourages them to report these holes, allowing them to be fixed before they can be found by criminals.

What motivates ethical hackers?

Most hackers are motivated by curiosity, and ethical hackers are no exception. They're often motivated by a desire to see what makes things tick, poking around in security systems just for the challenge of finding a way around them. Responsibly reporting their findings is the best way to indulge this desire whilst also staying on the right side of the law.

Many are also driven by a genuine desire to make the world more private and more secure. Exposing flaws in widely-used services and applications means that they're less likely to be used to harm innocent people.

Another big motivating factor for ethical hackers is, of course, cash. A career in pen-testing or red-teaming can be extremely lucrative, and often allows hackers to make a great deal more money than they would as a cyber criminal without fear of reprisals. Similarly, bug bounty programmes can provide incredibly generous payouts for discovering major flaws the current record-holder for the highest-value bug bounty is Google's $112,500 payment to a Chinese researcher who discovered a remote exploit vulnerability in Android.

How do I become an ethical hacker?

A graphic depiction of an ethical hacker certificate

(Image credit: Shutterstock)

If you're a hacker that wants to become a white hat, the good news is that you're already halfway there. Ethical hacking is more a state of mind than anything else; a desire to use talents for good, as opposed to evil. If you'd rather use your hacking talents to improve the world's security than to line your own pockets, you're well on your way to becoming an ethical hacker.

In terms of practical steps, there are numerous courses you can take that promise to give you all the skills needed to become an ethical hacker. However, while these can definitely be useful, either as a starting point or as a way to refine your knowledge, the best way to become an ethical hacker is to simply immerse yourself in the world of cyber security.

Read as much you can on the technical elements of hacking and cyber defence, keep up to date with developments in the field, and generally learn as much as possible about the theory and practice of cyber security.

It's also a good idea to learn a couple of programming languages, if you haven't already. While it's not absolutely essential for hackers (ethical or otherwise) to have an in-depth knowledge of coding, it can be incredibly useful, and will pay dividends throughout your career.

Connor Jones

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.