Video Version:

How to Be an Ethical Hacker in 2025

Introduction
For the past several years, we’ve posted annual blogs on how to become an ethical hacker. Given that
these blogs have been well received, we have brought back yet another edition. So, without further ado,
let’s chat about how you can break into the field of ethical hacking in 2025.

A Few Things Before We Begin…

Before jumping into the resources, there are a few things we need to address. First, it’s crucial to build a
strong foundation in IT before diving into the cool, hacky stuff. Think of your hacking career like building a
house—if you throw it up on a weak foundation, it won’t stand for long. The same goes for hacking: if you
skip over essential IT fundamentals, you’ll likely find yourself overwhelmed and lost, which could derail
your journey altogether. Mastering networking, system administration, and security basics might not
seem glamorous, but without them, even the best exploit techniques won’t get you far.

Second, let’s be real—ethical hacking is an exciting field. You get paid to legally break into networks,
applications, and even physical buildings (how awesome is that?). On top of the fun, it pays very well. But
here’s why: not everyone has the drive or skills to succeed in this space. High demand and a small talent
pool create the opportunity for lucrative careers. But if your only motivation is the paycheck, you’re setting
yourself up for frustration.

We’ve seen it too many times—people jump into hacking because it sounds cool or because they’re
chasing the money. That mindset won’t get you far. Hacking is a grind. Breaking into the field is tough,
and even after you’ve made it, you have to keep learning to stay relevant. New exploits and defenses are
constantly emerging, and if you stop sharpening your skills, your peers will leave you behind.

The key takeaway? Choose this field because it excites you, because it sparks your curiosity, and
because you want to be a lifelong learner. The money is a fantastic bonus, but it can’t be your only
motivation. If you put in the work and commit to constant learning, you’ll not only be well-compensated—
you’ll have a blast along the way.
If you are interested, we go into more detail and why you should (and should not) be an ethical hacker in
this video.

Lastly, it’s important to mention that this article is brought to you by TCM Security, a training and
certification company dedicated to building the next generation of cybersecurity professionals. While you
may find our training mentioned throughout, our goal here is to provide honest, unbiased
recommendations to help you on your path. We’re committed to giving you real value, whether that’s
The Foundations
With that out of the way, let’s discuss the foundational skills that we feel are necessary to mold a good
hacker. With each of the skills, we will link the resources and courses to help improve your skillset. Some
of the links will be related to certifications. You do not have to take the certification unless you want to
(though, it could help with landing a job). If you’re tight on funds, just focus on the trainings themselves.
Now, the foundational skills:

Learn the Basics of IT – Networking, Linux, Security

1) Basic IT Skills
By this, we mean your standard break/fix help desk skillset. Can you build a computer and identify its
parts? Can you troubleshoot and fix issues? In the certification world, this would be equivalent to the
CompTIA A+ certification (current version 220-1101 & 220-1102). If you’re brand new to IT and starting
here, we strongly recommend picking one of the following resources:

FREE (self-promotion) – TCM Security Academy – Practical Help Desk

The 19-hour Practical Help Desk course by TCM Security Academy is a free, hands-on
program designed to prepare students for entry-level IT roles. It covers essential skills
needed to excel at a help desk position, including troubleshooting common technical
issues, managing tickets, and customer service fundamentals. The course emphasizes
practical, real-world scenarios to build confidence in resolving hardware, software, and
networking challenges. Ideal for beginners, it offers a straightforward path to building
foundational IT knowledge and experience, making it an excellent starting point for those
pursuing a career in tech.
FREE – Professor Messer – 220-1101 and 220-1102 A+ Courses
Professor Messer’s 220-1101 and 220-1102 A+ courses cover essential knowledge
needed for passing the CompTIA A+ certification, focusing on both hardware and
software fundamentals.
The 220-1101 (Core 1) course dives into hardware technologies such as networking
devices, cables, and peripherals, along with virtualization and mobile device
management. It emphasizes practical troubleshooting, from understanding network
 configurations to managing hardware components like motherboards and storage
systems.
The 220-1102 (Core 2) course shifts focus to operating systems, security, and software
troubleshooting. It includes modules on Windows, Linux, and macOS features, explores
physical and logical security best practices, and provides strategies for tackling malware,
social engineering, and mobile device security. Core 2 also highlights practical IT skills
like Active Directory management and securing SOHO networks.
PAID – Mike Meyers – 220-1101 and 220-1102 A+ Courses
The Total CompTIA A+ Certification courses (220-1101 and 220-1102) by Mike Meyers
on Udemy provide a comprehensive path to passing both Core 1 and Core 2 exams,
essential for earning the A+ certification. Similar to Professor Messer, these courses
cover foundational IT knowledge, with 220-1101 focusing on hardware, networking, and
mobile devices, while 220-1102 emphasizes software, operating systems, and
cybersecurity concepts. Both include hands-on labs, troubleshooting exercises, and
practical scenarios, equipping students with real-world skills for IT roles. With engaging
lectures and practice tests, these courses are ideal for beginners looking to break into IT
and pass their A+ exams on the first attempt

2) Networking Skills
Networking is an essential part of penetration testing. Can you describe the OSI model? Do you know
what service runs on port 22? Can you explain CIDR notation or walk through the TCP three-way
handshake? If these concepts feel foreign, then it’s time to build your networking knowledge. In the
certification world, this would align with the CompTIA Network+ certification (N10-008 or N10-009). If
you’re starting here, we recommend the following resources:

FREE – Professor Messer – N10-008 or N10-009 Network+ Course

Professor Messer offers a free, beginner-friendly course covering the Network+
certification objectives. It walks you through networking essentials, including protocols, IP
addressing, routing, and troubleshooting. This course is ideal if you’re looking for a solid
introduction to networking concepts without any financial investment. You can choose
either the N10-008 or N10-009 course. Both are good starting points and cover a lot of
the same topics. In our opinion, going with the newer version of a course is almost
always more ideal.
FREE – Cisco Networking Academy – Packet Tracer
Packet Tracer by Cisco is a free network simulation tool that provides a hands-on
experience with network configuration and troubleshooting. It allows you to build virtual
networks, making it an excellent supplement to theoretical learning. You can explore
Packet Tracer here.
PAID – Mike Meyers – Network+ Course
Mike Meyers’ comprehensive Network+ course on Udemy provides everything you need
to pass the N10-008 exam. The course features detailed lectures, hands-on labs, and
real-world examples to reinforce key concepts. It’s perfect for anyone serious about
mastering networking fundamentals and preparing for the certification exam.

Side note: If you’re already familiar with networking, you might be wondering about the CCNA (Cisco
Certified Network Associate) certification. While CCNA is valuable, it focuses heavily on Cisco’s
technologies and commands. We recommend starting with a vendor-neutral certification like Network+ to
build a strong foundation. You can always pursue vendor-specific certs like the CCNA later, especially if
your career path or job role demands it.
3) Linux Skills
Linux is a cornerstone of ethical hacking—like, a lot of it. Most hackers rely on Debian-based
distributions, with Kali Linux and Parrot OS being the most popular. While some prefer building their own
custom Linux distros, Kali and Parrot remain the go-to choices for many. Fortunately, there are plenty of
free resources available to help you master Linux.

Learning Linux is much like learning a foreign language. You can gain a lot from following an instructor,
but full immersion makes all the difference. Try installing Linux and commit to using it exclusively for a
week. The initial struggle will give way to faster learning and improved confidence in the environment.

FREE (self-promotion) – TCM Security Academy – Linux 100: Fundamentals

This free course introduces essential Linux concepts, including file management,
permissions, and basic scripting. It’s a great starting point for beginners wanting a
structured introduction to the operating system. You can enroll in Linux Fundamentals
here.
FREE – Linux Journey
This site offers interactive lessons covering everything from basic commands to more
advanced topics. It’s a great way to ease into Linux at your own pace. You can check out
Linux Journey here.
FREE – OverTheWire – Bandit
OverTheWire: Bandit Wargame: Bandit is a fantastic series of challenges designed to
teach you Linux through practical problem-solving, helping you build both knowledge and
troubleshooting skills. Explore OverTheWire’s Bandit.
PAID (self-promotion) – TCM Security Academy – Linux 101
For those seeking deeper, structured learning, TCM Security Academy offers Linux 101,
which builds upon the Linux 100 course mentioned above. This course covers the
foundations needed to become comfortable using Linux, with practical exercises that
prepare you for real-world scenarios. Whether you aim to use Linux in hacking or IT
administration, this course will build the confidence you need.

4) Coding/Scripting Skills
In cybersecurity, being able to read and understand code is essential, even if becoming a professional
developer isn’t the goal. While advanced coding skills can make tasks easier, a basic understanding is
often sufficient to succeed in this field. Many professionals, including ethical hackers, thrive with only
foundational programming knowledge.

Python is the recommended starting point due to its beginner-friendly syntax and wide adoption across
industries. Many educational institutions now teach Python as the primary language in their introductory
courses. It’s essential to focus on Python 3, as Python 2 is outdated and no longer supported. Below are
some recommended resources to get started:

FREE (self-promotion) – TCM Security – Programming 100: Fundamentals

For those completely new to programming, Programming 100 Fundamentals offers a
beginner-friendly introduction. This course covers the basics of coding with Python,
including variables, loops, and control structures, providing a solid foundation for further
programming studies.
FREE – FreeCodeCamp
A hands-on, project-based platform that teaches all sorts of programming languages,
including Python, through interactive coding challenges and videos. You can check out
FreeCodeCamp here.
FREE TRIAL (No credit card required) – Codecademy
 Offers structured, interactive lessons with guided exercises to help beginners build
foundational Python skills. You can check out Codecademy here.

PAID (subscription) – Team Treehouse

A subscription-based platform with in-depth courses that include projects and challenges
designed to reinforce coding concepts. You can check out Team Treehouse here.

PAID (self-promotion) – TCM Security – Programming Classes

For those interested in taking a deeper dive into programming, TCM Security offers a
slew of programming classes that focus on practical applications for cybersecurity.
Those classes include Python 101 for Hackers, Python 201 for Hackers, C# 101 for
Hackers, Rust 101, and Programming with AI.

5) Security Skills
Before starting a cybersecurity career, having a solid foundation in security concepts is essential. If
there’s one certification worth pursuing early on, it’s the CompTIA Security+. This certification builds on
networking fundamentals, introducing core security principles like cryptography, risk management, and
incident response—think of it as “Network++.”

A solid understanding of security fundamentals not only ensures long-term success but also opens doors
to entry-level roles, such as a SOC Analyst. Below are top resources to help you prepare for Security+
and gain essential security skills:
FREE – Professor Messer – SY0-701 Security+ Course
Professor Messer offers a comprehensive Security+ video series covering all exam
objectives, including topics like network security, incident response, and access control.
You can check it out here.
PAID (self-promotion) – TCM Security – Security Operations (SOC) 101
The 30-hour SOC 101 course offers a detailed introduction to Security Operations
Centers (SOCs) and the role of a SOC Analyst. It covers core topics such as log
analysis, incident response, and monitoring tools, providing practical skills to excel in
entry-level security roles. Ideal for those pursuing a career as a SOC Analyst or wanting
to learn to become a better hacker by learning how to defend, this course bridges the
gap between theoretical knowledge and real-world operations.

You’ve Got the Foundations, Now What?

Learning the Basics of Ethical Hacking
Now that you’ve built a solid foundation, it’s time to dive into hacking. For a comprehensive starting point,
we recommend the Practical Ethical Hacking course by TCM Security Academy (self-promotion). This
course covers the essential skills you’ve learned (Linux, Python, and Networking) and takes them a step
further into real-world hacking scenarios including Active Directory and Web Application hacking, which
we will expand on in a bit.

The first 15 hours of this course are available for free on YouTube, broken into two parts for easy access:

Part 1
Part 2

Beyond courses, it’s important to practice hacking on intentionally vulnerable machines—systems

designed to be hacked. These machines follow a “Capture the Flag (CTF)” style, teaching the
fundamentals, tools, and problem-solving persistence required to become a successful hacker. Here are
three top platforms to practice on:

TryHackMe: Best for beginners, this platform offers a range of free/paid labs and guides you
through hacking techniques, explaining each step.
Hack The Box: An alternative to, and often more challenging than, TryHackMe, this platform
offers a variety of vulnerable machines for intermediate users to hone their skills.
VulnHub: A free platform with downloadable, intentionally vulnerable machines, great for
practicing offline.

If you enjoy CTF-style hacking, you might also want to participate in live CTF events. These competitions
are excellent for improving your hacking skills in a team-based environment. Check out CTFTime for the
latest CTF events and read write-ups from past challenges to enhance your learning. Find CTF events at
CTFTime.
 Beyond the Basics

Breakdown of Foundational Skills, Hacking Basics, and Beyond the Basics

Once you are feeling comfortable with the basics, there are several additional areas of hacking that you
should familiarize yourself with, especially if you want to be a pentester. Those areas are:

1) Active Directory
Active Directory (AD) hacking is one of the most overlooked areas by individuals entering the
cybersecurity field. Yet, with more than 95% of Fortune 1000 companies relying on AD for their business
environments, it’s a critical skill to master.

AD hacking frequently comes up in job interviews, especially for security roles. Many candidates with
impressive certifications but limited hands-on experience struggle with this topic, revealing a gap in
practical knowledge. Understanding AD is essential not only for passing interviews but also for excelling
in real-world security roles, where navigating AD environments and identifying vulnerabilities are key
components of the job.

For Active Directory, beyond the Practical Ethical Hacking course mentioned above, there are some
pretty fantastic resources.

Here are people (and blogs) you should follow if you’re interested in Active Directory hacking:

@PyroTek3 – https://adsecurity.org/
@_dirkjan – https://dirkjanm.io/
@Haus3c – https://hausec.com/

Additionally, anything by @SpecterOps, @CptJesus, @byt3bl33d3r, @gentilkiwi, and @harmj0y

2) Web and Mobile Application Hacking

Web and mobile application hacking is one of the most in-demand skills in cybersecurity. Many of the
high-profile bug bounty programs revolve around vulnerabilities in web or mobile apps, and entire roles
are dedicated solely to web application penetration testing. If you want to be a pentester, mastering
application hacking is essential for leveling up your skills. Below are some excellent (mostly free)
resources to help you get started:

PortSwigger Web Security Academy: A comprehensive platform with labs and tutorials focused
on web security concepts.
Hacker101: Free online training by HackerOne, covering web application security fundamentals
and more.
Bugcrowd University: Offers educational content to help you develop the skills needed to
succeed in bug bounty programs.
PentesterLab: A hands-on platform for learning web security through practical exercises and labs.
Self-Promotion:
Since the previous release of this article, TCM Security Academy has released a slew of web application
hacking content.

Practical Bug Bounty – 9.5 hour course – If you’re new to web application hacking, we
recommend starting here. The course covers essential topics of web application hacking and bug
bounty programs, including how bug bounty programs work, finding and reporting vulnerabilities,
and the use of key tools like Burp Suite. It focuses on real-world applications to help students
transition from theory to practice, with step-by-step guidance on identifying common web
vulnerabilities and submitting successful bug reports. This training leads directly to the Practical
Web Pentest Associate (PWPA) certification.
Practical Web Hacking – 10+ hour course – Building upon the Practical Bug Bounty course, this
course covers both fundamental and advanced web vulnerabilities, including SQL injection,
cross-site scripting (XSS), authentication flaws, and command injection. Students learn through
real-world scenarios, with practical exercises designed to build confidence in using tools like Burp
Suite. This training leads directly to the Practical Web Pentest Professional (PWPP) certification.
Practical API Hacking – This course focuses on the growing field of API security, teaching
students how to identify and exploit vulnerabilities in Application Programming Interfaces. The
course covers key attack techniques, including broken authentication, authorization flaws, and
injection attacks specific to APIs. It provides hands-on experience with real-world scenarios,
equipping learners with practical skills for penetration testing and bug bounty hunting involving
APIs. This training leads directly to the Practical Web Pentest Professional (PWPP) certification.
Advanced Web Hacking – Building upon the Practical Web Hacking and Practical API Hacking
courses, this course dives deeper into complex web vulnerabilities and sophisticated attack
techniques. This course covers advanced topics like server-side request forgery (SSRF), XML
external entities (XXE), deserialization attacks, and advanced SQL injection. It’s designed for
those with prior experience in web security who want to refine their skills and tackle real-world
challenges in penetration testing and bug bounty programs.
Mobile Application Penetration Testing – For those interested in hacking mobile applications, this
course offers practical training on securing mobile apps by identifying and exploiting
vulnerabilities specific to Android and iOS platforms. The course covers reverse engineering,
insecure data storage, API vulnerabilities, and mobile-specific security flaws. Through hands-on
exercises and real-world scenarios, students gain the skills needed to conduct thorough mobile
app assessments for penetration testing and bug bounty hunting. This training leads directly to
the Practical Mobile Pentest Associate (PMPA) certification.
Additionally, we offer a free course on YouTube for beginner web application hacking

When learning web app security, it’s also helpful to familiarize yourself with the OWASP project. Pay
special attention to the OWASP Top 10 vulnerabilities and the OWASP Web Security Testing Guide:

OWASP Project
OWASP Top 10
OWASP Testing Guide

Finally, reviewing bug bounty write-ups offers valuable insights into real-world vulnerabilities. Many
bounty platforms, such as HackerOne, maintain archives of these write-ups:

HackerOne Hacktivity
3) Wireless Hacking
You can learn to hack wireless networks pretty quick. In fact, a lot of the hackers started out tinkering with
wireless hacking before jumping into other areas of ethical hacking due to the simplicity of it. You can

easily pick up the skillset needed to hack WPA2 Personal by having the right equipment and reading a
short blog post, such as this one.

WPA2 Enterprise is a little trickier, but hey, there are blogs for that too, such as this one.

4) Certifications
The next thing to discuss are certifications, which can be useful for standing out in the job application
process. Below are some of the top entry-level hacking certifications that can be found on job postings,
sorted by price. If you’re interested in taking a certification, we recommend researching each certification
individually and finding one that best suits your journey.

Multiple CTF-
Practical
Certification Choice Style Government Cost
Exam
Exam Exam

Pentest+ X X X $

PNPT* X $

CPTS X $

CEH X X X $$

OSCP X $$

GPEN X X X $$$

* Designates self-promotion

Categories in the table above are as follows:

Multiple Choice – The exam format is multiple choice. When multiple choice is marked along
with CTF-Style Exam, this means the exam is multiple-choice but has a hands-on component.
CTF-Style Exam – The exam format is hands-on, but not practical. This means that the exam
has more of a gamified experience as opposed to an exam that mimics a real-life engagement.
Practical Exam – The exam format mimics a real-life engagement, requiring hacking techniques
found in real penetration tests to be used in an environment that is modeled after real-world
clients. These exams are often several days long to accommodate the format, whereas most
multiple choice exams often have a time restriction of a few hours.
Government – The exam is recognized by the United States government and can be beneficial
when applying to government jobs.
 Cost – Relevant to the specific certifications listed, $ assumes a cost of $500 or less, $$
assumes a cost of $1,000-$3,000, $$$ assumes a cost of $8,000 or more. All costs assume the
cost of training being included.

5) Privilege Escalation
This is a topic many new hackers struggle with. You land on a machine, but you’re not the admin/root
user. How can you elevate your privileges? You’ll find this area tested in many popular certification
exams, so it’s a topic you should know.

TCM Security does have courses on the topic:

Windows Privilege Escalation – https://academy.tcm-sec.com/p/windows-privilege-escalation-for-

beginners
Linux Privilege Escalation – https://academy.tcm-sec.com/p/linux-privilege-escalation

As does @0xTib3rius:

Windows Privilege Escalation – https://www.udemy.com/course/windows-privilege-escalation/

Linux Privilege Escalation – https://www.udemy.com/course/linux-privilege-escalation/

Plus, there are a million guides out there for PrivEsc. We will leave you to your Googling skills to find
these, but here is just one example of a great guide.

Content Creators
Content creators play an important role in educating the next generation of hackers looking to break into
this field and this article would be incomplete if we did not include some of our favorite content creators.

Note: Anyone online can claim to have expertise in a field. Due diligence and research should be
performed on any content creator(s). Below are vetted industry experts that have active YouTube
channels.

General Hacking:

The Cyber Mentor (self-promotion) – https://youtube.com/c/thecybermentor

John Hammond – https://youtube.com/c/JohnHammond010
HackerSploit – https://youtube.com/c/HackerSploit
IppSec – https://youtube.com/c/ippsec
Conda – https://youtube.com/c/c0nd4
Tyler Ramsbey – https://www.youtube.com/@TylerRamsbey

Web App/Bug Bounty:

NahamSec – https://youtube.com/c/Nahamsec
InsiderPhD – https://youtube.com/user/RapidBug
Farah Hawa – https://youtube.com/c/FarahHawa
Rana Khalil – https://youtube.com/c/RanaKhalil101
Communities
Being part of a community is essential to becoming a skilled hacker. Communities provide opportunities
to ask questions, share knowledge, and connect with others in the field or those starting their journey.
Networking with like-minded individuals not only enhances learning but can also open doors to new
opportunities. A strong community can accelerate your growth and keep you motivated along the way.

TCM Security Community: Our Discord community, with over 60,000 members, is a vibrant
space to connect, learn, and collaborate. Join here.
VetSec Community: For military veterans, VetSec offers a dedicated community to support your
transition into cybersecurity. Learn more at VetSec.

Conclusion
This article provides a solid starting point, though it’s by no means exhaustive. The resources shared
here have guided many professionals in their journeys, but every path in cybersecurity is unique. It’s
recommended to explore additional materials and resources along the way. With the content provided,
there’s more than enough to keep you engaged throughout 2025. Stay curious, keep learning, and—
happy hacking!