DAY 1 OF 100
100-Day Ethical Hacking Course


I remember sitting in front of my laptop at 2 AM, reading that a 19-year-old had just earned $50,000 from Google for finding a single security bug. I was 26, stuck in a boring IT support job, making $38,000 a year. That night changed everything for me.

— The conversation that started SecurityElites. Today, I’m starting the same conversation with you. I am 100% sure every other person will start with ‘What is ethical hacking?’ But we are built different.

Welcome to Day 1 of 100. No fluff. No padding. No theoretical lectures that put you to sleep. This is a hands-on, step-by-step journey from “I know nothing about hacking” to “I’m ready to get paid to hack legally.” And today, we build the foundation everything else will sit on.

Before I teach you a single command or technique, I need you to understand what ethical hacking actually is — not the movie version, not the scary news headline version, but the real, professional, legally-grounded discipline that companies pay billions of dollars for every year.

This lesson covers everything a beginner needs to know before Day 2. I want you to take your time with it. Re-read it. There are no shortcuts in security — but there is a clear, navigable path. You’re walking it right now.


What Ethical Hacking Actually Is (And What It Isn’t)

Let’s get one thing clear immediately, because the internet has made this unnecessarily confusing: ethical hacking is not about wearing a hoodie in a dark room and “hacking the planet.” It’s a professional discipline — as structured and legitimate as accounting or engineering.

Here is the most accurate definition I’ve been able to put together after 15 years in this field:

DEFINITION

“Ethical hacking is the authorised, legal practice of probing computer systems, networks, and applications for security vulnerabilities — using the exact same methods as malicious attackers — but with the explicit permission of the owner and for the purpose of making those systems more secure.”

— SecurityElites Definition, used in our courses globally

The key word in that definition is authorised. That’s the one word that separates an ethical hacker from a criminal. Same skills. Same tools. Same knowledge. Different permission slip.

Think of it this way. A locksmith can pick any lock — that’s their professional skill. A burglar can also pick locks — same physical technique. The difference isn’t the skill. It’s whether the homeowner said “yes, please check if my locks are secure.”

🔓 Criminal Hacker: Uses hacking skills without permission. Intent: theft, disruption, extortion. Result: prison sentence.

🛡️ Ethical Hacker: Uses identical skills with written authorisation. Intent: find & fix weaknesses. Result: paid contract.

🏢 The Organisation: Pays for ethical hackers to attack their systems before criminal hackers do it for free — and for far worse.

Organisations pay for this because the alternative is far more expensive. The average cost of a data breach in 2025 was $4.88 million according to IBM’s annual report. Paying a pentester $5,000–$50,000 to find the holes first? Obvious business decision.


The Three Types of Hackers — White, Grey, and Black Hat

You’ll hear these terms constantly in this field. I want you to understand them clearly, because how you position yourself — legally and professionally — matters from day one.

Hat Colour | Who They Are | Permission? | Legal? | Examples
🤍 White Hat | Professional ethical hackers hired to find vulnerabilities | ✓ Always | ✓ Yes | Pentesters, Bug bounty hunters, Red teamers
🩶 Grey Hat | Hack without permission but usually disclose findings without causing damage | ✗ Often Not | ✗ Illegal | Researchers who report bugs they found uninvited
🖤 Black Hat | Malicious hackers — steal data, deploy ransomware, sell access | ✗ Never | ✗ Criminal | APT groups, ransomware operators, cybercriminals

⚠️ The Grey Hat Myth: I meet students who think grey hat hacking is fine because “they mean well.” Let me be direct: grey hat hacking is illegal. Good intentions don’t override computer misuse law. If you hack a system without permission — even to report the vulnerability — you are committing a crime. Everything in this course is white hat, always.

For the next 100 days, and for your entire career: we are white hat hackers. We work with permission. We document everything. We help, not harm. Burn that into your professional identity from Day 1.


How Hackers Actually Think — The Mindset That Changes Everything

This is the part of Day 1 that most courses skip entirely. Technical skills are teachable — I’ll teach you all of them over the next 99 days. But before any technique makes sense, you need to understand the thinking pattern behind hacking. It’s completely different from how most people approach systems.

Normal users think: “How do I use this system the way it was designed?”

Hackers think: “How can I make this system do something it was NOT designed to do?”

That’s it. That one mental shift underlies every hack ever performed. A login form was designed to let authorised users in. A hacker looks at it and asks: “What if I put a single quote mark in the username field? What if the password field is 10,000 characters long? What if I manipulate the hidden form field? What if the session cookie is predictable?” Every one of those questions is the start of a potential vulnerability discovery.
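
The same four questions seen from the defender's side, as an added example that is not part of the original course: a Python login handler in which each question has a deliberate answer, next to the naive lookup that does not. The table layout, the `alice` account, `MAX_PASSWORD_LEN` and all function names are assumptions made for this illustration.

```python
import hashlib, hmac, secrets, sqlite3

MAX_PASSWORD_LEN = 128  # assumed cap; the 10,000-character input is rejected up front

def hash_pw(password, salt):
    """Salted, slow password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    """Constructed in-memory user table holding one sample account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB, role TEXT)")
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("alice", salt, hash_pw("correct horse", salt), "user"))
    return db

def naive_lookup(db, name):
    """'Before' version: the username is pasted into the SQL text,
    so a single quote changes the statement itself."""
    return db.execute(f"SELECT role FROM users WHERE name = '{name}'").fetchone()

def login(db, form):
    """Hardened handler. Returns (session_token, role) or None."""
    name, password = form.get("username", ""), form.get("password", "")
    # Question 2: bound the input before any expensive work is done.
    if not name or len(password) > MAX_PASSWORD_LEN:
        return None
    # Question 1: parameterised query, so a quote in the name stays data.
    row = db.execute("SELECT salt, pw, role FROM users WHERE name = ?",
                     (name,)).fetchone()
    if row is None:
        return None
    salt, stored, role = row
    if not hmac.compare_digest(hash_pw(password, salt), stored):
        return None
    # Question 3: the role comes from the database; a hidden "role"
    # form field sent by the client is never read.
    # Question 4: the session identifier comes from the OS CSPRNG.
    return secrets.token_urlsafe(32), role
```

Calling `naive_lookup(make_db(), "o'brien")` raises `sqlite3.OperationalError`, which is the visible symptom that user input reached the SQL parser; `login` treats the same name as an ordinary unknown user.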

THE HACKER MINDSET — 5 CORE PRINCIPLES

01. Question Every Assumption
Every system was built by humans. Humans make mistakes. Every assumption a developer made about “what users will do” is a potential attack surface. Never accept that a system is secure just because it looks secure.

02. Think Like an Attacker to Defend Like a Pro
You can’t protect a system you don’t understand from an attacker’s perspective. The best defenders are people who have spent time thinking like attackers. That’s why ethical hacking skills make the best security engineers.

03. Enumerate Before You Exploit
Real hackers spend 60–70% of their time on reconnaissance and enumeration — gathering information — before touching an exploit. Rushing to attack without understanding the target is how you miss the real vulnerability.

04. Document Everything
Professional ethical hackers take notes on every command run, every finding, every dead end. The report you deliver at the end of an engagement is the product your client is paying for — it needs to be reproducible and clear.

05. Persistence Over Perfection
No hacker gets in on their first attempt. Real penetration testing involves hours of trying things that don’t work before finding the one thing that does. Your ability to stay methodical, patient, and persistent is a technical skill in itself.


I want to spend real time on this because it matters enormously — both for your career and your freedom. The legal landscape around hacking is not as complicated as it seems, but it requires clarity.

Ethical hacking is 100% legal when you have explicit, written authorisation from the owner of the system you’re testing. Full stop.

The same techniques without that permission are criminal offences in every major jurisdiction:

Country/Region | Primary Law | Max Penalty (Unauthorised Access)
🇺🇸 United States | Computer Fraud and Abuse Act (CFAA) | 10–20 years federal prison
🇬🇧 United Kingdom | Computer Misuse Act 1990 | 10 years imprisonment
🇮🇳 India | IT Act 2000, Section 66 | 3 years + ₹5 lakh fine
🇪🇺 European Union | NIS2 Directive + National Laws | Varies: 2–10 years
🌏 Most Others | Local Cybercrime Laws | Significant penalties apply

⚖️ The Golden Rule — Memorise This

Never test any system you do not own or do not have explicit written authorisation to test. “Implicit permission,” “they probably won’t mind,” or “I’m just looking” are not legal defences. Written authorisation is not optional — it is the difference between a professional and a criminal.

During this course, every practical exercise happens in controlled environments: your own virtual machines, intentionally vulnerable practice platforms (TryHackMe, HackTheBox), or DVWA running locally. We never touch real systems. Ever.


Ethical Hacking Careers & Real 2026 Salaries

I know some of you are here for the money. That’s completely fine — knowing what you’re working toward is motivating, not shallow. Let me give you the honest picture.

Entry Level (0-2 yrs)
$65K–$90K
SOC Analyst, Junior Pentester, Security Analyst

Mid Level (2-5 yrs)
$90K–$140K
Penetration Tester, Security Engineer, Threat Hunter

Senior (5+ yrs)
$140K–$220K
Red Team Lead, CISO, Principal Security Researcher

Bug Bounty (Top 1%)
$300K+
Elite bug hunters earning from HackerOne / Bugcrowd

Salary figures based on 2026 data from Bureau of Labor Statistics, LinkedIn Salary Insights, and HackerOne annual reports. Figures in USD; significant variation by location.

Beyond salary, cybersecurity has one of the lowest unemployment rates of any technical field — hovering near 0% for qualified professionals. There are currently over 3.5 million unfilled cybersecurity positions globally (Cybersecurity Ventures, 2025). The demand dramatically outpaces supply, and that gap is growing.

The Career Paths in Ethical Hacking

🔍 Penetration Tester (Pentester): Hired by companies to attack their own systems in a controlled way and report what they find. Can be internal (employed by one company) or consultant (working with many clients through a security firm). This is what most people imagine when they think “ethical hacker.”

🎯 Red Team Operator: More advanced than pentesting — red teamers simulate sophisticated, long-running attacks against entire organisations, including physical intrusion and social engineering, to test how well a company’s defences respond to a real adversary.

💰 Bug Bounty Hunter: Freelance security researchers who find vulnerabilities in company systems as part of their published bug bounty programs and earn cash rewards per valid finding. No employer. No fixed hours. Purely performance-based income.

🔬 Malware Analyst / Reverse Engineer: Analyses malicious software to understand how it works, what it targets, and how to detect and remove it. Requires deeper programming knowledge. High demand from antivirus companies, government agencies, and financial institutions.

🛡️ Security Consultant / CISO: Senior roles advising organisations on security strategy, risk management, and compliance. Often requires technical background plus business communication skills. Some of the highest-paid positions in the industry.


What You Actually Need to Start (The Honest List)

Here’s where I annoy people: I’m going to tell you what you don’t need as much as what you do. Because there’s a whole industry trying to sell you expensive courses, hardware, and certifications before you’re ready for them.

✅ WHAT YOU NEED
  • A computer with at least 8GB RAM (any OS)
  • Curiosity and willingness to try things
  • 1–2 hours per day of consistent practice
  • VirtualBox (free) for running virtual machines
  • Basic computer literacy (how to navigate files)
  • A free TryHackMe or HackTheBox account
  • Notebook for documentation (yes, physical is fine)
❌ WHAT YOU DON’T NEED
  • A programming degree (we’ll teach basics as needed)
  • An expensive computer or custom hardware
  • Any prior security experience
  • A CEH/OSCP cert before starting practice
  • A Mac or any specific OS brand
  • An expensive VPN subscription (yet)
  • Any paid tools for at least the first 30 days

In Day 2, we’ll install Kali Linux in a virtual machine — the operating system ethical hackers use. Everything from there forward builds on a free, functional setup. You don’t need to spend money to start. The skills you build are the investment.


Your 100-Day Roadmap — The Full Journey at a Glance

I want you to see the complete picture before we start. Where you are. Where you’re going. Every major milestone. This is your map for the next 100 days.

PHASE 1 — DAYS 1–20
Foundation & Mindset
What is ethical hacking • How the internet works • Networking fundamentals • Linux command line mastery • Setting up your hacking lab • Your first live system scan

PHASE 2 — DAYS 21–45
Core Attack Techniques
Reconnaissance & OSINT • Network scanning with Nmap • Enumeration techniques • Password attacks & cracking • Vulnerability scanning • Your first Metasploit exploit

PHASE 3 — DAYS 46–70
Web Application Hacking
Burp Suite mastery • SQL Injection • XSS • CSRF • File Upload attacks • Authentication bypass • OWASP Top 10 complete • Bug bounty methodology

PHASE 4 — DAYS 71–90
Advanced Techniques
Privilege escalation Linux & Windows • Active Directory attacks • Social engineering • Wireless hacking • Mobile app testing • Post-exploitation

PHASE 5 — DAYS 91–100
Career Launch
Writing professional pentest reports • Building your portfolio • CVs & interviews • Certifications roadmap (CEH, OSCP, CompTIA Security+) • Your first bug bounty submission

99 more days of this — each building on the last. Bookmark this page. Share it. And come back tomorrow for Day 2 where we install Kali Linux together.


🎯 Day 1 Practical Task — Do This Before Day 2

Every day in this course ends with a practical task. Today’s is quick but important — it’s about starting with the right posture. Do all three steps.

📋 DAY 1 CHECKLIST

1. Create a Free TryHackMe Account
Go to tryhackme.com and create a free account. This is your practice environment for the next 100 days. No credit card needed. Complete the “Welcome” room — it takes 5 minutes and confirms your setup.

2. Write Your “Why” — Keep It Private
Open a notebook or document and answer this: Why are you learning ethical hacking? Be specific. “To earn more money” is less motivating at 11 PM on Day 47 than “To earn $120,000 as a pentester and give my family financial security.” Your “why” keeps you showing up on hard days.

3. Bookmark Day 2 and Join the Community
Bookmark our 100-Day Course page and subscribe to get Day 2 delivered tomorrow. Join the SecurityElites community on Telegram where thousands of students are on the same journey — accountability and peer support make a real difference.

Day 1 is done.
You’ve already done more than most people will ever do.

Most people spend years thinking about learning ethical hacking. You actually started. That matters more than you know. See you on Day 2 — where we install Kali Linux and take our first real step into the lab.

Day 2: Install Kali Linux →


Frequently Asked Questions — Day 1

Can I learn ethical hacking without a computer science degree?
Absolutely. The vast majority of successful ethical hackers are self-taught or came from non-CS backgrounds. What matters is structured learning, consistent practice, and the ability to think methodically. This course assumes no prior technical background and builds everything from scratch. Many of my best students came from completely different fields — customer service, teaching, nursing — and became successful security professionals.
How is ethical hacking different from cybersecurity?
Cybersecurity is the broader field — it includes defence, compliance, risk management, incident response, and forensics. Ethical hacking (or offensive security) is the offensive subset of cybersecurity: actively attacking systems to find weaknesses. Ethical hackers are a specialised type of cybersecurity professional. Understanding offensive techniques (hacking) makes you dramatically better at defensive security too, which is why this course is valuable even if you want to end up in a defensive role.
Is ethical hacking only for tech people?
Not anymore — and this misconception holds a lot of smart people back. Social engineering assessments, report writing, client communication, and risk explanation require people skills more than technical ones. Physical penetration testing requires confidence and interpersonal intelligence. As AI automates more technical grunt work, the human judgment and communication skills in security become more valuable, not less. If you have curiosity and a structured mind, you can be an excellent ethical hacker regardless of your starting background.
What certifications should I target after this course?
After completing this 100-day course, you’ll be well-prepared for CompTIA Security+ (excellent foundation, widely recognised by employers), Certified Ethical Hacker (CEH) from EC-Council (great for corporate job applications), and you’ll have a strong base for pursuing OSCP (Offensive Security Certified Professional) — the gold standard in offensive security. We’ll discuss certification paths in detail in Day 95. Don’t pay for certifications before you have the skills to use them — build the knowledge first.