
Let me tell you what everyone else getting paid to sell you certifications will never say: you do not need a degree, you do not need an IT background, and you do not need to spend thousands on bootcamps to learn hacking and how to become an ethical hacker. The barrier to this career is not intelligence, money, or connections. It is information — specifically, the absence of a clear, honest, step-by-step roadmap from zero to employed.

Every resource that ranks above this article on Google is either selling you something or written by someone who learned to hack fifteen years ago and has forgotten what it is like to start from nothing. This article is neither. I built SecurityElites.com because I was once exactly where you are — overwhelmed, directionless, and unable to filter the noise from the signal.

What follows is the exact month-by-month roadmap I would follow if I were starting over in 2026 with zero experience. Every tool mentioned is free or low-cost. Every platform is accessible today without a waiting list. Every milestone is realistic. No fluff. No upsells. Let’s get into it.

📌 Bookmark This Page Before You Start
This roadmap links to every resource you need. You will return to specific sections as you hit each month’s milestone. The full 100-day ethical hacking course, 60-day bug bounty course, and 180-day Kali Linux course mentioned throughout are all free at securityelites.com — no registration, no credit card, no catch.

📍 Where This Roadmap Takes You — The Realistic Destination
Month 6
First valid bug bounty report submitted. First CVE or acknowledgement possible.

Month 9
eJPT certified. First bounty paid out. Portfolio building begins.

Month 12
Applying for junior pentester roles. $55K–$75K starting salary range.

Month 18
OSCP preparation. Senior roles visible. $80K–$110K range accessible.


⚡ The Uncomfortable Truth That Nobody Paid to Tell You

Before we get into the roadmap, I need to say something that the cybersecurity education industry has a financial incentive to never say: the information required to become an ethical hacker is almost entirely free. The community has built extraordinary free resources — PortSwigger Web Security Academy, TryHackMe’s free tier, Hack The Box Starting Point, OverTheWire wargames, OWASP documentation, YouTube channels with deeper content than $500 courses.

What you are paying for when you buy a $2,000 bootcamp or $999 certification prep course is not information — it is structure, accountability, and a certificate at the end. Structure and accountability are worth money to some people. But if you can follow a roadmap with discipline, you can achieve the same outcome for the cost of an internet connection and a $200 entry certification.

⚠️ Three Things That WILL Stop You (And How to Prevent Each)
1. Tutorial Hell. Watching course after course without practising in a terminal. Fix: for every 1 hour of video, spend 2 hours in a lab. SecurityElites.com is built around practice first — every article has tasks that require a terminal, not just reading.
2. Scope Paralysis. Trying to learn everything at once — networking, programming, cryptography, malware analysis — and making no meaningful progress in any area. Fix: follow this roadmap in order. Do not advance to the next month until you have completed the current month’s tasks.
3. The Certification Trap. Buying expensive certifications before you have foundational knowledge. CEH is not a beginner certification despite how it is marketed. OSCP will break you if attempted too early. The order matters. Stick to the roadmap.



Month 1 — Networking Fundamentals: How the Internet Actually Works

HOURS NEEDED: ~40–50
COST: FREE
DIFFICULTY: Beginner

Every offensive security technique — port scanning, network sniffing, man-in-the-middle attacks, web application exploitation — exploits how networks communicate. If you do not understand TCP/IP, you are hacking by rote memorisation without understanding why anything works. Understanding why is what lets you adapt when things do not go according to the tutorial.

🎯 What to Learn
✓ TCP/IP model — the 4 layers and what each does
✓ How DNS resolves domain names to IPs
✓ HTTP and HTTPS — request/response cycle
✓ Ports 0–1023 (common ones by heart)
✓ Subnets and CIDR notation (192.168.1.0/24)
✓ What a firewall actually does — and doesn’t do
✓ ARP, ICMP, UDP vs TCP — when each is used

🛠️ Free Resources
→ TryHackMe Pre-Security Path (free, interactive)
→ Professor Messer’s Network+ Course (YouTube, free)
→ Cisco’s Networking Essentials (free on Cisco Networking Academy)
→ Wireshark — capture and read live packets

✅ Month 1 Milestone
You can read a Wireshark capture and identify: what device is talking to what, which protocol is being used, and what is being sent. You can explain — out loud, not just recognise — what happens when you type google.com and press Enter.
Test: Complete TryHackMe’s “How the Web Works” module

Why networking comes first, not hacking: Nmap (our Kali Linux Day 1) makes no sense unless you understand TCP SYN packets. Metasploit payloads (Day 3) make no sense unless you understand reverse connections and firewall rules. Every tool teaches itself once you have the networking foundation.
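To make the SYN-packet point concrete, here is an added example (written for this article, not part of the SecurityElites course or any Nmap code) that builds a packet shaped like an Nmap SYN probe and then decodes it the way you would read the header pane in Wireshark. The bytes are constructed in the script, the 192.168.1.x addresses are placeholders, checksums are left at zero, and only the Python standard library is used.

```python
"""Parse a hand-built IPv4/TCP SYN segment and test CIDR membership (Month 1 concepts)."""
import socket
import struct

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793 order)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
PROTO_TCP = 6


def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Construct a minimal IPv4 + TCP SYN. Checksums stay zero, which is fine for
    parsing practice (a real stack would discard the packet)."""
    # TCP: sport, dport, seq, ack, data offset (5 words) | flags (SYN), window, csum, urg ptr
    tcp = struct.pack("!HHIIHHHH", sport, dport, 0x1A2B3C4D, 0, (5 << 12) | 0x002, 1024, 0, 0)
    total_len = 20 + len(tcp)
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF set), ttl, proto, csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0xBEEF, 0x4000, 64, PROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + tcp


def parse_ipv4(packet: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header; the payload is whatever follows the IHL."""
    ver_ihl, _tos, total_len, _ident, _flags, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "payload": packet[ihl:total_len]}


def parse_tcp(segment: bytes) -> dict:
    """Decode the fixed 20-byte TCP header and name the flag bits that are set."""
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    data_offset = (off_flags >> 12) * 4
    flags = [name for bit, name in TCP_FLAGS.items() if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags,
            "window": window, "payload": segment[data_offset:]}


def in_cidr(ip: str, cidr: str) -> bool:
    """Two addresses are on the same subnet when the same bits survive the mask."""
    def to_int(addr: str) -> int:
        return struct.unpack("!I", socket.inet_aton(addr))[0]
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return (to_int(ip) & mask) == (to_int(net) & mask)


def describe(packet: bytes) -> str:
    """One-line summary in the style of Wireshark's Info column."""
    ip = parse_ipv4(packet)
    if ip["protocol"] != PROTO_TCP:
        return f"{ip['src']} -> {ip['dst']} proto {ip['protocol']}"
    tcp = parse_tcp(ip["payload"])
    return f"{ip['src']}:{tcp['sport']} -> {ip['dst']}:{tcp['dport']} [{','.join(tcp['flags'])}]"


if __name__ == "__main__":
    # Placeholder RFC 1918 addresses, constructed for the example
    probe = build_syn("192.168.1.77", "192.168.1.10", 51234, 22)
    print(describe(probe))
    print("scanner on the /24?", in_cidr("192.168.1.77", "192.168.1.0/24"))
```

Once you can read the SYN flag and the data offset out of raw bytes, Nmap's `-sS` output stops being magic: a SYN/ACK back means open, a RST means closed, and silence usually means a firewall dropped the probe.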


Month 2 — Linux Mastery: Your Operating System Is Your Weapon

HOURS NEEDED: ~50–60
COST: FREE
DIFFICULTY: Beginner

Kali Linux is the standard operating system for ethical hacking — and Linux fluency is non-negotiable in this field. Every tool you will use for the rest of your career runs in a Linux terminal. Professionals who are slow in a terminal are slow in every assessment. Month 2 is about making Linux feel natural before you start using security tools in it.

🎯 What to Learn
✓ File system navigation (cd, ls, pwd, find)
✓ File operations (cp, mv, rm, chmod, chown)
✓ Text processing (grep, awk, sed, cut, sort)
✓ Networking commands (ip, netstat, ss, ping)
✓ Process management (ps, top, kill, systemctl)
✓ Bash scripting basics (loops, conditions, variables)
✓ Pipe and redirect operators (|, >, >>, <)

🛠️ Free Resources
→ OverTheWire Bandit (free wargame, levels 0–34)
→ Our 180-Day Kali Linux Course — Days 1–30 cover every essential tool
→ TryHackMe Linux Fundamentals (3 free rooms)
→ VirtualBox + Kali Linux (free download)

✅ Month 2 Milestone
Complete all 34 levels of OverTheWire Bandit without hints after Level 10. This single game proves Linux fluency more reliably than any course completion certificate. Also complete Kali Linux Days 1 (Nmap) and 2 (Netcat) from our free course.
Test: OverTheWire Bandit — Level 34 completed


Month 3 — Web Application Fundamentals: What You’re Actually Attacking

HOURS NEEDED: ~45–55
COST: FREE

The majority of bug bounty and penetration testing work targets web applications. Before you can find vulnerabilities in them, you need to understand how they are built — how HTTP requests carry data, how cookies maintain sessions, how JavaScript executes in a browser, and why the Same-Origin Policy exists. This month you also install and configure Burp Suite — the professional tool you will use for every web security test.

Core curriculum: Our Bug Bounty Day 3 (How the Web Works), Day 4 (OWASP Top 10), and Day 5 (Burp Suite Deep Dive) are your entire Month 3 reading. These three articles take 6–8 hours to study; the remaining hours of the month go into repeating their exercises in Burp Suite against PortSwigger labs until the milestone below feels routine, and they cover every concept you need for Month 4.
Month 3 Milestone Test
Install Burp Suite, configure Firefox with FoxyProxy and the Burp CA certificate, and successfully intercept a request from a PortSwigger practice lab. Modify a parameter in Repeater and observe the changed response. If you can do this, Month 3 is complete.
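What Repeater does under the hood is nothing more than text surgery on a raw HTTP request. The following added example (written for this article; it is not Burp code or SecurityElites course material) parses a constructed POST, swaps one parameter, and re-serialises the request with a recomputed Content-Length, which is the step people forget when editing by hand. The `lab.example` host, the cookie and the e-mail values are placeholders.

```python
"""A minimal 'Repeater' for the Month 3 milestone: parse a raw HTTP/1.1 request,
change one parameter, re-serialise it with a correct Content-Length."""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CRLF = "\r\n"

# Constructed sample request; host, cookie and values are placeholders, not a real target
SAMPLE_REQUEST = (
    "POST /account/change-email HTTP/1.1" + CRLF
    + "Host: lab.example" + CRLF
    + "Cookie: session=abc123" + CRLF
    + "Content-Type: application/x-www-form-urlencoded" + CRLF
    + "Content-Length: 22" + CRLF
    + CRLF
    + "email=me%40example.com"
)


def parse_request(raw: str) -> dict:
    """Split request line, headers and body. Headers keep their order and case."""
    head, _, body = raw.partition(CRLF + CRLF)
    request_line, *header_lines = head.split(CRLF)
    method, target, version = request_line.split(" ")
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def header(req: dict, name: str) -> str:
    """Case-insensitive lookup, because HTTP header names are case-insensitive."""
    return next((v for k, v in req["headers"] if k.lower() == name.lower()), "")


def cookies(req: dict) -> dict:
    """The Cookie header carries the session; swapping it is how you test access control later."""
    jar = {}
    for part in header(req, "Cookie").split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            jar[key] = value
    return jar


def set_param(req: dict, name: str, value: str) -> dict:
    """Set a parameter in the form body for urlencoded POSTs, otherwise in the query string."""
    if req["method"] == "POST" and header(req, "Content-Type").startswith("application/x-www-form-urlencoded"):
        params = dict(parse_qsl(req["body"], keep_blank_values=True))
        params[name] = value
        req["body"] = urlencode(params)
    else:
        parts = urlsplit(req["target"])
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
        params[name] = value
        req["target"] = urlunsplit(parts._replace(query=urlencode(params)))
    return req


def serialize(req: dict) -> str:
    """Rebuild the wire format. Content-Length is recomputed from the edited body; a stale
    length is the classic reason a hand-edited request hangs or gets truncated."""
    headers = [(k, v) for k, v in req["headers"] if k.lower() != "content-length"]
    if req["body"]:
        headers.append(("Content-Length", str(len(req["body"].encode()))))
    lines = [f"{req['method']} {req['target']} {req['version']}"] + [f"{k}: {v}" for k, v in headers]
    return CRLF.join(lines) + CRLF + CRLF + req["body"]


if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(serialize(set_param(req, "email", "attacker@evil.example")))
```

Note that `urlencode` re-encodes the `@` as `%40` and would encode an XSS probe in a GET parameter the same way; the server decodes it before use, which is why what you see in the browser's address bar and what the application actually receives are different strings.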

MONTHS 4–6
Core Attack Techniques — The Part Everyone Rushes and Then Wonders Why They Find Nothing

Months 4 through 6 are where most beginners either build real skills or plateau for years. The trap is tool-collecting — downloading 30 security tools and using each one once without understanding its output. The correct approach is depth over breadth: pick five fundamental vulnerability classes and understand each one completely before moving to the next.


MONTHS 4–6 CURRICULUM — SKILL ACQUISITION MAP
Depth order: master each before advancing to next

WEEK 1–2
Cross-Site Scripting (XSS) — Reflected, Stored, DOM

Bug Bounty Day 11 →

Targets by end of Week 2: concept understanding 100%, PortSwigger lab completion 100%, real-target identification ~70%.

Practice: PortSwigger XSS Labs 1–6 (all free). Goal: find and exploit all three XSS types.
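Reflected XSS is really three different bugs depending on where the input lands, and one escaping function does not cover all of them. The added example below (written for this article, not taken from PortSwigger or the SecurityElites course) renders a search term into an HTML body, an attribute and a script block, first unsafely and then with per-context encoding, and includes the probe-and-search check a hunter uses to tell an exploitable reflection from a harmless entity-encoded echo. The probe strings are constructed placeholders.

```python
"""Reflected XSS in three rendering contexts: the vulnerable template beside the fixed one,
plus the canary check that decides whether a reflection is worth a payload."""
import html
import json


def render_vulnerable(query: str) -> str:
    """String concatenation straight into HTML body, attribute and script contexts."""
    return (f"<p>Results for: {query}</p>\n"
            f'<input name="q" value="{query}">\n'
            f"<script>var last = '{query}';</script>")


def render_fixed(query: str) -> str:
    """Encode per context: HTML-escape (quotes included) for body and attribute, JSON-encode
    for the script context with < > ' additionally hex-escaped so a </script> or stray quote
    in the data can never terminate the block."""
    safe_html = html.escape(query, quote=True)
    safe_js = (json.dumps(query)
               .replace("<", "\\u003c").replace(">", "\\u003e").replace("'", "\\u0027"))
    return (f"<p>Results for: {safe_html}</p>\n"
            f'<input name="q" value="{safe_html}">\n'
            f"<script>var last = {safe_js};</script>")


# Each probe breaks out of exactly one context when it is reflected unencoded
PROBES = {
    "html_body": "<zz1>",        # opens a new tag in the body
    "attribute": '" zz2="',      # closes the value attribute and starts a new one
    "script": "';zz3='",         # terminates the JS string literal
}


def unencoded_probes(render) -> list:
    """Names of the probes that come back verbatim from `render`, i.e. unencoded."""
    return [ctx for ctx, probe in PROBES.items() if probe in render(probe)]


def is_reflected_unencoded(page: str, canary: str) -> bool:
    """The manual version: send a canary, search the response for it byte-for-byte.
    '&lt;zz1&gt;' in the response is harmless; a verbatim '<zz1>' is a lead."""
    return canary in page


if __name__ == "__main__":
    print("vulnerable reflects in:", unencoded_probes(render_vulnerable))
    print("fixed reflects in:", unencoded_probes(render_fixed))
```

Use harmless unique probes like these first, not `alert(1)`: they tell you the context without tripping a WAF, and the context decides which payload you send next.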

WEEK 3–4
SQL Injection — Union, Blind, Error-Based

Bug Bounty Day 12–13 →

Practice: PortSwigger SQL Injection Labs. Goal: understand UNION-based data extraction and Boolean-based blind SQLi. Then: introduce SQLmap for automation.

WEEK 5–6
IDOR & Broken Access Control

Bug Bounty Day 8–10 →

The highest-frequency bug bounty finding. Practice: PortSwigger Access Control Labs. Learn: ID enumeration patterns, Burp Intruder for automated ID testing (throttled in the free Community Edition, so learn to do the same sweep with a short script), and impact documentation.
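An IDOR report lives or dies on two things: the missing ownership check and a clear statement of impact. The added example below (written for this article; not PortSwigger or SecurityElites course code) simulates an invoice API with a vulnerable handler and a fixed one, runs the Intruder-style ID sweep against each, and turns the result into the impact sentence a triager actually rates on. The invoice records and the `alice`/`bob` accounts are constructed for the demo.

```python
"""IDOR in a simulated invoice API: the vulnerable handler, the fixed handler, and the
Intruder-style ID sweep that turns 'I changed a number' into a documented finding."""

# Constructed records; "alice" and "bob" are the two demo accounts
INVOICES = {
    1001: {"owner": "alice", "total": "120.00"},
    1002: {"owner": "bob", "total": "89.50"},
    1003: {"owner": "alice", "total": "40.00"},
    1004: {"owner": "bob", "total": "310.00"},
}


class NotFound(Exception):
    """Stands in for an HTTP 404."""


def get_invoice_vulnerable(session_user: str, invoice_id: int) -> dict:
    """Authenticated, but never checks that the caller owns the object: the IDOR."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_fixed(session_user: str, invoice_id: int) -> dict:
    """Authorisation is a property of (user, object), not of how guessable the ID is.
    Missing and foreign objects get the same 404 so the endpoint is not an ID oracle."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None or invoice["owner"] != session_user:
        raise NotFound(invoice_id)
    return invoice


def sweep_ids(handler, session_user: str, start: int, end: int) -> list:
    """The Intruder 'numbers' payload done in code: hit every ID as one user and collect
    the records that belong to somebody else. Each tuple is evidence for the report."""
    leaked = []
    for invoice_id in range(start, end + 1):
        try:
            invoice = handler(session_user, invoice_id)
        except NotFound:
            continue
        if invoice["owner"] != session_user:
            leaked.append((invoice_id, invoice["owner"], invoice["total"]))
    return leaked


def impact_summary(leaked: list, session_user: str) -> str:
    """One sentence of impact for the report; triagers rate on this, not on the payload."""
    if not leaked:
        return "No cross-account access observed."
    victims = sorted({owner for _, owner, _ in leaked})
    return (f"As {session_user}, {len(leaked)} invoice(s) belonging to "
            f"{', '.join(victims)} were readable by changing the ID.")


if __name__ == "__main__":
    found = sweep_ids(get_invoice_vulnerable, "alice", 1000, 1010)
    print(found)
    print(impact_summary(found, "alice"))
    print("after fix:", sweep_ids(get_invoice_fixed, "alice", 1000, 1010))
```

On a real programme you do this with two accounts you own and stop at the first confirmed cross-account read; enumerating every record to prove the point is out of scope almost everywhere and can get a valid report downgraded or rejected.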

WEEK 7–8
Authentication Flaws & JWT Attacks

Bug Bounty Day 23–26 →

Password reset logic flaws. JWT algorithm confusion. Sessions not invalidated on logout. Authentication bypasses are typically rated high or critical and paid accordingly, which makes them worth two full weeks of deep study.
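The family of JWT bugs grouped under "algorithm confusion" share one root cause: the server lets the token's own header decide how the signature is checked. The added example below (written for this article with the standard library only; not PortSwigger or SecurityElites course code) shows the `alg: none` variant because it needs no RSA key pair: a vulnerable verifier that honours the header, the forged token an attacker sends, and a fixed verifier that pins HS256 server-side. The signing key and the `wiener` claims are constructed for the demo.

```python
"""JWT verification done wrong and done right. The vulnerable verifier lets the token's own
header choose the algorithm, so an 'alg: none' token with an empty signature is accepted;
the fixed verifier pins HS256 on the server. Standard library only."""
import base64
import hashlib
import hmac
import json

# Constructed demo key; never hard-code a real signing key like this
DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode()


def sign_hs256(claims: dict, key: bytes) -> str:
    header = b64url(_json({"alg": "HS256", "typ": "JWT"}))
    payload = b64url(_json(claims))
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_vulnerable(token: str, key: bytes) -> dict:
    """Trusts header.alg. 'none' means 'no signature to check', which is exactly what an attacker sends."""
    h, p, s = token.split(".")
    alg = json.loads(b64url_decode(h)).get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))
    if alg == "HS256":
        expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    raise ValueError("bad signature")


def verify_fixed(token: str, key: bytes) -> dict:
    """The server decides the algorithm; the header merely has to agree with it."""
    h, p, s = token.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def forge_none(token: str, **changes) -> str:
    """Attacker side: keep the claims, edit what you like, switch alg to none, drop the signature."""
    _, p, _ = token.split(".")
    claims = json.loads(b64url_decode(p))
    claims.update(changes)
    return f"{b64url(_json({'alg': 'none', 'typ': 'JWT'}))}.{b64url(_json(claims))}."


if __name__ == "__main__":
    token = sign_hs256({"sub": "wiener", "admin": False}, DEMO_KEY)
    forged = forge_none(token, admin=True)
    print("vulnerable server sees:", verify_vulnerable(forged, DEMO_KEY))
    try:
        verify_fixed(forged, DEMO_KEY)
    except ValueError as exc:
        print("fixed server says:", exc)
```

The RS256-to-HS256 variant taught in the PortSwigger labs is the same mistake one step further: the server honours `alg: HS256` on a token it expected to be RSA-signed and uses its own public key as the HMAC secret, which the attacker also has.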

WEEK 9–12
Network Scanning + Metasploit (Intro)

Kali Course Day 1–3 →

Revisit Nmap with deeper flag knowledge. Introduce Metasploit against Metasploitable2. This is infrastructure hacking — different mindset from web application testing. Both career paths need it.
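Before you trust Nmap's output, write the simplest scan yourself. This added example (written for this article; it is not Nmap or SecurityElites course code) performs a TCP connect scan, the same thing `nmap -sT` does, against listeners the script itself starts on 127.0.0.1, so it runs offline and touches nothing you do not own. The banners are constructed service strings, not real SSH or FTP daemons.

```python
"""A TCP connect scan (what `nmap -sT` does) against listeners this script starts on
127.0.0.1, so it runs offline and touches nothing you do not own."""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def start_listener(banner: bytes):
    """Bind an ephemeral loopback port and greet every client with `banner`
    (constructed service strings stand in for a real daemon). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:          # listener closed: stop the thread
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def connect_scan(host: str, ports, timeout: float = 0.5, workers: int = 32) -> dict:
    """Full three-way handshake per port; open ports land in the result with whatever the
    service said first. A connect scan is noisy (the service logs the connection) but needs
    no raw sockets or root, unlike the SYN scan Nmap defaults to when run as root."""
    def probe(port: int):
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))           # RST back means closed, timeout means filtered
            except OSError:
                return port, None
            try:
                banner = s.recv(128).decode(errors="replace").strip()
            except OSError:                       # open but silent: the client must speak first
                banner = ""
            return port, banner

    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(probe, ports))
    return {port: banner for port, banner in results if banner is not None}


def closed_port() -> int:
    """Find a loopback port with nothing listening, for the negative case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ssh, ssh_port = start_listener(b"SSH-2.0-OpenSSH_demo\r\n")
    ftp, ftp_port = start_listener(b"220 demo-ftp ready\r\n")
    targets = sorted([ssh_port, ftp_port, closed_port()])
    for port, banner in sorted(connect_scan("127.0.0.1", targets).items()):
        print(f"{port}/tcp open  {banner}")
    ssh.close()
    ftp.close()
```

Run `nmap -sT -sV 127.0.0.1 -p <your two ports>` while the listeners are up and compare: Nmap will report the same ports open and use the same greeting bytes as its first clue to the service version.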

The PortSwigger Rule: Do not move on from any vulnerability class until you have completed every “Apprentice” level lab on PortSwigger for that class. Free. Interactive. The best web security practice environment on the internet.

Months 4–6 Curriculum Map — 12 weeks, five vulnerability classes, in depth order. Every course day reference links to a free SecurityElites.com article. The PortSwigger labs mentioned are free on portswigger.net/web-security; you need a free account to launch them, but nothing is paywalled.

MONTH 7
Your First Certification — The eJPT and Why It Beats CEH for Beginners

By Month 7 you have foundational networking, Linux fluency, web application knowledge, and hands-on experience with the five most common vulnerability classes. This is the right moment for your first certification — not Month 1 when certification vendors want to sell it to you, but Month 7 when you will actually pass it and understand what you are being tested on.


BEGINNER CERTIFICATION COMPARISON — HONEST RANKING

Certification | Cost | Format | Right Month | Employer Value | Verdict
eJPT (RECOMMENDED) | ~$200 | Practical lab | Month 7 | ⭐⭐⭐⭐ | Lab-based exam: you answer the questions by actually enumerating and compromising the lab hosts, not from memorised theory. The right entry point.
CompTIA Security+ | $392 | MCQ + PBQ | Month 8–9 | ⭐⭐⭐⭐⭐ | Required for many US government/DoD roles. High corporate recognition.
CEH (OVERPRICED) | $950–$1,999 | MCQ only | Skip it | ⭐⭐⭐ | Memorisation cert; the standard exam has no practical component (the separate CEH Practical costs extra). Expensive for what it tests.
OSCP (GOLD STANDARD) | $1,499 | 24hr practical | Month 14–18 | ⭐⭐⭐⭐⭐ | Industry gold standard for pentesters. Do NOT attempt before Month 12.
PNPT (TCM Security) | $399 | Practical + report | Month 10–12 | ⭐⭐⭐⭐ | Good OSCP stepping stone. Includes a full report-writing component.
MCQ = Multiple Choice Questions. PBQ = Performance-Based Questions. Practical = real lab environment exam.

Honest Certification Comparison — eJPT first (Month 7), CompTIA Security+ if corporate/government roles are the goal (Month 8–9), PNPT as OSCP preparation (Month 10–12), OSCP when truly ready (Month 14–18). Do NOT start with CEH — it is expensive, theory-heavy, and not respected by technically-oriented employers.

MONTHS 7–9
Bug Bounty Begins — How to Earn Your First Payout While Still Learning

Bug bounty is not something you do after you are fully qualified. It is something you do while you are learning — and it does three critical things simultaneously: it builds real-world experience on real targets, it validates your skills against actual applications with real defence mechanisms, and it can pay you while you are still a student. Some of the most celebrated bug bounty finds in history were made by people in their first year of learning.

The key is programme selection. Do not start on Google or Facebook. Start on beginner-friendly programmes that have a wide scope, responsive triage teams, and realistic bounties for the findings beginners are most likely to make.


BUG BOUNTY — BEGINNER PROGRAMME SELECTION GUIDE

✅ IDEAL FIRST PROGRAMME HAS:
✓ Wide scope (multiple subdomains / assets)
✓ Accepts informational + low severity findings
✓ Has a “Safe Harbour” policy clearly stated
✓ Active triage with response under 2 weeks
✓ Has disclosed reports you can read + learn from
✓ Is on HackerOne or Bugcrowd (established platforms)
✓ Pays something for valid low-severity findings rather than setting a $0 floor for lows

❌ AVOID AS A BEGINNER:
✗ Google, Meta, Apple, Microsoft (extremely competitive)
✗ Programmes whose response SLA is longer than 30 days (slow triage kills motivation)
✗ Private programmes (you need invitation first)
✗ No scope / vague scope programmes
✗ Programmes with “Hall of Fame only” — no cash rewards
✗ Any programme without a clear Safe Harbour clause

🎯 YOUR FIRST VALID FINDING WILL LIKELY BE:
IDOR — changing an ID in a URL or API request and getting another user’s data
Security Misconfiguration — exposed .env file, admin panel, open directory listing
Missing Security Headers — X-Frame-Options, Content-Security-Policy, HSTS (usually informational: most programmes will not pay for a missing header on its own unless you demonstrate a concrete impact, such as a working clickjacking page)
Subdomain Enumeration Finding — a forgotten subdomain with an outdated vulnerable application
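Checking headers and cookie flags is mechanical, so script it and spend your attention on what the result means. The added example below (written for this article, not from any programme or the SecurityElites course) parses a constructed HTTP response, reports the missing security headers while respecting the rule that a CSP with `frame-ancestors` supersedes X-Frame-Options, lists which cookies lack Secure/HttpOnly/SameSite, and assigns the severity a triager will realistically give each finding. The response, server name and cookie values are made up.

```python
"""Audit a raw HTTP response for the low-hanging findings listed above: missing security
headers and cookies without Secure/HttpOnly/SameSite, with realistic severities."""

CRLF = "\r\n"

# Constructed response; nothing here came from a real programme
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK" + CRLF
    + "Server: nginx" + CRLF
    + "Strict-Transport-Security: max-age=31536000; includeSubDomains" + CRLF
    + "X-Frame-Options: DENY" + CRLF
    + "Set-Cookie: session=7f3a9c0e; Path=/; Secure" + CRLF
    + "Set-Cookie: theme=dark; Path=/" + CRLF
    + "Content-Type: text/html" + CRLF
    + CRLF
    + "<html><body>ok</body></html>"
)

SECURITY_HEADERS = ["strict-transport-security", "content-security-policy", "x-frame-options"]
COOKIE_FLAGS = ["Secure", "HttpOnly", "SameSite"]


def parse_response(raw: str) -> dict:
    """Status line, headers (as a list, because Set-Cookie legitimately repeats), body."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return {"status": status_line, "headers": headers, "body": body}


def header_values(resp: dict, name: str) -> list:
    return [v for k, v in resp["headers"] if k == name.lower()]


def missing_headers(resp: dict) -> list:
    present = {k for k, _ in resp["headers"]}
    missing = [h for h in SECURITY_HEADERS if h not in present]
    # A CSP with frame-ancestors supersedes X-Frame-Options; reporting both is a classic false positive
    csp = " ".join(header_values(resp, "content-security-policy")).lower()
    if "frame-ancestors" in csp and "x-frame-options" in missing:
        missing.remove("x-frame-options")
    return missing


def cookie_gaps(resp: dict) -> dict:
    """Map cookie name to the flags it lacks (attribute names are case-insensitive)."""
    gaps = {}
    for raw in header_values(resp, "set-cookie"):
        name_value, *attrs = [part.strip() for part in raw.split(";")]
        name = name_value.split("=", 1)[0]
        attr_names = {a.split("=", 1)[0].lower() for a in attrs}
        lacking = [flag for flag in COOKIE_FLAGS if flag.lower() not in attr_names]
        if lacking:
            gaps[name] = lacking
    return gaps


def triage(resp: dict) -> list:
    """Findings with the severity a triager will realistically assign: header gaps are
    informational on their own; a session cookie readable by script is usually Low."""
    findings = [(f"Missing {h}", "Informational") for h in missing_headers(resp)]
    for cookie, lacking in cookie_gaps(resp).items():
        severity = "Low" if "session" in cookie.lower() and "HttpOnly" in lacking else "Informational"
        findings.append((f"Cookie {cookie} lacks {', '.join(lacking)}", severity))
    return findings


if __name__ == "__main__":
    for finding, severity in triage(parse_response(SAMPLE_RESPONSE)):
        print(f"[{severity}] {finding}")
```

Read the programme's out-of-scope list before submitting any of these: many explicitly exclude missing headers and cookie flags, and a report that ignores that costs you reputation points on the platform.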

Start here: HackerOne’s public programme list → filter by “Bounty” → sort by “Newest” → read 5 disclosed reports per programme before testing. The 60-day bug bounty course covers programme selection methodology in Day 1.

Bug Bounty Programme Selection — The programme you choose as your first matters enormously. An unresponsive programme with unclear scope will demotivate you. A well-run public programme on HackerOne with disclosed reports gives you a learning environment where other researchers’ disclosed findings teach you what is possible on that target.

MONTHS 10–12
Portfolio Building and Your First Job — What Actually Gets You Hired

The cybersecurity hiring process is broken — many job postings for “junior” roles require 3–5 years of experience. The way around this is a portfolio that demonstrates skills more convincingly than years of experience. A person with a documented bug bounty finding, a public GitHub with security scripts, a completed eJPT, and a professional LinkedIn profile is more hireable than someone with 2 years of unverifiable “experience” and no portfolio.

📁 Portfolio Checklist
GitHub: At least 3 security tools, scripts, or CTF writeups you built yourself
Bug Bounty: Even one valid finding with hall of fame acknowledgement is portfolio-worthy
Certifications: eJPT (Month 7) at minimum. TryHackMe completion badges
CTF Writeups: Document your HackTheBox or PicoCTF solutions publicly
Blog/Content: Even 3 technical articles shows communication skill (critical for pentesting reports)

💼 Jobs to Apply For at Month 12
Junior Penetration Tester — $55K–$75K/yr, most realistic first role
SOC Analyst Level 1 — blue team entry, often easier to land, and a common route into red team work later
Security Consultant (Junior) — consulting firms, diverse client exposure
Bug Bounty Full-Time — rare but real. A small number of HackerOne hunters have passed $1M in lifetime earnings
Freelance Pentester — small business security assessments while building reputation


💵 Ethical Hacker Salary 2026 — The Real Numbers by Experience Level


ETHICAL HACKER SALARY 2026 — BY EXPERIENCE LEVEL
Data sourced from LinkedIn Salary, Glassdoor, Levels.fyi, and direct community surveys — US market unless noted

Level | Stage | Compensation | Notes
Bug Bounty (part-time, Month 6–12) | While learning, on top of a day job | $500–$5K per month (realistic beginner range) | Variable; depends entirely on findings
Junior Penetration Tester (0–2 years) | Entry role, first job in security | $55K–$75K per year (US average) | eJPT / Security+ tier
Mid-Level Penetration Tester (2–5 years) | After OSCP / 2+ years experience | $80K–$110K per year (US average) | OSCP tier
Senior / Lead Penetration Tester (5+ years) | Specialised, team leadership | $120K–$180K per year (US average) | OSCP / OSED / CRTO tier
Top 1% Bug Bounty Hunter (2–5+ years) | Full-time hunting, top HackerOne/Bugcrowd rank | $500K–$2M+ lifetime earnings (exceptional cases) | Rare but documented and real

Salaries are US market annual figures. UK/Australia/Singapore run approximately 60–80% of US figures. India/Southeast Asia vary significantly by employer type (MNC vs local).

Ethical Hacker Salary 2026 — The entry-level range ($55K–$75K) is reachable at Month 12 with the right portfolio and certifications. The mid-level range ($80K–$110K) opens up with OSCP and 2 years experience. The top 1% bug bounty figures are exceptional but real — documented in HackerOne’s published statistics.

🎯 The Free Resources Master List — Everything You Need in One Place


COMPLETE FREE RESOURCES — BOOKMARK THIS SECTION

⭐ SECURITYELITES.COM (FREE)
100-Day Ethical Hacking Course
Days 1–100, every major technique
60-Day Bug Bounty Course
From setup to first payout
180-Day Kali Linux Course
One tool per day, 180 tools total

🎮 PRACTICE PLATFORMS (FREE TIER)
PortSwigger Web Security Academy
Best web security labs — 100% free
TryHackMe
Guided paths, free tier available
Hack The Box
Starting Point tier is free
OverTheWire Wargames
Free Linux + security challenges

📜 CERTIFICATION PATH (LOW COST)
Month 7: eJPT (~$200) — INE (formerly eLearnSecurity)
Month 9: CompTIA Security+ ($392) — optional
Month 12: PNPT ($399) — TCM Security
Month 18: OSCP ($1,499) — Offensive Security
Total cost if you follow the order: ~$600 for eJPT + PNPT, or ~$1,000 if you add Security+ (OSCP falls in year two)

💰 BUG BOUNTY PLATFORMS (FREE)
HackerOne — largest public programme list
Bugcrowd — good beginner programmes
Google Bughunters — year 2+ target
Intigriti — European-focused, less competed

Complete Free Resources Dashboard — Everything you need is listed here. The SecurityElites.com courses are your primary curriculum. PortSwigger and TryHackMe are your practice environments. eJPT is your first paid checkpoint at Month 7. Total first-year cost following this roadmap: roughly $600 in certifications (eJPT + PNPT), or about $1,000 with Security+.

❌ 7 Mistakes That Kill Progress — Every One of These Has Ended Promising Careers Before They Started

1
Starting with Kali Linux before understanding networking
Kali is a toolbox. If you do not understand what ports, protocols, and packets are, the tools in that toolbox produce output you cannot interpret. Nmap output means nothing without TCP/IP knowledge. Start with Month 1 regardless of how exciting Kali looks on YouTube.

2
Buying the CEH as your first certification
The CEH is a multiple-choice memorisation exam with a $950–$1,999 price tag. The standard exam has no practical component (the separate CEH Practical costs extra). Technically-oriented security employers do not respect it. The same money buys you eJPT + PNPT + six months of Hack The Box VIP. Do not let EC-Council’s marketing convince you it is the entry-level choice.

3
Watching tutorials without opening a terminal
Every hour of security content watched without being executed in a terminal counts for approximately 10% of an hour of actual practice. Security is a physical skill — like surgery or carpentry — that requires repetition in the actual environment. Every SecurityElites.com article has tasks. Do every single one before reading the next.

4
Attempting OSCP before Month 12
OSCP is a 24-hour exam requiring you to compromise multiple machines in a restricted lab environment. Attempted too early, it destroys confidence, wastes $1,499, and consumes months of preparation time for an outcome that was predetermined by insufficient foundational skill. Wait until you can consistently solve Hack The Box medium-difficulty machines without hints.

5
Scanning networks without authorisation and calling it “practice”
Running Nmap against IP addresses you do not own or have written permission to scan can be a criminal offence in many jurisdictions and is treated as hostile activity by the target regardless of your intent. Not only does this risk prosecution, it immediately disqualifies you from any professional security career. Authorised practice platforms exist specifically to solve this problem. Use them. Every SecurityElites.com article includes a legal notice for this reason.

6
Neglecting report writing
A penetration tester’s primary deliverable is not the hack — it is the report. A finding nobody understands fixes nothing. Clients pay for clear, reproducible, technically accurate reports with actionable remediation guidance. Practice writing up every CTF solution and every lab completion as if it were a professional report. This skill separates employed professionals from permanent hobbyists.

7
Waiting until you feel “ready” to start bug bounty or job applications
Nobody ever feels ready. The feeling of readiness in security comes from doing the work, not from completing more preparation before doing the work. Submit your first bug bounty report at Month 7. Apply for your first junior role at Month 10. Get rejected, learn what they wanted, improve, and apply again. The feedback loop of real-world attempts is irreplaceable — and it is only available to people who started.

YOUR ROADMAP STARTS TODAY — NOT MONDAY
The only difference between you and a working ethical hacker is time spent at a terminal.

Month 1 starts with one TryHackMe room and understanding what happens when you type google.com. That’s it. That is the entire first step. All 340 days of free content are waiting at SecurityElites.com — Day 1 of every course is published, free, and ready.

Frequently Asked Questions – How to Become an Ethical Hacker

How long does it take to become an ethical hacker from scratch?
With 1–2 hours daily, most people reach a functional beginner level in 6 months and junior professional level in 12 months. This accelerates significantly with consistent hands-on lab practice over passive video watching. The roadmap in this article covers the 12-month path to first job applications with realistic milestones at each stage.
Do I need a degree to become an ethical hacker?
No degree is required. Ethical hacking is one of the most skills-based careers in technology — employers care about what you can demonstrate. A portfolio of certifications (starting with eJPT), documented bug bounty findings, and completed CTF challenges outweighs a relevant degree in most hiring decisions at technical security firms and consultancies.
What is the salary of an ethical hacker in 2026?
In the US market: Junior penetration testers (0–2 years) earn $55K–$75K/year. Mid-level (2–5 years, post-OSCP) earn $80K–$110K/year. Senior/lead (5+ years) earn $120K–$180K/year. Independent consultants and specialised researchers can earn significantly more. Top 1% bug bounty hunters have documented lifetime earnings exceeding $1M.
What is the best first certification for ethical hacking?
The eJPT (eLearnSecurity Junior Penetration Tester, now run by INE) at approximately $200. It is beginner-appropriate and lab-based: you answer the exam questions by actually enumerating and compromising hosts in the exam network, not from memorised theory, and it is recognised by employers as a genuine entry credential. Avoid the CEH as a first certification — it is expensive, theory-only in its standard form, and widely considered overpriced for what it tests. OSCP is the gold standard but requires 6–12 months of preparation after the eJPT.
Is ethical hacking legal?
Ethical hacking is completely legal when performed with explicit written authorisation. Penetration testers have signed contracts. Bug bounty hunters operate within defined programme scopes. Security researchers use dedicated authorised platforms (TryHackMe, HackTheBox, PortSwigger). Hacking any system without permission is illegal regardless of intent. The legal and ethical framework is what separates ethical hacking from cybercrime — and every article at SecurityElites.com includes this reminder.

📚 Continue Your Journey — SecurityElites.com Free Courses

100-Day Ethical Hacking Course
From absolute beginner to professional — free, no registration

180-Day Kali Linux Course
One tool per day — Nmap to advanced exploitation

60-Day Bug Bounty Course
Platform setup to first paid bounty — completely free


Mr Elite
Founder, SecurityElites.com | Penetration Tester | Security Educator

I started with zero formal IT background. No computer science degree, no industry connections, and no idea what a TCP handshake was. The roadmap in this article is the one I wish existed when I started — not a product brochure, not a certification catalogue, but an honest month-by-month progression that tells you exactly what to learn, in what order, and why. SecurityElites.com exists because this information should be free and accessible to everyone. The 340+ free daily lessons, the three complete courses, the security guides — all of it is here and it costs you nothing but time and effort. That’s the deal.
