The cybersecurity skills shortage has reached peak levels, with more than 500,000 job openings in the field as major cyberattacks loom on the horizon. Organizations are desperate to acquire this talent, and as a result companies are using "ethical hackers" to bolster their cybersecurity practices. These ethical hackers are experienced professionals who make a living by proactively finding bugs and vulnerabilities.
So how did these ethical hackers get started?
Unbound by the usual job requirements of a traditional role in tech, they are able to use online resources to self-teach, observe other hackers, and study tactics from existing professionals. By using these resources, beginner hackers can find their specific passions within the cybersecurity space and eventually make their own mark in the ethical hacking profession.
Beginners Should Look Here
When first dipping their toes into the world of hacking, beginners should utilize basic resources to familiarize themselves with terms, best practices, vulnerability reporting, and other issues they will be expected to know in an organization.
- Nahamsec's "Resources for Beginner Bug Bounty Hunters" offers an index of resources for learning to hack.
- Codingo's search functionality on his website indexes a huge stack of searchable public content from hackers.
- S0cm0nkey's "Security Reference Guide" is another repository of cybersecurity resources.
- InfosecWriteups is a Medium publication that has a huge amount of cybersecurity related write-ups for CTFs and bug bounties.
Practice Makes Perfect
Sometimes, the best way to learn is to do. The labs below provide an opportunity for hackers to get hands-on experience with various types of ethical hacking.
- Pentesterlab: Hands-on approach to learning how to hack.
- Portswigger Labs: Huge set of web application security labs that are totally free.
- Tryhackme: Cybersecurity training platform and competitive hacking game where you choose between three streams: pre-security for fundamentals, offensive pen testing, or cyber defense.
- Hackthebox: Best known for being an ongoing worldwide competitive Capture The Flag (CTF). They also provide training "tracks."
- Kontra: Online platform that offers a series of hosted labs designed to teach developers about application security.
- Hacker101.com: Online training platform for web security, created by bug bounty platform Hackerone.
- Vulnhub: Platform that allows users to upload "challenge boxes" which are purposely vulnerable virtual machines. The goal is to gain root/system level access on these machines by exploiting various vulnerabilities.
Learn From the Experts
Ethical hackers are often eager to share their findings and beginners should follow them closely. Understanding how professionals approach their bug bounty work will help new hackers form their habits effectively. (Note: Some of these resources haven't been updated in quite some time, but even older material can be very informative!)
- Hackerone Hacktivity: Unlimited stream of disclosed vulnerabilities on the Hackerone platform.
- Crowdstream: The Bugcrowd equivalent of Hackerone's Hacktivity.
- Pentesterland: Provides a large, curated list of bug bounty writeups and resources for beginner hackers.
- D0nut's blog: Mixed bag with lots of gems inside.
- Intigriti's Medium Publication: Filled with lots of great bug bounty content.
- Secjuice: Non-profit publication that posts articles about cybersecurity including CTF writeups, tutorials, methodologies, and more.
- Detectify Labs: Posts a large amount of cybersecurity research from high-profile hackers.
Sit Back and Watch
Another great resource for observing existing hackers is YouTube content. Many notable hackers post content about their work to share knowledge. New hackers can gain an understanding of the career, new findings, and how to work with companies' bounty programs.
- Liveoverflow: This cybersecurity YouTube legend has released over 300 videos about a huge range of topics.
- John Hammond: Channel covering all kinds of topics including CTF walkthroughs, programming tutorials, interviews, the dark web, malware analysis, and more.
- Nahamsec: Does "Recon Sundays" every Sunday, where he streams live recon and brings on guests.
- STÖK: Makes videos mostly pertaining to bug bounties. He interviews hackers, documents live-hacking events, and releases "Bug Bounty Thursdays" — an industry news update every week.
- Farah Hawa: Takes complex topics and explains them in a way you will understand by breaking them down to fundamentals. She covers different bug classes, the hacking process, and careers.
- Codingo: Creates bug bounty-specific videos including videos about tools, hacking processes, recon, and more.
- PwnFunction: Focuses primarily on web application hacking.
- Ippsec: Creates walk-throughs of HackTheBox challenge boxes, to simulate watching over the shoulder of a professional.
- InsiderPhD: Makes videos about hacking, bug bounties, machine learning, and more.
- Hakluke: And last but not least, it's me! Instructional videos, bug bounty report explainers, career, and mindset videos.