Ethical Hacking Roadmap 2026 — Complete Career Guide

Cybersecurity is one of the fastest-growing career fields with a global shortage of 3.5 million professionals. This roadmap gives you the exact path from complete beginner to professional ethical hacker.

Phase 1: Foundation (0-3 Months)

Before learning hacking, you need a solid understanding of how computers and networks work.

Networking Fundamentals

  • OSI Model (all 7 layers)
  • TCP/IP protocol stack
  • DNS, DHCP, HTTP/HTTPS, FTP, SSH
  • Subnetting and CIDR notation
  • Firewalls, routers, switches

Resources: Professor Messer CompTIA Network+, TryHackMe “Pre-Security” path (free)

Linux Fundamentals

  • Command line navigation and file operations
  • File permissions and user management
  • Process management and scheduling
  • Bash scripting basics
  • Package management (apt, dnf)

Resources: The Linux Command Line book (free PDF), OverTheWire Bandit wargame

Programming Basics

  • Python fundamentals — strings, loops, functions, files
  • Basic Bash scripting
  • Understanding how web technologies work (HTML, HTTP, APIs)

Phase 2: Core Security Concepts (3-6 Months)

Key Topics

  • CIA Triad (Confidentiality, Integrity, Availability)
  • Common attack types: SQL injection, XSS, buffer overflow, social engineering
  • Cryptography basics: symmetric/asymmetric encryption, hashing, TLS
  • Authentication and authorization
  • Vulnerability lifecycle and CVE system

Recommended Certifications at This Stage

  • CompTIA Security+ — Industry standard entry-level cert. Required by many employers. Cost: ~$400
  • CompTIA Network+ — If networking is a weak point

Phase 3: Hands-On Hacking (6-12 Months)

Tools to Master

# Reconnaissance
nmap          # Network scanner
theHarvester  # Email/subdomain gathering
shodan        # Internet-connected device search

# Web Application Testing
burpsuite     # Web proxy and testing platform
gobuster      # Directory brute forcing
sqlmap        # Automated SQL injection

# Exploitation
metasploit    # Exploitation framework
searchsploit  # Search ExploitDB

# Password Attacks
hashcat       # GPU-accelerated password cracking
hydra         # Network login brute forcing
john          # John the Ripper password cracker

# Post-Exploitation
mimikatz      # Windows credential extraction
linpeas       # Linux privilege escalation enum
winpeas       # Windows privilege escalation enum

Practice Platforms

  • TryHackMe — Best for beginners. Guided rooms with hints. Free + Premium ($14/mo)
  • Hack The Box — More realistic. Less guidance. Free + VIP ($14/mo)
  • VulnHub — Free downloadable VMs. No internet required
  • PortSwigger Web Academy — Free web security labs. Excellent for OWASP Top 10
  • PentesterLab — Web application security focus

Phase 4: Specialisation and Certification (12-18 Months)

Certification Paths by Specialisation

Penetration Testing

  • OSCP (Offensive Security Certified Professional) — The gold standard for pentesters. Requires 24-hour practical exam. Cost: ~$1,500
  • eJPT — Good OSCP stepping stone. Cost: ~$200
  • CEH — More theory-focused. Widely recognised in corporate environments

Web Application Security

  • BSCP (Burp Suite Certified Practitioner) — Practical web security cert from PortSwigger
  • GWEB — GIAC Web Application Penetration Tester

Cloud Security

  • AWS Security Specialty
  • CCSP (Certified Cloud Security Professional)

Phase 5: Bug Bounty and Real Work

Once you have solid skills, start earning through bug bounty programs:

  • HackerOne — Largest bug bounty platform. Good for beginners
  • Bugcrowd — Wide range of programs
  • Intigriti — European focus, good payouts
  • Open Bug Bounty — Free, good for starting out

Typical Bug Bounty Payouts

  • Low severity (XSS, info disclosure): $50 – $500
  • Medium severity (CSRF, IDOR): $500 – $5,000
  • High severity (SQLi, XXE): $5,000 – $25,000
  • Critical (RCE, authentication bypass): $25,000 – $1,000,000+

Salary Expectations (2026)

  • Junior Penetration Tester: $60,000 – $85,000
  • Mid-level Security Analyst: $85,000 – $120,000
  • Senior Penetration Tester: $120,000 – $160,000
  • Security Architect: $150,000 – $200,000+
  • Top Bug Bounty Hunters: $500,000+/year

Download our free Cybersecurity Roadmap PDF from our Tools page for a printable version of this entire roadmap.