Table of Contents

Definition

Ethical hacking is an authorized attempt to gain unauthorized access to a computer system, application, or data using the strategies and actions of malicious attackers. This practice helps identify security vulnerabilities that can then be resolved before a malicious attacker has the opportunity to exploit them.

Ethical hackers are security experts who perform these proactive security assessments to help improve an organization’s security posture. With prior approval from the organization or owner of an IT asset, the mission of an ethical hacker is the opposite of malicious hacking. 

What are the key concepts of ethical hacking?

Hacking experts follow four key protocol concepts.

  • Stay legal. Obtain proper approval before accessing and performing a security assessment.
  • Define the scope. Determine the scope of the assessment so that the ethical hacker’s work remains legal and within the organization’s approved boundaries.
  • Disclose the findings. Notify the organization of all vulnerabilities discovered during the assessment, and provide remediation advice for resolving these vulnerabilities.
  • Respect data sensitivity. Depending on the data sensitivity, ethical hackers may have to agree to a nondisclosure agreement, in addition to other terms and conditions required by the assessed organization. 

How are ethical hackers different than malicious hackers?

Ethical hackers use their knowledge and skills to secure and improve the technology of organizations. They provide an essential service by looking for vulnerabilities that can lead to a security breach, and they report the identified vulnerabilities to the organization. Additionally, they provide remediation advice. In many cases, ethical hackers also perform a retest to ensure the vulnerabilities are fully resolved. 

The goal of malicious hackers is to gain unauthorized access to a resource (the more sensitive the better) for financial gain or personal recognition. Some malicious hackers deface websites or crash back-end servers for fun, reputation damage, or to cause financial loss. The methods used and vulnerabilities found remain unreported. They aren’t concerned with improving the organizations security posture.  

What are the skills and certifications for ethical hacking?

An ethical hacker should have a wide range of computer skills. They often specialize, becoming subject matter experts on a particular area within the ethical hacking domain.

All ethical hackers should have

  • Expertise in scripting languages
  • Proficiency in operating systems
  • A thorough knowledge of networking
  • A solid foundation in the principles of information security

Some of the most well-known and acquired certifications include

What problems does ethical hacking identify?

Ethical hacking aims to mimic an actual attack to look for attack vectors against the target. The initial goal is to perform reconnaissance, gaining as much information as possible.

Once an ethical hacker gathers enough information, they use it to look for vulnerabilities. They perform this assessment using a combination of automated and manual testing. Even sophisticated systems can have complex countermeasure technologies that may be vulnerable.

In addition to uncovering vulnerabilities, ethical hackers use exploits against the vulnerabilities to prove how a malicious attacker could exploit it.

Some of the most common vulnerabilities discovered by ethical hackers include

After the testing period, ethical hackers prepare a detailed report that includes additional details on the discovered vulnerabilities along with steps to patch or mitigate them.

What are some limitations of ethical hacking?

  • Scope. Ethical hackers cannot progress beyond a defined scope to make an attack successful. However, it’s not unreasonable to discuss out-of-scope attack potential with the organization.  
  • Resources. Malicious hackers don’t have time constraints that ethical hackers often face. Computing power and budget are additional constraints of ethical hackers.
  • Methods. Some organizations ask experts to avoid test cases that lead the servers to crash (e.g., denial-of-service attacks).

How does Black Duck manage ethical hacking?

Black Duck offers managed penetration testing, also known as pen tests, for web applications and services. This security testing technique simulates a real-world attack on a system to identify vulnerabilities and weaknesses in systems and code. Using a blend of manual and tool-based testing, Black Duck managed penetration testing services provides a comprehensive assessment of a runtime environment with accurate results and actionable remediation guidance.

By opting for a managed penetration testing service provider, companies get access to security testing experts who can help them understand their security risks, meet compliance requirements, and enable in-house security teams to focus on other objectives.

- This glossary was verified by Chai Bhat.

Resources to manage your enterprise AppSec risk

Software Vulnerability Snapshot

Software Vulnerability Snapshot

Get insights into the current state of security for web-based apps and systems

Download the report
Managing Risk at Scale: How to Gain Visibility, Quiet the Noise, and Secure Applications Across the Enterprise eBook cover

Managing Risk at Scale

Learn how to gain visibility and secure your apps across the enterprise

Download the white paper
BSIMM15 report cover

BSIMM15

An analysis of the top software security initiatives

Download the report
©2025 Black Duck Software, Inc. All Rights Reserved