Cybercrime is still a currency black hole. Industry insiders report, year after year, how companies lose trillions of dollars each year to hacking, scams, and data breaches. This is a huge problem, which also means that if you can do something about it, you can make a living off it. Companies are willing to pay if you spare them from a headache: In 2019, HackerOne reported that hackers had detected almost 100,000 vulnerabilities and earned $42 million in bug bounties the previous year. That’s roughly $115,000 a day.

Ethical hacking, also known as “white-hat” hacking, involves using your tech knowledge to find vulnerabilities in computer systems, networks, and apps. The only difference with hacking with your hoodie on is that you have to get permission from the owner. The goal is to actually help them out by finding those weaknesses and suggesting ways to patch them up. These are the best ways to earn money hacking.

‍

Ways to make money hacking

To make money as a hacker, you should start out checking ethical hacking programs. Check out these strategies:

1. Bug bounty programs

One of the most common ways to make money hacking is by joining a bug bounty program. Many companies and organisations offer them, which are rewards for finding and reporting security vulnerabilities. Some popular bug bounty programs include HackerOne, Bugcrowd, and Synopsys.

Bounty programs work by getting contractually-authorised access (but not necessarily authorised access, in the sense of having a legit username and password) to a company’s software. You usually only report the bug—you don’t work to fix it. 

‍

Most bug bounty programs have clear guidelines on how to disclose vulnerabilities. If your report is legitimate, the company will offer you a cash reward. The bigger the security risk you expose, the bigger the reward. And if you don’t follow their due process, you might end up receiving nothing, because you’ll be breaching your agreement (not their systems—you were already doing that).

💡 You should research the company before you start hunting. Knowing their systems (you can’t know exactly what system they use, but if they’re a bank, they could be using COBOL) will make choosing the right bounty program way more attainable.

2. Red teaming 

Red teaming is a specialised form of white hacking that simulates real-world cyberattacks in a controlled environment. This is also done to identify and exploit weaknesses in a company's security posture. Red teams are usually a crew of best-in-class ethical hackers.

First, they map out the “battlefield.” Then, they go into information-gathering mode, learning everything they can about the company's network, employees, and security measures. Once they have intel, the red team launches simulated attacks, mimicking real-world threats that could target the company's network, software, or even physical security. Finally, they deliver a report. Read teaming was typically reserved to business systems, but Microsoft has been publicising their own AI red team.

The best way to start red teaming, considering you still haven’t found your perfect buddies, is to network. Find some attractive red teaming companies and connect with members over social media. Try to make your profile interesting: “I’m an expert in…”

3. Penetration testing

Penetration testers utilise the same tools and techniques as malicious hackers to identify and exploit system security weaknesses. The information gathered during the testing can then be used to pinpoint the system flaws and, therefore, improve the system's overall security, obviously. It’s usually an integral part of any organisation's cybersecurity program.

There are primarily two types of penetration testing: black box and white box.

Black box testing is performed without any knowledge of the system's internals. The tester is only given the system's IP address or URL, and they must use their skills and tools to find and exploit vulnerabilities.

White box testing is performed with full knowledge of the system's internals. The tester is given access to the system’s network, network diagrams, and other documentation. This allows the tester to perform a more comprehensive test and identify more subtle points of weakness.

Do pen testers get access to the source code?

Some outlets mention very lightly that “pen testers are provided access to the source code” for a web app, for example. This is not quite right. If said project is public, open-source, and on GitHub, then yes, pen testers will access the source code. But plenty of private companies are very secretive about their source code and won’t share it with employees, let alone a third party. If a salesperson working at Microsoft can’t access the source code for Windows 98, you can expect a seasoned pen tester to be equally walled off. That pen tester will have to work on the network or visible part of the app instead.

Red teaming vs Penetration testing

Red teaming and penetration testing are both forms of ethical hacking, but there are some key differences between the two. Penetration testing typically focuses on identifying and exploiting vulnerabilities, while red teaming focuses on simulating real-world cyberattacks. Some infosec workers even say that pen testing is more “cracking” than “hacking,” but that pen testers are indeed hackers first.

4. Security consulting

If you’re an accomplished hacker, you can make money by ditching the hoodies and turning to formal attire instead. When you sign on as a cybersecurity consultant, you’ll be invoicing companies for running assessments on how susceptible to hacking their business is. As a cybersecurity consultant, you could also give recommendations on how to stay compliant with norms such as HIPAA (US) or GDPR (Europe).

Being a cybersecurity consultant can be both tough and very profitable. Companies spent about $150 billion on cybersecurity in 2021, including security consulting services. But small companies, despite often being exposed to breachers, hackers, and everything, might not want to afford your expertise. It's easier to win over big companies if you're already well-established. That’s where you’ll be able to take a share of those $150 billion.

The difficult part is getting started. Many consultants rely on recommendations from friends at big law firms—especially because they advise on compliance with GDPR—to connect them with potential clients. This can be a good way to get high-paying jobs. Some estimates say that these referrals might make up almost all of a consultant's business. But some consultants also claim that medium-sized businesses don’t hesitate to avoid paying out invoices. They do this because they’re speculating that you’re so isolated and so laden with work that you won’t press charges.

This is where subcontracting under a bigger consulting firm shows up. You set your own rate, letting them handle sales and billing and potentially adding a premium to your fee. This can be a good way to build a clientele while established firms take care of the trickier sales aspect. If possible, be sure to negotiate a non-compete clause that allows you to work with other firms and develop your own client base alongside subcontracting work.

5. Teaching, training, and speaking

If you're advanced in your field, you might also consider turning to teaching and training to make money hacking.

Here are a couple of effective strategies to get started:

• Develop and deliver training courses: Platforms like Udemy, Coursera, or independent learning management systems can be great outlets. You can monetise the access to these courses.
• Create and publish cybersecurity content:Write informative blog posts, articles, or even e-books on cybersecurity trends and best practices. You can monetise part of this content or use it to establish your brand and live as a conference speaker, for example.

This is more of a marketing career than a hacking or IT career. You build brand recognition and position yourself as a trusted authority. This, in turn, can lead to increased demand for your paid training programs or consulting services. So you might not work doing proper hacking or cybersecurity stuff. Your work, instead, might end up being “looking like an expert hacker” who even attends events and gets paid to speak. 

This is a quick comparison of how other ways of making money hacking work compared to this one.

• You work as a hacker: You actually code or offer best practices to prevent breaches.
• You work to look like a hacker: You become a frontperson. Your actual job is having the personal brand of a hacker, so people call you up for events or buy your courses on how to secure their assets or be like you.

If you go out in public and start calling yourself a “hacker,” you’ll start having your detractors, just like musicians are called out for “selling out.” But when it’s work that can pay your bills, and you can do it well, then it’s worth a shot.

6. Developing security software

Ethical hackers have an in-depth understanding of how vulnerabilities are exploited or curbed. That’s why they can venture into developing security software.

Cybersecurity hackers (developers who work for security, not against it) earn very well. A senior data engineering position at a big antivirus software company is advertised as paying from $189–$311k a year.

Let’s say that developing security software is “easy.” What’s hard is selling it. Cybersecurity is a matter so delicate that few CISOs will want to put their jobs on the line by working with an up-and-coming cybersecurity developer. CISOs will hedge themselves by cutting deals with Gartner’s best cybersecurity players, even if they’re not saving the company any money. No one will buy your homebrew antivirus client, as cheap as your offer can be.

But everyone started from scratch, at least once. The newest cybersecurity companies are usually founded by cybersecurity executives who were acquired (or had a solid client base) and are now starting up a new venture. Besides the traditional vendors, up-and-coming companies from former insiders are a good place to knock on doors if you want to develop software and earn a salary from it. You can eventually become one of those founders yourself.

One point of caution: While remote jobs for developers are all the rage, cybersecurity developers often work in research centres that require strict confidentiality checks and in-person work.

Another way to make a living off developing cybersecurity software is to start your career offering services—such as penetration testing—and slowly pivot to software. Once you have your client base, you can pitch that software to them. That’s how ReFirm Labs, a cybersecurity software vendor taken over by Microsoft, did it. The funniest bit: As a teenager, their founder was arrested for hacking. He ended up making a living off it.

7. Freelance bug hunting

Some ethical hackers choose to work with companies directly on a freelance basis.  

The best strategy might be to find vulnerabilities on your own and then pitch your services to the company you want to work with. This means independently discovering bugs on a company's platform or system without being part of a formal bug bounty program. Once you've identified a critical vulnerability, you can then approach the company directly and offer your bug-hunting skills—or even offer a fix.

This strategy can be highly effective as a presentation letter—but it can go south quickly, too. The latter was demonstrated by the case of a Palestinian hacker in 2013 who posted on Mark Zuckerberg’s wall using Mark’s very own profile.

This hacker discovered a significant vulnerability on Facebook's platform and let everyone know… but wasn't hired by the company itself. Allegedly, they didn’t hire him because he posted on the CEO’s wall without reporting the bug first through the proper channels (the hacker claimed he actually did). Still, the stunt might have helped said developer land a job, at least outside Facebook. From his LinkedIn profile, it looks like he got a position in IT shortly after exposing the vulnerability.

8. Participating in hacking competitions

Many cybersecurity conferences and organisations host hacking competitions. These events test white-hat hackers to find and solve problems in real situations. Winners receive cash prizes and recognition within the cybersecurity community.

Going to these events helps hackers learn about new ways to break into systems—always for the greater good, of course—and also gives them a chance to show their skills to potential employers. It's a chance to meet other professionals and possibly get a good job in cybersecurity.

WeAreDevelopers' CODE100 challenge may not be a traditional hacking competition, but it does require problem-solving skills that are typical for hackers. These challenges often involve tasks that use the kind of critical thinking and creative approaches needed to identify security weaknesses. Of course, there are cash prizes for many of the tasks. 

9. Hacking your way into a new feature

Another smart strategy to make money hacking is figuring out user needs for a certain tech product and developing features that address them. While it’s not actually a hacker activity, it's still, in a way, like “hacking” the existing system. Only not to get unauthorised access, but to find the best path to a new feature or a more user-friendly product, for instance.

Take the example of the YouTube Instant feature—a feature with which you can get YouTube search results while you’re typing on the search bar. (Note: this was a big novelty back in the day). If you’ve ever used it, you should know this project was carried out by a 19-year-old college student who was at the time also doing an internship as a software developer on Facebook. 

The idea started in 2010, with a bet with his college roommate. This student bet that he could build a real-time YouTube search in less than an hour. He lost the bet, but it took him just three hours to complete the task. After learning about this project, YouTube’s CEO offered him a job. That’s a way to make money hacking, if any.

‍

Useful tips to get a gig as a hacker

Convinced to join the white-hat hacker contingent? These steps are not mandatory, but will help you to get right into the fast lane:

1. Get the best tools — What are the best tools for hackers?

In a 2018 survey from HackerOne, hackers answered they were using mostly Burp Suite, Fiddler, Webinspect and ChipWhisperer to complete bounty programs. These are third party applications. This debunks a commonly accepted myth that hackers who earn their living off it first build their own tools, and only then hack. You can start hacking on bounty programs with already-existing software—a shortcut.

2. Get certified

‍There are certifications available for ethical hackers, such as the Certified Ethical Hacker (CEH) and the Offensive Security Certified Professional (OSCP). Although you don't need formal qualifications to make money as a hacker, these certifications can help you stand out and negotiate higher salaries.

As you’ll suspect, no certification is automatically better than the other—it’s only a matter of where you’re at and where you want to go in an information security line of work.

If you’re a starter and need to land your first cybersecurity or hacking gig, then we suggest you stick to CEH ANSI. CEH ANSI is cheaper and better for starting out a career because it’ll give you the introductory knowledge you need to stand out, all while offering you a well-regarded commemorative badge of completion. If you’re already advanced in your cybersecurity career and want to bring up your recognition levels—or start offering your pen testing services to a bank instead of to a mom-and-pop store—then OSCP is a good choice. Also, hackers who’ve completed every exam usually claim that it’s less convenient to grab your first gig with the obscure CEH Practical, not ANSI.

3. Build a portfolio

‍Keep a record of your accomplishments, such as vulnerabilities you have found, bug bounties you have earned, and security projects you have worked on. This portfolio will be helpful when you are applying for jobs or contracts, especially if you don’t have any qualifications. Contributing to open-source initiatives and solving up-for-grabs issues on GitHub is a very good way to prove you care about hacking.

4. Stay up-to-date

You need to understand who is paying for cybersecurity services. Read industry publications, follow security blogs, and attend webinars and training sessions.

Bonus tip: Consider exploring bug bounty programs offered by cryptocurrency companies. They seem to have taken the space for their own. When you google “Bounty Programs,” the first Investopedia link exclusively talks about how these services help ICOs run smoothly. And such a concern means there’s good pay for whoever can control it.

Find a job as a hacker

Making money as a hacker has many more career paths than what it seems at first sight. There’s more to it than just accessing systems. But, outside the bounty programs, being a “hacker” isn’t exactly a job title. That’s why the best way to earn money as a hacker is to find a job that pays you to work with software. A job as a software engineer, for example, will cut that description.

The best place to start looking out for that next career step is a specialised platform like WeAreDevelopers. We’re the #1 developer community in Europe, and we match top talent with European companies. Head to our job board and seek out jobs that correspond with the keywords on this list, such as “Cybersecurity.” Good luck!