learndirect

Ethical Hacking and Penetration Testing

Ethical Hacking and Penetration Testing, The Short Answer

Ethical hacking is the authorised, structured practice of attacking computer systems, networks, and applications to find security vulnerabilities before malicious actors discover them; penetration testing (pen testing) is its most common commercial form, and the two terms are often used interchangeably. The practice is distinguished from criminal hacking by a single, non-negotiable condition: the entire engagement is conducted with written permission from the system owner, within a formally agreed scope. Penetration testers produce detailed written reports describing every vulnerability discovered, the evidence gathered, and prioritised remediation recommendations.

The field is shaped by professional certifications and accreditation schemes that employers and clients use to evaluate competence. The CEH (Certified Ethical Hacker) from EC-Council is one of the most widely held entry-level credentials globally. CREST accreditation is the UK benchmark for firms and individuals working on government and critical national infrastructure engagements. The OSCP from Offensive Security (OffSec) is widely regarded as the benchmark hands-on credential because it is assessed entirely by practical exploitation and reporting.

Demand for pen testers in the UK is strong and growing across financial services, government contracting, consultancy, and technology. Entry-level salaries are typically £30,000–£40,000, mid-level practitioners earn £40,000–£60,000, and senior specialists with deep expertise in areas such as web application security or OT/ICS can command £60,000–£80,000 or more. Freelance day rates for experienced professionals reach up to £900.

The Penetration Testing Methodology

Professional penetration testing follows a structured, repeatable methodology that keeps the engagement legally defensible and fully documented and produces actionable findings for the client. The phases below cover the ground taught in the CEH syllabus and, with some variation in naming, match the approach used by CREST-accredited firms across the UK market.

1. Scoping and Authorisation

Before any testing activity begins, the tester and client formally define the engagement: which systems, networks, and applications are in scope, which are explicitly excluded, and what testing techniques are permitted. A rules of engagement document establishes acceptable testing hours, notification requirements, and escalation procedures. A signed authorisation letter is obtained before any active work begins, and where in-scope systems are hosted by a third party (a cloud provider or managed hosting company) the client's right to authorise testing of that infrastructure must be confirmed first. This legal foundation is non-negotiable because in the UK the Computer Misuse Act 1990 makes unauthorised access to computer systems a criminal offence regardless of the tester's intent. Written, in-scope permission is the legal boundary between an ethical hacker and a criminal one.

2. Reconnaissance

Reconnaissance is the information-gathering phase conducted before direct interaction with target systems begins. Passive reconnaissance draws on publicly available sources (WHOIS records, DNS data, job postings, LinkedIn profiles, and open-source intelligence (OSINT) frameworks) without touching the target infrastructure; note that a DNS query sent to the target's own authoritative name servers is visible to the target, so strictly passive work relies on third-party DNS datasets and public resolvers. Active reconnaissance involves direct interaction such as port scanning with Nmap or service banner grabbing. The distinction has legal and contractual implications, as some clients restrict active reconnaissance to agreed testing windows. Intelligence gathered at this stage directly shapes the attack surface analysis in subsequent phases.

3. Scanning and Enumeration

Scanning uses specialised tools to identify open ports, running services, operating system versions, and application fingerprints across in-scope systems. Enumeration goes further, extracting specific details such as user account names, network share names, application version numbers, and configuration parameters that can map to known vulnerabilities. Tools commonly deployed at this phase include Nmap and Masscan for port and service discovery, Nikto for web server scanning and fingerprinting, and enum4linux for SMB enumeration of Windows and Samba hosts. Scan rate and intensity should be agreed with the client, because aggressive scanning can disrupt fragile devices such as printers, embedded systems, and OT equipment. The resulting output forms the attack surface map that guides the subsequent vulnerability assessment phase.
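The active reconnaissance and scanning steps described above, reduced to their simplest form as an added example (this is not code from the page or from Nmap): attempt a TCP connection to each candidate port, record which ones accept, read whatever the service volunteers on connect, and match the banner against a few signatures the way a service-detection scan does. A constructed local listener plays the target so the script runs offline; the banner string and the "fake service" are assumptions, not real services.

```python
"""Minimal TCP connect scan with banner grabbing (added example)."""
import socket
import threading
from typing import Dict, Iterable, Optional


def scan_ports(host: str, ports: Iterable[int], timeout: float = 0.5) -> Dict[int, Optional[str]]:
    """Return {open_port: banner_or_None} for every port that accepts a TCP connection.

    A closed port answers with a reset (ConnectionRefusedError); a filtered port
    times out. A plain connect scan cannot tell those two apart without the
    raw-socket techniques Nmap uses, so both are simply treated as "not open".
    """
    results: Dict[int, Optional[str]] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.settimeout(timeout)
                try:
                    banner = sock.recv(256).decode("utf-8", errors="replace").strip()
                except socket.timeout:
                    banner = ""  # open, but the service waits for the client to speak first
                results[port] = banner or None
        except OSError:
            continue  # refused, timed out or unreachable: not open
    return results


def fingerprint(banner: Optional[str]) -> str:
    """Map a banner to a coarse service guess, as a service scan matches probes to signatures."""
    if not banner:
        return "unknown (no banner)"
    head = banner.split()[0]
    if head.startswith("SSH-"):
        return "ssh " + banner.split("-", 2)[-1]
    if head == "220" and "FTP" in banner.upper():
        return "ftp"
    if head == "220":
        return "smtp"
    return "unknown"


class FakeService(threading.Thread):
    """Constructed stand-in for a real server: accept one connection, send a banner, exit."""

    def __init__(self, banner: bytes):
        super().__init__(daemon=True)
        self.banner = banner
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))  # the kernel picks a free port
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]

    def run(self) -> None:
        conn, _ = self.sock.accept()
        with conn:
            conn.sendall(self.banner)
        self.sock.close()


def demo() -> Dict[int, str]:
    """Scan one constructed SSH-like listener plus one port with nothing behind it."""
    svc = FakeService(b"SSH-2.0-OpenSSH_9.6\r\n")  # assumed banner, not a real host
    svc.start()
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing is listening on closed_port now, so connect() is refused
    found = scan_ports("127.0.0.1", [svc.port, closed_port])
    svc.join(timeout=2)
    return {port: fingerprint(banner) for port, banner in found.items()}


if __name__ == "__main__":
    for port, guess in demo().items():
        print(f"{port}/tcp open  {guess}")
```

Run it as a script to see the one open port reported with its service guess; the closed port produces no line at all, which is the same ambiguity (closed or filtered?) a tester resolves with a SYN scan or firewall evidence rather than assumptions.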

4. Vulnerability Assessment

Vulnerability assessment systematically tests the identified attack surface for known weaknesses. Automated scanners such as Nessus and OpenVAS identify CVEs (Common Vulnerabilities and Exposures) in target software versions and configuration; because many of these checks rely on reported version strings, and vendors often backport fixes without changing them, version-based findings should be verified before they are reported. Manual testing identifies logic flaws, misconfigurations, and weak credential practices that automated tools frequently miss. Findings are rated using the CVSS (Common Vulnerability Scoring System), whose base score gives a standardised severity scale; the tester adds the context the base score does not capture (exposure, data sensitivity, compensating controls) so that clients can prioritise remediation according to actual risk. Distinguishing between a vulnerability assessment (cataloguing weaknesses) and a penetration test (actively exploiting them) is an important conceptual distinction professionals communicate to clients.

5. Exploitation

Exploitation actively leverages identified vulnerabilities to demonstrate real impact to the client. The objective is not to cause harm but to prove that a vulnerability is genuinely exploitable under realistic conditions, for example obtaining a shell on a server, extracting password hashes, reading sensitive configuration files, or demonstrating cross-site scripting in a web application. Exploits that risk service disruption (denial-of-service conditions, memory-corruption bugs on production systems) are run only where the rules of engagement explicitly permit it. Metasploit Framework is the most widely used exploitation platform, providing a database of exploits mapped to CVEs. Burp Suite is the de facto standard tool for web application exploitation. Social engineering tests, including phishing simulations, may also be within scope to evaluate human susceptibility alongside technical defences.
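What "demonstrating cross-site scripting" looks like at the code level, as an added example (not code from the page, from Burp Suite or from any real application): a search-results handler that reflects a query parameter into HTML, the proof-of-concept payload a tester would record as evidence, the common wrong fix (a blocklist on input) and the correct fix (contextual output encoding). No framework or network is involved, so the rendered HTML is checked as a string; the URL, hostname and payloads are constructed for the demonstration.

```python
"""Reflected XSS: vulnerable rendering, a blocklist non-fix, and the real fix (added example)."""
import html
from urllib.parse import parse_qs, quote, urlsplit

TEMPLATE = "<p>Results for <b>{q}</b></p>"

# The classic proof-of-concept payload a tester records as evidence.
PAYLOAD = "<script>alert(document.cookie)</script>"
# A second payload that a naive '<script>' blocklist lets straight through.
PAYLOAD_ATTR = '"><img src=x onerror=alert(1)>'


def search_url(q: str) -> str:
    """Build the request a tester would send, with the payload URL-encoded as a browser would."""
    return "https://app.example/search?q=" + quote(q, safe="")  # hostname is an assumption


def query_param(url: str, name: str) -> str:
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Concatenates untrusted input straight into HTML: the bug under test."""
    return TEMPLATE.format(q=query_param(url, "q"))


def blocklist_only(url: str) -> str:
    """The common wrong fix: strip one tag name and hope. Attribute and event-handler payloads survive."""
    q = query_param(url, "q").replace("<script>", "").replace("</script>", "")
    return TEMPLATE.format(q=q)


def render_fixed(url: str) -> str:
    """Contextual output encoding for an HTML element context.

    html.escape with quote=True also encodes ' and ", so the same call is safe
    for values placed inside quoted attributes. Encoding on output is the fix
    because it neutralises every payload, not just the ones a blocklist knows.
    """
    return TEMPLATE.format(q=html.escape(query_param(url, "q"), quote=True))


def is_exploitable(rendered: str, payload: str) -> bool:
    """Evidence check for the report: does the injected markup reach the page intact?"""
    return payload in rendered


if __name__ == "__main__":
    for label, fn in (("vulnerable", render_vulnerable), ("blocklist", blocklist_only), ("fixed", render_fixed)):
        for payload in (PAYLOAD, PAYLOAD_ATTR):
            out = fn(search_url(payload))
            print(f"{label:10s} exploitable={is_exploitable(out, payload)!s:5s} {out}")
```

In a real engagement the evidence is the raw request and the response body captured in Burp, plus a screenshot of the alert firing in the browser; the `is_exploitable` check here is the same question asked of a string.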

6. Reporting and Remediation Guidance

The penetration test report is the primary deliverable clients receive. A professional report contains three core components: an executive summary written for non-technical stakeholders that translates findings into business risk language; a technical findings section that details each vulnerability, the exploitation steps taken, and the evidence captured (requests and responses, command output, screenshots) in enough detail that the client can reproduce the issue; and a remediation section with prioritised, actionable recommendations for fixing every identified issue. Captured credentials and personal data are redacted or masked in the report. CREST-accredited firms operate to specific reporting standards. The ability to communicate complex technical findings clearly in writing, calibrating detail to technical and non-technical audiences simultaneously, is one of the most critical and most valued skills in the profession.

Key Tools and Technologies

Professional pen testers work with a standard toolkit that has developed over many years of practice. Understanding these tools, their capabilities, their limitations, and the contexts in which each is used, is fundamental to building practical ethical hacking skills. Familiarity with this toolkit is expected in CEH and OSCP preparation and appears in technical interview questions for pen testing roles.

Kali Linux

Kali Linux is a Debian-based operating system built specifically for penetration testing and digital forensics work. It ships pre-installed with over 600 security tools including Nmap, Metasploit, Burp Suite, Wireshark, John the Ripper, and Aircrack-ng. Most practising pen testers use Kali as their primary working environment, either as a standalone installation or as a virtual machine. Linux command-line proficiency (file system navigation, process management, scripting) is therefore a prerequisite skill for anyone building a technical career in this field.

Metasploit Framework

Metasploit is the most widely used exploitation framework in the security industry. It provides a curated database of exploits mapped to known CVEs, payloads such as reverse shells that give the tester a command session on a compromised system, and post-exploitation modules for privilege escalation, credential harvesting, and lateral movement through networks. The msfconsole command-line interface is the primary way pen testers configure and launch exploits. Understanding how Metasploit works also assists defenders in recognising and detecting exploitation attempts, making it valuable knowledge on both offensive and defensive career paths.

Burp Suite

Burp Suite is the industry-standard platform for web application security testing. Operating as an intercepting proxy, it allows testers to view, modify, and replay HTTP and HTTPS traffic passing between a browser and a target web application; to intercept HTTPS the tester installs Burp's own CA certificate in the browser so that Burp can terminate TLS, which is why interception works for the tester's browser and not for arbitrary users on the network. Its tools include an automated scanner (Professional edition only) for detecting common web vulnerabilities, Intruder for brute-force and fuzzing attacks, Repeater for hand-crafting and resending individual requests, and Sequencer for analysing session token randomness. Burp Suite testing methodology maps directly to the OWASP Top 10, the most widely referenced ranking of critical web application security risks, and to OWASP's Web Security Testing Guide (WSTG).

Wireshark

Wireshark is a network protocol analyser that captures and displays network traffic in real time at the packet level. Pen testers use Wireshark to identify plaintext credentials being transmitted without encryption, to analyse network behaviour during active exploitation, and to follow TCP streams for session-level investigation. Wireshark is equally valuable on the defensive side for identifying unusual traffic patterns, detecting scans, and investigating security incidents. Its cross-disciplinary utility makes it one of the first tools recommended to learners building practical skills in both networking and security.
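What a tester does by eye after "Follow TCP Stream" on an unencrypted HTTP session, written out as an added example (this is not code from the page or from Wireshark): parse the reassembled request bytes, decode an HTTP Basic Authorization header, and pick password-like fields out of a form POST body. The two captured streams, the host name and the credentials in them are constructed for the demonstration.

```python
"""Extracting plaintext credentials from reassembled HTTP request streams (added example)."""
import base64
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qsl

# Constructed reassembled TCP streams, as the Follow TCP Stream dialog would show them.
STREAM_BASIC = (
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Authorization: Basic YWxpY2U6U3VwZXJTZWNyZXQx\r\n"
    b"User-Agent: curl/8.4.0\r\n"
    b"\r\n"
)
STREAM_FORM = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: intranet.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 40\r\n"
    b"\r\n"
    b"username=bob&password=Winter2024%21&ok=1"
)
PASSWORD_FIELDS = ("password", "passwd", "pass", "pwd", "secret")
USER_FIELDS = ("username", "user", "login", "email")


class HttpRequest(NamedTuple):
    request_line: str
    headers: Dict[str, str]  # header names lower-cased
    body: bytes


def parse_request(stream: bytes) -> HttpRequest:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = stream.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(lines[0], headers, body)


def extract_credentials(stream: bytes) -> List[Dict[str, str]]:
    """Return every credential visible in the stream, tagged with where it came from."""
    req = parse_request(stream)
    found: List[Dict[str, str]] = []

    # Basic auth is base64, not encryption: user:password is recoverable by anyone on the path.
    scheme, _, token = req.headers.get("authorization", "").partition(" ")
    if scheme.lower() == "basic" and token:
        try:
            user, _, pw = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
            found.append({"source": "Authorization: Basic", "user": user, "password": pw})
        except (ValueError, UnicodeDecodeError):
            pass  # malformed header, not a credential

    # Form logins over plain HTTP send the password as an ordinary URL-encoded field.
    if req.headers.get("content-type", "").startswith("application/x-www-form-urlencoded") and req.body:
        fields = dict(parse_qsl(req.body.decode("utf-8", errors="replace")))
        user = next((fields[k] for k in USER_FIELDS if k in fields), "?")
        for key, value in fields.items():
            if key.lower() in PASSWORD_FIELDS:
                found.append({"source": f"form field '{key}'", "user": user, "password": value})
    return found


if __name__ == "__main__":
    for stream in (STREAM_BASIC, STREAM_FORM):
        for cred in extract_credentials(stream):
            print(f"{cred['source']:24s} {cred['user']}:{cred['password']}")
```

The finding this supports in a report is "credentials transmitted in cleartext", with the redacted stream as evidence and "enforce TLS for the whole application" as the fix; in the report itself the recovered passwords are masked, as noted in the reporting phase above.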

OWASP Resources

OWASP (the Open Worldwide Application Security Project, formerly the Open Web Application Security Project) is a non-profit foundation producing freely available resources for improving web application security. The OWASP Top 10, updated regularly, is the most widely used guide to web application vulnerabilities globally. OWASP maintains WebGoat as an intentionally insecure application for hands-on practice; DVWA (Damn Vulnerable Web Application), a separate open-source project rather than an OWASP one, serves the same purpose and is equally widely used. The WSTG (Web Security Testing Guide) is the methodology reference document used by many firms for web application penetration tests. OWASP resources are actively referenced in the CEH curriculum and in UK university cyber security programmes.

TryHackMe and Hack The Box

Both platforms provide browser-accessible lab environments with guided challenges and intentionally vulnerable machines for skill development. TryHackMe is widely recommended for beginners, offering structured learning paths with step-by-step walkthroughs that build competence progressively. Hack The Box targets intermediate and advanced practitioners with more open-ended, realistic challenges. Both platforms appear on CVs as evidence of hands-on capability and are actively used by employers to assess practical skills. Completing structured paths on either platform alongside formal study significantly strengthens an application for entry-level pen testing or SOC analyst roles.

Professional Certifications

In penetration testing, certifications carry more weight than in many other technology disciplines. Clients granting access to live systems expect testers to demonstrate professional competence before the engagement begins. The certifications below represent the recognised progression pathway from entry level to advanced practice in the UK and international markets.

CEH (Certified Ethical Hacker)

Awarded by EC-Council, the CEH covers 20 modules spanning the full attack lifecycle: footprinting and reconnaissance, scanning, enumeration, vulnerability analysis, system hacking, malware threats, sniffing, social engineering, session hijacking, web application hacking, SQL injection, cryptography, and more. The examination consists of 125 multiple-choice questions and validates broad theoretical knowledge of offensive techniques. EC-Council also offers the CPENT (Certified Penetration Testing Professional) as a practical follow-on credential for those who want demonstrated hands-on exploitation skills after the CEH.

CREST Certifications

CREST (originally the Council of Registered Ethical Security Testers) is a UK-based non-profit that provides accreditation for pen testing companies and certifications for individual practitioners. The pathway runs from CPSA (CREST Practitioner Security Analyst, entry level) through CRT (CREST Registered Penetration Tester, mid-level) to CCT INF (CREST Certified Infrastructure Tester, advanced) and CCT APP (CREST Certified Web Application Tester, advanced). CREST accreditation is a prerequisite for many UK government and financial services engagements. Under the NCSC's CHECK scheme, which governs penetration testing of UK public-sector and critical national infrastructure systems, CREST examinations are among the recognised routes to CHECK Team Member and Team Leader status.

OSCP (Offensive Security Certified Professional)

The OSCP from Offensive Security (OffSec) is widely regarded as the benchmark practical pen testing certification. The examination requires candidates to compromise a set of target machines (in the current format, standalone hosts plus a small Active Directory environment) within 23 hours and 45 minutes, then submit a complete professional penetration test report within the following 24 hours. There are no multiple-choice questions; assessment is based entirely on demonstrated exploitation and professional documentation. While demanding, OSCP holders are among the most sought-after pen testing professionals in the UK market. Many employers specifically shortlist candidates with OSCP, particularly for senior or consultancy roles.

CompTIA PenTest+

CompTIA PenTest+ is a vendor-neutral certification covering planning and scoping, information gathering, attacks and exploits, reporting, and communication. It sits between CompTIA Security+ and OSCP in terms of technical depth and practical demand. PenTest+ holds DoD 8570 approval for US federal roles, giving it recognised standing internationally as well as in the UK. It provides a well-structured step for learners who have completed Security+ and want to move into offensive security without yet committing to the intensive preparation required for OSCP.

Types of Pen Testing and How to Get Started

Penetration testing is not a single activity but a collection of specialisms. Understanding the different engagement types helps aspiring practitioners identify which area aligns with their interests and existing technical background. The steps below outline a practical approach to building the skills and credentials needed to enter the profession.

1. Build Foundational Knowledge

Before approaching offensive security, build a solid grounding in networking (TCP/IP, OSI model, subnetting), operating systems (Linux command line, Windows administration), and security fundamentals (CIA triad, encryption, IAM). CompTIA A+ and Network+ provide structured routes to this foundation. CompTIA Security+ provides the security-specific baseline. Attempting pen testing tooling without this foundation leads to superficial tool familiarity rather than genuine understanding of what the tools are doing and why.

2. Develop Practical Skills in a Safe Environment

TryHackMe's learning paths (particularly Pre-Security, SOC Level 1, and Jr Penetration Tester) provide guided, browser-based lab environments where learners progress through real tools on intentionally vulnerable systems. Hack The Box offers more open-ended challenges for those developing intermediate skills. Setting up a home lab with VirtualBox or VMware, installing Kali Linux, and practising on deliberately vulnerable virtual machines (Metasploitable, DVWA) provides hands-on skill development alongside structured study; keep such machines on an isolated host-only or internal virtual network, never exposed to the internet or the home LAN, because they are exploitable by anyone who can reach them. Capture-the-flag (CTF) competition results are an increasingly accepted CV credential for entry-level roles.

3. Choose a Specialisation

Network pen testing assesses infrastructure security, typically requiring strong networking knowledge and familiarity with Nmap, Metasploit, and Active Directory attack techniques. Web application pen testing requires HTTP protocol knowledge, Burp Suite proficiency, and OWASP Top 10 familiarity. Mobile application testing (iOS and Android) is a more niche specialism with strong demand. Red team operations simulate complete adversary campaigns and require broad knowledge across all areas. Most practitioners begin with network or web application testing before specialising further based on where they find the most engaging work.

4. Target Certifications Strategically

For most UK-based learners, the recommended certification progression is CompTIA Security+ (foundational security knowledge), then CEH or CompTIA PenTest+ (offensive security and pen testing methodology), then OSCP (for practical exploitation credibility) or CREST certifications (for UK government and regulated sector work). The Cyber Security Online Degree Pathway (ODP 7733) complements this certification track by providing an academic qualification alongside industry credentials, supporting both career entry and further higher education progression. CREST examinations require scheduled preparation; CPSA can be sat early, but CRT and the CCT examinations are most relevant after at least one to two years of practical experience.

Frequently Asked Questions

Is ethical hacking legal in the UK?

Ethical hacking is entirely legal when conducted with written authorisation from the system owner and within the formally agreed scope of the engagement. In the UK, the Computer Misuse Act 1990 makes unauthorised access to computer systems a criminal offence regardless of the actor's stated intent. This is precisely why the scoping and authorisation phase is the non-negotiable first step of every professional engagement. Pen testers obtain a signed authorisation letter before any active testing begins and operate strictly within the defined scope throughout the engagement. Stepping outside agreed scope, even inadvertently, can have serious legal consequences. The authorisation document is sometimes informally called a “get out of jail free letter” within the industry.

What qualifications do I need to become a penetration tester?

There is no single mandatory qualification for entering the pen testing profession. Most employers expect a combination of foundational security knowledge, offensive security-specific certifications, and demonstrated practical experience. Common entry-level expectations include CompTIA Security+ for foundational knowledge, CEH or CompTIA PenTest+ for offensive security coverage, and documented hands-on work from platforms such as TryHackMe or Hack The Box. At a more senior level, CREST certifications and OSCP carry the greatest market weight. A relevant degree or online degree pathway in computing or cyber security supports career entry, particularly into structured programmes and public-sector roles. Portfolio evidence such as CTF results and write-ups is increasingly influential.

How much do penetration testers earn in the UK?

Entry-level penetration testers typically earn £30,000–£40,000 per year. Mid-level practitioners with two to five years of experience and certifications such as CREST CRT or OSCP can expect £40,000–£60,000. Senior testers, team leads, and specialists in high-value areas such as mobile application security, OT/ICS security, or red team operations can earn £60,000–£80,000 or above. Freelance and consultancy day rates for experienced professionals reach up to £900 depending on specialism, seniority, and client sector. London and the South East attract a salary premium, though remote working is widespread in pen testing and consulting roles, broadening geographical opportunity significantly.

What is the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment identifies and catalogues potential weaknesses in a system or network, typically using automated tools such as Nessus or OpenVAS. It produces a list of discovered vulnerabilities with severity ratings but does not attempt to exploit them. A penetration test goes further: it actively attempts to exploit identified vulnerabilities to demonstrate real-world impact, then documents findings in a structured report with prioritised remediation guidance. Penetration tests are more expensive and time-intensive than vulnerability assessments but provide far greater assurance that defences are genuinely effective under attack conditions. Many organisations conduct regular automated vulnerability assessments supplemented by scheduled annual penetration tests or additional tests following significant infrastructure changes.

Do I need to know programming to become a pen tester?

Programming skills are an advantage but not a strict requirement for entry-level pen testing. Most pen testing tools have established interfaces and many engagements can be conducted using existing tooling without writing custom code. However, the ability to read and understand code, particularly Python, Bash, PowerShell, and JavaScript, is highly valuable. Writing custom scripts to automate reconnaissance tasks, modify existing exploits, or create bespoke payloads is what distinguishes strong pen testers from exceptional ones. Python is the most practically useful language to develop for security work, given its widespread use across the security community for tooling, automation, and exploit development.

What types of penetration test are there?

Penetration tests are classified by target and approach. Network pen testing assesses the security of internal and external network infrastructure. Web application testing focuses on websites and web APIs, typically following the OWASP WSTG methodology. Mobile application testing examines iOS and Android applications for security weaknesses. Social engineering tests evaluate human susceptibility to phishing and impersonation attacks. Red team exercises simulate a comprehensive adversary campaign against an organisation over an extended period, testing people, processes, and technology simultaneously. Physical penetration testing assesses whether an attacker can gain physical entry to a facility. Most pen testing firms specialise in one or two areas, and senior professionals often develop deep expertise in a specific niche.

What is CREST and why does it matter for UK pen testers?

CREST (originally the Council of Registered Ethical Security Testers) is a UK-based not-for-profit that provides accreditation for penetration testing organisations and professional certifications for individual practitioners. In the UK market, CREST company accreditation is frequently a requirement for suppliers tendering for government, financial services, and critical national infrastructure work. Under the NCSC's CHECK scheme, which governs penetration testing of UK public-sector and critical national infrastructure systems, CREST examinations are among the recognised routes to CHECK Team Member and Team Leader status. For individual practitioners, CREST certifications, particularly the CRT and CCT qualifications, are significant career differentiators that open access to client engagements and sectors that require this level of verified professional competence.

How does the CEH relate to the Cyber Security Online Degree Pathway?

The CEH and the Cyber Security Online Degree Pathway (ODP 7733) complement each other but serve distinct purposes. The CEH is an industry certification validating specific offensive security knowledge within EC-Council's framework. The degree pathway, a Qualifi Level 5 Extended Diploma, provides broader academic coverage of cyber security including risk management, cryptography, digital forensics, and network security, positioned for progression to a university top-up year and a full honours degree. Many learners pursue both: the degree pathway for academic credentials and further education access, and the CEH for professional credentialling in the job market. They are complementary rather than competing, and studying the degree pathway content strengthens CEH examination preparation in the overlapping subject areas.

Start Your Ethical Hacking Journey

Speak to an advisor to understand which path, from foundational study to the Cyber Security Online Degree Pathway (ODP 7733), fits your current experience level and career goals.
