What is professional ethical hacking
This section frames an understanding of ethical hacking as professional ethical hacking.
Learning objectives
Explain why ethical hackers fit within the white hat hackers group
Become familiar with the professional ethics of ethical hackers
Identify key industry standards, guidelines, and professional codes of conduct that govern the conduct of professional ethical hackers
Become familiar with the core ethical principles (e.g., trust, integrity, confidentiality) mandated by professional codes of conduct
Identify the role of university accreditation and training in instilling a professional and ethical mindset
This section advances an understanding that ethical hackers are white hat hackers who abide by well established and widely accepted industry and government standards, guidelines, and licensing and accreditation requirements regarding what constitutes professional practice. First, the discussion makes the case that ethical hackers are white hat hackers (ethical hacking is a legal practice). Next, the analysis explores the web of professional codes of conduct that govern the behavior of professional ethical hackers (professional ethics of ethical hackers). Finally, the analysis sketches out four types of hacker groups classified based on the legality of their practices and the imperative of professional conduct.
Topics covered in this section
Introduction
Ethical hacking is legal
Professional ethics of ethical hackers
Professionalism as grounded in university training
Professionalism as grounded in industry standards
Professionalism as grounded in industry conventions
Profiles of hackers
White Hat Hackers: The Ethical Professionals
Grey Hat Hackers: The Unauthorized Researchers
Black Hat Hackers: The Criminals
Hacktivists: The Politically Motivated Hackers
Other perspectives on hacker ethics
Introduction
A Certified Ethical Hacker (EC-Council) is, “a skilled professional who understands and knows how to look for weaknesses and vulnerabilities in target systems and uses the same knowledge and tools as a malicious hacker, but in a lawful and legitimate manner to assess the security posture of the target system(s).” In contrast to a cracker, who is a malicious hacker, an ethical hacker “is someone who employs the same tools and techniques a criminal might use, with the customer’s full support and approval, to help secure a network or system” (Walker, 2017, p. 29).
This analysis frames an understanding of professional ethical hackers as white hat hackers who abide by well established and widely accepted industry and government standards, guidelines, and licensing and accreditation requirements regarding what constitutes professional practice. First, the analysis differentiates white hat hackers from grey hat hackers, black hat hackers, and hacktivists on the basis of legal practice. Next, the analysis explores the key properties (themes) of professional ethics of professional ethical hackers as stipulated/enriched within various industry standards, guidelines, and conventions. Finally, the discussion presents an analysis of four types of hacker groups classified based on the legality of their practices and the imperative of professional conduct.
Ethical hacking is legal
Various perspectives can be used to distinguish between white hat hackers, grey hat hackers, black hat hackers, and hacktivists (e.g., see "Other perspectives on hacking/hacker ethics"). However, we make a comparison differentiating between these four hacker groups and their hacking practices on the logic that there is only one category of legal hacking: white hat hacking. Ethical hackers necessarily fit into the white hat hackers group—there is no ambiguity regarding the legality of their practices.
Hackers can be divided into a number of groups, some of which “are clearly ethical, others are clearly unethical, and still others exist in a gray area of sorts and whose ethics can be debated”, argues Pashel (2006, p. 197). White hats use their skills “in a manner that most would clearly define as ethical". For example, white hat hackers could be employees who "with permission, attack a company’s network in order to determine weaknesses, and law enforcement and intelligence agents who use their skill in the name of national security or to investigate and solve crimes” (p. 197).
For Bodhani (2013), there is white, black, and a wide range of in-between grey hat hackers “who will search for vulnerable systems and inform the company but will hack without permission” (p. 65). Bodhani (2013) presents 10 types of cyber hackers: White hats, black hats, grey hats, blue hats, elite hacker activist, script kiddies, spy hackers, cyber-terrorists and mobile hackers.
But for Young et al. (2007), 9 of the 10 shades of grey represent variations on the same theme: Illegal hacking. Computer hacking is either fully legal and authorized, or is an illegal activity. Presuming there is more than one type of acceptable hacking can give justification to illegal activity. Hackers often view themselves as modern-day Robin Hoods (Young et al., 2007). This Robin Hood mentality allows hackers “to deceive themselves and view their illegal activities as providing a service for the greater good. It also gives them cause to justify their activities should they be caught engaging in any illegal activities by blaming the victims” (p. 282).
Hacking as an illegal practice “is used most typically to describe a person who accesses computers and information stored on computers without first obtaining permission" (Pashel, 2006, p. 197). Pashel (2006), citing Logan and Clarkson (2005), defines hacking as accessing a system that one is not authorized to access, or accessing a system at a level beyond one's authorization.
The practices of professional ethical hackers are governed by a legal framework. Ethical hackers abide by the imperative to obtain permission before attempting to access a computer network (Graves, 2010; Harris, 2021; Palmer, 2001). While a white hat hacker is “authorised to break into supposedly ‘secure’ computer systems without malicious intent, but with the aim of discovering vulnerabilities in order to bring about improved protection,” a black-hat hacker is “someone who hacks with malicious intent and without authorisation” (Bodhani, 2013, p. 64).
Pike (2013) draws a sharp distinction between white and black hats. A white-hat hacker is defined as “a hacker who is committed to full compliance with legal and regulatory statutes as well as published ethical frameworks that apply to the task at hand.” In contrast, a black-hat hacker is “a hacker who either ignores or intentionally defies legal or regulatory statutes with presumably little interest in ethical frameworks” (p. 69).
Similarly, Palmer's (2001) use of the explicit terms “ethical hacker” and “criminal hacker” places him squarely in the same camp of moral clarity as Pike (2013) and Young et al. (2007)—there is really one type of ethical hacker, the hacker who hacks within a legal framework. Logan and Clarkson (2005), Palmer (2001), Sharma and Sefchek (2007), Xu, Hu, and Zhang (2013), and Young et al. (2007) all more or less echo Pike’s definition, essentially placing hacking and hackers on either side of the law.
That ethical hacking is a legal practice is hardly a point of contention, whether in the literature or in the public sphere. It should be noted, however, that legal does not necessarily equate with ethical. For example, Pashel (2006) and Bodhani (2013) explicitly acknowledge that variations of grey hat hacking exist, but they too agree that white hat hacking can be distinguished as being legal and authorized.
The key defining characteristic of ethical hacking in comparison to other hacking practices is the legal imperative: ethical hacking is unambiguously legal. The practices of ethical hackers are governed by a legal framework. Ethical hackers have authorization to hack the target system (Graves, 2010; Palmer, 2001). Ethical hackers need prior authorization, stipulated in a legally binding contract with the computer network owners, before attempting to breach a computer network (Bodhani, 2013; Palmer, 2001; Young, Lixuan, & Prybutok, 2007).
The imperative that testing must be authorized, in order to avoid legal risk, is reinforced within major industry standards/guidelines such as ISO/IEC 27001 (Authorization & Legal Compliance, A.18.1.4) and within the codes of professional associations such as the IEEE Code of Ethics (Ethics 3, 4).
Professional ethics of ethical hackers
Ethical hackers operate within a structured framework of professional codes of conduct which define their responsibilities and ensure accountability. Several professional codes of conduct exist for information security professionals and ethical hackers, applicable to individuals who are members or certified professionals of the respective association. For example:
Industry certifications and training: CEH Code of Ethics (EC-Council), OSCP (Offensive Security Code of Conduct), (ISC)² Code of Ethics, ISACA Code of Professional Ethics.
Professional associations: ACM Code of Ethics (2018), IEEE standards/guidelines (IEEE Cybersecurity Initiative, IEEE Certified Ethical Hacker (CEH) resources), IEEE code of ethics, IEEE code of conduct.
Industry standards/guidelines: OSSTMM, ISO/IEC 27001, OWASP (Open Web Application Security Project) Testing Guide, PCI DSS Penetration Testing Guidance.
Regulatory/governmental standards/guidelines: NIST SP 800-12 and NIST SP 800-53 touch on broader security and privacy principles, while NIST SP 800-115 (Technical Guide to Penetration Testing) emphasizes authorized testing.
Professional licensing/accreditation bodies: Professional Engineers Ontario (PEO)/PEO code of ethics, Canadian Engineering Accreditation Board (CEAB), Canadian Information Processing Society (CIPS).
This segment explores the professional ethics of ethical hackers as stipulated/enriched in several key formal codes of ethical conduct (professionalism as grounded in university training, and professionalism as grounded in industry standards), and conventional codes of ethical conduct (professionalism as grounded in industry conventions).
Professionalism as grounded in university training
Three Canadian university professors (PPT11, PPT3, PPT10) of computer science disciplines interviewed for a PhD thesis said professionalism, as in professional ethics or a professional code of conduct, guides the behavior of professional engineers and computer scientists.
As a professional engineer, said a Canadian university professor of computer science and software engineering (PPT3), he is “bound by a number of codes of practice, of ethics.” “As a professional engineer, I’m bound by the PEO code of ethics … I’m also bound by the software engineering code of ethics, the ACM code of ethics, the IEEE code of ethics, because I’m a member of multiple societies that have codes.” PPT3 says he teaches “five different codes of ethics. They are all broadly the same, but I teach about them to students.” PPT3 adds:
That is in the course calendar descriptions and it’s also in our accreditation. We are accredited by CIPS, the Canadian Information Processing Society, and by the Canadian Engineering Accreditation Board, and both of those require us to teach students about ethics.
Accreditation bodies like the Canadian Engineering Accreditation Board (CEAB) and Canadian Information Processing Society (CIPS) require ethics education as part of degree programs. This means students learn not only technical penetration testing skills but also how to apply ethical decision-making in real-world scenarios. For example, coursework may include case studies on responsible disclosure dilemmas or discussions on legal consequences of unauthorized testing, reinforcing that ethical hacking is not just about technical skill but professional responsibility.
Adhering to multiple overlapping ethical guidelines, all of which reinforce the same core values, ensures that ethical hackers do not merely rely on personal judgment but follow institutionalized best practices that have been refined over decades. University programs teaching ethical hacking incorporate these professional codes into their curricula to ensure graduates enter the field with a strong ethical foundation.
A key assumption underlying this perspective is that university instruction equips students with the ethical, scientific, and critical thinking skills necessary for professionalism on the job.
It’s kind of like when software engineering became an engineering discipline. There were a lot of coders that knew how to code, but they didn’t have the mindset to approach it as a systematic large problem. I think ethical hacking is a very similar thing. (PPT11)
PPT11 adds, ethical hacking “has become more of an engineering type of discipline now. There’s structure, there’s rigor, there’s tools out there that can be used for it … you need to systematically approach a problem, how to see if you can penetrate a system or not.” It is “that systematic nature that most of the underground ethical hackers, or the small people, don’t have because they’ve never had exposure to doing it in kind of an engineering mindset.”
Professionalism as grounded in industry standards
Unlike malicious hackers, professional ethical hackers adhere to formalized codes of conduct, often outlined by organizations such as the EC-Council (International Council of E-Commerce Consultants), Offensive Security, and (ISC)².
This segment focuses on the professional ethics of ethical hackers within three industry domains: industry certifications and training authorities, professional associations, and industry standards/guidelines. First, the discussion sheds light on the key professional ethics of ethical hackers and information security professionals as set out by industry certifications and training authorities: the CEH Code of Ethics (EC-Council), OSCP (Offensive Security Code of Conduct), (ISC)² Code of Ethics, and ISACA Code of Professional Ethics.
Second, the discussion sheds light on the key professional ethics of ethical hackers and information security professionals as set out in professional association codes and industry standards/guidelines. Professional associations: ACM Code of Ethics (2018), IEEE standards/guidelines (IEEE Cybersecurity Initiative, IEEE Certified Ethical Hacker (CEH) resources), the IEEE code of ethics, and the IEEE code of conduct. Industry standards/guidelines: OSSTMM, ISO/IEC 27001, OWASP (Open Web Application Security Project) Testing Guide, and PCI DSS Penetration Testing Guidance.
Industry certifications and training authorities
This segment explores what the key professional ethics and values of an ethical hacker are, and how they are defined by these authoritative sources. The following two tables summarize the key findings.
Table 1 shows how the core ethical principles are formally mandated by the major bodies that certify ethical hackers. The Clarifying Comments focus on why each theme is a key component of professional ethics.
Table 1: Professional ethics as defined by industry certifications and training authorities
| Ethical theme | How it is mandated by certification and training authorities | Clarifying comments (why it matters) |
|---|---|---|
| Trust | Codes explicitly frame trust as a duty to be reliable and honorable in all dealings with clients, the public, and the profession. (ISC)² places "the public trust" in its first canon. | Trust is the currency of the profession. Without it, clients cannot grant the deep access required for testing, and the public cannot rely on the security of the systems tested. |
| Acting with Integrity | Defined as a non-negotiable requirement for honesty, even when unobserved. It is the foundation of (ISC)²'s canons and is central to all other codes, prohibiting dishonesty and requiring transparency. | Integrity is what separates a professional from a mercenary. It ensures that the hacker's actions are guided by principle, not just the letter of the contract. |
| Confidentiality/Privacy | Mandated as a strict duty to protect all client information encountered. EC-Council and ISACA codes are explicit about maintaining confidentiality "at all times." | Ethical hackers are granted privileged access to sensitive data. Breaching confidentiality is a fundamental betrayal of the client relationship and is often illegal. |
| Disclosure of Vulnerabilities | Ethics require that findings are reported responsibly—only to authorized client contacts—and never publicly disclosed without permission. This is a key tenet of responsible practice. | Prevents "extortion-by-vulnerability" and ensures that the client has the first opportunity to remediate, protecting them and their users from harm. |
| Protecting System Integrity | Embedded in the principle to "do no harm." The ethical duty is to conduct testing in a way that minimizes disruption and avoids unnecessary damage to systems and data. | The goal is to improve security, not degrade it. Reckless testing that causes outages is unprofessional and violates the core purpose of the engagement. |
| Reporting Accidental Damage | A specific requirement of professional integrity. If testing causes unintended disruption, the ethical duty is to immediately and fully inform the client. | Demonstrates accountability and honesty. Hiding mistakes is dishonest and can compound the damage; transparency allows the client to respond effectively. |
| Authorization/Legal Practice | The most fundamental ethical boundary. All codes mandate strict adherence to the law and the explicit, written scope of authorization. | This is the literal line between "ethical" and "malicious" hacking. Operating without authorization is a criminal act, regardless of intent. |
| Best Practices | Certifications themselves are a commitment to using validated, proven methodologies rather than ad-hoc or reckless techniques. | Using best practices is a duty of care. It ensures the work is effective, repeatable, and safe, providing competent service to the client. |
| Protecting the Public | Explicitly framed as a primary ethical duty, especially in the (ISC)² code ("Protect society"). It places the professional's work in a broader social context. | Establishes that the professional has a responsibility beyond the paying client to the safety and security of the general public who use the systems they test. |
| Professionalism | The codes themselves are definitions of professionalism, requiring competent, diligent, and socially responsible service. | Professionalism is the holistic embodiment of all these themes. It is the commitment to the role as a trusted expert, not just a technical practitioner. |
| Skills of Ethical Hackers | The ethical obligation to maintain and apply relevant, up-to-date skills is implicit in the certification requirements and the duty to provide "diligent and competent service" ((ISC)²). | An unskilled ethical hacker is an ethical risk. They may miss critical vulnerabilities (providing a false sense of security) or cause damage through incompetence. |
| Goal of Testing | The unified ethical goal is not to "break in at all costs" but to faithfully work to improve the client's security posture within the agreed boundaries. | Aligns the hacker's incentives with the client's. The value is in the truthful assessment of security, not in proving superiority or causing embarrassment. |
The following table sheds light on key provisions within ethics codes of industry certifications and training authorities.
Key codes of conduct for information security professionals (adapted from Thomas et al., 2018, pp. 5-6)
| Code of conduct | Key directives |
|---|---|
| CREST Code of Conduct | CREST is a not-for-profit organization that originated in the UK. It has active chapters across Europe, the Middle East, Africa and India (EMEA), the Americas, Asia, and Australia and New Zealand. CREST’s purpose is “to provide a level of assurance that organizations and their security staff have a level of competence and qualification in conducting security work such as penetration testing, threat intelligence or incident response (CREST, n.d.).” The CREST code of conduct “covers requirements such as ensuring regulatory obligations, adequate project management, competency, client interests, confidentiality, and ethics (CREST, 2016).” |
| EC-Council Code of Ethics | EC-Council is best known for its Certified Ethical Hacker (CEH) certification, which is recognized as a U.S. Department of Defense (DoD) 8570 cybersecurity certification. The EC-Council Code of Ethics requires “confidentiality of discovered information, ensuring that any process or software obtained is legal and ethical, ensuring proper authorization, adequate project management, continuing professional development, ethical conduct, and not being convicted of any crimes (EC-Council, n.d.).” |
| Global Information Assurance Certification (GIAC) Code of Ethics | GIAC provides several highly regarded certifications in the security industry, which include penetration testing, security management, and digital forensic certifications. The GIAC Code of Ethics comprises four sections: respect for the public, respect for the certification, respect for the employer, and respect for oneself. The code mandates that “professionals will take responsibility and act in the public’s best interests, ensure ethical and lawful conduct”; maintain confidentiality, competency, accurate representation of skills and certifications “and avoiding conflicts of interest (GIAC, n.d.).” |
| ISACA Code of Professional Ethics | ISACA was established in 1969 and focuses on IT governance. It has over 140,000 members worldwide (ISACA, n.d.). ISACA provides training and certification for information security and cybersecurity professionals. The ISACA Code of Professional Ethics mandates that compliance with standards and procedures, due diligence, legal conduct and confidentiality, competency, and continuing professional development are maintained (ISACA, n.d.). |
| (ISC)² Code of Ethics | Code of Ethics Preamble: “The safety and welfare of society and the common good, duty to our principals, and to each other, requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.” The International Information System Security Certification Consortium, or ISC2 (more correctly, (ISC)²), is an international, not-for-profit organization with over 125,000 members in the information security profession (ISC2, n.d.). ISC2’s Code of Ethics Canons consist of four directives: 1) Protect society, the common good, necessary public trust and confidence, and the infrastructure; 2) Act honorably, honestly, justly, responsibly, and legally; 3) Provide diligent and competent service to principals; and 4) Advance and protect the profession. |
Professional associations and industry standards/guidelines
The following table shows how broader professional communities and technical standards operationalize and reinforce these same ethical principles.
Table 2: Professional ethics as reinforced by professional associations and industry standards
| Ethical theme | How professional associations and industry standards reinforce it | Clarifying comments (why it matters) |
|---|---|---|
| Trust | Professional codes (ACM, IEEE) establish trust as a societal duty for all computing professionals. Standards build trust through reliable, scientific methods. | Positions the ethical hacker within the wider community of computing professionals, all of whom are stewards of public trust in technology. |
| Acting with Integrity | Requires honesty in research, communication, and practice. IEEE's code, for example, mandates "honest and realistic" statements. Standards require unbiased application. | Ensures that findings and reports are truthful and not exaggerated to sell services or downplayed to please the client. |
| Confidentiality/Privacy | ACM and IEEE codes explicitly list respecting and protecting privacy as an ethical imperative. Standards like PCI DSS and ISO/IEC 27001 provide frameworks to achieve it. | Reinforces that privacy is a human right and a core security objective, not an afterthought. |
| Disclosure of Vulnerabilities | ACM's code ties disclosure to public well-being. Standards like OWASP provide the structured, safe channels for how to report findings ethically. | Provides a clear, professional framework for navigating the ethically fraught area of vulnerability disclosure, balancing client needs with public safety. |
| Protecting System Integrity | The duty to "avoid harm" (ACM) is operationalized in standards like OSSTMM, whose rules are designed to be "non-destructive" and "verified." | Translates the ethical principle into a concrete, methodological requirement, making "do no harm" a repeatable practice. |
| Reporting Accidental Damage | OSSTMM and OWASP explicitly require documenting and reporting any unintended effects, making it a procedural step, not just a moral one. | Bakes the ethical requirement of transparency directly into the professional methodology, ensuring it is never overlooked. |
| Authorization/Legal Practice | The absolute foundation. OSSTMM defines a "test" by its authorized scope. Professional codes universally require compliance with the law. | These sources provide the "how" for legal practice, but they are meaningless without authorization. They are tools for professionals, not scripts for vigilantes. |
| Best Practices | These documents are the codified best practices. Adherence to them (e.g., OWASP Testing Guide) is a hallmark of professional conduct. | Using peer-reviewed, community-vetted standards is a duty of care. It prevents "cowboy" tactics and ensures the work is defensible and sound. |
| Protecting the Public | A central pillar of ACM and IEEE ethics ("safeguard the public," "contribute to society"). Secure systems resulting from standards inherently protect the public. | Explicitly states that the profession's ultimate client is society itself, providing a moral compass for difficult decisions. |
| Professionalism | The association codes define the aspirational and enforceable norms of the entire computing profession, within which ethical hacking is a specialty. | Anchors ethical hacking within the broader context of professional computing, demanding a higher standard than just technical skill. |
| Skills of Ethical Hackers | Associations advance knowledge through research. Standards define the required skills to correctly implement complex testing methodologies. | Establishes that continuous learning and methodological rigor are ethical obligations to remain competent and effective. |
| Goal of Testing | Standards provide the ethical "why": OSSTMM to measure, OWASP to find flaws, PCI DSS to ensure compliance. This defines success ethically. | Prevents "goal drift." The professional's aim is a truthful, measured outcome defined by the standard, not personal glory or arbitrary "success." |
The analysis of industry codes and standards reveals that the professional ethics of ethical hackers are organized around several key thematic pillars. These can be broadly categorized into foundational principles, client-centric imperatives, and methodological commitments. Foundational principles include trust, integrity, professionalism, and the ultimate goal of testing, which collectively form the moral core of the profession. Client-centric imperatives are actions directly tied to the client relationship, such as confidentiality, authorization, protecting system integrity, and the disclosure of vulnerabilities solely to the client. Finally, methodological commitments are the practical applications of ethics, encompassing the use of best practices, maintaining relevant skills, reporting accidental damage, and the overarching duty of protecting the public. These themes are not isolated; they are interwoven constructs that various authoritative documents collectively define and enforce.
Foundational principles like integrity, trust, and professionalism are explicitly articulated as non-negotiable requirements across all authorities. The codes of ethics from (ISC)², EC-Council, and IEEE place integrity and honorable conduct as their first principle, establishing it as the bedrock upon which professional credibility is built. Similarly, the goal of testing is uniformly defined not as "breaking in," but as improving security, a purpose reinforced by certifications that validate skills and standards like OSSTMM that frame the objective as accurate measurement. This consistent framing ensures that the professional’s motivation is aligned with the client’s security needs and the public good, rather than personal glorification or malicious intent.
The client relationship is defined by a strict set of ethical imperatives that are heavily emphasized in both professional codes and technical standards. Authorization and legal practice is the most critical of these, serving as the absolute boundary that distinguishes ethical hacking from criminal activity; it is the foundational rule in every code and the first step in standards like OSSTMM and the OWASP Testing Guide. From this authorization stem other duties: confidentiality is mandated to protect all client information encountered, protecting system integrity is a duty of care to avoid unnecessary harm, and the responsible disclosure of vulnerabilities is strictly limited to the client to prevent public exposure and allow for remediation. The duty to report any accidental damage immediately is a specific manifestation of integrity and transparency within this client relationship.
These ethical obligations are operationalized through methodological commitments codified in industry standards and guidelines. Documents like the OWASP Testing Guide and OSSTMM provide the detailed, peer-reviewed best practices that translate ethical intentions into safe, effective, and repeatable actions. Adherence to these methodologies is itself an ethical duty, as it ensures skills are applied competently and minimizes the risk of negligent testing. Ultimately, the consistent application of these themes—from foundational integrity to client-focused actions and methodological rigor—culminates in the profession’s highest duty: protecting the public. By creating more secure systems through ethical conduct, the professional hacker fulfills a social responsibility that extends beyond the immediate client, a principle championed by associations like ACM and IEEE and embedded in the outcomes of security-focused standards.
The universality of the discussed themes across various standards/guidelines/conventions/codes of ethical conduct reinforces that ethical hacking is not a subjective practice but one grounded in well-established professional norms. By internalizing these codes, ethical hackers ensure their work enhances cybersecurity without veering into ethically questionable practices. Ultimately, professionalism in ethical hacking is what separates it from malicious hacking, making it a respected and legally defensible discipline.
Professionalism as grounded in industry conventions
Graves (2010) and Palmer (2001) agree on three key attributes of ethical hackers: trust, honouring the integrity of the client’s system, and seeking prior permission from the client. Graves refers to these traits as professional.
First and foremost, ethical hackers “must be completely trustworthy. While testing the security of a client’s systems, the ethical hacker may discover information about the client that should remain secret" (Palmer, 2001, p. 771). During an evaluation, “the ethical hacker often holds the ‘keys to the company,’ and therefore must be trusted to exercise tight control over any information about a target that could be misused” (Palmer, 2001, p. 771).
According to EC-Council (International Council of E-Commerce Consultants), an ethical hacker is “an individual who is usually employed with the organization and who can be trusted to undertake an attempt to penetrate networks and/or computer systems using the same methods and techniques as a Hacker.”
Ethical hacking is typically designed to simulate real-world attacks. The ethical hacker will use the same techniques and tools as malicious hackers and target the same information and infrastructure assets, and hence might expose confidential information and might even unintentionally damage assets or disrupt the infrastructure (Harris, 2021; Palmer, 2001).
Ethical hackers hold a unique position of trust, as their work involves accessing sensitive systems that could be exploited if mishandled. Ethical hackers can be trusted not to exploit findings for personal gain or malicious purposes. Further, they will report discovered vulnerabilities privately to the organization, not publicly disclose them without the client's explicit consent.
One rule that IBM’s ethical hacking effort had from the very beginning was that we would not hire ex-hackers. While some will argue that only a “real hacker” would have the skill to actually do the work, we feel that the requirement for absolute trust eliminated such candidates. (Palmer, 2001, p. 772)
Harper et al. (2011) are an important authority on what constitutes ethical hacking. We do not have to agree with them wholeheartedly, but their conception of ethical hackers underscores the centrality of trust in ethical hacking practices. The title of their book, Gray Hat Hacking: The Ethical Hacker’s Handbook, is a giveaway to their view, which is that ethical hackers are in fact grey hat hackers by necessity, by virtue of their practices.
Many times, while the ethical hacker is carrying out her procedures to gain total control of the network, she will pick up significant trophies along the way. These trophies can include the CEO’s passwords, company trade-secret documentation, administrative passwords to all border routers, documents marked “confidential” held on the CFO’s and CIO’s laptops, or the combination to the company vault. The reason these trophies are collected along the way is so the decision makers understand the ramifications of these vulnerabilities … as soon as you show the CFO his next year’s projections, or show the CIO all of the blueprints to the next year’s product line, or tell the CEO that his password is “IAmWearingPanties,” they will all want to learn more about the importance of a firewall and other countermeasures that should be put into place. (Harper et al., 2011, p. 11)
Andrasik (2016) and Thomas et al. (2018) make the same point as Harper et al. (2011): ethical hackers will sometimes unavoidably access privileged information. Underscoring the importance of trustworthiness, Andrasik (2016) proposes that organizations hiring ethical hackers need to talk to references first:
If a pen-test group is going to actively try to breach your defenses, you want to know their ethics are beyond reproach. That knowledge should come from somewhere other than a well-crafted website or canned testimonials—it should come from conversations with companies that have experienced a pen test by the group in question.
Thomas et al. (2018) argue that “to be effective, ethical hacking involves trying to gain access to a system to access confidential and sensitive information. This means, that a certain level of trust needs to be established between the ethical hacker and the party engaging them” (p. 3).
The authors also point out a fact that highlights an intrinsic grey area in the ethical hacking profession, one which emphasizes the need for ethical hackers to espouse a strong moral standing:
[A]n ethical hacker needs to keep their knowledge of exploits up to date, and they will likely need to go “underground” to gain this knowledge (Conran 2014). Because ethical hackers may even utilize questionable means to gain intelligence it may result in a question of their professional ethics. (Thomas et al., 2018, p. 4)
Ethical hackers should take “all precautions to do no harm to their systems during a pen test” (Graves, 2010, para. 1). An ethical hacker will not damage or harm the test network infrastructure or information assets and will report on and remediate any accidental damage (Graves, 2010).
In the case of computer security, these “tiger teams” or “ethical hackers” would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would evaluate the target systems’ security and report back to the owners with the vulnerabilities they found and instructions for how to remedy them. (Palmer, 2001, p. 770)
Research by Tavani (2016) emphasizes the duty of care that ethical hackers owe to organizations and end-users. This includes avoiding unnecessary disruptions (e.g., crashing production servers) and ensuring that discovered vulnerabilities are not leaked to malicious actors. Additionally, ethical hackers must avoid conflicts of interest—such as working for competing firms without transparency—to maintain professional credibility.
Profiles of hackers
Ethical hackers use the same tools as malicious hackers but with the strategic end of fortifying a computer system's security. While ethical hackers aim principally to achieve security risk mitigation, the other hacker groups hold different priorities for their hacking activities. What follows is an analysis of the four types of hacker groups, classified based on the legality of their practices and the professionalism of their conduct.
White Hat Hackers: The Ethical Professionals
White hat hackers only hack computer systems or machines with legal authorization to do so (including legal contractual agreements). So whether resident (in-house) employees of a company or hired by a company for security testing, the practices of white hat hackers would be ethical as long as hacking is performed in accordance with agreed upon terms and within the specified authorization parameters. Bug bounty hunters are ethical hackers since they work within this legal contractual framework.
The practices of white hats align with professional codes such as the ACM Code of Ethics (2018), which mandates permission-based hacking (e.g., Principle 2.8: "Access computing and communication resources only when authorized"), the IEEE Code of Ethics, the IEEE Code of Conduct, and the IEEE Cybersecurity Initiative.
White hats operate with explicit client permission and follow well-established penetration testing industry and regulatory ethical guidelines (e.g., EC-Council’s CEH, OffSec's OSCP, ISO/IEC 27001, IEEE 802.10, OWASP, and NIST SP 800-115):
EC-Council’s CEH Code of Ethics (explicit rules for pentesters).
Offensive Security's OSCP curriculum includes an ethics module to reinforce professional conduct.
ISO/IEC 27001 (includes security testing norms).
IEEE 802.10 (historical standard for security) and newer frameworks emphasize authorized testing.
OWASP (Open Web Application Security Project) provides guidelines for responsible vulnerability disclosure.
NIST SP 800-115 (Technical Guide to Penetration Testing) emphasizes authorized testing.
Key traits of ethical hackers:
Operate legally under contracts or employment agreements (Schneier, 2020).
Follow responsible disclosure practices (ISO/IEC 29147), e.g., report vulnerabilities privately to the vendor.
Motivated by improving security, not fame or profit.
Often hold industry certifications like CEH (Certified Ethical Hacker) or OSCP (Offensive Security Certified Professional).
Compliance with laws like the Computer Fraud and Abuse Act (CFAA) (Schneier, 2020).
Examples:
Kevin Mitnick (post-reformation) – Once a notorious black hat, he became a respected cybersecurity consultant and author.
Charlie Miller – A well-known security researcher who worked for companies like Uber and Cruise Automation, uncovering critical vulnerabilities responsibly.
Troy Hunt – Creator of Have I Been Pwned, a security expert who collaborates with companies to expose data breaches ethically.
Grey Hat Hackers: The Unauthorized Researchers
Grey hat hackers fall between white and black hats—they hack computer systems without permission but usually claim altruistic motives (Jordan & Taylor, 2004). They often breach regulations (e.g., CFAA) in the course of discovering security flaws within commercial software—a practice critiqued in literature as "vigilante security" (Denning, 2010). They then notify the software vendor asking it to fix discovered vulnerabilities and threaten public exposure of the vulnerabilities if the vendor does not oblige (sometimes they demand payment). While some may genuinely help improve security, their methods are illegal and ethically questionable. Some call themselves security researchers, but legitimate researchers work within legal frameworks (e.g., ethical hacking consultants).
Key traits of grey hat hackers:
Hack without permission but often claim to act in the public interest.
May extort companies by threatening to release vulnerabilities.
Often seek recognition (bragging about exploits on social media or at conferences).
Some transition into white hat roles, while others drift toward black hat activities.
Examples:
Marcus Hutchins (MalwareTech) – Initially a grey hat hacker, he later became a white hat after stopping the WannaCry ransomware attack.
The Anonymous Researcher Who Leaked iOS Vulnerabilities – Some grey hats have exposed Apple or Microsoft flaws without authorization, claiming it was for public safety.
Researchers Who Sold Zero-Days – Some grey hats have sold exploits to companies (or even governments) instead of reporting them responsibly.
Black Hat Hackers: The Criminals
Black hat hackers come in two variations. The original/more traditional attribution of the label "black hat hackers" is associated with bad actors who hack for personal profit or for some other criminal goal. The more recent use of the term black hat hacking refers to presumably legal hacking practices whereby hackers have no prior knowledge of the target system (i.e., an attribution based on a technical perspective rather than an ethical perspective). Within our classification scheme, black hats are criminally-minded.
Black hat hackers as criminals engage in illegal hacking for personal gain, sabotage, or espionage (Chandler, 1996). They exploit vulnerabilities to steal data, deploy ransomware, or disrupt systems. Research ties them to organized crime and state-sponsored threats (Rid, 2013), with motivations ranging from financial theft to ideological disruption. Unlike white hats, they have no ethical constraints and often work within organized cybercrime syndicates or are rogue intelligence operatives. Their activities include identity theft, financial fraud, and espionage.
Key traits of black hat hackers:
Operate purely for personal profit or destruction.
Use malware, phishing, and zero-day exploits maliciously.
Often work in underground forums (e.g., Dark Web markets).
May be state-sponsored (e.g., hacking for governments).
Examples:
Albert Gonzalez – Mastermind behind the TJX and Heartland Payment Systems breaches, stealing millions of credit card details.
Evgeniy Bogachev – Creator of the Zeus banking Trojan, responsible for stealing over $100 million.
The Lazarus Group – A North Korean state-sponsored hacking group behind the Sony Pictures hack and WannaCry.
Hacktivists: The Politically Motivated Hackers
Hacktivists leverage cyber techniques for political or social causes, blurring the line between activism and cybercrime (Samuel, 2004). While some actions (e.g., DDoS attacks) are illegal, their goals distinguish them from profit-driven black hats (Coleman, 2014). Unlike black hats, they are not primarily motivated by money but by ideology. Their targets include governments, corporations, or organizations they oppose. Tactics include DDoS attacks, website defacements, and data leaks.
Key traits of hacktivists:
Motivated by political/social causes (e.g., human rights, anti-censorship).
May work in collectives (e.g., Anonymous).
May blur the line between activism and cybercrime.
Examples:
Anonymous – Known for attacks on Sony (2011), the Church of Scientology, and governments in support of free speech.
WikiLeaks Supporters – Hackers who targeted institutions to expose classified documents (e.g., Chelsea Manning leaks).
Phineas Fisher – A hacktivist who breached Hacking Team and Gamma Group, exposing surveillance tools sold to oppressive regimes.
Hacker Profiles Summary Table

Profile      Legal?   Primary motivation        Typical practices                      Examples
White Hat    ✅ Yes   Improve security          Authorized pentesting, bug bounties    Kevin Mitnick, Troy Hunt
Grey Hat     ❌ No    Fame, forced fixes        Unauthorized hacking, extortion        Marcus Hutchins, iOS exploiters
Black Hat    ❌ No    Profit, destruction       Malware, fraud, ransomware             Albert Gonzalez, Lazarus Group
Hacktivist   ❌ No    Political/social change   DDoS, leaks, defacements               Anonymous, Phineas Fisher
Each hacker group has distinct motivations, but the legality of their practices and their ethics separate them most clearly. While white hats work within the legal system, grey hats operate in a moral grey zone, black hats are outright criminals, and hacktivists prioritize ideology over law.
Other perspectives on hacker ethics
The pioneering historical work of Steven Levy (1984) on hacker culture and the hacker ethic (Hackers: Heroes of the Computer Revolution) presents one of the earliest theorizations of the hacker ethic (what hackers thought it meant to be a hacker), particularly in the early decades of computer technology in the 1950s and 1960s. Levy (1984) distilled the hacker ethic into six tenets:
Access to computers—and anything that might teach you something about the way the world works—should be unlimited and total. Always yield to the Hands-On Imperative!
All information should be free.
Mistrust authority—promote decentralization.
Hackers should be judged by their hacking, not criteria such as degrees, age, race, sex, or position.
You can create art and beauty on a computer.
Computers can change your life for the better.
Coleman and Golub (2008) offer an anthropological taxonomy of hacker ethics (hacker groups) based on idioms and practices. Coleman and Golub (2008) see the various hacker ethics as representative of the subjective self. They conceptualize three liberal moral expressions of hackers and hacking (cultural sensibilities or hacker ethics) revealed variably in the context of computer hacking: cryptofreedom, free and open source software, and the hacker underground (see Table 14: Profiles of Hackers).
Key takeaways
Ethical hacking is unambiguously legal: The fundamental characteristic that distinguishes ethical (white hat) hacking from all other forms is that it is conducted with explicit, prior authorization from the system owner, within a legal and contractual framework. Without authorization, hacking is an illegal activity.
The legal distinction: Professional ethical hackers are classified as white hat hackers, who are distinguished from grey hats, black hats, and hacktivists by their strict adherence to the legal imperative.
Governed by a web of professional codes: Professional ethical hackers do not rely on personal moral judgment alone. They are bound by a structured ecosystem of ethical codes from industry certifications (e.g., EC-Council, (ISC)²), professional associations (e.g., ACM, IEEE), and technical standards (e.g., OSSTMM, OWASP).
Core ethical pillars are universal: Analysis of various codes and standards reveals a consistent set of core ethical principles. These include:
Authorization and Legal Compliance: The absolute baseline for all activities.
Trust and Integrity: Being honest and reliable, even when unobserved.
Confidentiality: Protecting all client information encountered during testing.
Responsible Disclosure: Reporting vulnerabilities only to authorized client contacts.
Protecting System Integrity: Avoiding unnecessary damage or disruption to systems.
Protecting the Public: Acknowledging a broader duty to society's safety and security.
Professionalism is cultivated through training: University programs accredited by bodies like the Canadian Engineering Accreditation Board (CEAB) are required to teach ethics, instilling a systematic, engineering-based mindset and the professional codes of conduct that graduates must follow in their careers.
Trust is paramount: Ethical hackers are granted privileged access to an organization's most sensitive systems and data. Their trustworthiness is the foundation of the client relationship, ensuring they will not exploit findings for personal gain or malicious purposes.
References
Andrasik, J. (2016). Penetration testing: A guide for business and IT management. CreateSpace Independent Publishing Platform.
Bodhani, A. (2013). Hacking it. Engineering & Technology, 8(6), 64–67. https://doi.org/10.1049/et.2013.0614
Chandler, A. (1996). The changing definition and image of hackers in popular discourse. International Journal of the Sociology of Law, 24(2), 229–251. https://doi.org/10.1006/ijsl.1996.0012
Coleman, E. G., & Golub, A. (2008). Hacker practice: Moral genres and the cultural articulation of liberalism. Anthropological Theory, 8(3), 255–277. https://doi.org/10.1177/1463499608093814
Coleman, G. (2014). Hacker, hoaxer, whistleblower, spy: The many faces of Anonymous. Verso.
Denning, D. (2010). Cyber conflict as an emergent social phenomenon. Corporate Cyber Security.
Graves, K. (2010). Certified ethical hacker study guide. John Wiley & Sons.
Harper, A., Harris, S., Ness, J., & Eagle, C. (2011). Gray hat hacking: The ethical hacker's handbook (3rd ed.). McGraw-Hill Education.
Harris, A. (2021). Penetration testing essentials. John Wiley & Sons.
Jordan, T., & Taylor, P. (2004). Hacktivism and cyberwars: Rebels with a cause? Routledge. https://doi.org/10.4324/9780203637997
Levy, S. (1984). Hackers: Heroes of the computer revolution. Anchor Press/Doubleday.
Logan, P. Y., & Clarkson, A. (2005). Teaching students to hack: Curriculum issues in information security. In Proceedings of the 36th SIGCSE technical symposium on Computer science education (pp. 157–161). https://doi.org/10.1145/1047344.1047405
Palmer, C. C. (2001). Ethical hacking. IBM Systems Journal, 40(3), 769–780. https://doi.org/10.1147/sj.403.0769
Pashel, B. A. (2006). Teaching students to hack: Ethical implications in teaching students to hack at the university level. In Proceedings of the 4th annual conference on Information security curriculum development (pp. 197–200). https://doi.org/10.1145/1231047.1231086
Pike, G. H. (2013). The law and ethics of hiring hackers. Information Today, 30(9), 1, 34.
Rid, T. (2013). Cyber war will not take place. Oxford University Press.
Samuel, A. (2004). Hacktivism and the future of political participation. Harvard Law Review, 117(8), 2714–2727. https://doi.org/10.2307/4093405
Schneier, B. (2020). Click here to kill everybody: Security and survival in a hyper-connected world. W.W. Norton & Company.
Sharma, S., & Sefchek, J. (2007). Teaching information systems security courses: A hands-on approach. Computers & Security, 26(4), 290–299. https://doi.org/10.1016/j.cose.2006.11.005
Tavani, H. T. (2016). Ethics and technology: Controversies, questions, and strategies for ethical computing (5th ed.). John Wiley & Sons.
Thomas, T., Andrasik, F., & Morato, E. (2018). Ethical hacking: A comprehensive beginner's guide. CRC Press.
Walker, M. (2017). CEH certified ethical hacker all-in-one exam guide (4th ed.). McGraw-Hill Education.
Xu, Z., Hu, Q., & Zhang, C. (2013). Why computer talents become computer hackers. Communications of the ACM, 56(4), 64–74. https://doi.org/10.1145/2436256.2436272
Young, R., Lixuan, Z., & Prybutok, V. R. (2007). Hacking into the minds of hackers. Information Systems Management, 24(4), 281–287. https://doi.org/10.1080/10580530701585823