Introduction
For the past several years, we’ve posted annual blogs on how to become an ethical hacker. Given that these blogs have been well received, we have brought back yet another edition. So, without further ado, let’s chat about how you can break into the field of ethical hacking in 2025.
A Few Things Before We Begin…
Before jumping into the resources, there are a few things we need to address. First, it’s crucial to build a strong foundation in IT before diving into the cool, hacky stuff. Think of your hacking career like building a house—if you throw it up on a weak foundation, it won’t stand for long. The same goes for hacking: if you skip over essential IT fundamentals, you’ll likely find yourself overwhelmed and lost, which could derail your journey altogether. Mastering networking, system administration, and security basics might not seem glamorous, but without them, even the best exploit techniques won’t get you far.
Second, let’s be real—ethical hacking is an exciting field. You get paid to legally break into networks, applications, and even physical buildings (how awesome is that?). On top of the fun, it pays very well. But here’s why: not everyone has the drive or skills to succeed in this space. High demand and a small talent pool create the opportunity for lucrative careers. But if your only motivation is the paycheck, you’re setting yourself up for frustration.
We’ve seen it too many times—people jump into hacking because it sounds cool or because they’re chasing the money. That mindset won’t get you far. Hacking is a grind. Breaking into the field is tough, and even after you’ve made it, you have to keep learning to stay relevant. New exploits and defenses are constantly emerging, and if you stop sharpening your skills, your peers will leave you behind.
The key takeaway? Choose this field because it excites you, because it sparks your curiosity, and because you want to be a lifelong learner. The money is a fantastic bonus, but it can’t be your only motivation. If you put in the work and commit to constant learning, you’ll not only be well-compensated—you’ll have a blast along the way.
If you are interested, we go into more detail on why you should (and should not) be an ethical hacker in this video.
Lastly, it’s important to mention that this article is brought to you by TCM Security, a training and certification company dedicated to building the next generation of cybersecurity professionals. While you may find our training mentioned throughout, our goal here is to provide honest, unbiased recommendations to help you on your path. We’re committed to giving you real value, whether that’s through our resources or those we genuinely believe will set you up for success. Being a hacker in 2025 is all about skills, knowledge, and community—and this article is designed to guide you, no matter where you decide to start or continue your journey. To be as transparent as possible, we will mark any reference to TCM Security training in this article as self-promotion.
The Foundations
With that out of the way, let’s discuss the foundational skills that we feel are necessary to mold a good hacker. With each of the skills, we will link the resources and courses to help improve your skillset. Some of the links will be related to certifications. You do not have to take the certification unless you want to (though, it could help with landing a job). If you’re tight on funds, just focus on the trainings themselves.
Now, the foundational skills:
Learn the Basics of IT – Networking, Linux, Security
1) Basic IT Skills
By this, we mean your standard break/fix help desk skillset. Can you build a computer and identify its parts? Can you troubleshoot and fix issues? In the certification world, this would be equivalent to the CompTIA A+ certification (current version 220-1101 & 220-1102). If you’re brand new to IT and starting here, we strongly recommend picking one of the following resources:
- FREE (self-promotion) – TCM Security Academy – Practical Help Desk
- The 19-hour Practical Help Desk course by TCM Security Academy is a free, hands-on program designed to prepare students for entry-level IT roles. It covers essential skills needed to excel at a help desk position, including troubleshooting common technical issues, managing tickets, and customer service fundamentals. The course emphasizes practical, real-world scenarios to build confidence in resolving hardware, software, and networking challenges. Ideal for beginners, it offers a straightforward path to building foundational IT knowledge and experience, making it an excellent starting point for those pursuing a career in tech.
- FREE – Professor Messer – 220-1101 and 220-1102 A+ Courses
- Professor Messer’s 220-1101 and 220-1102 A+ courses cover essential knowledge needed for passing the CompTIA A+ certification, focusing on both hardware and software fundamentals.
- The 220-1101 (Core 1) course dives into hardware technologies such as networking devices, cables, and peripherals, along with virtualization and mobile device management. It emphasizes practical troubleshooting, from understanding network configurations to managing hardware components like motherboards and storage systems.
- The 220-1102 (Core 2) course shifts focus to operating systems, security, and software troubleshooting. It includes modules on Windows, Linux, and macOS features, explores physical and logical security best practices, and provides strategies for tackling malware, social engineering, and mobile device security. Core 2 also highlights practical IT skills like Active Directory management and securing SOHO networks.
- PAID – Mike Meyers – 220-1101 and 220-1102 A+ Courses
- The Total CompTIA A+ Certification courses (220-1101 and 220-1102) by Mike Meyers on Udemy provide a comprehensive path to passing both Core 1 and Core 2 exams, essential for earning the A+ certification. Similar to Professor Messer, these courses cover foundational IT knowledge, with 220-1101 focusing on hardware, networking, and mobile devices, while 220-1102 emphasizes software, operating systems, and cybersecurity concepts. Both include hands-on labs, troubleshooting exercises, and practical scenarios, equipping students with real-world skills for IT roles. With engaging lectures and practice tests, these courses are ideal for beginners looking to break into IT and pass their A+ exams on the first attempt.
2) Networking Skills
Networking is an essential part of penetration testing. Can you describe the OSI model? Do you know what service runs on port 22? Can you explain CIDR notation or walk through the TCP three-way handshake? If these concepts feel foreign, then it’s time to build your networking knowledge. In the certification world, this would align with the CompTIA Network+ certification (N10-008 or N10-009). If you’re starting here, we recommend the following resources:
- FREE – Professor Messer – N10-008 or N10-009 Network+ Course
- Professor Messer offers a free, beginner-friendly course covering the Network+ certification objectives. It walks you through networking essentials, including protocols, IP addressing, routing, and troubleshooting. This course is ideal if you’re looking for a solid introduction to networking concepts without any financial investment. You can choose either the N10-008 or N10-009 course. Both are good starting points and cover a lot of the same topics. In our opinion, going with the newer version of a course is almost always the better choice.
- FREE – Cisco Networking Academy – Packet Tracer
- Packet Tracer by Cisco is a free network simulation tool that provides a hands-on experience with network configuration and troubleshooting. It allows you to build virtual networks, making it an excellent supplement to theoretical learning. You can explore Packet Tracer here.
- PAID – Mike Meyers – Network+ Course
- Mike Meyers’ comprehensive Network+ course on Udemy provides everything you need to pass the N10-008 exam. The course features detailed lectures, hands-on labs, and real-world examples to reinforce key concepts. It’s perfect for anyone serious about mastering networking fundamentals and preparing for the certification exam.
Side note: If you’re already familiar with networking, you might be wondering about the CCNA (Cisco Certified Network Associate) certification. While CCNA is valuable, it focuses heavily on Cisco’s technologies and commands. We recommend starting with a vendor-neutral certification like Network+ to build a strong foundation. You can always pursue vendor-specific certs like the CCNA later, especially if your career path or job role demands it.
3) Linux Skills
Linux is a cornerstone of ethical hacking—like, a lot of it. Most hackers rely on Debian-based distributions, with Kali Linux and Parrot OS being the most popular. While some prefer building their own custom Linux distros, Kali and Parrot remain the go-to choices for many. Fortunately, there are plenty of free resources available to help you master Linux.
Learning Linux is much like learning a foreign language. You can gain a lot from following an instructor, but full immersion makes all the difference. Try installing Linux and commit to using it exclusively for a week. The initial struggle will give way to faster learning and improved confidence in the environment.
- FREE (self-promotion) – TCM Security Academy – Linux 100: Fundamentals
- This free course introduces essential Linux concepts, including file management, permissions, and basic scripting. It’s a great starting point for beginners wanting a structured introduction to the operating system. You can enroll in Linux Fundamentals here.
- FREE – Linux Journey
- This site offers interactive lessons covering everything from basic commands to more advanced topics. It’s a great way to ease into Linux at your own pace. You can check out Linux Journey here.
- FREE – OverTheWire – Bandit
- OverTheWire’s Bandit wargame is a fantastic series of challenges designed to teach you Linux through practical problem-solving, helping you build both knowledge and troubleshooting skills. Explore OverTheWire’s Bandit.
- PAID (self-promotion) – TCM Security Academy – Linux 101
- For those seeking deeper, structured learning, TCM Security Academy offers Linux 101, which builds upon the Linux 100 course mentioned above. This course covers the foundations needed to become comfortable using Linux, with practical exercises that prepare you for real-world scenarios. Whether you aim to use Linux in hacking or IT administration, this course will build the confidence you need.
4) Coding/Scripting Skills
In cybersecurity, being able to read and understand code is essential, even if becoming a professional developer isn’t the goal. While advanced coding skills can make tasks easier, a basic understanding is often sufficient to succeed in this field. Many professionals, including ethical hackers, thrive with only foundational programming knowledge.
Python is the recommended starting point due to its beginner-friendly syntax and wide adoption across industries. Many educational institutions now teach Python as the primary language in their introductory courses. It’s essential to focus on Python 3, as Python 2 is outdated and no longer supported. Below are some recommended resources to get started:
- FREE (self-promotion) – TCM Security – Programming 100: Fundamentals
- For those completely new to programming, Programming 100 Fundamentals offers a beginner-friendly introduction. This course covers the basics of coding with Python, including variables, loops, and control structures, providing a solid foundation for further programming studies.
- FREE – FreeCodeCamp
- A hands-on, project-based platform that teaches all sorts of programming languages, including Python, through interactive coding challenges and videos. You can check out FreeCodeCamp here.
- FREE TRIAL (No credit card required) – Codecademy
- Offers structured, interactive lessons with guided exercises to help beginners build foundational Python skills. You can check out Codecademy here.
- PAID (subscription) – Team Treehouse
- A subscription-based platform with in-depth courses that include projects and challenges designed to reinforce coding concepts. You can check out Team Treehouse here.
- PAID (self-promotion) – TCM Security – Programming Classes
- For those interested in taking a deeper dive into programming, TCM Security offers a slew of programming classes that focus on practical applications for cybersecurity. Those classes include Python 101 for Hackers, Python 201 for Hackers, C# 101 for Hackers, Rust 101, and Programming with AI.
5) Security Skills
Before starting a cybersecurity career, having a solid foundation in security concepts is essential. If there’s one certification worth pursuing early on, it’s the CompTIA Security+. This certification builds on networking fundamentals, introducing core security principles like cryptography, risk management, and incident response—think of it as “Network++.”
A solid understanding of security fundamentals not only ensures long-term success but also opens doors to entry-level roles, such as a SOC Analyst. Below are top resources to help you prepare for Security+ and gain essential security skills:
- FREE – Professor Messer – SY0-701 Security+ Course
- Professor Messer offers a comprehensive Security+ video series covering all exam objectives, including topics like network security, incident response, and access control. You can check it out here.
- PAID (self-promotion) – TCM Security – Security Operations (SOC) 101
- The 30-hour SOC 101 course offers a detailed introduction to Security Operations Centers (SOCs) and the role of a SOC Analyst. It covers core topics such as log analysis, incident response, and monitoring tools, providing practical skills to excel in entry-level security roles. Ideal for those pursuing a career as a SOC Analyst or wanting to learn to become a better hacker by learning how to defend, this course bridges the gap between theoretical knowledge and real-world operations.
You’ve Got the Foundations, Now What?
Hacking Basics and Foundational Skills
Learning the Basics of Ethical Hacking
Now that you’ve built a solid foundation, it’s time to dive into hacking. For a comprehensive starting point, we recommend the Practical Ethical Hacking course by TCM Security Academy (self-promotion). This course covers the essential skills you’ve learned (Linux, Python, and Networking) and takes them a step further into real-world hacking scenarios including Active Directory and Web Application hacking, which we will expand on in a bit.
The first 15 hours of this course are available for free on YouTube, broken into two parts for easy access:
Beyond courses, it’s important to practice hacking on intentionally vulnerable machines—systems designed to be hacked. These machines follow a “Capture the Flag (CTF)” style, teaching the fundamentals, tools, and problem-solving persistence required to become a successful hacker. Here are three top platforms to practice on:
- TryHackMe: Best for beginners, this platform offers a range of free/paid labs and guides you through hacking techniques, explaining each step.
- Hack The Box: An alternative to, and often more challenging than, TryHackMe, this platform offers a variety of vulnerable machines for intermediate users to hone their skills.
- VulnHub: A free platform with downloadable, intentionally vulnerable machines, great for practicing offline.
If you enjoy CTF-style hacking, you might also want to participate in live CTF events. These competitions are excellent for improving your hacking skills in a team-based environment. Check out CTFTime for the latest CTF events and read write-ups from past challenges to enhance your learning. Find CTF events at CTFTime.
Beyond the Basics
Breakdown of Foundational Skills, Hacking Basics, and Beyond the Basics
Once you are feeling comfortable with the basics, there are several additional areas of hacking that you should familiarize yourself with, especially if you want to be a pentester. Those areas are:
1) Active Directory
Active Directory (AD) hacking is one of the most overlooked areas by individuals entering the cybersecurity field. Yet, with more than 95% of Fortune 1000 companies relying on AD for their business environments, it’s a critical skill to master.
AD hacking frequently comes up in job interviews, especially for security roles. Many candidates with impressive certifications but limited hands-on experience struggle with this topic, revealing a gap in practical knowledge. Understanding AD is essential not only for passing interviews but also for excelling in real-world security roles, where navigating AD environments and identifying vulnerabilities are key components of the job.
For Active Directory, beyond the Practical Ethical Hacking course mentioned above, there are some pretty fantastic resources.
Here are people (and blogs) you should follow if you’re interested in Active Directory hacking:
@PyroTek3 – https://adsecurity.org/
@_dirkjan – https://dirkjanm.io/
@Haus3c – https://hausec.com/
Additionally, anything by @SpecterOps, @CptJesus, @byt3bl33d3r, @gentilkiwi, and @harmj0y
2) Web and Mobile Application Hacking
Web and mobile application hacking is one of the most in-demand skills in cybersecurity. Many of the high-profile bug bounty programs revolve around vulnerabilities in web or mobile apps, and entire roles are dedicated solely to web application penetration testing. If you want to be a pentester, mastering application hacking is essential for leveling up your skills. Below are some excellent (mostly free) resources to help you get started:
- PortSwigger Web Security Academy: A comprehensive platform with labs and tutorials focused on web security concepts.
- Hacker101: Free online training by HackerOne, covering web application security fundamentals and more.
- Bugcrowd University: Offers educational content to help you develop the skills needed to succeed in bug bounty programs.
- PentesterLab: A hands-on platform for learning web security through practical exercises and labs.
Self-Promotion:
Since the previous release of this article, TCM Security Academy has released a slew of web application hacking content.
- Practical Bug Bounty – 9.5 hour course – If you’re new to web application hacking, we recommend starting here. The course covers essential topics of web application hacking and bug bounty programs, including how bug bounty programs work, finding and reporting vulnerabilities, and the use of key tools like Burp Suite. It focuses on real-world applications to help students transition from theory to practice, with step-by-step guidance on identifying common web vulnerabilities and submitting successful bug reports. This training leads directly to the Practical Web Pentest Associate (PWPA) certification.
- Practical Web Hacking – 10+ hour course – Building upon the Practical Bug Bounty course, this course covers both fundamental and advanced web vulnerabilities, including SQL injection, cross-site scripting (XSS), authentication flaws, and command injection. Students learn through real-world scenarios, with practical exercises designed to build confidence in using tools like Burp Suite. This training leads directly to the Practical Web Pentest Professional (PWPP) certification.
- Practical API Hacking – This course focuses on the growing field of API security, teaching students how to identify and exploit vulnerabilities in Application Programming Interfaces. The course covers key attack techniques, including broken authentication, authorization flaws, and injection attacks specific to APIs. It provides hands-on experience with real-world scenarios, equipping learners with practical skills for penetration testing and bug bounty hunting involving APIs. This training leads directly to the Practical Web Pentest Professional (PWPP) certification.
- Advanced Web Hacking – Building upon the Practical Web Hacking and Practical API Hacking courses, this course dives deeper into complex web vulnerabilities and sophisticated attack techniques. This course covers advanced topics like server-side request forgery (SSRF), XML external entities (XXE), deserialization attacks, and advanced SQL injection. It’s designed for those with prior experience in web security who want to refine their skills and tackle real-world challenges in penetration testing and bug bounty programs.
- Mobile Application Penetration Testing – For those interested in hacking mobile applications, this course offers practical training on securing mobile apps by identifying and exploiting vulnerabilities specific to Android and iOS platforms. The course covers reverse engineering, insecure data storage, API vulnerabilities, and mobile-specific security flaws. Through hands-on exercises and real-world scenarios, students gain the skills needed to conduct thorough mobile app assessments for penetration testing and bug bounty hunting. This training leads directly to the Practical Mobile Pentest Associate (PMPA) certification.
- Additionally, we offer a free course on YouTube for beginner web application hacking
When learning web app security, it’s also helpful to familiarize yourself with the OWASP project. Pay special attention to the OWASP Top 10 vulnerabilities and the OWASP Web Security Testing Guide:
Finally, reviewing bug bounty write-ups offers valuable insights into real-world vulnerabilities. Many bounty platforms, such as HackerOne, maintain archives of these write-ups:
3) Wireless Hacking
You can learn to hack wireless networks pretty quickly. In fact, a lot of hackers started out tinkering with wireless hacking before jumping into other areas of ethical hacking because of its simplicity. You can easily pick up the skillset needed to hack WPA2 Personal by having the right equipment and reading a short blog post, such as this one.
WPA2 Enterprise is a little trickier, but hey, there are blogs for that too, such as this one.
4) Certifications
The next thing to discuss is certifications, which can be useful for standing out in the job application process. Below are some of the top entry-level hacking certifications that can be found on job postings, sorted by price. If you’re interested in taking a certification, we recommend researching each certification individually and finding one that best suits your journey.
Categories in the table above are as follows:
- Multiple Choice – The exam format is multiple choice. When multiple choice is marked along with CTF-Style Exam, this means the exam is multiple-choice but has a hands-on component.
- CTF-Style Exam – The exam format is hands-on, but not practical. This means that the exam has more of a gamified experience as opposed to an exam that mimics a real-life engagement.
- Practical Exam – The exam format mimics a real-life engagement, requiring hacking techniques found in real penetration tests to be used in an environment that is modeled after real-world clients. These exams are often several days long to accommodate the format, whereas most multiple choice exams often have a time restriction of a few hours.
- Government – The exam is recognized by the United States government and can be beneficial when applying to government jobs.
- Cost – Relevant to the specific certifications listed, $ assumes a cost of $500 or less, $$ assumes a cost of $1,000-$3,000, $$$ assumes a cost of $8,000 or more. All costs assume the cost of training being included.
5) Privilege Escalation
This is a topic many new hackers struggle with. You land on a machine, but you’re not the admin/root user. How can you elevate your privileges? You’ll find this area tested in many popular certification exams, so it’s a topic you should know.
TCM Security does have courses on the topic:
Windows Privilege Escalation – https://academy.tcm-sec.com/p/windows-privilege-escalation-for-beginners
Linux Privilege Escalation – https://academy.tcm-sec.com/p/linux-privilege-escalation
As does @0xTib3rius:
Windows Privilege Escalation – https://www.udemy.com/course/windows-privilege-escalation/
Linux Privilege Escalation – https://www.udemy.com/course/linux-privilege-escalation/
Plus, there are a million guides out there for PrivEsc. We will leave you to your Googling skills to find these, but here is just one example of a great guide.
Content Creators
Content creators play an important role in educating the next generation of hackers looking to break into this field, and this article would be incomplete if we did not include some of our favorite content creators.
Note: Anyone online can claim to have expertise in a field. Due diligence and research should be performed on any content creator(s). Below are vetted industry experts that have active YouTube channels.
General Hacking:
The Cyber Mentor (self-promotion) – https://youtube.com/c/thecybermentor
John Hammond – https://youtube.com/c/JohnHammond010
HackerSploit – https://youtube.com/c/HackerSploit
IppSec – https://youtube.com/c/ippsec
Conda – https://youtube.com/c/c0nd4
Tyler Ramsbey – https://www.youtube.com/@TylerRamsbey
Web App/Bug Bounty:
NahamSec – https://youtube.com/c/Nahamsec
InsiderPhD – https://youtube.com/user/RapidBug
Farah Hawa – https://youtube.com/c/FarahHawa
Rana Khalil – https://youtube.com/c/RanaKhalil101
Communities
Being part of a community is essential to becoming a skilled hacker. Communities provide opportunities to ask questions, share knowledge, and connect with others in the field or those starting their journey. Networking with like-minded individuals not only enhances learning but can also open doors to new opportunities. A strong community can accelerate your growth and keep you motivated along the way.
- TCM Security Community: Our Discord community, with over 60,000 members, is a vibrant space to connect, learn, and collaborate. Join here.
- VetSec Community: For military veterans, VetSec offers a dedicated community to support your transition into cybersecurity. Learn more at VetSec.
Conclusion
This article provides a solid starting point, though it’s by no means exhaustive. The resources shared here have guided many professionals in their journeys, but every path in cybersecurity is unique. It’s recommended to explore additional materials and resources along the way. With the content provided, there’s more than enough to keep you engaged throughout 2025. Stay curious, keep learning, and—happy hacking!
About the Author
Heath Adams, also known as “The Cyber Mentor,” is the CEO of TCM Security. While Heath is an ethical hacker by trade, he also loves to teach! Heath has taught courses to over 1,000,000 students on multiple platforms, including TCM Academy, Udemy, YouTube, Twitch, and INE.
Heath has held many certifications, including CISSP, PNPT, QSA, GSNA, OSCP, ECPTX, and eWPT. He also holds an MBA degree.
Finally, Heath is also a husband, animal dad, tinkerer, and military veteran.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
Pentest Services: https://tcm-sec.com/our-services/
Contact Us: sales@tcm-sec.com