Chapter 1 · Lesson 2

What Is Ethical Hacking?

Ethical and malicious hacking use the same skills — authorization and intent draw the line — and this lesson maps the hat colours, team colours, and how bug bounties, pentests, and red teams differ.

Ethical vs malicious hacking

An ethical hacker uses offensive techniques to find and fix security weaknesses before a real attacker can exploit them — always with explicit permission from the system's owner. A malicious hacker uses the very same techniques without permission, for personal gain, disruption, or harm. The tools, commands, and creativity are often identical; what separates the two is authorization and intent. This is why this course treats the legal framework (next lesson) as inseparable from the technical material: the skill is neutral, but the act is not.

Ethical hacking goes by several names you'll meet in job listings — penetration testing, offensive security, and the broader red teaming. All share the goal of thinking like an attacker in order to strengthen the defender.

[Figure: one hacking skill forks into an ethical path (with authorization) and a malicious path (no permission); intent and permission decide which path is taken.]
Identical skill, two very different paths. Authorization and intent are the fork in the road.

Hat colours: white, black, and grey

The community borrows old Western-film shorthand to describe motivation:

  • White hat — works with permission to improve security. Professional penetration testers and bug-bounty researchers operating within program rules.
  • Black hat — operates illegally for profit, espionage, or destruction. The criminal end of the spectrum.
  • Grey hat — acts without explicit authorization but without clearly malicious intent — for example, probing a stranger's server and then reporting the flaw. Well-meaning or not, this is still typically illegal, because permission was never granted. Good intentions do not create authorization.

Team colours: red, blue, and purple

Inside an organization, security work is often framed by colour too. The red team plays the attacker, simulating realistic adversaries to test defenses. The blue team defends — monitoring, detecting, and responding. A purple team isn't a separate group so much as a way of working: red and blue collaborate tightly so every attack the red team lands becomes a new detection the blue team builds. You'll experience both sides in this course, because the strongest offensive practitioners understand exactly how defenders will see them.

[Figure: red (attack) and blue (defend) circles overlapping in a purple region labelled "collaborate".]
Red attacks, blue defends, and where they overlap, sharing findings, is the purple-team way of working.

Bug bounty vs pentest vs red team

  • Bug bounty — open or invited researchers test a defined scope under published rules and get paid per valid finding (e.g. via HackerOne or Bugcrowd). Continuous and crowd-sourced.
  • Penetration test — a scoped, time-boxed, contracted engagement (usually a few weeks) producing a formal report. Breadth across the agreed scope.
  • Red team — a goal-oriented, stealthy simulation of a specific adversary ("can we reach the crown-jewel data without being caught?"), testing detection and response as much as raw vulnerabilities.

Scenario
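All three engagement types above share one precondition: the target must be inside the authorized scope, and out-of-scope exclusions override any in-scope wildcard. The following scope checker is an added example for this lesson, not code from the page, any bounty platform, or any real program; the program scope it embeds is constructed and hypothetical (the RFC 5737 documentation range 203.0.113.0/24 and example.com/example.net names are placeholders). It shows the check a researcher should run before sending a single request.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed, hypothetical program scope for illustration only.
# Hostnames may use "*" wildcards; IP entries may be single addresses or CIDR blocks.
IN_SCOPE = ["*.example.com", "api.example.net", "203.0.113.0/24"]
OUT_OF_SCOPE = ["legacy.example.com", "*.internal.example.com", "203.0.113.7"]


def _entry_matches(entry: str, target: str) -> bool:
    """True if a single scope entry covers the target (hostname or IP)."""
    # Try the entry as an IP address / CIDR block first.
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None
    if network is not None:
        try:
            return ipaddress.ip_address(target) in network
        except ValueError:
            return False  # target is a hostname, entry is an IP block: no match
    # Otherwise treat the entry as a (possibly wildcard) hostname pattern.
    # "*.example.com" covers sub.example.com and a.b.example.com, but not
    # example.com itself or example.com.evil.org.
    return fnmatchcase(target.lower(), entry.lower())


def is_authorized(target: str, in_scope=IN_SCOPE, out_of_scope=OUT_OF_SCOPE) -> bool:
    """Decide whether testing `target` is covered by the published scope.

    Exclusions win: an explicit out-of-scope entry beats any in-scope wildcard,
    which is how published program rules are normally read.
    """
    if any(_entry_matches(e, target) for e in out_of_scope):
        return False
    return any(_entry_matches(e, target) for e in in_scope)


def require_authorized(target: str) -> str:
    """Gate for a testing tool: refuse to proceed unless the target is in scope."""
    if not is_authorized(target):
        raise PermissionError(f"{target} is not in the authorized scope; do not test it")
    return target


if __name__ == "__main__":
    for host in ["www.example.com", "legacy.example.com", "db.internal.example.com",
                 "203.0.113.5", "203.0.113.7", "example.com", "api.example.net"]:
        print(f"{host:28} authorized={is_authorized(host)}")
```

The asymmetry is the point: a wildcard like `*.example.com` reads as permission for the whole tree, but the program's exclusions still carve pieces out of it, so the checker tests exclusions first. A host that fails this check is a grey-hat target at best, whatever the intent.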

One flaw, two destinies

Imagine two researchers independently discover the same vulnerability in a popular web application — say, a way to read other users' private data by tampering with a request. Both have the identical technical finding. Their next move decides everything.

The first reports it through the vendor's HackerOne bug-bounty program. Because she stayed inside the published scope and rules, her work is authorized: she receives a payout, public credit, and the bug gets fixed. She is a white hat, and the disclosure makes everyone safer.

The second quietly sells the exploit on a criminal marketplace. The same keystrokes, the same flaw — but no authorization and clear malicious intent make him a black hat committing a crime. The vulnerability is identical; only the choices differ. This is the entire point of ethical hacking: the power is real, so the responsibility must be too.

Hands-on Exercise

Build the habit of asking two questions of any action: Was it authorized? and What was the intent?

  1. Read each scenario and label it as white, black, or grey hat — and whether it's legal:
    A) Tests a client's app under a signed contract  # white hat, legal
    B) Scans a random company "to help," unsolicited # grey hat, usually illegal
    C) Steals and sells a database for profit        # black hat, illegal
    D) Finds a bug within a published bounty scope    # white hat, legal
  2. For each one, also name which team mindset it reflects (red, blue, or purple).
  3. Write a one-sentence rule of your own that separates ethical from unethical action. Hint: it should mention permission.

Lesson Summary

  • Ethical and malicious hacking use the same skills; authorization and intent separate them.
  • White hats have permission, black hats are criminal, grey hats act without permission — usually still illegal.
  • Red teams attack, blue teams defend, and purple teaming makes them share what they learn.
  • Bug bounty, pentest, and red team differ in scope, duration, and goal — but all require authorization.