
What Is Ethical Hacking: Types and Certifications

What ethical hacking is, types of hackers (white/grey/black hat), certifications (OSCP, OSWE, CEH), career path and legal framework in Spain.

Secra · May 12, 2026 · 14 min read

Ethical hacking is the authorised use of offensive techniques to discover vulnerabilities before a malicious attacker does. It runs with a formal contract, scoped engagement and the objective of improving security, using the same level of skill and tooling as the real attacker but with a defensive purpose. In 2026 it's one of the most in-demand disciplines in the Spanish cybersecurity job market, with structural scarcity of senior profiles and rising salaries.

This guide explains what ethical hacking really is, the types of hackers that show up in any professional conversation (white, grey, black, red, blue, purple), the certifications actually requested in the Spanish market (OSCP, OSWE, CEH, PNPT, eJPT, HTB CPTS), the typical career path to a senior profile, the difference from pentesting and Red Team, the legal framework in Spain (Criminal Code and GDPR) and how to enter the sector without getting lost in generic courses.

What ethical hacking is

Ethical hacking is the authorised use of offensive techniques and tooling to identify vulnerabilities, validate defensive controls and improve the security posture of an organisation. The four properties that define it and separate it from cybercrime:

  1. Formal written authorisation. Without a contract and a documented scope, it's not ethical hacking; it's a crime.
  2. Bounded scope. It defines which assets, which techniques, which time window and which information the executor may look at.
  3. Responsible reporting. Findings are delivered to the owner first, with a remediation plan and reasonable timelines before any publication.
  4. Defensive improvement as the objective. The end product is a more secure system, not a personal trophy or a commercial commitment from the client.

What it brings operationally:

  • Empirical validation that defensive controls work against real TTPs.
  • Investment prioritisation based on what a real attacker would exploit first.
  • Compliance with frameworks that demand penetration testing (NIS2, DORA, PCI DSS, ENS).
  • Cyber insurance coverage, which in 2026 increasingly requires periodic pentesting.
  • Attack surface reduction before a real incident.

Four situations that don't count as ethical hacking even if the person thinks they do:

  • Investigating third-party systems without authorisation, even out of curiosity or benign motive (criminal offence in most jurisdictions).
  • Buying exploits for use outside a contract.
  • "Hacking" an ex-partner's account or investigating a family member (serious offence).
  • Reporting vulnerabilities demanding money before public disclosure (extortion, not responsible disclosure).

Types of hackers

The "hat" taxonomy is cultural, but useful for quick conversations. The six categories that come up in practice:

White hat

Ethical professional contracted by the system-owning organisation. Pentester, Red Teamer, bug bounty researcher with authorisation. The activity is covered by contract and law. This is where Secra and most cybersecurity boutiques operate.

Black hat

Cybercriminal. Acts without authorisation seeking personal benefit: extortion, data theft, fraud, sabotage. Punishable by criminal law with penalties that can reach several years of imprisonment.

Grey hat

The grey zone. Researcher who finds vulnerabilities in systems they don't own and reports them to the owner without prior authorisation. Their intent is benign but their method is strictly illegal. Many cases end in legal dispute because the owner reacts badly and reports them.

Red team

Not an individual hat but a function inside an organisation: authorised offensive team that runs complex exercises against the rest of the company. Detail in the Red Team comparison guide.

Blue team

Defensive team. SOC, threat hunters, detection engineers. The Red Team's counterpart inside the organisation. Not offensive, but shares technical culture and vocabulary.

Purple team

Exercise or team where Red Team and Blue Team work collaboratively: the attacker executes a technique, the defender validates live whether detection fires, both tune on the spot. The fastest and most cost-effective way to raise defensive maturity in a few weeks.

Certifications requested in Spain

The sector is full of certifications, many with little real signal. The ones that show up in actual RFPs and that clients value in 2026:

OSCP (Offensive Security Certified Professional)

The most globally recognised pentesting certification and the one most cited in Spanish senior job postings. 24-hour hands-on exam against a controlled network, plus a professional report. It marks a minimum level of real capability, not just theory, and is the filter many clients require to validate vendor team profiles.

OSWE (Offensive Security Web Expert)

Specialisation in deep web application exploitation. 48-hour exam. Quite a bit more demanding than OSCP and highly valued in critical web audit projects. Detail in web application penetration testing.

CEH (Certified Ethical Hacker)

From EC-Council. Better known in public sector and administrative RFPs. Multiple-choice exam, less hands-on than OSCP, criticised in the technical community for its low practical demands. It still appears in Spanish administrative tenders, mainly in TIBER-EU and public administration projects.

PNPT (Practical Network Penetration Tester) and eJPT (eLearnSecurity Junior Penetration Tester)

PNPT (TCM Security) and eJPT (INE) are modern alternatives with good recognition. More affordable than OSCP and well designed for junior-mid profiles.

HTB CPTS (Hack The Box Certified Penetration Testing Specialist)

Newer certification (2023+) that has gained traction quickly. High-quality hands-on exam at a reasonable price. Increasingly mentioned in job postings.

CRTO, CRTP and CRTE

CRTO (Certified Red Team Operator) from Zero-Point Security, focused on Red Team operations with C2 (Cobalt Strike, Mythic, Sliver) and modern evasion.

CRTP (Certified Red Team Professional) and CRTE (Certified Red Team Expert) from Altered Security, focused on deep Active Directory exploitation and forest attacks.

All three are highly valued in serious Red Team projects and complement each other. Environment detail in infrastructure penetration testing.

GIAC (SANS)

GPEN, GXPN, GWAPT, GMOB, GCIH. Expensive, rigorous, strong recognition in US public sector and multinationals. Appears in Spain but less than OSCP due to cost.

Burp Suite Certified Practitioner and other vendor-specific certifications

Useful as a complement; they do not replace OSCP or an equivalent.

What matters in 2026 is not the certification itself, but the combination of certification with demonstrable CV (CTFs, write-ups, public projects, contributions to open source tools).

Typical career path

The usual trajectory to a senior ethical hacking profile in Spain:

0-12 months. Fundamentals: networking (CCNA or equivalent), Linux (LFCS), basic programming (Python). Introductory CTFs on TryHackMe, HackTheBox starting point, OverTheWire. First job in SOC L1, IT support or junior consulting. Intensive reading: The Web Application Hacker's Handbook, OWASP Testing Guide, Red Team Field Manual.

1-3 years. Junior certification (eJPT, PNPT) and initial specialisation (web, infrastructure, mobile, OT). First role as junior pentester or security auditor. Regular participation in CTFs (HTB, root-me, national CTFs). Community: H4ckPlayers, Hackplayers, INCIBE Bug Bounty where applicable.

3-5 years. OSCP ideally. Clear specialisation in one or two verticals (AD red team, cloud security, mobile, advanced web). Full projects as technical lead. Public write-ups or talks at community events (No cON Name, Hackplayers Talks, Hack&Beers, Mundo Hacker).

5+ years. Advanced certification (OSWE, CRTO, OSCE3 grouping OSWE+OSED+OSEP from Offensive Security, GXPN by specialisation). Team leadership, complex project management, ability to communicate to the executive committee. Profiles get scarce here and the market pays well.

10+ years. Public research with published CVEs, international talks (Black Hat, DEF CON, RootedCON), or research/founder/CTO role in a boutique consultancy. Few people, competitive hiring, profile well identified in the community.

Ethical hacking, pentesting and Red Team

A common confusion for newcomers. The differences:

  • Ethical hacking is the general discipline: any authorised offensive use.
  • Pentesting is a concrete service: scoped offensive audit on specific assets in a defined time window, with detailed report of findings.
  • Red Team is a full silent adversarial exercise: simulation of a real attacker over weeks, without the defending organisation knowing it's happening, with a concrete objective (reach a critical system, get to the CEO, exfiltrate sensitive data).
  • Bug bounty is a modality of ethical hacking with a specific contractual frame: the company publishes a programme with scope and rewards, independent hackers find and report vulnerabilities, get paid per finding by severity.

In Spain, the professional ethical hacking market splits mostly across these modalities, with pentesting as entry and Red Team as the peak of complexity.

Legal framework in Spain

The key practice that separates the professional from the criminal.

Formal written authorisation

The contract must specify: technical scope (URLs, IPs, systems), time scope (dates and hours), allowed and prohibited techniques, communication mechanism during the exercise, kill switch to stop if something goes wrong, responsibilities of both parties, confidentiality over what's discovered, responsible disclosure timeline. Without this, there is no legal defence.

Applicable Criminal Code

  • Article 197: discovery and disclosure of secrets. Penalties of one to four years' imprisonment.
  • Article 197 bis: computer intrusion. Accessing a third-party system without authorisation is a crime in itself, even without causing damage.
  • Article 197 ter: production and commercialisation of programmes to commit the above offences. Applicable to tool developers if criminal intent is demonstrated.
  • Article 264: computer damage. Erasure, alteration, deterioration of data.
  • Article 264 bis: specific aggravating factors when damage affects critical information systems or causes serious harm.

GDPR

If the pentest touches personal data (almost always the case), the contract must include data processing clauses. The provider acts as data processor; technical and organisational measures must be documented; data extracted during the exercise is deleted at closure. Without this, it is a GDPR infringement sanctionable by the data protection authority.

Bug bounty programmes and Safe Harbor

Formal programmes (HackerOne, BugCrowd, Intigriti, YesWeHack) offer Safe Harbor: a clause that legally protects the researcher who follows the rules. Examples include the proof of concept by the Spanish Ministry of Economic Affairs (a pioneering public Spanish programme) and INCIBE's voluntary initiatives. Without a formal programme, reporting to a company that has no prior disclosure channel is a grey area that has ended in complaints.

Responsible research and CVE publication

The standard is responsible disclosure: notify the vendor, wait for a patch within a reasonable timeline (90 days is Google Project Zero's norm), publish afterwards. Formal registration via a CNA (INCIBE-CERT is the umbrella CNA in Spain) protects the researcher. Detail in what is a CVE.

Typical mistakes when entering the sector

Patterns observed in mentoring and hiring processes.

Stacking certifications without real practice. Three certifications without a demonstrable project are worth less than one with public write-ups and documented CTFs.

Specialising too early. Jumping into advanced Red Team without mastering web and basic infrastructure pentesting leaves gaps that show up in any serious project.

Ignoring the defensive side. The best pentester understands how they'll be detected. Spending 6 months in SOC or as threat hunter drastically improves the offensive work that follows.

Underestimating communication. Technique opens the door; clients who renew are the ones who understand the report. Knowing how to write and present to the executive committee is what separates senior from mid.

Crossing legal lines under social pressure. Underground communities, forums, unethical challenges: a trap that has truncated careers. A complaint filed at 22 shows up at 35 when a client runs a background check.

Living only on tutorials. Courses teach guided machines; real projects are ambiguous and chaotic. Adding real experience (junior at a company, bug bounty programmes with clear authorisation) is what professionalises.

Forgetting OSINT. The reconnaissance phase is half the work in Red Team and due diligence. Those who ignore OSINT stay technical pentesters and never become full operators.

Typical career outcomes

Where people who enter the sector in Spain end up:

  • Boutique consultancy (Secra, Tarlogic, A2Secure, S2 Grupo). Varied projects, fast learning, exposure to multiple sectors. Competitive salaries from mid onwards.
  • Big 4 and large consultancies (Deloitte, PwC, KPMG, EY, Accenture). More process and less pure technique, better for hybrid compliance + technical profiles.
  • In-house at banking, telco, energy. Higher salary, stability, risk of technical stagnation if the organisation doesn't invest in internal Red Team.
  • Full-time bug bounty. Few profiles worldwide make a living solely on bug bounty. More realistic as a complement.
  • Research and vendor. Research teams at Microsoft, Google, Mandiant, CrowdStrike, EDR vendors. Selective, international.
  • Senior freelance. Possible from 7-8 years with an established client network. Unstable in the first years.
  • Training and content. Spanish-speaking instructors on platforms, YouTube content, books, mentoring. Combinable with consulting.

Compliance fit

Ethical hacking is explicitly or implicitly part of several frameworks:

  • NIS2 (article 21). Security testing as part of the technical measures required for essential and important entities. More in NIS2 in Spain: a compliance guide for 2026.
  • DORA (articles 24-27). Advanced threat-led penetration testing (TLPT) mandatory for financial entities. More in DORA compliance guide for financial entities 2026.
  • ISO 27001:2022 (control 8.29). Security testing in development and acceptance.
  • ENS Royal Decree 311/2022 (mp.s.x). Periodic penetration testing for medium and high category systems.
  • PCI DSS v4.0 (req. 11.4). Mandatory annual pentesting for environments processing card data.
  • GDPR (article 32). Testing, verification and periodic evaluation as a mandatory technical measure.

Frequently asked questions

Is ethical hacking legal?

Yes, always with formal written authorisation from the system owner and within the agreed scope. Without those two elements, any offensive testing against third-party systems is a crime under article 197 bis of the Criminal Code.

Difference between ethical hacking and pentesting?

Ethical hacking is the general discipline. Pentesting is a concrete scoped service within that discipline. Every pentest is ethical hacking; not every ethical hacking exercise is a pentest.

How much does an ethical hacker earn in Spain?

Varies a lot with experience, specialisation and employer. Public ranges in Hays, Page, ICSA and Manfred reports place junior pentesters with OSCP in mid bands, seniors with specialisation in high bands, and research or leadership profiles in executive bands. Senior scarcity pushes upwards year after year. More on pricing logic in penetration testing pricing in Spain.

Which certification to start with?

For junior profile without track record, eJPT or PNPT open the door. CompTIA Security+ is overrated for offensive hacking. CEH opens administrative RFPs but is technically criticised. OSCP remains the standard mid-senior filter. HTB CPTS is a quality modern alternative.

Ethical hacking without university degree?

Possible and common. A degree in computer engineering or telecommunications accelerates but isn't a requirement. CV with real certifications (OSCP, OSWE), demonstrable projects (CTFs, write-ups, published CVEs, open source contributions) replace a degree at serious employers.

Is bug bounty a real job?

For most it's a complement, not a full salary. Only a small percentage make a living from bug bounty exclusively. Serious platforms (HackerOne, BugCrowd, Intigriti, YesWeHack) pay per finding. In Spain there's a formal state programme (Vulnerability Team) and active private programmes from telco, banking and SaaS.

Will generative AI replace the ethical hacker?

In 2026, no. It accelerates specific phases (OSINT query generation, code review aid, first sample analysis), but the work of exploiting complex chains, business logic and running Red Team operations still requires human experience. What does change is that profiles not incorporating AI in their workflow become less competitive.

Professional ethical hacking at Secra

At Secra we run ethical hacking as a service for Spanish B2B clients in four main modalities: web, mobile and API pentesting; internal and external infrastructure pentesting with Active Directory focus; multi-week Red Team exercises with agreed business objectives; and specific audits (cloud, OT, mobile, containers). Every project follows a documented methodology, reproducible deliverable and mapping to regulatory frameworks when applicable. If your organisation wants to empirically validate its defensive controls before a real incident or needs to meet NIS2, DORA, PCI DSS or ENS requirements, get in touch through contact or check our red team service.

About the author

Secra Solutions team

Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.
