What does an ethical hacker do? – And why it is a business question

Spoiler: an ethical hacker – aka pentester – is not sitting in a dark basement wearing a black hoodie, even though Hollywood has done a remarkably good job of convincing us otherwise. So what does an ethical hacker actually do?

My name is Barna Szeghy, COO of Whiteshield and a penetration tester. And I can assure you: our work is far closer to structured risk analysis than to anything you would see in a film.

An ethical hacker is not a criminal, but a control point

The term “hacker” is still heavily loaded. For many, it implies illegal access, data theft, or deliberate damage. This perception is not accidental; it is the dominant narrative in media and popular culture.

The reality, however, is far less dramatic and significantly more relevant from a business perspective. A pentester uses the same methods and mindset as an attacker: mapping systems, identifying entry points, and understanding weaknesses. The difference lies not in the technique, but in the intent and the framework.

An ethical hacker:

  • works under formal engagement;
  • operates within a clearly defined scope;
  • follows documented and controlled processes;
  • and does not exploit vulnerabilities, but eliminates them.

This is why it is more accurate to think of a penetration tester not as a “good hacker”, but as a control point.

A well-executed penetration test is not merely a technical exercise. It is a reality check that

  • shows what an attacker can see from the outside;
  • reveals how far a compromise could go;
  • and helps prioritise real risks.

At the leadership level, the question is no longer whether vulnerabilities exist, but:

Which of them represents actual business risk – and what do we do about it?

Ethical hacking is not a series of dramatic clicks. It is a structured, multi-phase process designed to produce reliable, reproducible results.

Step 1: Reconnaissance

Every penetration test begins with mapping the target. This phase is often underestimated, yet it determines a significant portion of the outcome. We rely on publicly available information such as:

  • domains and IP ranges;
  • leaked configurations;
  • employee profiles;
  • exposed infrastructure elements.

In many cases, this alone provides enough insight for a potential attacker to begin.

A brief note on Shodan:
If one were slightly cynical, Shodan could be described as a live inventory of exposed systems. It is a search engine, not for websites but for devices – cameras, routers, industrial control systems – many of which are, unfortunately, accessible without proper protection. From an ethical hacker’s perspective, it shows exactly what an attacker would see before taking any further steps.

Step 2: Port Scanning – identifying entry points

At this stage, we examine which parts of a system are accessible from the outside. In simple terms, we “knock on every door” and see which ones open.

Open services, outdated software, or unnecessary processes often create entry points that can be leveraged. Identifying these is essential to reducing the attack surface.

Step 3: Vulnerability analysis

When something unusual or promising is identified, we assess it further.

  • Is there a known vulnerability (CVE)?
  • Is there a working exploit?
  • What would be the impact if it were exploited?

Crucially, ethical hacking operates within strict boundaries. Any active testing beyond passive analysis requires prior authorisation. Every step is controlled, documented, and traceable. This is where the line between professional security testing and illegal activity becomes clear.

Step 4: Password testing

Despite ongoing awareness, weak passwords remain one of the most common entry points. Examples such as:

  • “Password1!”
  • “admin123”

are not theoretical. They still appear in real environments, including large organisations.

In practice, this means that even a well-designed system can be compromised by something as basic as a weak password. Password policies and regular testing are therefore not technical details – they are a shared responsibility.
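The gap between a password that satisfies a complexity policy and a password that is actually hard to guess is the point of this step. The following added example (not code from the article or from Whiteshield) checks the two passwords named above against a typical "one of each character class" policy and against a pattern check that strips padding and reverses common substitutions; the small base-word denylist is constructed for illustration, where a real check would use a breach-derived list.

```python
import re
import string
from typing import Optional

# Constructed denylist of base words that recur in weak passwords. A real check
# would use a breach-derived list; this short set is only for illustration.
COMMON_BASE_WORDS = {"password", "admin", "welcome", "letmein", "qwerty", "summer"}

# Substitutions commonly used to satisfy complexity rules without adding strength.
LEET_TABLE = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e"})


def passes_complexity_policy(pw: str) -> bool:
    """The typical policy: 8+ characters with upper, lower, digit and symbol."""
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]"]
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def normalise(pw: str) -> str:
    """Reduce a password to the base word an attacker's wordlist would contain."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_TABLE)


def weak_pattern_reason(pw: str) -> Optional[str]:
    """Return why the password is predictable, or None if no pattern matched."""
    base = normalise(pw)
    if base in COMMON_BASE_WORDS:
        return f"common base word {base!r} padded with digits/symbols"
    if len(base) < 6:
        return "too little content beyond digit/symbol padding"
    return None


def evaluate(pw: str) -> dict:
    """Compare what the complexity policy says with what the pattern check finds."""
    return {
        "password": pw,
        "policy_accepts": passes_complexity_policy(pw),
        "weak_reason": weak_pattern_reason(pw),
    }


if __name__ == "__main__":
    for candidate in ["Password1!", "admin123", "P@ssw0rd2024!", "correct-horse-battery-staple"]:
        print(evaluate(candidate))
```

Note that the policy accepts "Password1!" and "P@ssw0rd2024!" while rejecting the long passphrase, which is the inverse of what the pattern check reports.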

Where technical findings become business decisions: the report

Perhaps counterintuitively, one of the most valuable parts of an ethical hacker’s work is not the testing itself, but the reporting. A well-prepared penetration test report does not simply list vulnerabilities. It:

  • explains them;
  • places them into context;
  • and translates them into business risk.

It demonstrates:

  • how access was gained;
  • how far it could have gone;
  • and what the real-world consequences would be.

At this point, a technical issue becomes a management-level decision.

What a penetration tester never does

Ethical hacking operates within strict contractual and legal boundaries. If the scope defines three systems, then only those three systems are tested – even if other weaknesses are visible. This is not just an ethical consideration, but a legal one.

Of course, any additional risks observed are communicated. But the boundaries themselves are never crossed.

A short note from a senior pentester

Many organisations still assume they are unlikely to be targeted. In reality, most attacks are automated, indiscriminate, and driven by vulnerability, not by company size.

If an organisation does not have a clear view of what is exposed externally, the vulnerabilities present, and the business risks they represent, then the system is not necessarily secure.

It has simply not yet been tested under real conditions. A system’s resilience is not proven by the absence of incidents, but by how it behaves when someone actively attempts to break in.

Closing thought

If you do not know what your systems look like from an attacker’s perspective, this question has not yet been properly asked. And it is better to ask it in a controlled environment than to have it answered in production.