
Ethical hacking: at the heart of modern cybersecurity

Christophe Gaie
Head of the Engineering and Digital Innovation Division at the Prime Minister's Office
Jean Langlois-Berthelot
Ph.D. in Applied Mathematics and Head of Division in the French Army
Key takeaways
  • Ethical hacking is a discipline that uses techniques similar to those employed by cybercriminals, but with the aim of strengthening the resilience of information systems.
  • The objective is to proactively identify vulnerabilities in IT systems in order to prevent them from being exploited by malicious actors.
  • It is based on a rigorous methodology, founded on recognised standards (such as PTES or OSSTMM), and requires advanced technical skills.
  • This discipline is also used in crisis situations to analyse compromises, identify attack vectors and propose corrective measures.
  • Ethical hacking is set to expand with the rise of artificial intelligence, blockchain and quantum computing.

The term “ethical hacking” may seem paradoxical at first glance, as it juxtaposes two concepts that are perceived as antagonistic. This apparent paradox deserves some preliminary clarification.

Historically, in the 1960s at MIT, the term “hacking” referred to the technical ingenuity of passionate students who modified or improved computer and electronic systems for exploratory or creative purposes. This playful and curious approach to computer systems gradually evolved with the emergence of the first computer viruses, followed by malware, leading to a negative perception of “hackers” in the collective imagination, often associated with illegal, fraudulent or destructive acts [1].

Landmark events, such as the spread of the “Morris Worm” in 1988, which paralysed a significant portion of the Internet at the time, and operations carried out by groups such as the “Legion of Doom”, contributed to this alarmist perception [2].

Today, in contrast to these illegal practices, “ethical hacking” is a discipline in its own right – structured, legally regulated and requiring advanced cybersecurity skills. The experts involved, known as “ethical hackers” or “white hats”, use techniques similar to those of cybercriminals, but with the opposite aim: to strengthen the resilience of information systems by identifying and correcting their vulnerabilities before they can be exploited for malicious purposes.

What is it for?

Ethical hacking is now a fundamental strategic tool in cyber risk management. Its main objective is to proactively identify vulnerabilities within IT systems in order to prevent them from being exploited by malicious third parties. This approach complements and enhances traditional protection measures in a context marked by an exponential increase in cyber threats.

In practical terms, ethical hacking involves simulating realistic attack scenarios, replicating the techniques used by attackers (reconnaissance, privilege escalation, pivoting, data exfiltration, etc.) to anticipate potential points of failure in the system being tested. This simulation, carried out by professionals from outside the organisation, requires a precise and legally sound contractual framework that guarantees the protection of both parties and defines the scope of the intervention [3].

Beyond simply searching for vulnerabilities, this approach helps to raise the cyber maturity level of organisations. It contributes to the implementation of long-term corrective measures, the consolidation of secure development practices (such as DevSecOps), and the ongoing training of internal teams. In this sense, ethical hacking is a lever for organisational transformation and a factor in digital resilience [4].

Furthermore, by identifying the risks of sensitive data leaks or compromise, ethical hacking plays a major role in regulatory compliance (GDPR, NIS2, etc.) and the protection of critical assets, both for businesses and public institutions [5].

How does it work?

Contrary to the sensationalist view promoted by certain media outlets, ethical hacking is not a marginal, anarchic or intuitive activity. It is based on a rigorous methodology, founded on established standards (such as PTES – Penetration Testing Execution Standard or OSSTMM – Open Source Security Testing Methodology Manual), and requires advanced technical skills.

An ethical hacking mission generally consists of three main phases [6]:

  • Scoping phase (or legal reconnaissance): this step involves defining the objectives, the exact scope of the audit, the rules of professional conduct, the tools that can be used, and the functional and technical targets of the test. The system to be evaluated is thus understood in all its operational complexity (infrastructure, applications, network layers, etc.).
  • Simulated attack phase (or controlled exploitation): the “pentesters” [Editor’s note: or ethical hackers] carry out vulnerability tests, using databases of known vulnerabilities (CVE, CWE) or their own techniques. This phase often includes partial – but non-destructive – exploitation of the identified vulnerabilities, sometimes accompanied by the planting of traces proving the intrusion, for evidence purposes.
  • Feedback phase (or technical and managerial reporting): this involves writing a formal audit report documenting the vulnerabilities identified, their criticality (often using CVSS scores), the proposed remediation methods, and strategic recommendations to strengthen the security posture.

This approach is based on a strict code of ethics. Ethical hackers are bound to respect the confidentiality and integrity of the audited system and to be transparent with the client. All of their actions are logged, supervised and often audited after the fact.
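
The scoping rules and the logging requirement described above can be enforced in tooling rather than left to discipline. The following is an added example, not taken from the article or from PTES/OSSTMM: a guard that checks each intended action against the agreed scope and records it in a hash-chained log the client can verify afterwards. The scope values, `in_scope` and `AuditLog` are hypothetical names and constructed data.

```python
import hashlib, ipaddress, json
from datetime import datetime

# Constructed rules of engagement (documentation-range addresses, hypothetical values).
SCOPE = {
    "networks": ["192.0.2.0/24", "198.51.100.16/28"],
    "excluded": ["192.0.2.10"],  # e.g. a production host the client ruled out
    "window": ("2025-03-03T08:00:00+00:00", "2025-03-07T18:00:00+00:00"),
}

def in_scope(target, when, scope=SCOPE):
    """True only if target is authorised, not excluded, and inside the test window."""
    ip = ipaddress.ip_address(target)
    start, end = (datetime.fromisoformat(t) for t in scope["window"])
    excluded = {ipaddress.ip_address(x) for x in scope["excluded"]}
    if not start <= when <= end or ip in excluded:
        return False
    return any(ip in ipaddress.ip_network(n) for n in scope["networks"])

class AuditLog:
    """Append-only action log; every entry commits to the hash of the previous one."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, operator, target, action, when):
        """Log the intended action first, then return whether it may proceed."""
        entry = {"ts": when.isoformat(), "operator": operator, "target": target,
                 "action": action, "allowed": in_scope(target, when),
                 "prev": self.entries[-1]["hash"] if self.entries else self.GENESIS}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry["allowed"]

    def verify(self):
        """Recompute the chain; an edited, reordered or mid-chain-deleted entry breaks it."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev"] != prev or entry["hash"] != self._digest(entry):
                return False
            prev = entry["hash"]
        return True
```

Out-of-scope attempts are logged as refused rather than dropped, so the after-the-fact audit sees them too. Truncation of the newest entries is only detectable if the latest hash is also held by a second party, such as the client.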

Examples and prospects

The applications of ethical hacking go far beyond simple technical audits. In the field of incident response, ethical hackers' expertise is regularly called upon in crisis situations, particularly to analyse proven compromises, identify attack vectors and propose effective corrective measures [7].

For example, during the coordinated attack against TV5Monde in 2015, which paralysed the channel and compromised several servers, security specialists – from state agencies such as ANSSI, but also independent experts – helped to rebuild the compromised architecture and better understand the techniques used by the attacker [8].

The development of “Bug Bounty” programmes is also part of this approach: organisations open their systems to volunteer ethical hackers, who are paid or recognised for the vulnerabilities they identify. This collective intelligence strategy makes it possible to detect complex flaws that are often not identified by internal audits. The public programme launched in 2024 by France Identité is a recent and emblematic example [9].

Finally, the prospects for ethical hacking are set to expand with the rise of critical technologies such as artificial intelligence (AI), blockchain and quantum computing. Ethical hackers will be called upon to audit not only traditional technical infrastructures, but also AI models themselves, data supply chains, and zero trust architectures in cloud environments. Exploratory work is already underway to secure machine learning algorithms, prevent data poisoning, and audit the transparency of generative models.

In conclusion, ethical hacking is now an essential pillar of the cybersecurity ecosystem, combining technical expertise, professional ethics and a proactive approach to risk management. It allows digital defences to be tested in a controlled manner, reveals the blind spots in a cybersecurity strategy and strengthens organisational resilience in the face of increasingly sophisticated threats.

However, this practice cannot develop fully without a delicate balance between ethical hackers’ freedom of action and rigorous oversight of practices. It is up to public and private decision-makers to foster environments conducive to innovation in cybersecurity, where experts can express their creativity without compromising security or ethics.

[1] Lallement, M. (2015). L’Âge du Faire. Hacking, travail, anarchie. Média Diffusion.
[2] Cecil, A. (2007). A summary of hacking organizations, conferences, publications, and effects on society. Retrieved from https://www.cse.wustl.edu/~jain/cse571-07/ftp/hacking_orgs/
[3] Skills4All. (2024, July 4). Comment pratiquer le hacking éthique de manière responsable ? Retrieved from https://www.skills4all.com/comment-pratiquer-le-hacking-ethique-de-maniere-responsable/
[4] ANSSI. (2025, February 25). Guides essentiels et bonnes pratiques de cybersécurité. Retrieved from https://cyber.gouv.fr/guides-essentiels-et-bonnes-pratiques-de-cybersecurite-par-ou-commencer
[5] Malwarebytes. (2025, January 28). Qu’est-ce que le hacking éthique ? Retrieved from https://www.malwarebytes.com/fr/cybersecurity/basics/what-is-ethical-hacking
[6] Dalalana Bertoglio, D., & Zorzo, A. (2017). Overview and open issues on penetration test. Journal of the Brazilian Computer Society, 23(2). https://doi.org/10.1186/s13173-017-0051-1
[7] Madapati, V., & Madapati, V. (2024, April 9). Ethical hacking in practice: Real-World Case Studies. Amigo Cyber. Retrieved from https://amigocyber.com/ethical-hacking-in-practice-real-world-case-studies/
[8] ANSSI. (2015, April 9). Attaque informatique contre TV5 Monde : l’ANSSI mobilisée. Retrieved from https://cyber.gouv.fr/publications/attaque-informatique-contre-tv5-monde-lanssi-mobilisee
[9] France Identité. (2024, February 28). France Identité lance son Bug Bounty public. Retrieved from https://france-identite.gouv.fr/articles/france-identite-lance-son-bug-bounty-public.html
