100% online training • Clear legal framework • Authorized practice

Ethical Hacking Academy.
Learn to audit with authorization, judgment and method.

SixHack Academy is an ethical hacking academy built around real practice. We don't teach how to "attack" systems: we teach how to audit them under authorization, report vulnerabilities professionally and operate within the legal framework that defines the profession.

Ethical framework • Responsible disclosure • Bug bounty • Professional auditing
What is ethical hacking?

The line between ethical hacker and cybercriminal is authorization

Ethical hacking is the practice of identifying and exploiting vulnerabilities in systems with explicit permission from the owner, with the goal of reporting them so they can be fixed. Technically, the tools and methods are the same a malicious attacker would use. What changes — significantly — is the legal context and the intent.

An ethical hacker always operates within three frames: a written authorization (audit contract, public bug bounty program or owned system), a clear scope of what can and can't be touched, and a responsible disclosure process for what's found. Skipping any of the three turns the activity into a crime, even if the technique is identical.

That's why a real ethical hacking academy doesn't just teach techniques: it teaches the framework that makes them legitimate. At SixHack Academy all the content is delivered with that lens from the very first lab, because without that framework technical training doesn't prepare you to work professionally — it just gets you into trouble.

Legal framework (Spain)

Learning and practicing ethical hacking in Spain is legal — with conditions

What matters isn't "ethical" intent, but authorization and scope.

Yes, it's legal when practiced on your own systems, in controlled labs or on third-party systems with explicit authorization and within the permitted scope. Spain ratified the Council of Europe Convention on Cybercrime (Budapest Convention), and the Spanish Criminal Code (Código Penal) penalizes unauthorized access, interception, damage, alteration or interruption of third-party systems and data.

Specifically, article 197 bis covers unauthorized access to information systems and the unauthorized interception of non-public communications; articles 264 and 264 bis penalize computer damage and the serious obstruction of third-party information systems. Articles 197 ter and 264 ter also penalize the production or facilitation of tools and credentials with the purpose of committing those offenses — what matters here is the purpose and context, not the use of tools in training environments.

In practice, owned environments, contracted audits or bug bounty programs can be legal provided the rules are respected: in-scope domains, authorized techniques, no exfiltration of unnecessary data, no service disruption, no persistent access. Going out of scope, affecting non-included systems or exceeding the agreed limits can lead to criminal, civil or contractual liability — regardless of the researcher's intent.

At SixHack Academy all labs are hosted in isolated environments built specifically for you to learn. Every time you launch a challenge, that instance is yours. Working inside the platform is in the safe zone: you learn real techniques without touching third-party systems or operating outside authorization, and that's exactly the best preparation to operate with judgment later in the real world.

This is general information referring to the legal framework in Spain. It does not constitute legal advice. For specific cases, consult a qualified legal professional. If you operate from a different jurisdiction, the applicable rules may differ.

Profession

How an ethical hacker works day to day

The full professional cycle, not just "find the bug".

01

Agreement and scope

Before touching any system: signed contract, clear scope of which domains and applications are in, time window and rules of engagement. Without this, nothing happens.

02

Reconnaissance and enumeration

Mapping the attack surface within scope: subdomains, technologies, endpoints, application logic. Methodical work, not random.

03

Identification and exploitation

Detecting real vulnerabilities (not false positives), exploiting them to confirm impact, capturing reproducible evidence. The whole OWASP Top 10 lives here.

04

Impact analysis

Evaluating what each finding lets you do: scope of compromise, exposed data, business risk. Prioritizing by real severity, not by textbook listing.

05

Responsible disclosure

Reporting professionally to the affected team, giving reasonable time to fix, validating the patch when ready. Only after that do you consider publishing details.

06

Final report

Professional deliverable with executive summary, detailed findings, reproducible evidence and remediation recommendations. The visible face of the ethical hacker's work.

Career paths

Career options for an ethical hacker

The real options in the market. Not all of them go through traditional employment.

Pentester at consultancy or in-house team: The most stable path: working at a security consultancy or on a large company's internal team. Scheduled audits, employment contract.

Red team operator: More complex offensive operations: simulating real adversaries against an entire organization, evading defenses. Usually for large companies or government.

Bug bounty hunter: Working independently against public programs on HackerOne, Bugcrowd, Intigriti and others. Variable income but high ceiling. Personal discipline.

Vulnerability researcher: Finding bugs in widely used software and reporting through programs like MSRC or ZDI. Published CVEs become technical credibility.

Independent consultant: Project-based audits for small and medium companies. More flexibility, requires building portfolio and reputation. Often combined with bug bounty.

Application security engineer: Working inside large dev teams helping build secure software. Mix of offensive and defensive. Very in-demand at tech companies.

Community

Bug bounty: the practical entry to ethical hacking

How to start working as an ethical hacker without a formal job.

A bug bounty program is a public initiative through which a company authorizes ethical hackers to look for vulnerabilities in their systems in exchange for a reward per valid finding. It's the most direct way to start working as an ethical hacker without needing an employment contract: you read the program, study the rules, start hunting and, if you find something, you report it and get paid.

The most well-known platforms are HackerOne, Bugcrowd, Intigriti and YesWeHack. Each one hosts programs from hundreds of companies with different scopes and reward tables. Some programs reward $50 per medium bug; others pay up to $100,000 for critical vulnerabilities in critical infrastructure.

To operate professionally in bug bounty you need judgment: knowing how to read a scope, understanding what's in and out, mastering the techniques (especially OWASP Top 10 if you're going for web), and above all knowing how to report. A good report multiplies the reward; a bad one shrinks it or kills it. We teach that in the WXJ track from day one.

Curriculum path

The SixHack Academy path

Three progressive courses to train as an ethical hacker from scratch.

Active WXJ

Web eXploitation Junior

The entry point to ethical hacking. Assumes zero experience. Covers networking, HTTP/HTTPS, Burp Suite, OWASP Top 10 and real vulnerabilities (SQLi, XSS, IDOR, SSRF). Ethical framework and professional reporting from the first lab.

Active WXE

Web eXploitation Expert

Continuation of WXJ. Advanced techniques, complex vulnerability chains and realistic professional auditing scenarios. For those with a foundation who want to operate as a mid-level pentester or to add quality reports in bug bounty.

Active MXS

Mobile eXploitation Specialist

Ethical hacking applied to the mobile ecosystem. Static and dynamic analysis, common flaws and platform-specific exploitation techniques on Android and iOS. Complements the web track, opening up mobile bug bounty and app pentesting.

How an ethical hacker's work is recognized

In the industry there are three usual ways to accredit work and experience: published CVEs (vulnerabilities with an officially recognized identifier), Hall of Fame mentions from companies you've reported to, and training certifications. The three combine to build a verifiable technical profile.

SixHack Academy delivers its own certification with a unique identifier publicly verifiable via QR and token at cert.sixhackacademy.com. That lets you prove your level to recruiters and companies with a direct, verifiable link — no third-party dependency.

Practice ethical hacking free with CTF Labs

Before signing up for any course, you can train for free with our CTF Labs: real web hacking challenges with multiple difficulty levels, global ranking and free access after a quick sign-up. A direct way to check the methodology before investing.

SQL injection, XSS, IDOR, SSRF and other OWASP techniques in a fully legal environment.

FAQ

Frequently asked questions about ethical hacking

The most common questions about legality, profession and training.

What is ethical hacking?
It's the practice of identifying and exploiting vulnerabilities in systems with explicit authorization, with the goal of improving security. The difference from malicious hacking is authorization and purpose: the ethical hacker reports for a fix, the malicious one exploits for personal benefit.
Is it legal to learn ethical hacking in Spain?
Yes, when practiced on your own systems, in controlled labs or on third-party systems with explicit authorization and within the permitted scope. The Spanish Criminal Code penalizes unauthorized access, damage or interruption of third-party systems (arts. 197 bis, 264 and 264 bis). SixHack Academy labs are isolated environments built for learning, so working inside the platform is in the safe zone. General information, not legal advice. Rules may differ if you operate from a different jurisdiction.
What's the difference between an ethical hacker and a cybercriminal?
Authorization and intent. Techniques can be identical. What changes is that the ethical one has written permission and reports for a fix; the cybercriminal has no permission and seeks personal benefit or damage.
What is responsible disclosure?
It's the process of reporting first to the affected team and giving them reasonable time to fix before publishing. It's industry standard and we teach it from the first SixHack Academy course.
Do I need previous technical knowledge?
No. WXJ assumes zero experience. We start with networking fundamentals, HTTP and web applications before any offensive technique. The only thing we ask for is an ethical mindset: the responsible-use framework applies from the first lab.
What career paths does ethical hacking offer?
Pentester (junior/senior), red team operator, bug bounty hunter, vulnerability researcher, independent consultant, application security engineer. The sector has a structural shortage of professionals with demonstrable hands-on experience.
What is a bug bounty program?
It's a public initiative where a company invites ethical hackers to look for vulnerabilities in exchange for a reward. Known platforms: HackerOne, Bugcrowd, Intigriti, YesWeHack. Direct path for ethical hackers without needing formal employment.

Start your ethical hacking journey

WXJ is the entry point: technique, legal framework and professional reporting from day one.