How to Start Learning Ethical Hacking from Scratch in India (2026)

A complete beginner roadmap to becoming an ethical hacker in India — from networking basics to CEH certification, legal framework under IT Act 2000, bug bounty platforms, and realistic salary expectations. Written for Indian readers with India-specific resources, costs in INR, and local communities.



Let me be honest with you — when I started learning ethical hacking back in 2019, I had absolutely no idea where to begin. I kept Googling things like “how to become a hacker in India” and ended up with a bunch of YouTube videos that either showed sketchy stuff or went straight to Kali Linux commands without any context.

If you want to start learning ethical hacking in India from scratch, this guide is exactly what you need.

Three years later, I cleared my CEH (Certified Ethical Hacker) exam and landed a cybersecurity internship. So I know exactly what works and what doesn’t — especially in the Indian context, where we have budget constraints, limited lab access, and very few localised resources.


This guide is everything I wish someone had given me when I was starting out. No fluff, no generic advice. Just a clear roadmap from zero to job-ready ethical hacker.

What is Ethical Hacking in India (and Why You Should Learn It)

Ethical hacking — also called penetration testing or pen testing — is the practice of legally breaking into computer systems to find security vulnerabilities before the bad guys do. Companies hire ethical hackers to test their networks, apps, and infrastructure.

The demand for ethical hacking in India has exploded in recent years. After incidents like the CoWIN data breach, the AIIMS ransomware attack, and multiple banking system compromises, both government and private companies are scrambling to hire cybersecurity professionals. The Indian cybersecurity market is expected to cross ₹20,000 crore by 2027, and qualified ethical hackers are commanding salaries from ₹6 lakh per annum (LPA) for freshers to ₹30+ LPA for experienced professionals.

Step 1: Build Your Foundation First (Don’t Skip This)

Here’s where most beginners in ethical hacking in India go wrong — they jump straight into hacking tools without understanding what they’re actually hacking. This is like trying to do surgery without knowing basic anatomy.

Before you touch Kali Linux or Metasploit, you need solid basics in three areas:

Networking Fundamentals

You must understand how computers talk to each other. Concepts you need to know: TCP/IP protocol stack, how HTTP/HTTPS works, DNS resolution, subnetting and IP addressing, how firewalls and routers work, what ARP is and why it matters.

Resources in India: Cisco Networking Academy (netacad.com) offers free networking courses. The CCNA Introduction to Networks course is excellent and free. Also check out Professor Messer’s CompTIA Network+ notes on YouTube — completely free and very clear.

Linux Command Line

Almost every hacking tool runs on Linux. You don’t need to be a Linux expert, but you should be comfortable navigating the terminal, reading/writing files, managing permissions, running scripts, and understanding processes.

Start with Ubuntu (easier for beginners) before switching to Kali Linux. Spend 2-3 weeks just living in the terminal — ls, cd, cat, grep, chmod, ps, netstat. These commands will save you more than any hacking tool.

Free resource: OverTheWire.org has a game called Bandit that teaches Linux through progressive challenges. It’s completely free and extremely effective.

Basic Programming (Yes, You Need This)

You don’t need to become a full-stack developer, but you should be able to read and write basic Python scripts. Focus on: variables, loops, functions, file handling, sockets for networking, and HTTP requests using the requests library. Once you can write a basic port scanner in 15 lines of Python, you’re ready to move forward.
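An added example, not code from the original article: a TCP connect scanner of the kind described above, restricted to loopback or private-range IPv4 addresses so it can only be pointed at your own lab. The function names and the lab-address guard are assumptions of this example; the demo scans two sockets it opens itself on 127.0.0.1.

```python
import errno
import ipaddress
import socket


def is_lab_address(host):
    """True only for an IPv4 literal in a loopback or private range."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ValueError:
        return False  # hostnames and malformed input are rejected
    return addr.is_loopback or addr.is_private


def scan(host, ports, timeout=0.5):
    """TCP connect scan: map each port to 'open', 'closed' or 'filtered'."""
    if not is_lab_address(host):
        raise ValueError(f"{host} is not a loopback/private lab address")
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            code = s.connect_ex((host, port))  # returns errno, does not raise
        if code == 0:
            results[port] = "open"        # three-way handshake completed
        elif code == errno.ECONNREFUSED:
            results[port] = "closed"      # host answered with a reset
        else:
            results[port] = "filtered"    # timeout or unreachable: no clear answer
    return results


def demo():
    """Constructed demo: scan one listening and one non-listening port."""
    listening = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listening.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listening.listen(1)
    idle = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    idle.bind(("127.0.0.1", 0))        # bound but never listening
    try:
        ports = [listening.getsockname()[1], idle.getsockname()[1]]
        return scan("127.0.0.1", ports)
    finally:
        listening.close()
        idle.close()


if __name__ == "__main__":
    print(demo())
```

To try it against your Metasploitable VM, pass that VM's host-only address and a port range such as range(1, 1025) to scan().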

Step 2: Set Up Your Home Lab (India-Specific Budget Guide)

You need a practice environment. Hacking real systems without permission is illegal under the IT Act 2000 — Section 43 and Section 66 specifically. Don’t be careless about this.

Option A: Virtual Machine Lab (Recommended)

If you have a laptop with at least 8GB RAM (16GB preferred), you can run a full hacking lab for free:

  • VirtualBox — Free VM software from Oracle. Works on Windows and Linux.
  • Kali Linux — Free, the standard OS for ethical hackers.
  • Metasploitable 2 — A deliberately vulnerable Linux VM from Rapid7. Set it as your target machine.
  • DVWA (Damn Vulnerable Web Application) — A web app full of intentional vulnerabilities for safe practice.
  • VulnHub (vulnhub.com) — Free download of 500+ vulnerable VMs to practice on.

Total cost: ₹0. You just need electricity and an internet connection.

Option B: Online Labs (No Hardware Needed)

If your laptop is old or underpowered, use online platforms:

  • TryHackMe — Guided learning paths with in-browser machines. Premium is about ₹1,160/month. Has a free tier with limited rooms.
  • Hack The Box — More challenging, CTF-style. Free tier available.
  • PentesterLab — Focused on web application security.

Indian budget tip: Use the TryHackMe free tier and supplement it with HackTheBox free machines. Six months of solid practice without spending a rupee is completely possible.

Step 3: Learn the Core Hacking Skills (In This Order)

Phase A: Reconnaissance (Weeks 1-3)

Before attacking anything, spend time gathering information. Learn passive recon (OSINT, WHOIS lookups, Google dorking, Shodan) and active recon (Nmap port scanning, DNS enumeration). Master Nmap — spend a full week just on its options. It is the most-used recon tool in the industry by a wide margin.

Phase B: Vulnerability Scanning (Weeks 4-5)

After finding open ports and services, find vulnerabilities. Learn Nessus Essentials (free for 16 IPs), OpenVAS, Nikto for web servers, and how to search the National Vulnerability Database at nvd.nist.gov to understand known CVEs.

Phase C: Exploitation (Weeks 6-10)

Learn Metasploit Framework — the industry standard exploitation tool. But understand why exploits work, not just how to run them. Key areas: EternalBlue (MS17-010) on Metasploitable, buffer overflow basics, SQL injection using DVWA, XSS, and command injection.

For web hacking, OWASP Top 10 is your bible. Learn all 10 vulnerability categories. Every bug bounty program and every professional pen test report references OWASP Top 10.

Phase D: Post-Exploitation and Reporting (Weeks 11-12)

Getting in is only half the job. Ethical hackers also need to know what to do after access (privilege escalation, lateral movement testing) and then — critically — how to document findings clearly. Report writing is a skill nobody teaches but every employer cares about. Practice writing professional reports from day one.

Step 4: Get Certified (Indian Perspective on Costs)

CompTIA Security+ (~₹30,800)

The global standard for entry-level cybersecurity and a great starting point for ethical hacking in India. Recognized even by Indian government departments and PSUs. This is your first certification goal. Prepare for free using Professor Messer’s materials on YouTube and pass in 3-4 months of study.

CEH — Certified Ethical Hacker (~₹79,000)

EC-Council’s CEH is the most-recognized certification for ethical hacking in India. ISRO, DRDO, Indian banks, and most large IT firms list CEH as preferred or required. The exam is theory-heavy (multiple choice), not hands-on. Watch for discount vouchers during October (National Cyber Security Awareness Month) — I saved over ₹50,000 this way.

OSCP (~₹1.25 lakh)

The gold standard for hands-on penetration testers. The 24-hour exam is purely practical — you hack machines and write a report. Increasingly Indian MNCs treat OSCP as proof of real skill. Don’t attempt it until you’ve completed at least 50 Hack The Box machines. Budget 6-12 months of preparation.

Step 5: Practice on Bug Bounty Programs

Bug bounty is where theory meets real money for anyone learning ethical hacking in India. Companies publicly invite hackers to find vulnerabilities and pay cash rewards for valid findings.

  • HackerOne — Largest bug bounty platform. Many Indian companies run programs here.
  • Bugcrowd — Good for web application testing programs.
  • Indian company programs — Paytm, Zerodha, PhonePe, HDFC Bank run responsible disclosure programs.

Your first bounty might be $50 or a “Hall of Fame” mention. That’s fine — it’s real-world proof. Put it on your resume immediately. Never test without a written scope document.

Step 6: Legal Framework You Must Know

India’s primary cybercrime law is the Information Technology Act, 2000 (amended 2008). Key sections: Section 43 (unauthorized access, civil liability up to ₹1 crore), Section 66 (computer offenses done dishonestly, imprisonment up to 3 years), and Section 72 (breach of confidentiality, imprisonment up to 2 years).

The golden rule: always have written authorization before testing anything. A proper penetration testing agreement or bug bounty program scope is your legal protection. This is not optional.

Step 7: Build Your Portfolio and Get Hired

  • CTF writeups — Document every challenge you solve. Post on a blog. Recruiters Google your name.
  • Penetration test reports — Treat VulnHub machines like real client engagements. Write proper reports.
  • Bug bounty acknowledgments — Screenshot every Hall of Fame mention.
  • GitHub — Post scripts you’ve written. Even a 20-line Python port scanner counts.

Companies actively hiring for ethical hacking in India include Wipro Cybersecurity, TCS Cyber, HCL Security, Infosys Cyber Next, Deloitte India, PwC India, and specialized firms like K7 Computing, Quick Heal, and SAFE Security. Government roles at DRDO, ISRO, NIC, and CERT-In require Indian citizenship and typically prefer CEH or CISSP certifications.

Fresher salary range: ₹4-8 LPA in Tier 2 cities, ₹7-15 LPA in Bangalore/Hyderabad/Pune/Mumbai.

Realistic 12-Month Timeline

  • Month 1-2: Networking fundamentals + Linux basics. Set up VirtualBox with Kali + Metasploitable.
  • Month 3: Python basics + first TryHackMe rooms (Pre-Security path — free).
  • Month 4-5: TryHackMe Jr Penetration Tester path. CompTIA Security+ study begins.
  • Month 6: Security+ exam. Start Hack The Box free machines.
  • Month 7-8: OWASP Top 10 deep dive. DVWA practice. Start writing CTF writeups.
  • Month 9: CEH study begins. First bug bounty submissions.
  • Month 10-11: CEH exam. Portfolio building. Apply to internships.
  • Month 12: Active job applications. OSCP preparation if ready.

Free Indian Communities to Join

  • null — The Open Security Community (null.community) — India’s largest security community, with chapters in Bangalore, Mumbai, Delhi, Pune, Hyderabad, and Chennai.
  • OWASP India chapters — Free local security events and workshops.
  • r/indiancybersecurity — Active Reddit community for Indian infosec professionals.
  • ISACA India chapters — Useful for networking with hiring managers.

Frequently Asked Questions

Do I need a B.Tech degree to become an ethical hacker in India?

No. Many top ethical hackers in India are self-taught or come from non-CS backgrounds. Certifications (CEH, OSCP) carry more weight than degrees in most private sector hiring decisions. Government roles may still prefer a CS degree.

Is ethical hacking legal in India?

Yes, ethical hacking in India is completely legal with proper authorization. Bug bounty program scope documents and signed penetration testing contracts provide that authorization. Testing without permission violates the IT Act 2000 regardless of intent.

How much does an ethical hacker earn in India?

Salary for ethical hacking in India varies by experience. Entry-level (0-2 years): ₹4-10 LPA. Mid-level (3-5 years): ₹12-20 LPA. Senior with OSCP/CISSP (5+ years): ₹20-40+ LPA. Experienced bug bounty hunters can earn ₹5-50 lakh annually depending on findings.

What laptop do I need?

Minimum: 8GB RAM, dual-core processor, 256GB storage. Recommended: 16GB RAM with SSD. An i5 laptop in the ₹50,000-₹70,000 range is perfectly sufficient for 90% of ethical hacking work.

Final Thoughts

Ethical hacking in India is one of the few technical careers where actual skill matters more than your college brand. The cybersecurity field does not care whether you went to IIT or a tier-3 college — it cares whether you can find vulnerabilities that others miss.

The roadmap above works. It’s not quick — expect 12-18 months of consistent effort before you land your first role. But every month you put in brings you closer to a career where you’re paid to legally break things, protect critical systems, and never stop learning. This is the best guide to start learning ethical hacking in India for beginners in 2026.

Start tonight. Set up VirtualBox. Create a TryHackMe account. Check out our guide on Kali Linux for beginners to get started. The only thing stopping most people from getting into cybersecurity is actually starting.

If you have questions specific to your situation — your current background, your city, your budget — drop them in the comments below. I read every single one.


Anoop Patel
