How can a complete beginner learn ethical hacking in 2026? A step-by-step roadmap for India

This guide shows how to learn ethical hacking in 2026 from zero, with foundations, lab setup, a 90 day plan, portfolio rules, and job search tactics for Indian students.

 

 

What will you learn in this guide?

This guide gives a practical, India-focused path to learn ethical hacking in 2026 from zero to job-ready.

You will find the exact skills to learn, safe lab setups, platform choices, a 90 day study plan, portfolio templates, and outreach tactics that recruiters respect. Use the 90 day plan as a template, adapt the weekly hours to your schedule, and prioritise reproducible evidence over certificates alone.

 

 

What is ethical hacking and who should learn it?

Ethical hacking is authorised security testing to find and fix vulnerabilities before attackers do.

Ethical hackers use the same techniques as attackers but operate with permission and a clear ruleset to protect systems and users. This path suits students and early career professionals who enjoy problem solving, careful investigation, and continuous learning.

Typical entry roles include SOC analyst, junior penetration tester, vulnerability assessor, and bug bounty researcher. Do not confuse ethical hacking with illegal hacking or account takeover; the correct approach is authorised testing, documented evidence, and responsible disclosure.

 

What foundational IT skills do beginners need?

Beginners need five foundations: networking basics, Linux command line, HTTP and web basics, basic scripting, and Windows fundamentals.

These foundations let you understand attack paths and follow labs without getting stuck on tool syntax. Spend the first 4 to 6 weeks focused on these building blocks before jumping to advanced exploits.

  • Networking basics: IP addressing, subnets, TCP versus UDP, common ports, and basic packet flow.
  • Linux basics: file system, permissions, package management, and Bash commands.
  • HTTP and web: request and response lifecycle, cookies, headers, common status codes.
  • Scripting: simple Python or Bash scripts for parsing output and automating repetitive tasks.
  • Windows fundamentals: user accounts, services, and basic PowerShell commands.

 

Quick 1 week checklist: set up a VM, complete a Linux tutorial, run basic network scans, and write a 20 line script that parses command output. These small wins keep momentum going.

 

 

What learning timeline gives the best ROI for 2026?

A phased timeline gives the best return: foundations, hands-on labs and projects, then specialisation and placement prep.

Typical timeline and weekly hours:

  • Phase A (0–3 months): 8–12 hours per week on foundations and simple labs.
  • Phase B (3–6 months): 10–15 hours per week on guided labs, one small project, and basic CTFs.
  • Phase C (6–12 months): 10–20 hours per week on specialisation, advanced labs, certifications, and internships.

 

Set measurable milestones for each phase: complete a TryHackMe beginner room in Phase A, finish two full lab projects in Phase B, and attempt a recognised certification or a public CTF score in Phase C. This staged approach reduces overwhelm while building demonstrable evidence.

 

 

How do you set up a legal, safe lab at home?

Set up isolated virtual machines or use authorised cloud labs to practice safely and legally.

Local lab basics:

  • Install VirtualBox or VMware and create isolated networks for your VMs.
  • Use Kali Linux or Parrot as your attacker VM and spin up target VMs like Metasploitable or OWASP Juice Shop.
  • Use snapshots before experiments so you can revert quickly if something breaks.

 

Cloud labs are a good alternative if your laptop cannot run multiple VMs, and they provide pre configured environments that avoid local network risks. Always follow the legal rule: only test systems you own or have written permission to test, and record lab logs, timestamps, and commands so your work is reproducible and verifiable.

 

 

Which hands-on platforms and exercises should you use first?

Start with beginner friendly platforms that teach concepts and give step by step guidance.

Recommended early platforms and exercises:

  • TryHackMe: complete the Complete Beginner and Web Fundamentals rooms to build confidence.
  • OverTheWire: play Narnia or Bandit to learn Linux and basic exploitation in small steps.
  • OWASP Juice Shop: a safe web app for practising common web vulnerabilities.
  • Metasploitable: a vulnerable VM for learning scanning and exploitation basics.
  • Beginner CTFs: short, focused challenges that enforce the learn then apply loop.

 

Practice flow: Learn the concept, attempt the lab, document each step, then repeat with a variation. Deliverable after this stage: complete two beginner rooms and create a 90 second demo video showing one solved challenge with commands and outcomes.

 

 

How should beginners choose courses and certifications in 2026?

Choose courses that prioritise hands-on labs, mentor feedback, and assessed projects over theory alone.

When comparing courses, check these criteria:

  • Number of lab hours and the lab platform used.
  • Mentor to student ratio and access to doubt clearing sessions.
  • Assessed projects or timed practicals that produce demonstrable reports.
  • Placement or internship support and clear deliverables you can show recruiters.

 

For beginners, certified options that include practical labs are useful because they combine structure and verification. If you plan to list an accredited practical course on your resume, look for assessed outcomes rather than attendance certificates. Appin’s certified ethical hacking training is one example of a mentor-led, lab-focused option that many students find fits these criteria.

 

 

How to build a hiring-ready portfolio and demonstrable evidence?

Recruiters want reproducible proof: one page project summaries, GitHub repos, lab logs, and short demo videos.

Portfolio ingredients and how to produce them:

  • One page project: title, problem statement, tools used, key commands, result, and reproduction steps in five lines.
  • GitHub or repo link: scripts, parsed outputs, and a clear README that explains how to run the demo.
  • Lab logs: dated notes with commands and screenshots. Store logs in a single PDF or repo folder.
  • 90 second demo: a short screen recording showing the exploit flow and the final proof of concept.

 

Employers prefer tangible evidence over vague claims. For structured learning paths that include projects and certificates, review cybersecurity certification programs that provide assessed outcomes and lab logs to help you present verified work during interviews.

 

How to get internships and first jobs once you have proof?

Targeted outreach with clear evidence and consistent follow up produces better responses than mass applications.

Actionable steps for landing internships or entry roles:

  1. Identify 10 companies or teams that hire juniors in your city or remotely.
  2. Personalise your message: two lines on why your project is relevant and a link to the one page summary.
  3. Use alumni, LinkedIn, and GitHub to find contacts and request a 10 minute walkthrough of your demo.
  4. Apply to bug bounty scopes and share validated findings or reports as proof of practical skill.

 

Another useful route is modular programmes that produce public proof points and project based outcomes. For example, a focused add on like the bug bounty diploma program helps you convert practice into visible public reports that recruiters trust. Keep outreach calm, track responses, and follow up after one week if you do not hear back.

 

 

What soft skills and interview questions should you practise?

Clear explanation, structured thinking, and concise demo presentation beat long technical monologues.

Practice these interview elements:

  • Two minute demo script: problem, approach, commands used, and result.
  • STAR answers for behavioural questions: Situation, Task, Action, Result.
  • Technical scenario questions: explain how you would triage a suspicious login, or how you would approach a web app pentest.

 

Sample technical prompts to practise: explain a SQL injection in three sentences, list the steps for a black box reconnaissance, and outline how you would prioritise vulnerabilities. Practice with peers or mentors and record mock interviews to refine clarity and timing.

 

 

How to stay ethical and avoid legal traps?

Always get written permission before testing, follow responsible disclosure guidelines, and avoid targeting systems you do not own.

Ethics checklist:

  • Obtain written authorisation that specifies scope and duration.
  • Do not exfiltrate or publish sensitive data; follow disclosure timelines agreed with the owner.
  • Keep logs and evidence for audits, and redact sensitive details when sharing reports publicly.

 

Learning to be ethical not only keeps you out of legal trouble but also signals professionalism to recruiters and hiring managers in India and abroad.

 

 

90 day sample study plan for complete beginners (detailed week by week)

A focused 90 day plan with weekly milestones will make you demonstrably interview ready if you follow it consistently.

Overview and time estimate: 10 to 15 hours per week, with a heavier lab focus in weeks 3 to 10. Use a lab platform and local VMs for practice. If you prefer a structured lab bundle to accelerate practice, consider a lab heavy course such as the CEH v13 AI-powered course for assessed, timed practice during Weeks 4 to 8.

Weeks 1–2: Foundations and setup

  • Install VirtualBox and set up Kali and a target VM like Metasploitable.
  • Complete a Linux basics tutorial and write 10 common Bash commands into your lab log.
  • Learn basic networking: IP addressing, nmap scanning, and interpreting results.
  • Deliverable: lab log with screenshots of VM setup and a 5 line Bash script saved in a repo.

 

Weeks 3–4: Introductory labs and beginner CTFs

  • Complete TryHackMe Complete Beginner and one OWASP Juice Shop challenge.
  • Record commands and the remediation notes for each vulnerability you find.
  • Deliverable: 90 second demo video of one solved TryHackMe challenge and a one page project summary.

 

Weeks 5–6: Web and exploitation basics

  • Study HTTP, sessions, and common web flaws: XSS, SQL injection, auth bypass.
  • Practice with OWASP Juice Shop and a simple SQLi lab. Document payloads and responses.
  • Deliverable: GitHub repo with scripts and README, plus a demo link.

 

Weeks 7–8: Scripting and automation

  • Learn a short Python scripting module for parsing scan outputs and automating triage steps.
  • Automate a basic reconnaissance pipeline and log the commands run.
  • Deliverable: script in repo with usage notes and sample output files.
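
An added example (not from the original guide) of the kind of script the Week 1 checklist and this Weeks 7–8 deliverable describe: it parses Nmap grepable output (`nmap -oG`) from a lab scan, drops any host outside your authorised scope, and lists cleartext services first for triage. The sample scan text, the 192.168.56.0/24 lab subnet, and the cleartext priority list are assumptions made for illustration.

```python
import ipaddress

# Assumption: the host-only lab subnet named in your written authorisation.
AUTHORISED_SCOPE = [ipaddress.ip_network("192.168.56.0/24")]
CLEARTEXT = {"ftp", "telnet", "http"}  # illustrative "review first" list

# Constructed sample in `nmap -oG` layout (tab-separated fields).
SAMPLE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.168.56.101 ()\tStatus: Up\n"
    "Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1/, 23/closed/tcp//telnet///\t"
    "Ignored State: filtered (997)\n"
    "Host: 10.0.2.15 ()\tPorts: 80/open/tcp//http//Apache httpd 2.2.8/\n"
)

def in_scope(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in AUTHORISED_SCOPE)

def parse_grepable(text):
    """Return {ip: [(port, proto, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment lines
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(", "):
                # Layout: port/state/proto/owner/service/rpcinfo/version/
                parts = entry.strip().split("/")
                if len(parts) >= 7 and parts[1] == "open":
                    row = (int(parts[0]), parts[2], parts[4], parts[6])
                    hosts.setdefault(ip, []).append(row)
    return hosts

def triage(text):
    """Return (in-scope rows, cleartext services first; out-of-scope hosts)."""
    rows, skipped = [], []
    for ip, ports in parse_grepable(text).items():
        if not in_scope(ip):
            skipped.append(ip)  # never report on hosts outside the agreed scope
            continue
        rows += [(svc not in CLEARTEXT, ip, port, proto, svc, ver)
                 for port, proto, svc, ver in ports]
    return [r[1:] for r in sorted(rows)], skipped

if __name__ == "__main__":
    findings, skipped = triage(SAMPLE)
    for ip, port, proto, svc, ver in findings:
        print(f"{ip}\t{port}/{proto}\t{svc}\t{ver}")
    print("out of scope, not reported:", skipped)
```

Commit the script together with the scan file it was run on and its printed output, so the result in your lab log can be reproduced.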

 

Weeks 9–10: Timed practicals and pentest report practice

  • Attempt a timed lab or CTF room under 2 to 4 hour constraints to simulate real practical exams.
  • Write a concise pentest style report for one challenge: scope, steps, proof, impact, and remediation.
  • Deliverable: PDF report and a one page summary suitable for recruiters.

 

Weeks 11–12: Outreach, mock interviews, and polish

  • Prepare targeted outreach emails with your one page summary attached and apply to internships or junior roles.
  • Run 4 mock interviews with peers or mentors and refine your two minute demo.
  • Deliverable: updated resume, LinkedIn with project links, and at least 8 personalised applications sent.

 

Evaluation checkpoints: end of Week 4 (demo ready), Week 8 (report ready), Week 12 (applications and mock interviews complete). Maintain a daily habit: 90 minutes focused skill work, 30 minutes outreach, 30 minutes review or rest.

 

 

What next after 90 days: specialisation and career paths

After 90 days choose a specialisation such as web application security, cloud security, IoT security, or bug bounty research and plan a 6 to 12 month progression.

Next step suggestions:

  • Deepen knowledge in your chosen track through advanced labs and try to contribute to open source security tools.
  • Attempt an entry level certification that matches your track, or collect public bug bounty reports to show real world findings.
  • Target internships that map directly to your specialisation and continue to build a portfolio of reproducible reports and demos.

 

Keep learning, keep documenting, and join local meetups or community CTFs to stay visible. Over time these proven deliverables matter more than a long list of course names.

 

 

Conclusion

To learn ethical hacking in 2026 you need a structured foundation, safe labs, reproducible deliverables, and a focused 90 day plan that produces interview ready proof.

Follow the weekly milestones, prioritise demonstrable work, and practice ethical habits. If you want feedback on your 90 day plan or a demo lab walkthrough, consider booking a skills audit or a demo session to find the fastest path from your current level to a hiring ready portfolio.
