Not all hackers are criminals, and not all of them are heroes. The single thing that decides which side of the law a hacker sits on is authorization, and the security industry sorts people into types of hackers based on that one line. This guide breaks down every category you will hear about: white hat, black hat, and grey hat, plus script kiddies, hacktivists, state-sponsored crews, and insider threats. For the underlying mechanics of the craft itself, see our pillar guide on what hacking is. Want to practice the legal kind? Start in HackerDNA's Ethical Hacking course.
The "hat" colors come from old Western films, where the hero wore white and the villain wore black. The industry borrowed the shorthand because it captures the only distinction that matters in a courtroom: did the system owner say yes. Everything else, the tools, the techniques, the skill level, can be identical between a paid penetration tester and a ransomware operator.
TL;DR: The main types of hackers are white hat (authorized, legal, paid to find bugs), black hat (unauthorized, criminal, profit or sabotage), and grey hat (unauthorized but non-malicious, still illegal). Beyond the three hats you will meet script kiddies, hacktivists, state-sponsored APT groups, and malicious insiders. The defining line between every type is authorization, not technique. Learn the legal path through sandboxed labs, never production systems.
The Three Hats: White, Black, and Grey
The main types of hackers are white hat, black hat, and grey hat. White hat hackers test systems with written permission to fix vulnerabilities and get paid for it. Black hat hackers break in without permission for profit, sabotage, or theft, which is a crime. Grey hat hackers act without authorization but disclose what they find instead of abusing it; the intent is benign, but the access is still unauthorized, which is why the label is "grey" rather than "legal".
These three categories cover the ethics axis of hacking. Where a person lands has nothing to do with how skilled they are and everything to do with whether they had consent. A grey hat who finds the same SQL injection bug as a white hat used identical skill, but only one of them can put it on a resume.
White Hat Hackers
White hat hackers, also called ethical hackers, work under a signed contract that defines exactly what they may test and when. Their job is to find weaknesses before criminals do, then hand the findings to the people who can fix them. The work is fully legal because authorization exists in writing before any probe is sent.
Motivation: salary, reputation, and the satisfaction of strengthening defenses. Legality: legal, governed by a Statement of Work or a bug bounty program's terms. Real examples: the researchers behind coordinated disclosures like Heartbleed and Spectre, the bug bounty hunters who earn six figures on HackerOne and Bugcrowd, and teams like Google's Project Zero. Senior penetration testers in the United States earned roughly $130,000 to $200,000 in 2025 according to multiple salary surveys. Our breakdown of whether cybersecurity is a good career covers the demand side.
Black Hat Hackers
Black hat hackers attack without permission, full stop. They steal data, deploy ransomware, run phishing operations, and sell access to compromised networks. Their tools often match what white hats use, but the missing authorization turns the same keystrokes into felonies under laws like the US Computer Fraud and Abuse Act.
Motivation: money, almost always. The modern black hat economy runs on extortion and fraud. Legality: criminal everywhere, with penalties reaching a decade or more in prison. Real examples: ransomware crews like LockBit and the now-disrupted Conti group, the attackers behind the 2017 Equifax breach that exposed 147 million records, and individual fraudsters running phishing kits. The 2024 IBM Cost of a Data Breach Report put the average breach at $4.88 million globally, much of it tied to criminal hacking.
Grey Hat Hackers
Grey hat hackers live in the awkward middle. They probe systems they were never invited to test, but instead of exploiting what they find, they report it, sometimes to the vendor privately, sometimes by publishing it openly. Their intent is usually benign. The access itself is still unauthorized, which keeps them on the wrong side of the law.
Motivation: curiosity, recognition, or a belief that the vendor needs to be forced into action. Legality: illegal in most jurisdictions even when nobody is harmed, because the law cares about access, not outcome. Real examples: researchers who scan the public internet for exposed databases and email the owners, and the long history of "I found this bug and got threatened with a lawsuit" stories. The honest advice: if grey hat work appeals to you, channel it into a structured bug bounty program. Same thrill of finding real bugs in real systems, with a contract that keeps you out of court.
White Hat vs Black Hat: The Authorization Line
The clearest way to understand types of hackers is to compare the two ends of the spectrum. White hat and black hat hackers can run the identical Nmap scan against the identical server. One has a signed scope document open in another tab: the IP ranges and hostnames that are in bounds, the ones explicitly carved out, the testing window, and the rules of engagement. The other does not. That document is the difference between a paycheck and a prosecution.
Consider a concrete scenario. A tester finds an authentication bypass on a banking app. The white hat documents it, writes a report, and walks the developers through a fix, getting paid. The black hat uses the same bypass to drain accounts. Same vulnerability, same exploit, opposite legal worlds. Intent matters morally, but the first question a prosecutor asks is whether you had permission.
In practice, this line is also what makes the white hat career sustainable. You build a public portfolio of disclosed CVEs and CTF rankings without ever looking over your shoulder, while a black hat's best work can never be shown to anyone and a grey hat's portfolio is a liability waiting to be subpoenaed.
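A concrete form of that "scope document open in another tab" is a scope gate built into the tester's own tooling, so a target outside the written scope is refused before any packet leaves. The following Python is an added example, not code from the original article or from HackerDNA; the Scope values (networks, domains, exclusions, testing window) are constructed for illustration, and the gate deliberately denies anything it cannot prove is inside the scope:

```python
"""Scope gate for an authorized engagement.

Added example, not code from the original article. Before a single probe
is sent, the tester's tooling should refuse any target it cannot prove is
inside the signed scope. The Scope values below are hypothetical.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Scope:
    """What a signed Statement of Work permits (hypothetical fields)."""
    networks: tuple[str, ...]        # CIDR ranges the client authorized
    domains: tuple[str, ...]         # apex domains; their subdomains are in scope
    excluded_hosts: tuple[str, ...]  # explicit carve-outs; these win over every allow rule
    window_start: datetime           # rules of engagement: testing may begin here
    window_end: datetime             # ... and must stop here


# Constructed scope using documentation-reserved addresses and example.com.
HYPOTHETICAL_SCOPE = Scope(
    networks=("203.0.113.0/24", "2001:db8:10::/48"),
    domains=("example.com",),
    excluded_hosts=("mail.example.com", "203.0.113.5"),
    window_start=datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
    window_end=datetime(2025, 3, 7, 18, 0, tzinfo=timezone.utc),
)


def _under(name: str, parent: str) -> bool:
    """True if name equals parent or is a subdomain of it ("notexample.com" does not match)."""
    return name == parent or name.endswith("." + parent)


def check_target(target: str, scope: Scope, now: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Default deny: a target is allowed only if it
    matches an authorized range or domain, is not carved out, and the
    current time is inside the testing window."""
    if not (scope.window_start <= now <= scope.window_end):
        return False, "outside authorized testing window"
    t = target.strip().lower().rstrip(".")
    for ex in scope.excluded_hosts:
        if _under(t, ex.lower()):
            return False, f"explicitly excluded by scope: {ex}"
    try:
        addr = ipaddress.ip_address(t)
    except ValueError:
        addr = None  # not an IP literal; treat as a hostname below
    if addr is not None:
        for net in scope.networks:
            if addr in ipaddress.ip_network(net, strict=False):
                return True, f"address inside authorized range {net}"
        return False, "address not inside any authorized range"
    for dom in scope.domains:
        if _under(t, dom.lower()):
            return True, f"hostname under authorized domain {dom}"
    return False, "hostname not under any authorized domain"


def filter_targets(targets: list[str], scope: Scope, now: datetime) -> tuple[list[str], list[tuple[str, str]]]:
    """Split candidates into (allowed, denied); denied carries the reason so
    the refusal is logged rather than silently dropped."""
    allowed: list[str] = []
    denied: list[tuple[str, str]] = []
    for tgt in targets:
        ok, why = check_target(tgt, scope, now)
        if ok:
            allowed.append(tgt)
        else:
            denied.append((tgt, why))
    return allowed, denied


if __name__ == "__main__":
    now = datetime(2025, 3, 4, 12, 0, tzinfo=timezone.utc)
    candidates = ["api.example.com", "mail.example.com", "203.0.113.42",
                  "203.0.113.5", "198.51.100.7", "notexample.com"]
    ok, rejected = filter_targets(candidates, HYPOTHETICAL_SCOPE, now)
    print("allowed:", ok)
    for tgt, why in rejected:
        print("denied:", tgt, "->", why)
```

Run it over a candidate list before that list ever reaches Nmap or Burp. One caveat a real gate also needs: an in-scope hostname can resolve to an address that is not in scope (a third-party CDN or a shared host), so resolve and re-check the address at scan time; that lookup is left out here to keep the example offline.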
Beyond the Hats: Other Types of Hackers
The three-hat model captures ethics, but the security world uses several more labels for skill level, motivation, or who is paying. These categories cut across the hats: a hacktivist is usually a black hat by law, a script kiddie can wear any hat badly. The vocabulary helps you read threat reports and understand who is behind an attack.
Script Kiddies
Script kiddies run pre-built tools and public exploits without understanding how they work. The name is dismissive on purpose. They download a ready-made DDoS booter or copy a Metasploit command and point it at whatever target catches their attention. Motivation: usually bragging rights or boredom. Legality: their attacks are still crimes, and the lack of skill often means they get caught fast because they leave obvious traces. When the Mirai botnet source code leaked in 2016, it put powerful DDoS capability into the hands of thousands of low-skill imitators overnight.
Hacktivists
Hacktivists hack to push a political or social cause rather than for money, usually through website defacements, denial-of-service attacks, and data leaks meant to embarrass a target. Motivation: ideology, protest, or activism. Legality: almost always illegal, regardless of how sympathetic the cause sounds. Real examples: the loose collective Anonymous and its offshoots, which have targeted everything from government agencies to extremist forums. A cause does not grant authorization, and hacktivists are prosecuted under the same computer crime laws as anyone else.
State-Sponsored Hackers and APTs
State-sponsored hackers work for or on behalf of a government. Threat-intelligence reports track them as Advanced Persistent Threats (APTs): numbered groups with long-term funding, custom tooling, and patience measured in months or years. Motivation: espionage, intellectual-property theft, sabotage of critical infrastructure, and geopolitical advantage. Legality: illegal under the laws of the victim country, but the attackers operate with effective immunity at home. Real examples: the Stuxnet worm that damaged Iranian centrifuges around 2010, and the 2020 SolarWinds supply-chain compromise attributed to a Russian state group that reached thousands of organizations. These are the best-resourced attackers on the planet.
Malicious Insiders
Insiders already have legitimate access. The threat comes when an employee or contractor abuses it to steal data, sabotage systems, or sell credentials. Motivation: financial pressure, revenge after being passed over or fired, or recruitment by an outside group. Legality: criminal, and often easier to prosecute because the access logs point straight at a named account. Real examples: employees who exfiltrate customer lists before resigning, and the misuse of valid credentials that the 2024 Verizon DBIR flags as a top breach driver, whether the account is used by its owner or by someone who stole it. Insider risk is why "least privilege" and access logging are core security controls: the first limits what a single account can reach, the second makes the abuse attributable.
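Because an insider's actions arrive under a valid account, detection leans on what the account does rather than how it got in. The following Python is an added example, not code from the original article; the audit-log lines, the role-to-permission table and the thresholds are constructed, and it implements three rules a blue team would typically start from: an action outside the account's role (the least-privilege check), an export outside business hours, and a bulk export within a rolling hour.

```python
"""Insider-risk detection over an access audit log.

Added example, not code from the original article. The log lines, the
role-to-permission table and the thresholds are constructed; a real
deployment would feed the same rules from its audit log and identity store.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed audit-log sample: one access per line, timestamp then key=value fields.
SAMPLE_LOG = """\
2025-03-03T14:02:11Z user=asmith role=support action=read object=ticket rows=1
2025-03-03T14:05:40Z user=jdoe role=sales action=read object=customer rows=20
2025-03-04T02:13:07Z user=jdoe role=sales action=export object=customer rows=30000
2025-03-04T02:41:55Z user=jdoe role=sales action=export object=customer rows=25000
2025-03-04T09:10:02Z user=asmith role=support action=export object=customer rows=500
2025-03-04T10:00:00Z user=rlee role=analyst action=export object=customer rows=3000
"""

# Least-privilege policy (hypothetical): (role, action, object) tuples that are permitted.
PERMISSIONS = {
    ("support", "read", "ticket"),
    ("sales", "read", "customer"),
    ("sales", "export", "customer"),
    ("analyst", "export", "customer"),
}

BULK_ROWS_PER_HOUR = 10_000   # rows one account may export in any rolling hour
BUSINESS_HOURS = (7, 19)      # exports are expected between 07:00 and 19:00 UTC


def parse_log(text: str) -> list[dict]:
    """Parse the key=value log format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        ev["rows"] = int(ev.get("rows", 0))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (user, rule, detail) alerts from three rules:
    privilege_misuse  - action not permitted for the account's role
    off_hours_export  - export outside business hours
    bulk_export       - rows exported by one account in a rolling hour exceed the limit
    (raised once per excursion over the limit, not once per event)."""
    alerts: list[tuple[str, str, str]] = []
    window: dict[str, list[tuple[datetime, int]]] = defaultdict(list)
    over_limit: set[str] = set()
    for ev in events:
        user, role, action, obj = ev["user"], ev["role"], ev["action"], ev["object"]
        if (role, action, obj) not in PERMISSIONS:
            alerts.append((user, "privilege_misuse", f"{role} performed {action} on {obj}"))
        if action != "export":
            continue
        if not (BUSINESS_HOURS[0] <= ev["ts"].hour < BUSINESS_HOURS[1]):
            alerts.append((user, "off_hours_export", ev["ts"].isoformat()))
        # Rolling one-hour window per account: drop old entries, add this one, sum rows.
        cutoff = ev["ts"] - timedelta(hours=1)
        w = [(t, r) for t, r in window[user] if t >= cutoff] + [(ev["ts"], ev["rows"])]
        window[user] = w
        total = sum(r for _, r in w)
        if total > BULK_ROWS_PER_HOUR:
            if user not in over_limit:
                alerts.append((user, "bulk_export", f"{total} rows within 60 minutes"))
                over_limit.add(user)
        else:
            over_limit.discard(user)
    return alerts


def run(text: str = SAMPLE_LOG) -> list[tuple[str, str, str]]:
    return detect(parse_log(text))


if __name__ == "__main__":
    for user, rule, detail in run():
        print(f"{rule:18} {user:8} {detail}")
```

On the sample, the support account exporting customer data trips the least-privilege rule even though the volume is small, while the sales account's 02:13 and 02:41 exports trip both the off-hours and bulk rules; the analyst's daytime export is within role and under the limit and raises nothing. The thresholds are placeholders: a production rule would derive the bulk baseline from each role's own history and group alerts per incident rather than per event.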
Red, Blue, and Purple: Team Colors, Not Hats
One source of confusion: the industry also uses colors for roles inside an organization, and those have nothing to do with the ethical hats. Everyone on a red, blue, or purple team is a white hat working under authorization. The colors describe what side of a simulated fight they are on.
Red team operators play the attacker. They simulate a real adversary against their own employer's systems, often over weeks, to test whether the defenders can detect and respond to a determined intruder. Red teaming differs from a standard penetration test in objective rather than legality: a pentest is usually shorter and aims to enumerate as many vulnerabilities as possible within a defined scope, while a red team pursues a specific goal (reach this data, this system) and measures whether the blue team notices along the way. Both run under written authorization.
Blue team defenders are the SOC analysts, incident responders, and threat hunters who watch the logs, tune detections, and chase down alerts. They build and maintain the defenses the red team tries to slip past.
Purple team is less a group than a way of working. It puts red and blue in the same room so every attack the red team lands becomes a new detection the blue team writes. You will also hear "green hat" for a newcomer learning the basics. None of these are about legality: they are job functions, all firmly white hat.
Which Type of Hacker Should You Become?
If you are reading this to figure out where you fit, the answer is almost certainly white hat, and the reasons are practical, not just moral. The legal path is the only one with a career attached: it pays well, demand is enormous, and the skills transfer straight from a lab to a job. The illegal paths offer no resume, constant legal exposure, and an ending that is statistically grim.
The technical learning is identical no matter which hat you imagine wearing. You study the same vulnerabilities, run the same tools, and think the same adversarial way, only against targets that are explicitly yours to attack. For a roadmap of how working hackers built their skills, read how hackers learn to hack, and if competitions appeal to you, the CTF for beginners guide. When you are ready to prove the skill to an employer, the OSCP is the most respected entry-level offensive credential; our OSCP preparation guide covers it. Get fluent with the core tools through our Nmap cheat sheet and Burp Suite tutorial.
Legal and Ethical Considerations
Critical reminder: The type of hacker you become is decided by one thing: authorization. Accessing any system without explicit written permission from its owner is a criminal offense in essentially every jurisdiction. In the United States, the Computer Fraud and Abuse Act (18 USC 1030) carries penalties of up to 10 years in federal prison for a first offense under several of its subsections, with higher maximums for repeat offenses; the UK prosecutes under the Computer Misuse Act 1990, and EU member states implement Directive 2013/40/EU on attacks against information systems in their national criminal codes. Good intentions do not make grey hat access legal. Get permission in writing, signed by someone with authority to grant it, before you touch anything.
Every ethical line in this article reduces to the same rule. White hats stay legal because they have written scope. Black hats are criminals because they have none. Grey hats get into trouble because they assume good intent is a substitute for consent, and it is not. The legitimate places to practice are unambiguous: sandboxed CTF platforms, vulnerable VMs you own, and lab providers whose targets are authorized for attack. Bug bounty programs extend that to production systems, but only within each program's published rules.
Your Next Steps
You now know the full taxonomy of hacker types, from the three hats to APTs and insiders, and the one factor that separates a respected professional from a defendant: authorization. The labels help you read threat reports, but for your own path only one of them is a career. Pick white hat and the rest of the journey is about skill, not legal risk.
The fastest way to build white hat skills is to do the thing legally, today, in a sandbox. HackerDNA's Ethical Hacking course walks you through reconnaissance, scanning, and exploitation against authorized targets in your browser. From there, the cybersecurity labs give you hundreds of vulnerable machines, and the bug bounty fundamentals course shows how to turn the skill into paid work. For the mechanics of how attacks actually run, the pillar guide on what hacking is goes deep on methodology and tools. The free tier needs no credit card and no local setup, so open a browser, pick a lab, and start hacking the legal way.
Frequently Asked Questions About Types of Hackers
What are the three main types of hackers?
The three main types of hackers are white hat, black hat, and grey hat. White hat hackers test systems legally with permission to improve security. Black hat hackers break in illegally for profit or harm. Grey hat hackers act without authorization but disclose flaws instead of exploiting them, which is still illegal despite the good intent.
What is the difference between white hat and black hat hackers?
White hat hackers work legally with written authorization to find and fix vulnerabilities, and they get paid for it. Black hat hackers break into systems without permission for malicious purposes or financial gain. The technical skills can be identical. The difference that matters in court is authorization: white hats have it, black hats do not.
Are grey hat hackers illegal?
Yes, grey hat hacking is illegal in most jurisdictions even when the hacker means no harm. The law cares about unauthorized access, not the outcome, so accessing a system you were not invited to test is a crime regardless of whether you report the bug afterward. Bug bounty programs offer a legal alternative with the same kind of real-world targets.
What is a script kiddie?
A script kiddie is a low-skill attacker who runs pre-built tools and public exploits without understanding how they work. They rely on ready-made software like DDoS booters or copied Metasploit commands. Their attacks are still illegal, and the lack of skill often means they leave obvious traces and get caught quickly.
What is a state-sponsored hacker?
A state-sponsored hacker works for or on behalf of a government, usually tracked as an Advanced Persistent Threat (APT). These groups have long-term funding, custom tools, and patience, and they focus on espionage, intellectual-property theft, and sabotage of critical infrastructure. Stuxnet and the SolarWinds compromise are well-known examples of state-level operations.
Are red team and blue team hackers different from white hats?
No. Red, blue, and purple teams are all white hat roles working under authorization. Red teams simulate attackers against their own organization, blue teams defend and respond, and purple teams coordinate between the two so attacks become new detections. The team colors describe job function, not legality.
Part of our hacking guide: What Is Hacking? The Complete Guide
- How Do Hackers Learn to Hack?
- Types of Hackers: White Hat vs Black Hat
- CTF for Beginners