Intro to ethical hacking
Security
White-hat hacker
Career
Salary
Freelance

White-hat hacker work, salary, and career path [2026]: from no experience to practice, and on to projects and freelance

A realistic explanation of white-hat (ethical) hacker job content, career path, and how to think about salary, based on official statistics (Japan's METI / IPA). The differences between roles like vulnerability assessor, penetration tester, security engineer, and auditor; how to build practical experience from no experience; the options of employment, freelance, and side work (projects); and the company-side decision axis of 'grow in-house vs. entrust externally' — presented without exaggeration.

Reading time: 8 min read
Author: 友田 陽大

Suppose you've become a white-hat hacker — how do you make a living? This article explains that reality — job content, career path, how to think about salary, and how to win projects — based on official statistics (METI / IPA), without exaggeration.

First, an important premise. "White-hat hacker" is not a single occupation. It's a "bundle" of roles with different ways of defending. Which way of defending you create value with changes the required skills, the salary, and the career.

This article is a spoke of the complete roadmap on how to become a white-hat hacker, going deep on the career part.


1. The white-hat hacker's "bundle of roles"

| Role | Job content | Offense/defense | Ease of entry |
|---|---|---|---|
| Vulnerability assessor | Comprehensively probe known holes in apps/infrastructure, tool-centric | Somewhat offense | ◎ (best as an entry) |
| Penetration tester | Demonstrate "you can break in" from the attacker's perspective | Offense | △ (requires real combat skill) |
| Red team | Test the organization long-term and stealthily, including detection/response | Offense (advanced) | × (for the experienced) |
| SOC analyst | Monitoring, detection, initial incident response | Defense | ○ (can enter from operations) |
| Security engineer | Design/implement defense, code review, build infrastructure | Defense | ○ (development experience pays off) |
| Audit/consulting | Evaluate and advise whether design and operations defend "correctly" | Defense (advanced) | △ (requires knowledge and trust) |

If you aim from no experience, it's realistic to first build a foundation as a "vulnerability assessor" or "security engineer/SOC," then expand to "penetration tester (offense)" or "audit (defense)" by interest. People with development experience transition especially fast to security engineer — a developer who knows attacks can write "defensible code" from the start.


2. The reality of demand — an institutional tailwind is blowing

"Security talent is in short supply" is often said, but let's back it up with official numbers.

In other words, aiming to become a white-hat hacker now means riding a structural tailwind. Demand is backed not by feeling but by policy and numbers.


3. How to think about salary — look at the "determinants" rather than a fixed figure

There's no single correct answer to "how much does a white-hat hacker earn?", because it varies greatly by role, experience, specialization, and scope of responsibility. Don't swallow fixed figures found online; understand what determines salary and confirm the latest ranges on job sites.

Roughly, the factors that push salary up multiply like this:

Salary ≈ Foundation (basic skills, development ability)
        × Track record (CTF rank / confirmed bug bounties / published tools / talks)
        × Specialization (cloud / web / mobile / OT & control systems / AI and other rare domains)
        × Scope of responsibility (individual contributor → team lead → audit & decision-making)
        × Certifications (the common language of trust: OSCP+ / Registered Information Security Specialist / CISSP)

What's especially effective is "track record." Certifications get you into the ring, but CTF results, confirmed bug-bounty reports, and published verification tools are immovable proof that "you can actually do the work." Certifications and track record are a multiplication — with only one, your market value won't fully grow.


4. [Template] A "track-record portfolio" that earns trust

Hiring managers and commissioning companies want to know "can this person actually do the work." Showing a structured trail of hands-on work is many times more effective than listing certifications. Below is a track-record-portfolio template you can use as-is.

# 〇〇 (White-hat hacker / Security engineer)

## Strengths (one sentence that lands in 30 seconds)
Good at design reviews of web-app authorization and RLS, and at automating assessments in CI.

## Certifications
- Registered Information Security Specialist (national certification) / CompTIA Security+ / (studying) OSCP+

## Track record (evidence of "hands-on" work)
- Bug bounty: N confirmed IDOR reports on HackerOne (coordinated disclosure completed)
- CTF: 〇〇 rank on picoCTF / TryHackMe, writeups published
- OSS: self-built 〇〇 scanner (GitHub) / security articles and talks

## What I can do (scope I can take on as projects)
- Vulnerability assessment (automation of SCA/SAST/DAST and CI integration)
- Design review of authorization, RLS, and tenant isolation
- Definition of security requirements and acceptance criteria (ASVS-compliant)

The point is to write "certifications," "track record," and "what you can do (value offered)" separately. The buyer looks at the last "what you can do" to judge whether they can entrust a project.


5. Ways of working — employment, freelance, side work (projects)

There are broadly two stages to building a career.

Stage 1: gain "practical experience" through employment

The most reliable path from no experience is to get a job at a security company, an SIer, or an operating company's security department and gain practical experience. Working in assessment, operations, and incident response builds "real-world judgment" you can't reach by self-study. Registered Information Security Specialist and Security+ pay off at this entry point.

Stage 2: win "projects" via side work / freelance

Once practical experience and track record accumulate, the side-work/freelance path opens. Spot projects like vulnerability assessment, security review, and technical advisory are in strong demand. Here, the track-record portfolio of Section 4 pays off.

My (Tomoda's) own position: with one-person × generative AI (Claude Code), I've built an award-winning B2B SaaS and a payments platform with 0 double charges in production. The power to build fast and the power to build securely are two sides of the same coin. Precisely because I know attacks, I can design something defensible from the start — I believe this is the differentiating axis of the AI-era developer.


6. The company's perspective — "grow in-house" or "entrust externally"

From here, a word for companies on the side that hires or commissions white-hat hackers. With the talent shortage continuing structurally, it's not realistic to do all security functions in-house. The decision axis is simple.

| Situation | The rational choice |
|---|---|
| Want to operate security continuously, directly tied to the core business | Develop/hire in-house talent (centered on Registered Information Security Specialist, etc.) |
| Want to first sweep "horizontal holes" for free | Automate with OSS tools (how to do vulnerability assessment) |
| Want to guarantee even "design holes" before release, for an RFP, or for compliance | Commission an audit from an external expert (fastest, most reliable) |

The last row — authorization, RLS, tenant separation, business logic — is a vertical risk whose correctness can only be judged by a human who understands "the meaning of the business rules," no matter how many tools you run. Rather than holding this in-house amid a talent shortage, entrusting an expert who understands the design is faster, more reliable, and more cost-efficient. I draw that boundary honestly in "What does a security audit look at."


7. In the AI era, do security jobs have a future?

"Won't AI take my job?" — rather, the opposite.

  • Generative AI accelerates recon, code reading, and report writing, but the judgment of "is this a vulnerability or a spec" and "is this an authorized act" remains with humans.
  • Code mass-produced by AI tends to contain characteristic vulnerabilities, and detecting them is an area whose demand will grow from here (→ vulnerability assessment of AI-generated code).
  • Precisely because it's an era of "building fast with AI," the value of talent who can "see through AI's holes and defend" rises.

Far from being replaced by AI, security jobs are one of the few occupations that can amplify value by teaming up with AI.


8. Summary — build skill and trust in the tailwind

  • A white-hat hacker is a bundle of roles. The inexperienced first build a foundation on the defense side (assessment/operations) and expand to offense.
  • Demand has an institutional tailwind (the 50,000-by-2030 goal / the talent shortage). Backed by numbers, not feeling.
  • Salary is a multiplication of certifications × track record × specialization × responsibility. Show a structured track-record portfolio.
  • Ways of working are two stages: employment for practice → side work/freelance for projects.
  • Companies choose "grow vs. entrust" by purpose. Guaranteeing design holes is faster entrusted to an expert.

Connecting the certifications, law, self-study lab, and bug bounty so far into one line reveals the road from no experience to projects. The rest is just getting hands-on every week.



友田 陽大

Developer of a METI Minister's Award–winning product. With TypeScript + Python + AWS, I deliver SaaS, industry DX, and production-grade generative AI (RAG) end to end — from requirements to infrastructure and operations — single-handedly.

The vulnerabilities in this article — is your app safe from them?

An expert audit of your Next.js × Supabase authorization & RLS

The IDOR, RLS misconfigurations, and tenant-boundary crossing covered here are vertical risks a library can't fix. I take it on as a security audit — from authorization review through fix design and implementation. You're welcome to visualize the current state with the free OSS first.

Available for both project-based (contract) and advisory engagements. Start with a free 30-minute consult.
