# White-hat hacker work, salary, and career path [2026]: from no experience to practice, and on to projects and freelance

> A realistic explanation of white-hat (ethical) hacker job content, career path, and how to think about salary, based on official statistics (Japan's METI / IPA). The differences between roles like vulnerability assessor, penetration tester, security engineer, and auditor; how to build practical experience from no experience; the options of employment, freelance, and side work (projects); and the company-side decision axis of 'grow in-house vs. entrust externally' — presented without exaggeration.

- Published: 2026-06-28
- Author: 友田 陽大
- Tags: Security, White-hat hacker, Career, Salary, Freelance
- URL: https://tomodahinata.com/en/blog/ethical-hacker-career-path-salary-job-roles-freelance-guide
- Category: Intro to ethical hacking
- Pillar guide: https://tomodahinata.com/en/blog/white-hat-hacker-ethical-hacker-how-to-become-certification-roadmap-guide

## Key points

- A white-hat hacker is not a single occupation but a bundle of roles: vulnerability assessor, penetration tester, red team, SOC analyst, security engineer, audit/consulting. Your career branches by which 'way of defending' you create value with.
- Demand has an institutional tailwind: METI's May 2025 final report set a goal of growing Registered Information Security Specialists to 50,000 by 2030 (about 24,000 as of April 2025), and Japan's security-talent shortage continues structurally.
- Salary is decided by 'certifications × track record × specialization × scope of responsibility.' Don't take fixed figures at face value; confirm the latest range on job sites. Track record (CTF/bug bounty/GitHub/talks) matters more than certifications.
- How to build a career: employment to gain practical experience → specialization, and side work/freelance for projects — two stages. For the inexperienced, it's realistic to first build a foundation on the defense side (assessment/operations) and then expand to offense (pentesting).
- Company-side judgment: if in-house is hard due to the talent shortage, entrusting external experts is faster and more reliable. Pre-release verification of authorization, RLS, and tenant separation can only be judged by a human who understands the design.

---

Suppose you've become a white-hat hacker — **how do you make a living?** This article explains that reality — job content, career path, how to think about salary, and how to win projects — based on official statistics (METI / IPA), without exaggeration.

First, an important premise. **"White-hat hacker" is not a single occupation.** It's a "bundle" of roles with different ways of defending. Which way of defending you create value with changes the required skills, the salary, and the career.

> This is a spoke that goes deep on the career part of [how to become a white-hat hacker (complete roadmap)](/blog/white-hat-hacker-ethical-hacker-how-to-become-certification-roadmap-guide).

---

## 1. The white-hat hacker's "bundle of roles"

| Role | Job content | Offense/defense | Ease of entry |
|---|---|---|---|
| **Vulnerability assessor** | Comprehensively probe apps/infrastructure for known holes, tool-centric | Leans offense | ◎ (best as an entry point) |
| **Penetration tester** | Demonstrate "you can break in" from the attacker's perspective | Offense | △ (requires hands-on skill) |
| **Red team** | Test the organization long-term and stealthily, including detection/response | Offense (advanced) | × (for the experienced) |
| **SOC analyst** | Monitoring, detection, initial incident response | Defense | ○ (can enter from operations) |
| **Security engineer** | Design/implement defense, code review, build infrastructure | Defense | ○ (development experience pays off) |
| **Audit/consulting** | Evaluate and advise whether design and operations defend "correctly" | Defense (advanced) | △ (requires knowledge and trust) |

**If you aim from no experience, it's realistic to first build a foundation as a "vulnerability assessor" or "security engineer/SOC,"** then expand to "penetration tester (offense)" or "audit (defense)" by interest. **People with development experience transition especially fast to security engineer** — a developer who knows attacks can write "defensible code" from the start.

---

## 2. The reality of demand — an institutional tailwind is blowing

"Security talent is in short supply" is often said, but let's back it up with **official numbers.**

- In its May 2025 ["Final Report of the Study Group on Promoting the Development of Cybersecurity Talent"](https://www.meti.go.jp/press/2025/05/20250514002/20250514002.html), METI clearly set a goal of growing the national qualification **Registered Information Security Specialist to 50,000 by 2030** (about 24,000 as of April 2025). It's **a national policy to roughly double it.**
- Centered on SMBs, **a shortage of personnel who can handle security in-house** is repeatedly pointed out ([IPA](https://www.ipa.go.jp/security/)). The more budget- and talent-constrained a company, the harder it is to secure specialist talent internally.
- With [active cyber defense (the Cyber Response Capability Enhancement Act)](/blog/ethical-hacker-law-japan-unauthorized-access-act-active-cyber-defense-disclosure-guide), promulgated in 2025 and taking effect in 2026, society as a whole has entered a phase of investing seriously in security.

In other words, **aiming to become a white-hat hacker now means riding a structural tailwind.** Demand is backed not by feeling but by policy and numbers.

---

## 3. How to think about salary — look at the "determinants" rather than a fixed figure

There's **no single correct answer** to "how much does a white-hat hacker earn?", because it varies greatly by role, experience, specialization, and scope of responsibility. Don't take fixed figures online at face value; understand the **determinants of salary** and confirm the latest range on job sites.

The factors that push salary up can be summarized roughly as the following multiplication.

```text
Salary ≈ foundation (basic skills, development ability)
         × track record (CTF rank / confirmed bug-bounty reports / published tools / talks)
         × specialization (cloud / Web / mobile / OT and control systems / AI and other scarce areas)
         × scope of responsibility (your own hands → team lead → audit and decision-making)
         × certifications (a common language of trust: OSCP+ / Registered Information Security Specialist / CISSP)
```

What's especially effective is **"track record."** Certifications get you into the ring, but **CTF results, confirmed bug-bounty reports, and published verification tools** are immovable proof that "you can actually do the work." Certifications and track record are a **multiplication** — with only one, your market value won't fully grow.

---

## 4. [Template] A "track-record portfolio" that earns trust

Hiring managers and commissioning companies want to know **"can this person actually do the work."** Showing **a structured trail of hands-on work** is many times more effective than listing certifications. Below is a track-record-portfolio template you can use as-is.

```markdown
# [Your name] (white-hat hacker / security engineer)

## Strength (one sentence that lands in 30 seconds)
Design review of web-app authorization and RLS, and automating assessments in CI.

## Certifications
- Registered Information Security Specialist (national qualification) / CompTIA Security+ / (studying) OSCP+

## Track record (evidence of hands-on work)
- Bug bounty: N confirmed IDOR reports on HackerOne (coordinated disclosure completed)
- CTF: rank [X] on picoCTF / TryHackMe, write-ups published
- OSS: a self-built [X] scanner (GitHub) / security articles and talks

## What I can do (scope I can take on as projects)
- Vulnerability assessment (SCA/SAST/DAST automation and CI integration)
- Design review of authorization, RLS, and tenant separation
- Security requirements definition and acceptance criteria (ASVS-aligned)
```

The point is to **write "certifications," "track record," and "what you can do (value offered)" separately.** The buyer looks at the last "what you can do" to judge whether they can entrust a project.

---

## 5. Ways of working — employment, freelance, side work (projects)

There are broadly two stages to building a career.

### Stage 1: gain "practical experience" through employment

The most reliable path from no experience is to **get a job in a security company, SIer, or an operating company's security department** and gain practical experience. Experiencing the field of assessment, operations, and incident response builds "real-world judgment" you can't reach by self-study. **Registered Information Security Specialist and Security+ pay off at this entry.**

### Stage 2: win "projects" via side work / freelance

Once practical experience and track record accumulate, the **side-work/freelance** path opens. **Spot projects** like vulnerability assessment, security review, and technical advisory are in strong demand. Here, the track-record portfolio of Section 4 pays off.

> **My (Tomoda's) own position:** with one-person × generative AI (Claude Code), I've built an award-winning B2B SaaS and a payments platform with 0 double charges in production. **The power to build fast and the power to build securely are two sides of the same coin.** Precisely because I know attacks, I can design something defensible from the start — I believe this is the differentiating axis of the AI-era developer.

---

## 6. The company's perspective — "grow in-house" or "entrust externally"

This section is for the other side: companies that **hire or commission white-hat hackers.** With the talent shortage continuing structurally, it's not realistic to do all security functions in-house. The decision axis is simple.

| Situation | The rational choice |
|---|---|
| Want to operate security continuously, directly tied to the core business | **Develop/hire in-house talent** (centered on Registered Information Security Specialist, etc.) |
| Want to first sweep "horizontal holes" for free | **Automate with OSS tools** ([how to do vulnerability assessment](/blog/web-application-vulnerability-assessment-owasp-zap-sast-dast-guide)) |
| Want to guarantee even "design holes" before release, for an RFP, or for compliance | **Commission an audit from an external expert** (fastest, most reliable) |

The last row — **authorization, RLS, tenant separation, business logic** — is a vertical risk whose correctness **can only be judged by a human who understands "the meaning of the business rules,"** no matter how many tools you run. Rather than holding this in-house amid a talent shortage, **entrusting an expert who understands the design is faster, more reliable, and more cost-efficient.** I draw that boundary honestly in [what does a security audit look at](/blog/nextjs-supabase-security-audit-scope-when-needed-guide).
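As an added illustration (not from the original article) of the kind of "design hole" that tooling cannot judge: a Postgres/Supabase-style row-level-security policy that is valid SQL and satisfies an "RLS enabled?" checklist, beside the corrected form that encodes the business rule. The schema and the `auth.uid()` helper are assumptions.

```sql
-- Added illustration (not from the original article): a tenant-separation
-- "design hole" that tooling will not flag, and its corrected form.
-- Assumed schema: invoices belong to an organization; memberships records
-- which users belong to which organization. auth.uid() is assumed to return
-- the calling user's id (Supabase-style).

CREATE TABLE organizations (id uuid PRIMARY KEY);
CREATE TABLE memberships (
  user_id uuid NOT NULL,
  org_id  uuid NOT NULL REFERENCES organizations(id),
  PRIMARY KEY (user_id, org_id)
);
CREATE TABLE invoices (
  id     uuid PRIMARY KEY,
  org_id uuid NOT NULL REFERENCES organizations(id),
  amount numeric NOT NULL
);
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;

-- WEAK: RLS is "on", so a checklist scanner is satisfied, but the policy only
-- requires that the caller be logged in. Any authenticated user of any tenant
-- can read every tenant's invoices. Only someone who knows the business rule
-- ("a user may see invoices of organizations they belong to") can tell this
-- policy is wrong; the SQL itself is valid and runs without error.
CREATE POLICY invoices_read_weak ON invoices
  FOR SELECT
  USING (auth.uid() IS NOT NULL);

-- CORRECTED: the policy encodes the business rule itself, scoping each row
-- to organizations the caller is a member of.
DROP POLICY invoices_read_weak ON invoices;
CREATE POLICY invoices_read_by_membership ON invoices
  FOR SELECT
  USING (
    EXISTS (
      SELECT 1 FROM memberships m
      WHERE m.org_id = invoices.org_id
        AND m.user_id = auth.uid()
    )
  );
```

A review check that fits this boundary: for each tenant-owned table, confirm the policy's `USING` clause actually references the tenant key and the caller's membership, not just "is logged in."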

---

## 7. In the AI era, do security jobs have a future?

"Won't AI take my job?" — rather, the opposite.

- Generative AI **accelerates** recon, code reading, and report writing, but **the judgment of "is this a vulnerability or a spec," "is this an authorized act" is held by humans.**
- AI-mass-produced code easily yields **specific vulnerabilities**, and detecting them is an area whose demand will grow from here (→ [vulnerability assessment of AI-generated code](/blog/ai-generated-code-vulnerability-assessment-vibe-coding-security-guide)).
- **Precisely because it's an era of "building fast with AI," the value of talent who can "see through AI's holes and defend" rises.**

Far from being replaced by AI, security jobs are one of the few occupations that can **amplify value by teaming up with AI.**

---

## 8. Summary — build skill and trust in the tailwind

- A white-hat hacker is a **bundle of roles.** The inexperienced first build a foundation on the defense side (assessment/operations) and expand to offense.
- Demand has an **institutional tailwind** (the 50,000-by-2030 goal / the talent shortage). Backed by numbers, not feeling.
- Salary is a multiplication of **certifications × track record × specialization × responsibility.** Show a structured track-record portfolio.
- Ways of working are two stages: **employment for practice → side work/freelance for projects.**
- Companies choose **"grow vs. entrust"** by purpose. Guaranteeing design holes is faster entrusted to an expert.

Connecting the [certifications](/blog/ethical-hacker-certification-comparison-ceh-oscp-security-plus-pentest-plus-toroku-sec-guide), [law](/blog/ethical-hacker-law-japan-unauthorized-access-act-active-cyber-defense-disclosure-guide), [self-study lab](/blog/ethical-hacking-home-lab-kali-juice-shop-ctf-self-study-roadmap-guide), and [bug bounty](/blog/bug-bounty-getting-started-hackerone-bugcrowd-scope-report-disclosure-guide) so far into one line reveals the road from no experience to projects. The rest is just getting hands-on every week.

---

### References (official primary sources)

- [METI, Final Report of the Study Group on Promoting Cybersecurity Talent Development (May 2025)](https://www.meti.go.jp/press/2025/05/20250514002/20250514002.html)
- [IPA Information Security](https://www.ipa.go.jp/security/) / [IPA Registered Information Security Specialist](https://www.ipa.go.jp/jinzai/riss/index.html)
- [Cabinet Secretariat, Cybersecurity (active cyber defense)](https://www.cas.go.jp/jp/seisaku/cyber_anzen_hosyo_torikumi/index.html)
