The term "hacker" gets thrown around in a variety of contexts and in a multitude of different ways nowadays. While it's great that cyber security is gaining more and more awareness across the globe, its technical nature means that terms are often used interchangeably, in different contexts, and sometimes incorrectly. Popular culture has certainly played its part, with movies and television shows portraying hackers as super-smart criminal masterminds, or as underachieving geniuses who get by in life by committing petty theft from their parents' basements. The truth is very different: more often than not, hackers are just like you and me.
Hacking also isn't restricted to criminal activity. Practices such as penetration testing and other security assessment activities are legitimate, fundamental aspects of cyber security at any company, big or small. There are also various institutions whose whole business is examining security professionals and providing them with certifications in ethical hacking to back up their good intentions.
'Hacking', as we think of it, can be thought of as a synonym for 'defeating security', and defeating security is as old as security itself: as soon as there were people wanting to keep messages secret, there were people trying to read them.
Cryptography has a history that stretches back thousands of years, but a good place to start understanding it is the Roman Empire. The Caesar cipher, named after Julius Caesar, who used it for his private correspondence, is a simple substitution cipher: each letter of the message is replaced by the letter a fixed number of places further along the alphabet. Because there are only 25 possible shifts, anyone who knows the method can recover the message simply by trying each one. Unsurprisingly, the concept has been improved upon over the intervening two thousand years, and in today's world the Caesar cipher cannot be considered anything more than a novelty.
The earliest 'modern' implementation of what we typically think of as hacking stretches back to the cryptanalysts of World War 2. In much the same way that hackers today try to crack captured password hashes, the cryptanalysts' job was to break the enciphered messages of foreign militaries and intelligence services (in strict terms, applied mathematics rather than computing). Most famously, this involved a British team at Bletchley Park, building on earlier Polish work, breaking the Enigma cipher. The Enigma machine was used by the Germans for high-security military communications and was thought to be unbreakable thanks to the enormous number of rotor and plugboard settings. It fell to a combination of ingenuity, cutting-edge technology (the electromechanical Bombe) and human error: a quirk of the design meant that no letter was ever enciphered as itself, and operators' predictable message formats and procedural mistakes gave the codebreakers 'cribs' of known plaintext to work from. Those same three ingredients – cleverness, tooling and the mistakes of the people using a system – still hold true today for hackers cracking passwords or de-obfuscating code.
As technological progress continued to push more and more aspects of human activity into the digital sphere, hackers in turn expanded their reach beyond cryptography. Tapping into phone systems, known as phreaking, is where 'hacking' starts to become recognisable in its modern sense. Phreakers abused the telephone network's own in-band signalling, most famously by playing the 2600 Hz trunk tone and other control tones down the line to place free calls, so the attack relied on misusing existing features and configuration rather than on any purpose-built exploit. In that respect it is similar to much of modern penetration testing, where misconfiguration and excessive access are found far more often than novel code flaws.
Throughout the 1970s and 80s, computer hacking became a legitimate concern. As banks, schools and corporations slowly digitised their records and processes, hackers came up with new ways to gain access. It wasn't until the Internet reached the mainstream in the 1990s, though, that hacking followed it there and revealed how fragile our sense of security and anonymity in the digital sphere really was.
In February 2000, Dell, Amazon, CNN, eBay and others were taken offline by a string of distributed denial-of-service (DDoS) attacks. The list of affected companies included Yahoo!, at the time the world's largest search engine. The attacker, Michael Calce, known online as MafiaBoy, was 15 years old and managed all of the above in the span of about a week. Although a DDoS attack doesn't put any data at risk, the incident exposed how little the companies that were coming to depend on the Internet understood about defending themselves on it.
By 2020, everyone and their mother had become acquainted with Anonymous, the far-reaching, loosely organised group of hackers and sympathisers known for taking a public stance on just about every socio-political issue there is. If not for them, the term 'hacktivist' would never have entered everyday use. Anonymous' origins can be traced back to 2003 on 4chan, the infamous message board. They rose to fame five years later, in 2008, with Project Chanology, a coordinated campaign against the Church of Scientology: they knocked multiple websites belonging to the organisation offline with denial-of-service attacks and tied up its fax machines with 'black faxes', pages of solid black that burn through toner. On top of that, in-person protests were organised, with attendees wearing Guy Fawkes masks (as in V for Vendetta), which quickly became the group's most recognisable symbol.
Although Anonymous cannot be considered ethical, there is no denying the fact that they are extremely well-versed in the art of capturing the world's attention. The group has also inspired many young computer wizards to use their skills for something more than just personal gain.
Not every hacker is the same. They differ in their methods, skill sets and preferred tools. The most fundamental categorisation of hackers, however, stems from their motivations: some are driven purely by self-interest, others have a more sophisticated agenda. The traditional labels are white hat, black hat and grey hat. Beware of jumping to conclusions when it comes to malicious and ethical hackers, though. There have been cases of cyber criminals who have gone on to work in penetration testing for some of the world's biggest companies.
White hat hackers are the "good guys", more commonly called penetration testers. They use their skills and intellect to uncover security flaws in a professional, ethical way, and you'll usually find them in the security or IT department of a corporation or working for a specialist testing firm. White hats are employed to try to break an organisation's defences, test its resilience and suggest improvements. A white hat's motivations are clear-cut, and their work is backed up by the right certifications in ethical hacking and penetration testing.
The essence of their work isn't much different from how black hats go about theirs, with one basic difference: they never break into computer systems without the owner's permission, and that permission is agreed in writing, with a defined scope, before testing starts.
Just like in classic literature, the villains of the hacking world are clad in black. Black hat hackers break into networks, computers and infrastructure for personal gain, or to advance the goals of the criminal group they belong to. They write most of the malware in circulation, never ask owners for permission to explore their systems, and are often in the business of stealing sensitive data and selling it on underground markets. Make no mistake, they are the bad guys. At one end of the scale are 'script kiddies': opportunistic attackers who fire out mass attacks designed to exploit simple, well-known security flaws, typically using tools written by others. It's low effort but, because of the mind-boggling number of systems, servers, apps, mobile devices and PCs connected to the internet, don't assume it's low reward. Often a script kiddie's knowledge is so basic that they don't even understand the tools they're using. At the other end of the scale are highly organised hacking teams: well-resourced, focused groups of elite hackers who treat hacking as a serious professional business, often going after specific, lucrative targets.
Grey hats operate on their own terms, sometimes disregarding ethics (and the law) to get where they want to be. A grey hat might, for example, break into the network of a big corporation without permission, poke around for a while, and then hand a report of their findings to the IT desk expecting to be paid. However well-intentioned, the access itself is unauthorised, and in the UK that is an offence under the Computer Misuse Act 1990 regardless of motive. Another example of a grey hat might be a legitimate penetration tester who, when not at work, is involved with Anonymous.
Ethical hacking is the domain of white hat hackers, who work in a continuous loop of breaking into systems, reporting the vulnerabilities they find and making sure malicious actors don't find them first. There is no agreed-upon textbook definition of ethical hacking, but it can be explained as the practice of getting around security controls with the owner's authorisation, in order to find weaknesses before wrongdoers do. On top of that, ethical hacking entails checking systems for already-disclosed vulnerabilities and identifying looming threats. If you're thinking this sounds like penetration testing, it's because it is.
A lot of business owners are reluctant to employ an ethical hacker because of the negative connotations of the term "hacker" itself. That's a big mistake. The more you learn about the subject, the clearer it becomes that hiring a hacker isn't only safe for your company but essential to maintaining information security, in the office and on the computers of your remote workers alike.
You could go down the private hire route, weeding out any potentially malicious candidates by asking for an up-to-date ethical hacking certification, or at least references from previous employers, during the hiring process.
However, a much more efficient, not to mention safer, approach is to go to a penetration testing company. They have teams of trustworthy white hats, most of them salaried employees, ready and waiting to test an organisation's infrastructure. By choosing a penetration testing company you'll benefit from the peace of mind that you're getting a comprehensive security assessment from truly ethical hackers. Their broad experience also means they're able to work with you to define your scope – basically what you want tested, and what is off limits. Getting this stage right is often the difference between a meaningful test and a waste of money.
Look for companies with ISO 27001 and ISO 9001 certifications, which show they take their own information security and quality management seriously. There are also security-specific accreditations to look for. One of the most well-known and well-respected is CREST, which accredits testing companies and certifies their individual testers.
If you want to use your passion and skills in this area to bring about positive changes in the security of companies and individuals, there aren't many better avenues than ethical hacking. It also helps if you like breaking stuff.
First off, there are laws that every aspiring ethical hacker needs to familiarise themselves with, in order to know what they can and can't do when accessing a computer or network. For the UK the key statute is the Computer Misuse Act 1990, under which accessing a system without authorisation is an offence regardless of the intent behind it, which is why written authorisation and an agreed scope matter so much. While a single code of ethics doesn't really exist when it comes to ethical hacking, there are a few rules that professionals in this area generally abide by:
Most ethical hackers use their powers for good and find employment as salaried or freelance penetration testers.
You won't get hired on the spot without the right experience or education. A bachelor's degree in computer science or a related subject is an advantage, unless you've already got a year or two of real-world experience under your belt. Remember: malicious hacking doesn't count as experience, and you'd be wise not to brag about such exploits on your CV, especially if you're trying to get hired as an ethical hacker.
Although there are various documents and diplomas you can get to prove your skills and motivations, you should really aim for CREST certification.
Increasing numbers of companies are recruiting for penetration testers, and Bulletproof has its accelerator/grad scheme to help young talent get a leg up in the industry. However, some will find it more challenging to break into the cyber security industry, and aspiring white-hat ethical hackers might have to start off as a systems administrator or a web developer. Don't treat it as a setback though, as these positions will prepare you well for the future with valuable knowledge of networks, apps and systems.
The short answer is that being a penetration tester is fun, rewarding, and pays well. The longer answer is that ethical hacking is the answer to many pressing security questions that stem from the accelerated transition of most human activity to the digital realm. The work of every single penetration tester is invaluable when it comes to patching up holes that could otherwise be exploited to ruin businesses and livelihoods. Automated technologies do exist, such as vulnerability assessment (VA) scans, and they absolutely serve a vital purpose in maintaining good security. But they're no replacement for the human insight and ingenuity that goes into a penetration test – chaining individually low-risk findings into a real compromise, or spotting a logic flaw no scanner signature covers – so automation is unlikely to make a pen tester redundant any time soon.
Ethical hackers can find your security flaws before a malicious cyber criminal does. This gives you a chance to fix the weaknesses, meaning your data stays where it should do – inside your business.
Penetration testing is one of the most fundamental aspects of good business security. Infrastructure, network and application testing need to be performed regularly to catch and report on weaknesses that could be exploited. Automated VA scans can and should be run far more frequently, but they serve a different purpose to a full penetration test: a scan tells you which known vulnerabilities are present, while a test tells you what an attacker could actually do with them. Yearly pen tests are standard, with retesting after any significant change to the systems in scope, and increasingly the argument for 6-monthly testing is being made.
Not all of your employees are hackers or trained computer experts, and that's okay. Running a business requires personnel with various areas of expertise. But everyone in your organisation needs to have a basic knowledge of the cyber risks they face and the responsibilities they have to their employer. A vast number of attacks involve social engineering, typically phishing, where the attacker manipulates human psychology rather than exploiting a technical flaw. In a world where all technical cyber controls can be undone by a single click on a malicious link in an email, the right cyber awareness training is absolutely vital.
Social engineering attacks such as phishing often result in immense financial losses, to say nothing of the reputational damage. And all because a staff member could not distinguish a scam email from a genuine one. The time and effort it takes to train people to recognise these dangers is typically less than you think. Once again, ethical hackers can come to the rescue by simulating a phishing attack on your business. The results of this can feed into your security awareness training – essentially a human penetration test instead of a technical one. A simple exercise, but one that could save your organisation from ruin.
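What "distinguishing a scam email from a genuine one" looks like when written down, as an added example that is not part of the original article or of any Bulletproof tooling: the script parses a raw message and flags the header-level indicators that awareness training teaches people to spot (a display name carrying a different address from the real sender, a Reply-To on another domain, a sender domain that is a look-alike of a trusted one, and pressure wording in the subject). The trusted domain list and both sample messages are constructed for the demonstration.

```python
"""Flag common phishing indicators in an email's headers.

Added example for this article, not code from the original page. The
trusted domain list and the two sample messages are constructed for the
demonstration; a real deployment would be fed by the mail gateway.
"""
import email
import email.utils
import re
from typing import Optional

# Constructed allow-list of domains the organisation legitimately mails from.
TRUSTED_DOMAINS = {"example.com", "payroll.example.com"}

URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify", "action required")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address ('' if none)."""
    _, addr = email.utils.parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(domain: str) -> str:
    """Collapse common look-alike substitutions so 'examp1e.com' and
    'exarnple.com' compare equal to 'example.com'."""
    return (domain.replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squats like 'exmaple.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one impersonates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def phishing_indicators(raw_message: str) -> list[str]:
    """Return human-readable reasons the message looks suspicious. An empty
    list means no header indicator fired; it does not mean the mail is safe."""
    msg = email.message_from_string(raw_message)
    from_header = msg.get("From", "")
    display_name, from_addr = email.utils.parseaddr(from_header)
    from_domain = domain_of(from_header)
    indicators = []

    # 1. Display name shows an address that is not the real sender.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if embedded and embedded.group(1).lower() != from_domain:
        indicators.append(f"display name shows {embedded.group(0)} but sender is {from_addr}")

    # 2. Replies are routed to a different domain than the sender's.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        indicators.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 3. Sender domain is a near miss for one we trust.
    target = lookalike_of(from_domain)
    if target:
        indicators.append(f"sender domain {from_domain} looks like {target}")

    # 4. Pressure language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [w for w in URGENCY_WORDS if w in subject]
    if hits:
        indicators.append("urgency wording in subject: " + ", ".join(hits))

    return indicators


# Constructed sample messages for the demonstration.
PHISH = """\
From: "IT Helpdesk it@example.com" <support@exarnple.com>
Reply-To: collect@mailbox-free.example.net
Subject: URGENT: your account will be suspended
Content-Type: text/plain

Verify your password at the link below.
"""

GENUINE = """\
From: Payroll Team <payroll@payroll.example.com>
Subject: May payslips are now available
Content-Type: text/plain

Your payslip is in the HR portal as usual.
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, phishing_indicators(raw) or ["no header indicators"])
```

These checks are deliberately the ones a person can learn to do by eye, which is what makes them useful as training material; they say nothing about the link targets or attachments, and a well-crafted phish from a compromised genuine mailbox will pass all four.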
If there is one lesson to draw from the history of hacking, it is that hackers prey on ignorance and laziness more than on any clever exploit. Whether the aim is to steal credit card information, grab sensitive personal data or just cause havoc, the overwhelming majority of successful attacks come down to an unremediated technical flaw or a deceived human. And, excluding the work of nation-state hacking teams and rare 0-day flaws, closing off both of these attack vectors is well within a business's reach. But it relies on using the skills of ethical hackers to be proactive and secure your business before a malicious hacker strikes.
Kieran is a security tester who’s contributed to articles on a range of pen testing topics, including industry insights and best practices.