10 Questions to Ask Before You Hire a Security Professional

Apr 17, 2026

Type "hire a hacker" into a search engine and you will get two very different kinds of results. One is a legitimate industry of penetration testers, security consultants, and ethical hackers for hire who test systems with written permission and deliver professional reports. The other is a swamp of scammers who promise to break into an ex-partner's Instagram, take payment in cryptocurrency, and disappear.

The fastest way to tell them apart is to interview them. A legitimate professional has been asked every question below hundreds of times and answers comfortably. A scammer stumbles, deflects, or gets pushy. This guide gives you the ten questions, and just as importantly, what a good answer sounds like for each one.

1. Is what I am asking for legal, and will you work under written authorization?

This is the question that filters out ninety percent of the market, so ask it first. Ethical hacking is legal for exactly one reason: the owner of the system gave written permission. In the United States that line is drawn by the Computer Fraud and Abuse Act, and nearly every country has an equivalent, such as the UK Computer Misuse Act. Accessing an account or device you do not own, even your spouse's, even "just to check," is a crime for both the hacker and the person who hired them.

What a good answer sounds like: "Yes, and we will not start without it. You will sign an authorization and rules-of-engagement document confirming you own or control the systems in scope. If you are asking us to access something you do not own, we will decline." A legitimate firm raises the legality issue before you do.

Walk away if: they say authorization is not necessary, that "everyone does this," or that legality is your problem rather than theirs.

2. What certifications and verifiable experience does your team hold?

Certifications are not everything, but they are checkable, and checkability is the point of due diligence. The respected ones include OSCP (a hands-on penetration testing exam widely seen as the practical benchmark), CREST accreditations (common in the UK and required for some regulated work), GIAC certifications like GPEN, and CEH (more entry-level, but at least independently issued). For firm-level credibility, look for CREST membership or published methodology aligned with standards like OWASP and PTES.

What a good answer sounds like: specific names, specific certifications, and no irritation at being asked. Many certification bodies offer online verification, and a professional will point you to it.

Walk away if: the only credential offered is a claim of being a "certified dark web hacker" or screenshots of past "hacks." Real professionals never prove skill by showing you someone else's compromised account.

3. How will you define and limit the scope of the engagement?

Scope is the contract term that keeps testing safe and legal. It defines which systems, applications, IP ranges, or accounts are in bounds, which techniques are permitted, and when testing can occur. Scope protects you from outages, protects third parties from being swept into a test, and protects everyone legally.

What a good answer sounds like: "Before we start, we will agree a written scope listing every asset in bounds, the testing windows, what is explicitly out of bounds, and an emergency contact on both sides. If we find something that leads outside scope, we stop and ask." If you are not sure what should be in scope, a good vendor will help you figure that out during a free scoping call, which is exactly how our ethical hacking service begins every engagement.

Walk away if: they do not know what scoping means, or they propose to "just get in and see what we find" with no boundaries.

4. Will we sign a contract and an NDA?

A penetration test gives an outsider a guided tour of your weaknesses. The findings are among the most sensitive documents your organization will ever hold, so the engagement must sit on real paper: a services contract covering liability and deliverables, and a non-disclosure agreement covering everything the tester learns.

What a good answer sounds like: "Of course. We have standard agreements, or we can work from yours." Expect them to also explain how long they retain your data after the engagement and how it is destroyed.

Walk away if: they resist contracts, want to operate only through Telegram or other anonymous channels, or refuse to disclose a real business identity. Anonymity is the single most consistent marker of the scams we see, something we explore further in our look at freelance hackers for hire.

5. What deliverable will I receive at the end?

The product of an ethical hacking engagement is not the hacking, it is the report. A professional pentest report contains an executive summary in plain language, a technical findings section with severity ratings, evidence and reproduction steps for each issue, and concrete remediation guidance. Good firms also include a debrief call and a remediation retest.

What a good answer sounds like: "Here is a redacted sample report." That single artifact tells you more about a vendor than any sales pitch. Check that findings are explained, prioritized, and actionable rather than a raw scanner dump.

Walk away if: there is no report, or the promised deliverable is "access" or "results" with no documentation. Deliverables you cannot show your lawyer are deliverables you should not buy.

6. How much does it cost to hire an ethical hacker, and how is pricing structured?

Legitimate pricing is structured and explainable. Common models include fixed-price engagements scoped by size (a small web application test often falls somewhere in the low-to-mid four figures, while complex or multi-asset engagements run five figures), day rates for consultants (commonly several hundred to a couple of thousand dollars per day depending on seniority and region), and retainers for ongoing work. When you hire a professional hacker on an hourly basis, certified ethical hackers typically charge $100 to $300 per hour, while freelance marketplace rates often run $40 to $60 per hour. Bug bounty platforms offer a pay-per-finding alternative for mature organizations.

What a good answer sounds like: a quote tied to scope, with a clear explanation of what drives the price up or down, payable by invoice to a registered business.

Walk away if: payment is demanded entirely upfront in cryptocurrency or gift cards, the price is suspiciously tiny for the promised outcome, or new fees keep appearing after you have paid. The escalating-fee pattern, where "the job is nearly done" but one more payment is always needed, is the signature move of hire-a-hacker fraud.

7. Do you carry professional liability and cyber insurance?

Even careful testing carries risk. A test can knock over a fragile service, and findings data could itself be breached. Established firms carry professional indemnity insurance and errors-and-omissions cover precisely because their work touches critical systems.

What a good answer sounds like: "Yes, we carry professional indemnity cover, and we can provide a certificate of insurance." For business engagements, asking for that certificate is normal procurement, not rudeness.

Walk away if: the concept of insurance is alien to them. An individual or firm with no insurance, no contract, and no business registration leaves you holding all the risk.

8. Can you provide references from past clients?

Confidentiality is real in this industry, and many clients will not be named publicly. But established vendors can still offer something verifiable: referenceable clients who have agreed to take calls, published case studies, CREST or platform memberships, conference talks, published CVEs and research, or long-standing business records.

What a good answer sounds like: "Most clients are under NDA, but we have two references who will speak with you, and here is our public research." The shape of the answer matters: verifiable somethings rather than impressive nothings.

Walk away if: all the proof on offer is anonymous reviews on their own website or claims of having hacked famous companies. Real professionals do not brag about unauthorized access, because it would end their careers.

9. What happens if you find something critical mid-engagement?

This question tests operational maturity. Suppose the tester discovers, on day one, that your customer database is already exposed to the internet, or finds evidence that a real attacker has been there before them. What happens next?

What a good answer sounds like: "We have a critical-finding protocol. Anything severe gets reported to your emergency contact immediately, not held back for the final report. If we find signs of an existing compromise, testing pauses and we advise you on incident response." This answer demonstrates they understand the difference between a test and an incident.

Walk away if: they have never thought about it. Improvisation during a live security emergency is not what you are paying for.

10. Will you only test assets I own or am authorized to have tested?

End where you began, because scammers sometimes pass the early questions and reveal themselves here. State plainly what you want tested and ask them to confirm, in writing, that they will only touch assets you control. If your real goal involves someone else's account, a partner's phone, or a competitor's website, a legitimate professional will refuse, and it is worth understanding why the demand for that kind of "service" exists at all, which we unpack in why people look for website hackers.

What a good answer sounds like: an unambiguous yes, backed by the authorization paperwork from question one. Many will also explain lawful alternatives for your underlying problem: account recovery channels, law enforcement, civil discovery, or forensic specialists.

Walk away if: they hint that the rules can bend for the right price. A person who will break the law for you will also break it against you, usually by blackmailing you with the evidence of what you asked for.

How to use these questions

You do not need to run all ten as a formal interrogation. Raise the first one in your opening message, then work the rest into a scoping call. Take notes on the answers. The pattern matters more than any single response: legitimate vendors are transparent, documented, insured, and slightly boring. Scammers are fast, vague, anonymous, and exciting. In security procurement, boring is exactly what you want. For a deeper look at why this profession exists and what good engagements achieve, see our piece on why ethical hackers are essential. If your next step is to contact a hacker for lawful, fully authorized testing, the Spy and Monitor team typically replies within hours.

Frequently asked questions

Is it legal to hire a hacker?

It is legal to hire a security professional to test systems you own or are authorized to have tested, under a written agreement. It is illegal almost everywhere to hire anyone to access accounts, devices, or systems belonging to someone else, and the person paying can be prosecuted alongside the person doing the hacking.

How much does it cost to hire an ethical hacker?

Small, tightly scoped engagements such as a single web application test typically start in the low four figures. Larger assessments, internal network tests, and red team exercises run from five figures upward. Consultant day rates commonly range from several hundred to around two thousand dollars depending on seniority and region, with certified ethical hackers typically charging $100 to $300 per hour and freelance marketplace rates often sitting at $40 to $60 per hour. Be suspicious of anyone dramatically cheaper than that with grand promises.

What certifications should an ethical hacker have?

OSCP is the most respected hands-on penetration testing certification. CREST accreditation matters for regulated and enterprise work, GIAC GPEN is well regarded, and CEH indicates baseline knowledge. Verify any claimed certification through the issuing body rather than taking a logo on a website at face value.

What are the biggest red flags of a hire-a-hacker scam?

Guaranteed access to a specific person's account, payment only in cryptocurrency or gift cards, full payment upfront, contact exclusively through Telegram or similar, no real business identity, no contracts, and fees that keep escalating after you pay. Any one of these is a warning; two or more is a certainty.

Can I hire someone to get into my own account that I lost access to?

You generally do not need a hacker for that, and anyone claiming they can force their way into a platform like Google or Instagram is lying. The lawful route is the platform's own recovery process, which a legitimate account recovery service can help you navigate correctly with the right evidence of ownership.

What is the difference between a penetration tester and an ethical hacker?

In practice the terms overlap heavily. Penetration testing usually refers to a formal, scoped engagement with a report as the deliverable. Ethical hacking is the broader umbrella covering pentesting, red teaming, bug bounty research, and security consulting, all conducted with authorization.
