At the end of 2025, the Cyber Police Department of the National Police of Ukraine published a report, according to which the most common cyber threats continue to be phishing, online fraud, database theft, interference with the work of web resources, and the like [ 1 ]. Quite often, the reason for this is technical and organizational vulnerabilities, such as insuficient system protection, software vulnerabilities, and incorrect access management. Of course, the human factor also plays an important role in this.

What can companies do to prevent this from happening? Of course, it is always necessary to start with a well-developed cybersecurity policy at the enterprise, as well as staf training. It is also important to search for vulnerabilities in the systems themselves. For this, business entities increasingly turn to "ethical hackers" for help. However, can hacking be considered legal? In this article, we will answer the question posed.

Nevertheless, its basic concepts should be defined before proceeding to the regulatory support of such a topic.

Thus, hacking, according to the definition of A. Gupta and A. Anand, is a technique for searching for loopholes and weak spots in ICT systems and networks with the subsequent use of such "soft spots" for unscrupulous purposes (in particular, obtaining unauthorized access to certain information, modifying the functions of systems or networks, and the like). That is, the subject committing the act of hacking pursues clearly diferent goals than those of an ordinary user [ 2 ]. Accordingly, a hacker is a person who commits the actions mentioned.

The previous formulation clearly indicates the unscrupulousness of the hacker’s goals. However, does he always act unscrupulous, and can his actions sometimes be helpful for companies and other business entities? Legality of Activity

Legal and authorized

Semi-legal Purpose of Activity

Hired to find holes and vulnerabilities White Hat Hacker

Grey Hat Hacker Cannot be clearly called bad; typically act due to ideological reasons or “for fun” Motivation Typical Actions

Professional activity; le- Disagreement with politgal and ethical motiva- ical position or company tion policy; entertainment Penetration testing, vulnerability scanning with permission

Hack without permission, then disclose vulnerabilities found Other titles

Ethical hackers

Hacktivists

Crackers Black Hat Hacker Unethical and illegal Act with a negative, malicious purpose Usually economic incentives; less often – revenge, gaining popularity Destroy data, disable systems, violate organizational confidentiality/integrity

Today, many types of hacking are known, and, accordingly, types of hackers. Thus, 10Guards, in particular, lists 15 such "specialists" (from black hackers to botnet hackers) [ 3 ]. According to the definition of the already mentioned A. Gupta and A. Anand, there are three main ones - black, gray and white (Black Hat Hackers, Grey Hat Hackers, White Hat Hackers) [ 2 ]. Zoran Cekerevac and others came to a similar classification, who, in particular, note that both motivated women and men with basic knowledge and desire, as well as a large reserve of patience and the ability to plan goals, can engage in hacking, depending on the "classification" such individuals can pursue diferent goals [ 1, 4 ]. Saachi Joshi also divides them into three types "by color" [ 5 ].

Summarizing the existing approaches [ 5, 6, 7, 8 ] to the identification of types of hackers, we note the following: • black hackers - always act with a negative, malicious purpose, usually with economic incentives (less often - for revenge, gaining popularity, and the like.), they are also called crackers. These attackers try to penetrate a protected network to destroy data, turn of the network, etc. Unethical ofenders often violate the confidentiality, integrity, or availability of systems and data of a company or other organization; • gray hackers - they cannot be unequivocally called bad guys. Usually, their goal is ideological motives (for example, speaking out against a hostile political position or company policy alien to them) or "have fun." They are often known as hacktivists. That is, they do not pursue a negative goal but do not have the appropriate permissions to access information, communication systems, and networks. Usually, they inform the hacked party about the vulnerabilities found; • white hackers - they are specially hired to search for holes and other vulnerabilities. They are also called ethical hackers. They do not violate the law because access is provided to them directly by the owners, but the methods they use for testing are, in particular, the same as those of black hats (see Table 1).

In conclusion, we note that black hackers are clearly ofenders, gray ones too, however, they do not have a useful purpose, but also act without appropriate permission, and white ones are specially hired individuals who commit hacking on behalf of the organization, network and system that needs to be tested for vulnerability. The latter and their activities are the subject matter of this article.

White hats are hired to perform penetration testing. It is a comprehensive vulnerability testing, with a thorough analysis of the system, particularly for poor or incorrect system configuration, hardware, software deficiencies, and operational weaknesses in the process. Testers can suggest technical countermeasures [ 9, 10 ]. Therefore, ethical hackers are oficially called pentesters.

In Ukraine, the attitude towards hacking is quite specific. The existing legislation does not define ethical or other types of hackers and generally does not fully regulate this area. An analysis of US and EU legislation indicates the absence of such definitions in relevant international entities.

In the context of this issue, the following regulatory acts should be mentioned as of our state: the Criminal Code of Ukraine, the Laws of Ukraine "On Information", "On Information Protection in Information and Communication Systems", "On the Basic Principles of Ensuring Cybersecurity in Ukraine", and the like.

Thus, Chapter XVI of the Criminal Code consists of six articles devoted to ofenses in the field of using computers, systems, and networks.

• Its Article 361 regulates the issue of hacking and deals with unauthorized interference with the operation of computers, systems, and networks, for which a fine of 1-3 tax-free minimum incomes of citizens (hereinafter - TFMI), or from 1 to 3 years of restriction of liberty or probationary supervision (without isolation from society) is provided. • If hackers commit such an ofense by prior conspiracy or repeatedly, the fine will increase to 3-7 thousand TFMI or 2-5 years of restriction or imprisonment. • If, as a result of the above actions, data is leaked, blocked, forged, or lost, then the fine increases to 7-10 thousand TFMI, and imprisonment will last 3-8 years; the guilty party may also be prohibited from working in certain positions and engaging in certain types of activities for a period of up to 3 years. • The latter is also provided with imprisonment for 8-12 years if the relevant hacking caused the danger of serious man-made accidents or environmental disasters, death, or mass illness of people [ 11 ].

Given the martial law regime introduced in Ukraine, it is important to consider Part 5 of Article 361, which concerns cases 3 and 4 above. Accordingly, during such a period, the commission of the above actions will entail the imposition of liability on the guilty person in the form of imprisonment for 10-15 years [ 11 ]. These norms apply, first of all, to black and gray hats.

As for pentesters, there is a particular Part 6 of Article 361, which directly provides that the listed actions will not be considered unauthorized interference if they were committed “following the procedure for searching and identifying potential vulnerabilities of such systems or networks” [ 11 ] (see Figure 1).

For unauthorized actions with data on computers, systems, and networks, namely their modification, destruction, or blocking, as well as interception or copying, one can receive a fine in the amount of 2-4 thousand TFMI or be sent to 2 years of corrective labor or be deprived of liberty for a term of up to 3 years, respectively. Suppose such an act is committed again or by a group with prior consent or leads to significant damage. In that case, the punishment will be more serious - deprivation of liberty for 3-6 years. Such is provided for in Article 362 [ 11 ].

Table 2 below summarizes the sanctions mentioned, which are applicable to unauthorized interference and data manipulation as outlined in Articles 361 and 362 of the Criminal Code.

According to Article 20 of the Law on Information, the latter is divided into open and information with limited access. Article 21 clearly states that there is information with limited access, which is divided into oficial, secret, and confidential. Collecting, using, distributing, and storing the latter is prohibited. Nevertheless, there are exceptions: national security, protection of human rights, and economic well-being. Also, Article 29 allows the dissemination of information with limited access if it is a subject of public interest [ 12 ].

Article 1 of the Law on Information Protection in Information and Communication Systems defines unauthorized actions regarding information in the system. These are performed in violation of the established access procedure [ 13 ]. Accordingly, such actions can be called hacking.

According to Article 9 of the said law, the owner of the system or its administrator must ensure the protection of information in the system. According to Article 1, it is necessary to ensure information integrity, availability, and confidentiality. Article 11 imposes liability under the law on those guilty of the relevant violations [ 13 ]. That is, this law covers the activities of black and gray hats, and violations will be considered, in particular, disruption of work or unauthorized access to system resources, as well as the distribution of malicious programs. Therefore, the system must provide for the possibility of user identification and authentication, measures to counter potential threats, and registration of security events. The so-called Law on Cybersecurity (2163-VIII) defines the legal framework for cybersecurity but does not directly mention the terms "hacking," "pentester," or "ethical hacker." Nevertheless, the document contains several provisions directly related to countering hacking and regulating the possibility of lawful security testing.

Thus, Article 1 of the aforementioned Law defines a cyberattack as an example of hacking. These are targeted malicious actions in cyberspace using electronic communications, committed to violating the confidentiality, integrity, availability, or unauthorized access to electronic information resources, breaking the security and normal functioning of systems, or using such systems to carry out cyberattacks on other objects of protection in cyberspace. Article 10 of the Law provides for public-private interaction in the relevant field, which includes, in particular, the development and operation of a system for timely detection, prevention, and neutralization of threats in cyberspace, "including with the involvement of volunteer organizations" and interaction with individuals and organizations and companies to implement cyber defense measures [ 14 ]. That is, there is a permission to involve pentsters in checking systems. Three types of liability are provided for illegal actions: civil, administrative, and criminal.

In contrast, we will point to the experience of leading players in the international arena in this matter. As already noted above, the legislation of the United States also does not contain a legislative definition of ethical hacking. However, this practice has gained wide recognition in the cybersecurity community. The key American legal instrument, the Computer Fraud and Abuse Act, criminalizes

Aggravated circum- Fine (3-7 TFMI) / 2-5 years of liberty stances restriction or imprisonment leak/block/361(3)

Consequential dam- Fine (7-10 TFMI) or 3-8 years imprisonage caused ment + optional disqualification (up to

3 years) Danger of man-made accident, environmental disaster, death, or mass illness 8-12 years imprisonment + optional disqualification (up to 3 years) Under martial law – 10-15 years imprisonment + optional danger to public disqualification (up to 3 years) With prior authoriza- NOT punishable – exempted explicitly tion for testing 362(1)

Basic ofense

Fine (2-4 TFMI) / corrective labor (up to 2 years) Consequential dam- Up to 3 years imprisonment + disqualiage caused fication (up to 3 years) Aggravated circum- 3-6 years imprisonment + disqualificastances tion (up to 3 years) exactly unauthorized access. Nevertheless, in practice, courts have already begun to distinguish between malicious hacking and authorized testing. The issue of pen testing is also afected to one degree or another by the norms of the following documents: Digital Millennium Copyright Act, Electronic Communications Privacy Act, Health Insurance Portability and Accountability Act, and Children’s Online Privacy Protection Act [ 15 ].

Note: TFMI refers to Tax-Free Minimum Income (a unit used for calculating fines under Ukrainian law).

The European Union has a special NIS 2 Directive (Directive 2022/2555) that establishes measures to “achieve a high common level of cybersecurity across the Union” [ 15 ]. Although it does not contain the word “pentesting,” it does provide for appropriate procedures.

Such a measure simulates a cyber attack on an organization’s assets to identify vulnerabilities. Systems should be tested once a year after significant IT infrastructure changes or after cyber incidents. It is worth emphasizing that system testing is not a choice; it is a direct obligation under the Directive and applies, in particular, to essential entities (providing critical infrastructure), important entities (not critical but important for the economy), and non-European companies operating in the EU [ 16 ].

So, although Ukrainian legislation does not contain direct regulation of the activities of pentesters as a separate category of specialists, this issue is indirectly regulated. The situation is similar with gray and black hackers. Nevertheless, there is no direct ban on conducting pentesting, the main thing is that such relations are regulated at the contractual level between the company that needs to check the system for vulnerability, and the ethical hacker himself. Otherwise, his activities will already be considered illegal.

We agree with Brian Smith, who insists on the following rules for pentesters: • first of all, it is necessary to obtain written permission to conduct testing; • clearly set limits on the scope of testing; • perform all actions with maximum protection of Sensitive Data; • avoid interception of communications; • document all actions; • provide high-quality reports on the results of testing [ 15 ].

Summing up the above, hacking activities can indeed be ethical and legal, but only if the owner of the system or network has previously granted permission for the relevant actions. Agreeing clearly on technical and legal aspects between the parties is mandatory. Otherwise, the tester’s actions will be qualified as a criminal ofense.

Ukrainian legislation does not suficiently regulate this issue; it is fragmentary. However, the analysis of existing regulatory legal acts allowed us to identify the legal framework of ethical hacking. In particular, it was determined that, following Part 6 of Article 361 of the Criminal Code, the activities of pentesters, if they act with prior consent of the owner of the system or network, are legitimate.

Nevertheless, the existing legislation requires significant improvements; in particular, it is considered necessary to provide an oficial concept of ethical hacking, with a clear definition of the legal status of pentesters, and to develop and implement a standardized procedure for security testing. In this regard, for the sake of legal certainty and protection of the rights of the relevant parties, it is advisable to develop regulatory documents and instructions for conducting pentesting in the public and private sectors.

A separate document should be developed to determine the requirements for pentesters, particularly the qualifications, prerequisites, and rules for issuing written consent to conduct testing with a record of permitted actions. Also, a professional standard for ethical hackers in Ukraine is needed.

Finally, it is worth pointing out the importance of educational activities in society, both in the ethical aspects of hacking and in general, to raise awareness among citizens in cyber hygiene.

In this dificult time for Ukraine, when the enemy is everywhere using not only conventional methods of warfare but also cyber warfare means, a qualitative analysis of systems and networks for vulnerability, especially for critical infrastructure facilities, with the subsequent elimination of such "holes" can become the basis for obtaining significant advantages for our state.