Hacker Tradecraft · Volume 9

Hacker Tradecraft Volume 9 — The Green Hat: The Newcomer

CTFs, home labs, TryHackMe, HackTheBox, and the RF starter kit from RTL-SDR through Flipper Zero to HackRF — how people actually enter the field

Contents

Section  Topic
1        Definition and boundary
2        Origin and how the term is actually used
3        Tools of the trade — the learner’s starter kit
4        Methods and tradecraft — the lab loop
5        A day in the life
6        How they get hired — entry-level reality
7        Famous figures — five self-taught arcs
8        Callouts and cross-references
9        Resources

About this volume. Green hat is the newest of the seven-hat vocabulary and the most hopeful of them: it describes a learner who hasn’t yet done anything on Axis 1 at all. The green hat is pre-ethical, in the sense that no unauthorized access has occurred; the question isn’t whether they’re white or grey or black, it’s whether they’ll ever get there. This volume treats the archetype from the outside — it describes the learner population, the institutions that grew up to serve them, the realistic arc from zero to first professional role, and five public careers that started where every working professional started. The tone is neither condescending nor aspirational-poster; most of the people doing the senior roles in this field came up exactly this way. The reader (tjscientist, 45+-year EE/SW engineer) is emphatically not a green hat — but recognizes the archetype, worked with its products, and probably passed through a version of it decades before the vocabulary existed.


1. Definition and boundary

The green hat is the learner — defined by trajectory, not by ethics. Position on Vol 5 §6.1’s Axis 1 is “pre-engagement”: the green hat hasn’t yet made a meaningful choice between authorized and unauthorized work because they haven’t yet reached the operational sophistication where such choices are practically available. This is not a permanent exemption from the legal and ethical framework — it’s a description of where someone is in the learning curve.

The Vol 5 §6 master taxonomy diagram is worth pausing on here. Axis 1 maps from black (unauthorized and malicious) through grey (unauthorized but constructive) to white (authorized and constructive). The green hat sits below that axis — not yet a point on it. The typical green-hat mistake mode is neither malicious nor constructive in the grey-hat sense; it’s incautious: applying a technique learned in a CTF to a live target out of curiosity, without thinking through what “without authorization” means under the CFAA. That specific error — sanctioned-lab technique applied without authorization to a real target — is the transition that converts a learner into a grey-hat actor (at best) or a CFAA defendant (at worst). The Vol 8 §1.1 load-bearing legal frame applies fully: intent doesn’t carve out a defense.

Three features distinguish the green-hat position in the taxonomy:

It is defined by trajectory, not current skill. A green hat is someone who is actively learning the craft, working in sanctioned environments, and hasn’t yet made the authorized/unauthorized choice at an operational level. A 45-year-old sysadmin who just started working through TryHackMe rooms is a green hat by this definition; a 16-year-old who has been writing Metasploit modules for two years and is running them against CTF boxes is also a green hat by this definition, but one who is further along the trajectory. Skill level is not the discriminator; direction of travel is.

The canonical destination is white. The Vol 5 §5.3 snapshot is explicit: green hat “is the newcomer / learner, placed at the bottom of the Axis-1 diagram not because it is ‘below’ white in ethical standing, but because it is pre-operational.” The on-ramp leads toward white-hat work — certification, engagement paperwork, authorized scope. Most green hats follow this path even if they meander, take wrong turns, or stop before reaching the professional endpoint.

It is not permanent. The green-hat designation is not a life sentence. Most security practitioners spent time here and don’t use the term to describe their current selves. The arc runs: green hat → (white-hat professional, grey-hat independent researcher, or both at different times) → sometimes back to green for new domains. A 15-year pentester picking up RF tradecraft for the first time is wearing a green hat in RF even while they’re firmly white in their established domain. The boundary is domain-specific, not person-specific.

1.1 What the green hat is not

Three things the term is sometimes confused with, which it is not:

Not “script kiddie.” Script kiddie is a derogatory term describing someone who runs tools they don’t understand against targets without authorization, often without learning anything from the exercise. The script kiddie is a grey-hat or black-hat actor (unauthorized use of others’ targets) who happens to be unskilled; the green hat is a learner who is staying inside sanctioned environments. The two populations overlap when a learner ventures outside those environments, but the terms describe different things: script kiddie describes the technical-and-legal conduct; green hat describes the learning stage.

Not “amateur.” Amateur can be a permanent identifier (“I do this as a hobby and have no interest in professional work”) or a skill-level description. A green hat can be building toward a career or just satisfying curiosity — either trajectory is consistent with the term. And some of the most technically sophisticated people in the field are hobbyists who never wanted the professional title.

Not “low ethical standing.” The green hat who works exclusively in sanctioned environments is operating with full ethical integrity. The volume’s posture throughout is that the green-hat learner is doing exactly the right thing: building capability inside the lines, learning the tools in authorized contexts, accumulating the skills that will eventually let them do something useful. The condescension would be misplaced.


2. Origin and how the term is actually used

The green hat terminology entered information-security vocabulary later than the original three (white, black, grey) and through a different mechanism. Where those three emerged from trade-press migration in the early 1990s and were cemented by the 1997 Black Hat Briefings (Vol 5 §3), green hat emerged from the learner-community side of the field — Reddit threads, Discord servers, and online training platforms — somewhere in the 2010–2015 window, reaching something close to standardization as CompTIA and EC-Council began building out beginner-track curricula and needed vocabulary for “not yet skilled.”

Vol 5 §5.3 locates the first recognizable uses in learner-community contexts around 2013–2015, a few years before HackTheBox (founded 2017) and TryHackMe (founded 2018) launched — the platforms that would ultimately institutionalize the beginner-accessible CTF-and-guided-learning model that makes the green-hat arc a tractable thing to navigate. The timing is not coincidental: green hat as vocabulary needed an audience, and the audience materialized when purpose-built learning platforms made the beginner experience concrete and community-visible.

2.1 The vocabulary choices that didn’t win

Before green hat settled as the learner-community term, several other labels circulated for the same population:

“Noob” / “n00b” — the older hacker-culture term for newcomer, carrying a mild derogatory valence when used externally and a neutral or even affectionate valence when used within the community. Still widely used informally but carries cultural baggage that makes it unsuitable for training-materials vocabulary.

“Beginner” — clean, unambiguous, widely used in instructional materials, but lacks the hat-taxonomy coherence that makes green hat useful for the Vol 5 framework. “Security beginner” is fine in everyday speech; “green hat” is useful when you need to place someone on the seven-hat map.

“Wannabe hacker” or “junior hacker” — vendor-marketing language that drifted in and out of use. Neither survived into the current vocabulary.

“Script kiddie” — sometimes used by critics to describe beginner-track learners unfairly, as §1.1 noted. The community itself distinguishes the two; the outsider sometimes doesn’t. The distinction is important enough that it appears in most beginner-track curricula: you are not a script kiddie if you are learning how tools work and staying inside sanctioned environments.

2.2 Institutional pedigree

Of the seven hat colors, green has the least institutional pedigree in the sense that no single conference event or professional publication crystallized the term the way Black Hat Briefings crystallized white/black in 1997. The vocabulary stabilization was organic — gradual coalescence across Reddit (r/hacking, r/netsec, r/AskNetSec, r/HowToHack), Discord communities, and YouTube comment sections, with the training-platform ecosystems eventually adopting it as descriptive vocabulary. EC-Council’s CEH curriculum uses it explicitly; CompTIA’s career-path marketing uses “green hat” or equivalent beginner framing; OffSec uses “newcomer” and “beginner” without the hat language but maps cleanly to the same population.

The result is a term that is widely understood in the learner community, reasonably understood in the practitioner community, and occasionally puzzling to executive or non-specialist audiences who know white and black and grey but haven’t encountered the full seven-hat taxonomy. That’s fine. Vol 9 is for people who want to understand the full map, and the full map has seven colors.


3. Tools of the trade — the learner’s starter kit

The green-hat toolset is defined by two constraints that don’t apply to the other hats: everything has to be affordable enough for a learner to acquire without organizational budget, and everything has to work in a sanctioned environment. The platforms, VMs, and hardware covered in this section are the ones that meet both constraints, in rough order of the sequence a learner encounters them.

3.1 Lab environment — the virtualized baseline

Almost every green-hat learner starts here: a laptop running a hypervisor hosting a Kali or ParrotOS VM, pointed at a purposefully-vulnerable target machine.

Hypervisors: VirtualBox (free, cross-platform, the default recommendation for cost-constrained setups), VMware Workstation Pro (commercial licence roughly $200/yr as of early 2026, and free for personal non-commercial use since Broadcom’s 2024 licensing change; verify against Broadcom’s current terms), Hyper-V (built into Windows Pro/Enterprise, free, less popular in the learner community). The choice between them rarely matters for early learning; what matters is network-isolation discipline — the vulnerable targets go on an internal or host-only network, never the default NAT or bridged mode, so a deliberately exploitable service is never reachable from the LAN or the internet.

Attacker distributions: Kali Linux (the default recommendation; Offensive Security-maintained Debian-based distro with the full pentesting toolchain pre-installed; free; runs well in a VM; most tutorials assume it) and ParrotOS (lighter-weight, better for older hardware or day-to-day use on the same machine). Both are fine; Kali has more tutorial coverage and a larger community, which matters for learners who will spend significant time following guides.

Target environments (deliberately vulnerable):

  • Metasploitable 2 and 3 — Linux VMs intentionally configured with dozens of exploitable services; the classic first “own something” experience. Free download, isolated VM.
  • DVWA (Damn Vulnerable Web Application) — PHP/MySQL web app with deliberately vulnerable endpoints for every major OWASP category (SQLi, XSS, CSRF, command injection, file upload, etc.). Installable in a local LAMP stack or Docker. The standard first web-pentest target.
  • WebGoat — OWASP’s guided-lesson vulnerable web app; more structured than DVWA; includes explanations alongside the vulnerable endpoints.
  • VulnHub — archive of downloadable vulnerable VMs contributed by the community, ranging from beginner to expert difficulty. The community writeup culture (see §4) is well-established around VulnHub machines.
  • HackTheBox (local/offline import) — HTB’s machines can be imported locally for some purposes, though most learners use them through the platform rather than offline.
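The network-isolation discipline from the hypervisor paragraph is easy to get wrong silently: a target VM cloned from a default template comes up on NAT. As an added example (not part of this volume and not VirtualBox’s own tooling), the POSIX shell script below reads a VM’s adapter list from `VBoxManage showvminfo --machinereadable` and fails if any adapter is NAT, NAT-network or bridged; it assumes that command’s `nicN="mode"` line convention, and the two sample outputs are constructed, not real captures.

```shell
#!/bin/sh
# Lab-isolation check for deliberately vulnerable VirtualBox targets
# (Metasploitable, a DVWA host, VulnHub imports). Added example; assumes
# VBoxManage --machinereadable output lines of the form nic1="intnet".
# Acceptable adapter modes: intnet, hostonly, or a disabled/none adapter.

# check_nic_lines: read machinereadable text on stdin, print every adapter
# that is NAT/NAT-network/bridged, return 1 if any was found, else 0.
check_nic_lines() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            nic[0-9]*=*)                    # nic1="nat", nic2="intnet", ...
                mode=${line#*=}             # strip key, keep quoted value
                mode=${mode%\"}             # drop trailing quote
                mode=${mode#\"}             # drop leading quote
                case "$mode" in
                    nat|natnetwork|bridged)
                        printf 'UNSAFE %s (%s)\n' "${line%%=*}" "$mode"
                        bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# check_vm: run the check against a live VM by name (needs VBoxManage on PATH).
check_vm() {
    VBoxManage showvminfo "$1" --machinereadable | check_nic_lines
}

# Constructed sample: a target left on the default NAT adapter (misconfigured).
SAMPLE_BAD='name="Metasploitable2"
nic1="nat"
nic2="intnet"
intnet2="lab"'

# Constructed sample: the same target correctly placed on an internal network.
SAMPLE_GOOD='name="Metasploitable2"
nic1="intnet"
intnet1="lab"
nic2="none"'

# Demo run against the constructed samples: `sh isolation-check.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_BAD" | check_nic_lines && echo "isolated" || echo "NOT isolated"
    printf '%s\n' "$SAMPLE_GOOD" | check_nic_lines && echo "isolated" || echo "NOT isolated"
fi
```

Run `check_vm "Metasploitable2"` after every clone or import and before the target is powered on; a non-zero exit means the box is exposed beyond the lab.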

3.2 Learning platforms — the structured on-ramp

The platform ecosystem that didn’t exist before ~2015 is now the main on-ramp for most green-hat learners.

| Platform | Cost | What it provides | Best for |
|---|---|---|---|
| TryHackMe | Free / ~$14/mo VIP (as of early 2026) | Guided learning paths (“Cyber Defense”, “Jr. Penetration Tester”, “Complete Beginner”), browser-in-browser so no VM setup needed, structured exercises | Absolute beginners; guided progression |
| HackTheBox | Free (limited) / ~$14/mo VIP | Machine-and-challenge library, “Starting Point” guided tier for beginners, active competitive leaderboard | Learners ready to try on their own after TryHackMe basics |
| PortSwigger Web Academy | Free | 200+ web-security labs on every OWASP topic, accompanying teaching material, expert-level depth available | Web-focused learners at any level |
| picoCTF | Free | Annual CMU-run CTF competition + permanent archive of past challenges; rated as beginner-accessible; backed by Carnegie Mellon’s Cybersecurity Education initiative | Students and younger learners; CTF entry |
| OffSec PEN-100 / PEN-200 | ~$800/yr subscription (as of early 2026; verify) | PEN-100 is the explicit pre-OSCP on-ramp; PEN-200 is the OSCP-exam-prep course with 70+ lab machines | Learners committing to the OSCP pathway |
| TCM Security (PNPT pathway) | ~$30/course or subscription | Practical Ethical Hacking (network), Web App Hacking, Python basics; video + guided labs | Budget-conscious learners targeting PNPT cert |

Table 9.1 — Learning platforms in the green-hat starter kit, as of early 2026. Pricing fluctuates; verify against platform sites before quoting.

The platform progression that most learner-community guides recommend: TryHackMe’s structured paths first (1–3 months), then HackTheBox Starting Point, then HTB VIP machines or CTF competition. PortSwigger Academy runs in parallel with whatever else the learner is doing — it’s the best free web-security curriculum and doesn’t require network infrastructure to use.

3.3 The RF starter kit — from RTL-SDR to HackRF

This series is an RF-weighted tradecraft reference, and the green hat’s entry into RF deserves its own treatment. The RF stack has a natural cost-and-complexity progression that maps cleanly onto the learner arc:

RF Starter-Kit Progression
─────────────────────────────────────────────────────────────────────────────

  ┌──────────────────┐
  │  RTL-SDR V3      │  ~$30    Receive only. Wideband 100 kHz – 1.75 GHz.
  │  (the foot-in-   │          FM broadcast, APRS, ADS-B, weather satellite,
  │   the-door)      │          pager traffic, 433 MHz ISM devices. SDR#/
  │                  │          GQRX/GNU Radio Companion. Lowest barrier to
  └──────────────────┘          RF observation. See Vol 13 and RTL-SDR deep
           │                    dive (../../RTL-SDR/CLAUDE.md).

  ┌──────────────────┐
  │  Flipper Zero    │  ~$170   Multi-tool: sub-GHz (300–928 MHz) TX+RX,
  │  (the multi-     │          RFID (125 kHz LF), NFC (13.56 MHz HF), IR
  │   tool)          │          TX+RX, iButton, BadUSB, GPIO. Beginner-
  │                  │          accessible UI. Excellent for touching a wide
  └──────────────────┘          surface without deep RF expertise.
           │                    See Flipper Zero deep dive
           │                    (../../Flipper Zero/03-outputs/
           │                     Flipper_Zero_Complete.html).

  ┌──────────────────┐
  │  HackRF One      │  $300-   Transmit + receive, 1 MHz – 6 GHz. The step
  │  (the full SDR)  │  $340    up once RF fundamentals are established.
  │                  │          GNU Radio Companion, complex signal analysis,
  │                  │          signal generation. More toolchain overhead.
  └──────────────────┘          See HackRF One deep dive
           │                    (../../HackRF One/03-outputs/
           │                     HackRF_One_Complete.html).

  ┌──────────────────┐
  │  Proxmark3 RDV4  │  ~$400   RFID/NFC lab instrument. LF + HF research,
  │  (RFID lab tool) │          card emulation, reader emulation, Lua
  │                  │          scripting. The Proxmark is for RFID-specific
  └──────────────────┘          depth; see Proxmark3 RDV4 deep dive
                                (../../Proxmark3 RDV4/CLAUDE.md).

  Total commitment if bought in sequence: ~$900 over months/years, not at once.
  The RTL-SDR alone is sufficient for 6–12 months of meaningful RF learning.
─────────────────────────────────────────────────────────────────────────────

Figure 9.1 — RF starter-kit progression. Cross-references to the Hack Tools deep dives per device are inline. The progression is not a mandate — a learner with a specific interest in RFID access-control research might start with a Proxmark rather than an RTL-SDR. The sequence above is the general-purpose one.

[Image: RTL-SDR V3 USB dongle — the standard entry point for RF learning]

Figure 9.2 — RTL-SDR V3, the $30 receive-only SDR that is the standard first step in RF learning. Listening before transmitting is not just good practice; it’s the correct order of operations for understanding a signal environment before acting on it. Photo: File:Rtl-sdr.jpg by Joeceads. License: CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0). Via Wikimedia Commons (https://commons.wikimedia.org/wiki/File%3ARtl-sdr.jpg).

The RF progression mirrors the general security-learning progression: passive observation first (RTL-SDR, Wireshark), then interaction in controlled environments, then gradually more sophisticated tooling. A learner who has spent time decoding 433 MHz ISM device traffic with an RTL-SDR has developed intuition for RF signal structure that makes the Flipper’s sub-GHz replay module much more comprehensible when they encounter it.

3.4 Tools summary table

| Resource | Cost (early 2026) | What it teaches | Skill level | Forward-ref |
|---|---|---|---|---|
| TryHackMe | Free / $14/mo | Guided paths across web, network, DFIR, basics | Absolute beginner | §4 lab loop |
| HackTheBox | Free / $14/mo | Self-directed machine exploitation, CTF challenges | Post-basics | §4 lab loop |
| PortSwigger Web Academy | Free | OWASP web vulnerability classes, Burp Suite | All levels | Vol 14 (Wi-Fi) indirectly |
| Kali Linux + VirtualBox | Free | Attacker-distro toolchain, lab environment setup | Beginner | Vol 13, 14 |
| DVWA / Metasploitable | Free | Web + network vulnerable-target practice | Beginner | — |
| RTL-SDR V3 | ~$30 | Passive RF observation, signal decoding | RF beginner | Vol 13, RTL-SDR deep dive |
| Flipper Zero | ~$170 | Multi-protocol RF/RFID/NFC/IR/BadUSB | RF intermediate | Vol 13, 14, 15; Flipper Zero deep dive |
| HackRF One | $300–340 | Wideband TX+RX SDR, GNU Radio | RF intermediate-advanced | Vol 13; HackRF One deep dive |
| Proxmark3 RDV4 | ~$400 | LF/HF RFID/NFC lab research | RF/RFID specialized | Vol 15; Proxmark3 deep dive |
| picoCTF | Free | CTF problem-solving across all categories | Beginner | §4 CTF table |
| OffSec PEN-200 | ~$800/yr | Full OSCP exam prep, 70+ lab machines | Pre-professional | Vol 6 §6, Vol 18 |
| TCM Security courses | ~$30/course | Practical pentest (network, web) | Beginner-to-intermediate | Vol 18 |

Table 9.2 — Green-hat starter-kit tools and platforms. Costs fluctuate; verify against vendor sites. The RF progression (RTL-SDR → Flipper Zero → HackRF One → Proxmark3 RDV4) is treated at depth in Vols 13–15 and in the individual Hack Tools deep dives for each device.


4. Methods and tradecraft — the lab loop

The green hat’s tradecraft is the learning process itself. It doesn’t look like the engagement lifecycle (Vol 6 §4) or the disclosure decision point (Vol 8 §4); it looks like a cycle of building and breaking repeated until something clicks.

4.1 The core learning loop

The method that most practitioners, looking back, describe as the thing that actually worked:

┌─────────────────────────────────────────────────────────────────────────┐
│                                                                         │
│                     THE GREEN-HAT LEARNING LOOP                        │
│                                                                         │
│  ┌───────────┐    ┌───────────┐    ┌───────────┐    ┌───────────┐      │
│  │   BUILD   │───►│   BREAK   │───►│ UNDERSTAND│───►│ WRITE UP  │      │
│  │           │    │           │    │           │    │           │      │
│  │ Stand up  │    │ Exploit   │    │ Trace why │    │ Document  │      │
│  │ a lab,    │    │ it, get   │    │ it worked │    │ what you  │      │
│  │ deploy a  │    │ the flag, │    │ at the    │    │ learned.  │      │
│  │ CTF box,  │    │ pop the   │    │ protocol  │    │ Publish   │      │
│  │ set up a  │    │ shell, or │    │ or binary │    │ if you    │      │
│  │ platform  │    │ fail and  │    │ level.    │    │ can.      │      │
│  │ challenge │    │ figure out│    │           │    │           │      │
│  │           │    │ why       │    │           │    │           │      │
│  └───────────┘    └───────────┘    └───────────┘    └───────────┘      │
│        ▲                                                  │            │
│        └──────────────── next challenge ──────────────────┘            │
│                                                                         │
│  The UNDERSTAND step is the one most learners skip.                     │
│  The WRITE UP step is the one that compounds into a career.             │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘

Figure 9.3 — The green-hat learning loop. The build-break-understand-write-up cycle is the canonical method practitioners describe when asked how they learned. The write-up step is not just pedagogical — it is the artifact that hiring managers, bug-bounty triage teams, and conference program committees use to evaluate candidates with no formal credential.

The UNDERSTAND step deserves emphasis. The temptation in CTF and platform work is to collect flags — to get the answer and move to the next challenge without tracing why the technique worked. The learner who traces why gets the compound return: each new technique reinforces a growing mental model of how systems work, which means the next technique takes less time to internalize. The flag-collector is accumulating a list of recipes; the understander is building a model. After 12 months, the difference is visible.

4.2 The walkthrough trade-off

Every learning platform has a community producing detailed writeups and video walkthroughs of its machines and challenges. This creates the classic educational tension: reading a walkthrough solves the immediate problem but may short-circuit the learning.

The working guidance from the practitioner community: try the challenge or machine on your own for at least 30–60 minutes before looking at a walkthrough; if you get completely stuck, look at a hint rather than the full solution; use walkthroughs to compare your approach after you’ve solved something, not just to confirm you got the same answer. The write-up culture on HackTheBox in particular (writeups for active machines are embargoed; retired machine writeups are freely available, which is why starting with retired machines is the standard recommendation) is explicitly designed to support this discipline.

4.3 CTF categories

Capture-the-Flag competitions organize challenges into categories. Understanding the categories helps a learner build a deliberate portfolio of skills rather than accidentally overweighting their strongest domain.

| Category | What it covers | Starter resources |
|---|---|---|
| Web | SQLi, XSS, CSRF, SSRF, deserialization, authentication bypass, IDOR, API abuse | PortSwigger Web Academy, DVWA, WebGoat |
| Crypto | Classical ciphers, modern crypto misuse, hash attacks, padding oracles, RSA attacks | CryptoHack (cryptohack.org), picoCTF crypto category |
| Pwn (binary exploitation) | Buffer overflows, format strings, ROP chains, heap exploitation | pwn.college (Arizona State), pwntools library, GDB/pwndbg, CTF101 |
| Reverse engineering | Static and dynamic analysis of binaries, firmware, obfuscated code | Ghidra (NSA, free), IDA Free, Radare2, crackmes.one |
| Forensics | Disk images, memory dumps, network captures, steganography | Autopsy, Volatility, Wireshark, FTK Imager, CyberChef |
| OSINT | Open-source intelligence — finding information about targets from public sources | OSINT Framework (osintframework.com), Google dorking, Shodan, Maltego CE |
| Misc / RF | Protocol challenges, hardware CTFs, RF-category problems (some competitions) | GNU Radio, URH (Universal Radio Hacker), gqrx |

Table 9.3 — CTF categories with starter resources. Most CTF competitions run 3–7 of these categories in parallel; a learner who can contribute to three or four categories becomes the team member everyone wants for competition season. The RF/misc category is rare in beginner CTFs but growing; Vol 13 (RF tradecraft I) covers this domain at depth.

4.4 The role of writeups

A public writeup is the green hat’s portfolio artifact. It demonstrates not just that the challenge was solved but that the solver understood what happened — why the vulnerability existed, what the exploit chain was, what the mitigation would be. For a learner with no professional experience and no certifications, a well-written writeup of a retired HTB machine or a CTF challenge is more useful than most credentials when applying for an entry-level role.

The write-up culture also creates a community knowledge base. Every publicly-posted writeup of a retired machine is a tutorial someone else can learn from. The learners who become known in a community — who get Discord DMs from strangers saying “I learned from your writeup” — typically credit this feedback loop as a significant accelerant in their own progression.

CTFtime.org tracks competitions globally; writeups posted there or to team blogs, personal sites, or GitHub repositories are the canonical public record of a learner’s activity. A GitHub repository containing 12 months of CTF writeups, a personal blog documenting TryHackMe rooms, and a HackTheBox profile page with a visible progress history collectively constitute a portfolio that hiring managers in technical roles know how to read.

4.5 Realistic time-to-competency estimates

The security-learning community is plagued with “I went from zero to OSCP in 90 days” marketing narratives. These exist. They are not the median case. More honest estimates from the practitioner community:

6 months (comfortable with CTF basics): A motivated learner spending 10–15 hours per week can expect to be comfortable with TryHackMe beginner-path material, able to complete easy-rated HTB retired machines with occasional hints, and contributing in a CTF team across at least 1–2 categories. This is the “I know what I’m doing in a lab environment” milestone.

12 months (entry-level-adjacent): With continued pace, a learner can reasonably expect a completed PNPT or eJPT cert, a portfolio of 10–20 writeups, and readiness to attempt the OSCP-adjacent OffSec PEN-100/PEN-200 coursework. This is the “I could apply for junior/entry-level roles and not embarrass myself” milestone.

24 months (professional-entry-capable): A sustained learner is now OSCP-eligible (or OSCP-complete), has at least one public CTF placement or bug-bounty submission, and has accumulated enough hands-on hours to hold a technical conversation in an interview. This is the “I can realistically get an entry-level security job” milestone.

These estimates assume sustained self-directed learning without a formal program. Bootcamps and structured curricula (OffSec coursework, TCM Security, SANS beginner tracks) can compress the timeline at higher cost. Formal degree programs typically don’t compress it relative to self-directed learning — they add credentials alongside the knowledge, which matters for certain employer categories.

Learning-Path Roadmap
─────────────────────────────────────────────────────────────────────────────

 Month 0        Month 6        Month 12       Month 18       Month 24+
    │               │               │               │               │
    ▼               ▼               ▼               ▼               ▼
  Entry           CTF-            Cert            Bug             Professional
                comfortable     baseline        bounty/         entry
                                                CVE/
                                                conference
  • TryHackMe    • HTB retired   • Security+    • First bug      • OSCP or
    beginner       machines        or eJPT        bounty           PNPT
    paths                          complete       submission     • Junior
  • Kali + VM    • 1-2 CTF      • 10+ public   • First BSides   analyst/
    setup          categories      writeups       talk or CFP      SOC T1/
  • DVWA/                       • Basic          submitted        Jr. PT
    Metasploitable              network +      • HTB Pro Lab   • Real-world
  • RTL-SDR                     web fluency    • RF: Flipper     scope +
    (optional                   • RF: RTL-SDR    + HackRF         paperwork
    RF track)                     → Flipper      if RF track      = white hat

─────────────────────────────────────────────────────────────────────────────

Figure 9.4 — Realistic learning-path roadmap. The horizontal axis is calendar time at a sustained 10–15 hrs/week pace. The RF track is optional but indicated — for a Hack Tools reader with RF hardware already on the bench, it runs in parallel with the web/network track rather than instead of it.


5. A day in the life

Three composite narratives for three distinct flavors of the green-hat learner. None of these are real individuals; all are recognizable to anyone who has spent time in the community.

5.1 The bootcamp or degree student — structured path

Maya is 27 and a first-year student in a 12-month cybersecurity certificate program at a community college. She spent five years as a network administrator for a regional healthcare system and decided to formalize the security knowledge she’d been picking up on the job. The program has structured it: CompTIA Security+ in the first semester, then a practical-hacking course in the second, covering Metasploit and basic web exploitation in a controlled lab environment.

Her Tuesday is a scheduled lab session: the course has spun up a VirtualBox environment with Metasploitable 2, and the week’s exercise is exploiting a known Samba vulnerability with Metasploit. The exploitation step takes ten minutes; the instructor’s insistence on reading the CVE writeup and tracing the vulnerable code path takes another 90 minutes. This is the part that distinguishes her program from a tool-recipe bootcamp — the lab is woven through with “why does this work” questions that won’t be on any certification exam but will be on every technical interview she takes.

She has the Security+ scheduled for next month. She’s studied for it in the evenings using Professor Messer’s free video series — the benchmark free resource for the cert — and feels ready. She’s more interested in the OSCP eventually, but the Security+ is the floor that her state’s DoD contractor job postings require. Box checked first, then build.

5.2 The evening self-taught learner — full-time job plus 1–2 hours per night

Tomás is 33, works in IT support at a logistics company, and has been spending his evenings on TryHackMe for eight months. He has a subscription. He’s worked through the “Jr. Penetration Tester” learning path and is most of the way through the “Web Fundamentals” path. He’s been posting short writeups to a personal GitHub repository after each completed room — nothing polished, mostly just notes to himself, but public.

A hiring manager at a local MSP noticed the GitHub and sent him an email last week about a junior security analyst role. The listing said “Security+ preferred.” Tomás doesn’t have a Security+ yet. The manager was more interested in the GitHub than the cert.

Tonight he’s working on a retired HackTheBox machine — the first one he’s tried without a guided path. He spent 45 minutes getting the initial foothold, found the privilege escalation vector after another hour, and then spent another 30 minutes reading about why the misconfiguration existed in the first place. He is, to his own mild surprise, having a good time. He writes it up.
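The 30 minutes Tomás spends on "why the misconfiguration existed" is the part of the loop that turns a privilege-escalation trick into a defensive finding. The block below is an added example for this volume, not any platform's solution or the machine's real configuration: it triages the two most common Linux enumeration outputs, `sudo -l` and a SUID listing, against an assumed baseline and an assumed (and deliberately partial) list of shell-capable binaries. The sample outputs are constructed.

```python
"""Triage of Linux privilege-escalation misconfigurations from enumeration
output, the "why did this work" step after a lab privesc.

Added example for this volume; it is not any platform's solution or the
machine's real configuration. The sudo -l and SUID listings are constructed,
and SHELL_CAPABLE is a small subset of the well-known interactive-escape
binaries a learner would look up, not a complete catalogue.
"""
import re

# Binaries that can spawn a shell or read/write arbitrary files when they run
# with elevated privileges (assumed subset).
SHELL_CAPABLE = {"vim", "vi", "find", "awk", "python", "perl", "bash", "sh",
                 "less", "more", "env", "nmap", "tar", "cp"}

# SUID binaries a stock Debian/Ubuntu install is expected to carry (assumed
# baseline; anything outside it needs a documented reason).
EXPECTED_SUID = {"/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su",
                 "/usr/bin/mount", "/usr/bin/umount", "/usr/bin/chsh",
                 "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd",
                 "/usr/bin/pkexec", "/usr/lib/openssh/ssh-keysign"}

# A sudoers rule as `sudo -l` prints it: (runas) TAG: cmd1, cmd2 ...
SUDO_RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")


def _base(path_or_cmd: str) -> str:
    """'/usr/bin/python3.10 -c ...' -> 'python'; strips path, args, version."""
    name = path_or_cmd.split()[0].rsplit("/", 1)[-1]
    return re.sub(r"[\d.]+$", "", name)


def triage_sudo(sudo_l_output: str) -> list:
    """Return (command, reason) findings from `sudo -l` output."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = SUDO_RULE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd == "ALL":
                findings.append((cmd, "unrestricted sudo"))
            elif _base(cmd) in SHELL_CAPABLE:
                reason = "shell-capable binary via sudo"
                findings.append((cmd, reason + " (NOPASSWD)" if nopasswd else reason))
    return findings


def triage_suid(find_output: str) -> list:
    """Return (path, reason) findings from `find / -perm -4000 -type f` output."""
    findings = []
    for path in find_output.split():
        if path in EXPECTED_SUID:
            continue
        reason = "unexpected SUID binary"
        if _base(path) in SHELL_CAPABLE:
            reason += ", shell-capable"
        findings.append((path, reason))
    return findings


# Constructed enumeration output from a hypothetical lab machine.
SAMPLE_SUDO_L = """\
Matching Defaults entries for tomas on lab-box:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/bin

User tomas may run the following commands on lab-box:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/systemctl restart apache2
"""
SAMPLE_SUID = """\
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/python3.10
/usr/local/bin/backup
"""

if __name__ == "__main__":
    for cmd, why in triage_sudo(SAMPLE_SUDO_L) + triage_suid(SAMPLE_SUID):
        print(f"{cmd}: {why}")
```

The write-up that comes out of this is the one hiring managers want to read: not "ran find -exec /bin/sh and got root" but "a NOPASSWD sudo rule on a binary that can spawn a shell is equivalent to unrestricted sudo, and the fix is to scope the rule to a wrapper script or drop it."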

5.3 The hobbyist-curiosity learner — engineering overlap

Elena is 58, recently retired from a 30-year career as an RF systems engineer for an aerospace contractor. She has an RTL-SDR V3 on her desk and has been using it to decode APRS packets and ADS-B aircraft signals. She bought a Flipper Zero three months ago, mostly out of curiosity after reading about sub-GHz signal capture, and has been using it to examine the 315 MHz remote for her garage door opener and the 433 MHz sensors on her home weather station.
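What Elena is learning from the garage remote is whether its code is fixed or rolling, and a Flipper Zero Sub-GHz RAW capture is enough to answer that. The block below is an added example for this volume, not Flipper firmware or any vendor's protocol specification: it writes and then decodes a RAW-format capture of a hypothetical 315 MHz PWM remote. The capture is synthetic (a chosen 24-bit code encoded with assumed pulse widths into the RAW file layout of signed microsecond durations, positive for carrier on, negative for carrier off), so the round trip is exact; a real capture adds preambles, noise and jitter that this version only partly tolerates.

```python
"""Decode a fixed-code OOK/PWM remote from a Flipper Zero Sub-GHz RAW file
and check whether every captured press carries the same code.

Added example for this volume, not Flipper firmware or any vendor's protocol
spec. The capture is synthetic: a chosen 24-bit code is encoded with the
assumed timings below into the RAW file layout (signed microsecond durations,
positive = carrier on, negative = carrier off), then decoded back. Real
captures add preambles, noise and jitter this version only partly tolerates.
"""

SHORT_US = 350                 # assumed short pulse
LONG_US = 1050                 # assumed long pulse (3x short, a common PWM ratio)
SYNC_GAP_US = 10850            # assumed carrier-off gap between frames
FRAME_GAP_THRESHOLD_US = 5000  # any off period longer than this ends a frame


def encode_frame(code: int, bits: int = 24) -> list:
    """PWM: bit 1 = long on, short off; bit 0 = short on, long off.
    The frame ends with a short sync pulse and the inter-frame gap."""
    out = []
    for i in range(bits - 1, -1, -1):
        out += [LONG_US, -SHORT_US] if (code >> i) & 1 else [SHORT_US, -LONG_US]
    return out + [SHORT_US, -SYNC_GAP_US]


def render_sub_file(frequency_hz: int, durations: list, per_line: int = 32) -> str:
    """Lay out durations in the Flipper RAW file format (header fields
    assumed from the firmware's file layout)."""
    header = ["Filetype: Flipper SubGhz RAW File", "Version: 1",
              f"Frequency: {frequency_hz}",
              "Preset: FuriHalSubGhzPresetOok650Async", "Protocol: RAW"]
    rows = ["RAW_Data: " + " ".join(str(d) for d in durations[i:i + per_line])
            for i in range(0, len(durations), per_line)]
    return "\n".join(header + rows) + "\n"


def parse_sub_file(text: str) -> tuple:
    """Return (frequency_hz, [durations]) from RAW file text."""
    freq, durations = None, []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Frequency":
            freq = int(value)
        elif key == "RAW_Data":
            durations += [int(v) for v in value.split()]
    return freq, durations


def split_frames(durations: list) -> list:
    """Cut the stream at long carrier-off gaps."""
    frames, current = [], []
    for d in durations:
        current.append(d)
        if d < 0 and -d >= FRAME_GAP_THRESHOLD_US:
            frames.append(current)
            current = []
    if current:
        frames.append(current)
    return frames


def decode_frame(frame: list):
    """Pair each on-pulse with the following off-pulse and read a bit from
    which of the two is longer. Comparing within the pair rather than against
    fixed widths tolerates clock drift and jitter. Returns (code, bit_count)
    or None if the frame is malformed."""
    pairs = []
    for i in range(0, len(frame) - 1, 2):
        on, off = frame[i], frame[i + 1]
        if on <= 0 or off >= 0:
            return None
        pairs.append((on, -off))
    if pairs and pairs[-1][1] >= FRAME_GAP_THRESHOLD_US:
        pairs.pop()                      # drop the sync pulse + gap
    code = 0
    for on, off in pairs:
        code = (code << 1) | (1 if on > off else 0)
    return code, len(pairs)


def codes_in_file(text: str) -> list:
    """Decode every frame in a RAW file; malformed frames are skipped."""
    _, durations = parse_sub_file(text)
    decoded = [decode_frame(f) for f in split_frames(durations)]
    return [d for d in decoded if d is not None]


def is_fixed_code(decoded: list) -> bool:
    """True when every captured press carries the same code, which means a
    recorded frame replays verbatim. A rolling-code remote would show a
    different code on every press."""
    return len(decoded) > 1 and len(set(decoded)) == 1


# Constructed capture: three presses of a hypothetical 315 MHz fixed-code remote.
SAMPLE_CODE = 0xA5C3F0
SAMPLE_FILE = render_sub_file(315000000, encode_frame(SAMPLE_CODE) * 3)

if __name__ == "__main__":
    decoded = codes_in_file(SAMPLE_FILE)
    print([hex(c) for c, _ in decoded], "fixed code:", is_fixed_code(decoded))
```

The security reading is the last function: if three presses decode to three identical codes, the remote is a fixed-code device and anyone who records one frame can replay it; if the codes differ per press, the remote is rolling-code and the capture is, on its own, useless for replay. Elena's RF background already tells her what the waveform means; the tradecraft vocabulary is what tells her why the first case matters to an attacker.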

She has no career ambitions. She is, by every technical measure, not a green hat — she has decades of RF engineering experience. But in the specific domain of security research, she is absolutely a newcomer, and she is wearing the hat correctly: working exclusively with her own equipment, using authorized environments (the CTF platform she signed up for out of curiosity after her RF experiments led her to read Vol 13 of this series), and building a mental model of where her RF background intersects with the security-tradecraft vocabulary she’s encountering.

This is the population that the Hack Tools project is most directly adjacent to. The EE or RF engineer who arrives at security from the hardware side, with deep technical foundations and a curiosity about how the tradecraft intersects with the physics they know. Elena is a green hat in a domain. She will, probably, stop being one within a year — not because she’ll get an OSCP, but because the domain boundaries will dissolve and she’ll just be an engineer who understands security in the RF domains she’s always worked in. This is a perfectly reasonable outcome that doesn’t require a career change, a certification, or a CTF win.


6. How they get hired — entry-level reality

The most honest thing to say upfront: most of the working security professionals who came up in the last 15 years did not follow a tidy progression from green hat through a defined credential path to a professional role. They came from sysadmin roles, software development, military IT, network engineering, IT support, undergraduate computer science programs that had no security track, and self-taught backgrounds with no formal credentials at all. The field absorbs what it can find; it has had a consistent shortage of qualified people for as long as it has existed as a profession.

6.1 The cert ladder for entry

Certifications are HR filters first and competence signals second. Knowing which is which matters for prioritizing effort.

| Cert | Cost (early 2026) | Signal type | What it gates | Notes |
|---|---|---|---|---|
| CompTIA Security+ | ~$390 exam | HR filter (DoD 8140 baseline, many gov/contractor jobs) | Entry-level analyst roles at defense contractors and federal agencies | Professor Messer’s free video series is the standard prep; multiple-choice plus a few performance-based questions; theory-heavy; not a hands-on competence signal |
| eJPT (INE, formerly eLearnSecurity) | ~$200 | Hands-on competence | Nothing in particular; voluntary baseline signal | Genuinely practical; not widely HR-recognized yet; good first hands-on cert |
| CompTIA PenTest+ | ~$400 | HR filter (lighter than OSCP) | Pentest-adjacent roles at organizations that require it | Multiple-choice + performance items; less respected than OSCP in the practitioner community but recognized in HR systems |
| TCM Security PNPT | ~$400 | Hands-on competence | Nothing mandatory; practitioner-respected | Practical: report-based, live network engagement with a debrief; TCM-community recognition; good cost-to-credibility ratio |
| OffSec OSCP (PEN-200) | ~$1,500+ (course-plus-exam bundle) | Hands-on competence (industry gold standard) | Many pentest roles explicitly require it | 24-hour exam on live machines plus a written report; the credential most practitioners respect; the target for serious entrants to the pentest path |
| GIAC GSEC | ~$1,000 exam attempt when bundled with a SANS course, ~$2,500 standalone; the SANS course itself adds several thousand more | HR filter (enterprise SOC roles) | SANS-ecosystem enterprise SOC | Expensive; organization-sponsored path in most cases |

Table 9.4 — Cert ladder for entry-level and pre-professional learners. Costs are approximate exam fees (for OSCP, the course-plus-exam bundle) as of early 2026; training costs add substantially and all figures should be checked against the vendors’ current pricing. Cross-reference Vol 6 §6 for the post-entry professional ladder and Vol 18 for the full career-path synthesis.

The sequencing most commonly recommended: Security+ first if the target is government/defense/contractor roles where it’s a hard requirement; PNPT or eJPT first if the target is practitioner-track roles and you want to demonstrate hands-on capability quickly; OSCP as the medium-term target for pentest track regardless of what comes before it.

6.2 The portfolio for newcomers

The hiring signal that HR systems recognize is the cert; the hiring signal that technical hiring managers weight is the portfolio. Both matter; they matter to different people in the hiring process.

A useful entry-level portfolio:

  • Public CTF writeups (GitHub repository, personal blog, or CTFtime.org profile) — 10+ writeups demonstrating methodical problem-solving
  • HackTheBox or TryHackMe profile showing completed machines and earned badges
  • First CVE (optional but notable) — even a low-severity CVE in a small open-source project demonstrates the full cycle from discovery through coordinated disclosure
  • First BSides talk or lightning talk (optional but high-leverage) — the security conference circuit has a lower barrier to first-talk than most technical fields; a 20-minute BSides talk on a CTF technique or a tool you built is a credible credential
  • GitHub repositories showing tool work: a custom Python script for a CTF, a modified exploit proof-of-concept, a write-up generator, anything that shows you write code

The portfolio earns the technical conversation; the cert gets past the resume-filter layer. For entry-level roles at smaller organizations, the portfolio often outweighs the cert because small teams hire for demonstrated capability, not credentialing compliance.

6.3 First-job pathways

The most common first jobs in security, and the realistic entry paths to each:

| Pathway | Entry job | Comp (US, 2026 est.) | Skill gates | Notes |
|---|---|---|---|---|
| Direct security hire | SOC analyst Tier 1 | $55,000–$75,000 | Security+, some HTB/CTF portfolio | The most common direct-entry path; alert triage, IR level-1, SIEM work; the “pay your dues” role |
| IT support → security transition | IT support / helpdesk → lateral move | Varies | Baseline IT literacy, voluntary cert | The modal path; most working professionals went through some form of this |
| Sysadmin / network engineer → security | Internal security team, cloud security | $70,000–$95,000 | Platform expertise + a cert or two | Faster trajectory because of existing infrastructure knowledge |
| Developer → AppSec / product security | Application security engineer | $85,000–$110,000 | Development background + OWASP fluency | Growing track as organizations build internal AppSec teams |
| Bug-bounty → contract pentest | Junior pentest associate / consulting | $60,000–$90,000 | Bug-bounty track record, PNPT or OSCP | Less common direct-entry; more common as a transition from bug-bounty-as-side-income |
| Military / government IT | Federal SOC, government contractor | Varies by clearance | Clearance + baseline IT credential | Clearance is the differentiator; opens government and contractor roles unavailable otherwise |
| Apprenticeship (UK/EU) | Security apprentice | Varies by country | Variable | More common in UK/EU than US; explicitly structured entry without degree requirement |

Table 9.5 — First-job pathways for entry-level security professionals. Compensation figures are US market estimates as of early 2026; verify against current salary surveys (SANS, ISC², LinkedIn). Cross-reference Vol 18 for the full career-path synthesis and Vol 6 §6 for the mid-career professional ladder.

6.4 The non-traditional path reality

The industry data on this is consistent and has been consistent for over a decade: the majority of working security professionals did not start in a security-specific degree program. The field draws from:

  • IT and system administration (most common)
  • Software development and engineering (second most common)
  • Network engineering
  • Military and government IT backgrounds (including military intelligence and signals roles, which carry direct overlap)
  • Self-taught backgrounds with no formal CS education at all
  • Crossover from adjacent technical fields — electrical engineering, RF engineering, embedded systems, hardware reverse engineering

What this means practically for a green hat planning a trajectory: the credential that opens the door matters, but the experience path that gets you the credential and the portfolio is flexible. A sysadmin with 10 years of Windows Active Directory experience who adds a Security+ and takes the OffSec PEN-200 course is, at the end of that 12 months, more hireable for most roles than a fresh computer science graduate with no hands-on exposure. The field does not gatekeep by degree in the way that, for example, medicine or law does. The green hat’s advantage is that the on-ramp is genuinely accessible — expensive in time, moderately expensive in money, but not gated by a 4-year prior commitment.

The non-traditional-path note. This field absorbed sysadmins, devs, networkers, IT support staff, military veterans, RF engineers, and self-taught people across its entire existence. It continues to do so. The person who says “I don’t have a security background” is usually describing their previous job title, not their relevant skill set. The certification-and-portfolio path described in §6.1 and §6.2 is the on-ramp; the destination is a field that is, empirically, comfortable with non-linear histories.


7. Famous figures — five self-taught arcs

Five figures whose public careers illustrate the green-hat-to-professional arc — specifically the “started from nothing, demonstrated learning publicly, became professional” trajectory that this volume is about. Each profile includes an “as of early 2026” qualifier on current-role claims; all professional histories are sourced from public record (YouTube channels, HackerOne profiles, publicly-given talks and interviews, published journalism).

7.1 John Hammond — YouTube educator and Huntress principal security researcher

John Hammond’s public career arc is the canonical self-taught-CTF-player-to-professional-security-researcher trajectory. He built a large YouTube channel [1] covering CTF walkthroughs, malware analysis, and security tooling — the video series that a substantial fraction of the current learner community cites as an entry point. His approach on the channel is pedagogical in the best sense: he works problems live, narrates his reasoning process including the dead ends, and treats the viewer as someone capable of following technical detail rather than as a passive audience.

His career moved from content creation and competition (he was an active CTF competitor) to professional work at Huntress, the managed detection and response (MDR) company focused on SMB and MSP markets, where he holds the Principal Security Researcher role on the Adversary Tactics / Threat Operations team (promoted from Senior; verified active as of early 2026 [2]). The trajectory, CTF community to content creation to professional researcher to senior individual contributor, is the green-hat arc made visible: public demonstration of learning compounds into a professional reputation, which converts to a professional role, which then advances into senior-IC seniority.

His channel is worth flagging to a Hack Tools reader specifically because he covers the exact surface area that the RF starter kit described in §3 eventually leads into: post-exploitation, malware behavior, and the technical detail that connects CTF-style exploitation to real-world defensive and offensive work.

7.2 STÖK / Fredrik Alexandersson — bug-bounty hunter and content creator

Fredrik Alexandersson, known in the bug-bounty community as STÖK, is a Swedish bug-bounty hunter and content creator who entered bug bounty through the public platforms (HackerOne and Bugcrowd) and built his reputation through live-hacking events and a YouTube channel devoted to bug-bounty methodology and mindset [3]. He is a distinct person from Frans Rosén, the Swedish researcher associated with Detectify whose public work on subdomain takeover and OAuth/SSO attack chains is sometimes conflated with STÖK’s; the two are often cited together because both document web-application methodology for the Swedish and wider bug-bounty community.

His public trajectory illustrates the grey-to-white pathway via bug bounty as this series frames it: an independent researcher operating within program scope, demonstrating capability publicly through disclosed reports, live-hacking events and conference talks, and converting that visibility into commercial and advisory work. His YouTube channel and Twitter/X presence are oriented toward making advanced bug-bounty methodology accessible to learners, which places him at the intersection of the bug-bounty world and the content-creation-as-on-ramp model. Frans Rosén’s Detectify association is the company-side version of the same conversion, and a separate biography (verify the current relationship as of early 2026 [4]).

For a Vol 9 reader: STÖK’s public work is the most direct illustration of what the bug-bounty pathway — the Vol 8 §6 grey-to-white conversion mechanism — looks like in practice for a web-focused practitioner.

7.3 NahamSec / Ben Sadeghipour — live-hacking champion and educator

Ben Sadeghipour, known as NahamSec, is a bug-bounty hunter, educator, and live-hacking event participant with a significant presence across YouTube and Twitch [5]. He has been a recurring participant in HackerOne’s live-hacking events — the invitation-only competitions where top-ranked researchers are put in a room with a company’s infrastructure and a time limit — and has been public about both his methodology and his learning arc from newcomer to ranked researcher.

His particular contribution to the learner ecosystem is the explicit documentation of how he learned: blog posts, video walkthroughs, and interviews that trace the “I was bad at this once and then I got better by doing X” arc rather than presenting a polished expert persona. He has organized and run free training resources for the bug-bounty community, including beginner guides and tool walkthroughs aimed explicitly at learners with no prior background.

The Twitch live-hacking format he helped popularize is worth noting for a Vol 9 reader: watching a skilled practitioner work through a bug-bounty target in real time, with live chat interaction and visible reasoning process including failed attempts, is a different kind of learning from reading a polished writeup. The format makes the intermediate steps — the guesses, the dead ends, the “oh, I should check this” moments — visible in a way that finished writeups typically compress out.

7.4 InsiderPhD / Katie Paxton-Fear — academic and bug-bounty educator

Katie Paxton-Fear, known as InsiderPhD, is a UK researcher whose public profile spans an academic career (a PhD and university research) and a bug-bounty track record developed publicly alongside the academic work, with API security as her research and teaching focus [6]. Her YouTube channel is oriented toward learners entering bug bounty from no-technical-background starting points — a distinct and underserved part of the green-hat population — and has been explicit about the “I was a history student, now I do security research” arc.

Her contribution to the Vol 9 framing is the non-technical-background version of the green-hat arc. Most of the “famous figures” in security came from CS, EE, or IT backgrounds. Katie’s public arc started from a social sciences background and moved through self-directed learning into academic research and practical security work. The green-hat arc is available to people who didn’t grow up writing C or building electronics.

She is also notable for her focus on API security — a domain that has grown substantially in the 2020s as APIs became the primary attack surface for web applications — which connects her academic and teaching work directly to practical research tradecraft. The InsiderPhD channel is worth pointing at for any learner who feels excluded from security by their lack of a technical background.

7.5 LiveOverflow / Fabian Faessler — European CTF educator

Fabian Faessler, known as LiveOverflow, runs one of the most technically substantive security YouTube channels in the learner ecosystem [7]. Based in Germany, his channel covers CTF challenge analysis, binary exploitation, browser security research, and occasional hardware/RF topics with a consistent style: deep technical explanations that treat the viewer as capable of following complex material, with explicit attention to how the researcher reasons through problems rather than just presenting the solution.

His arc is less of a zero-to-professional narrative and more of a researcher-as-educator who built a substantial audience and professional reputation through the quality of his public work. He has been involved in real-world browser security research (covering topics like Chrome V8 exploitation and web platform edge cases) that cross the line from CTF-technique-catalog into frontline security research.

For a Hack Tools reader, LiveOverflow’s channel is the canonical European analog to John Hammond’s US-audience channel — deep technical content, accessible framing, and a style that models how expert practitioners think about novel problems. The CTF analysis videos specifically are the best single resource for understanding the gap between “I know how buffer overflows work conceptually” and “I can exploit this specific binary in this CTF environment.”

| Figure | Channel / Handle | Specialty | Employer / status (early 2026) | Arc type |
|---|---|---|---|---|
| John Hammond | YouTube: JohnHammond, @_JohnHammond | CTF, malware analysis, security education | Huntress, Principal Security Researcher (Adversary Tactics / Threat Operations team) [2] | CTF → content → professional researcher → senior IC |
| STÖK / Fredrik Alexandersson | YouTube: STOKfredrik, HackerOne: stok | Web, bug-bounty methodology, live-hacking events | Independent bug-bounty hunter and content creator [3] | Bug-bounty independent → content creator and commercial security ecosystem |
| NahamSec / Ben Sadeghipour | YouTube/Twitch: NahamSec | Bug bounty, live-hacking, web | Independent; HackerOne live-hacking participant | Bug-bounty learner → community educator → ranked hunter |
| InsiderPhD / Katie Paxton-Fear | YouTube: InsiderPhD | API security, beginner outreach | Academic (PhD); bug-bounty practitioner | Non-technical background → academic + practical security |
| LiveOverflow / Fabian Faessler | YouTube: LiveOverflow | CTF analysis, binary exploitation, browser security | Independent researcher / educator | Technical educator; European community anchor |

Table 9.6 — Five self-taught figures illustrating the green-hat-to-professional arc. Current-role claims carry “as of early 2026” qualification; verify against primary sources before quoting. Channel links in the Resources section.


8. Callouts and cross-references

8.1 The non-linear path

The path is non-linear. The 24-month roadmap in §4.5 is a template, not a prediction. Security careers are among the most heterogeneous in the technology industry. The practitioner who says “a year ago I was teaching high school biology; now I’m a SOC analyst at a healthcare system” is describing the modal path with different prior-job nouns, not an exception. People arrive at security from IT support, from the military, from software development, from RF engineering, from entirely non-technical careers, from self-taught backgrounds with no formal education in any adjacent field. The credential path (§6.1) and the portfolio path (§6.2) are the structured components of the arc; the prior that gets you to the starting line of those paths can be almost anything. The green hat is not defined by where you came from.

8.2 Authorization — the non-negotiable

Authorization callout — the mistake mode that ends careers early. Labs you own, platforms you’ve agreed to terms with, and bug-bounty programs with published scope: legal. Networks, systems, and applications you don’t own or haven’t been explicitly granted permission to test: a federal crime under the CFAA (18 U.S.C. § 1030), chargeable as a felony in many circumstances, regardless of your intent (Vol 8 §1.1; Vol 19). The green-hat mistake mode, “I’ll just try it on a real site to see if it works,” is not a grey area. TryHackMe, HackTheBox, PortSwigger Academy, CTF competitions, and bug-bounty programs exist precisely to provide the authorized environment where the same techniques are legal to apply. Use those. The technique you want to practice almost certainly has a platform that lets you practice it legally. The 2022 DoJ policy revision on good-faith security research (Vol 4 §5.3) provides prosecutorial discretion, not legal immunity. State law runs in parallel and is not bound by the federal policy. Bug-bounty scope is narrower than the company name: subdomains, IP ranges and applications the program explicitly excludes are as off-limits as a stranger’s network, and a program that lists “*.example.com” has not authorized you against its suppliers or its employees’ personal sites. The authorization stack (Vol 6 §1) is what makes the same technical activity white-hat; the absence of it makes it grey-hat at best and criminal at worst.
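The engineering form of this callout is a scope gate that every tool in the learner’s kit calls before it sends a packet. The block below is an added example for this volume, not any platform’s or program’s code: it models a bug-bounty program’s published scope (host names, `*.` wildcards and CIDR ranges, with exclusions taking precedence) and refuses targets outside it. The program scope is constructed from RFC documentation names and addresses, not taken from a real program, and the assumption that a `*.example.com` wildcard does not cover the apex `example.com` unless it is listed separately is the author’s; read the actual program rules for the convention it uses. Passing this check is a necessary control, not a substitute for reading those rules.

```python
"""Scope gate: refuse to touch a target unless it falls inside a bug-bounty
program's published scope, with exclusions winning over inclusions.

Added example for this volume; the program scope below is constructed (RFC
documentation names and addresses), not any real program's, and passing
this check is a necessary engineering control, not a substitute for reading
the program's rules. Assumption: a "*.example.com" wildcard does not cover
the apex "example.com" unless it is listed separately.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Scope:
    in_scope: list                                     # hostnames, *.wildcards, CIDRs
    out_of_scope: list = field(default_factory=list)   # same forms; take precedence


def host_of(target: str) -> str:
    """Extract the host from a URL or a bare host[:port]."""
    if "://" not in target:
        target = "//" + target
    host = urlsplit(target).hostname
    if not host:
        raise ValueError(f"no host in {target!r}")
    return host.rstrip(".").lower()


def _matches(pattern: str, host: str) -> bool:
    """One scope entry against one host name or address."""
    try:
        net = ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        net = None
    if net is not None:
        try:
            return ipaddress.ip_address(host) in net
        except ValueError:
            return False                         # hostname against a CIDR entry
    pattern = pattern.rstrip(".").lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])        # ".example.com" suffix; apex excluded
    return host == pattern


def authorized(scope: Scope, target: str) -> bool:
    """Exclusions are checked first so a listed exception always wins."""
    host = host_of(target)
    if any(_matches(p, host) for p in scope.out_of_scope):
        return False
    return any(_matches(p, host) for p in scope.in_scope)


def require_authorized(scope: Scope, target: str) -> str:
    """Call before any request; raises instead of silently proceeding."""
    if not authorized(scope, target):
        raise PermissionError(f"{target} is outside the program's published scope")
    return host_of(target)


# Constructed program scope (example.com and 203.0.113.0/24 are RFC-reserved).
PROGRAM = Scope(
    in_scope=["*.example.com", "api.example.com", "203.0.113.0/24"],
    out_of_scope=["legacy.example.com", "*.internal.example.com"],
)

if __name__ == "__main__":
    for t in ["https://app.example.com:8443/login", "example.com",
              "legacy.example.com", "db.internal.example.com",
              "203.0.113.7", "203.0.114.1", "example.com.attacker.test"]:
        print(f"{t:40} {'OK' if authorized(PROGRAM, t) else 'REFUSE'}")
```

Two design choices carry the security weight. Exclusions are evaluated before inclusions, so a program that lists a whole wildcard but carves out a production-payments host can never be accidentally overridden by the broader rule. And the wildcard is a dotted-suffix match on the parsed host, not a substring match on the URL, so `example.com.attacker.test` and `notexample.com` are refused; a substring check is the classic way scope gates go wrong.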

8.3 Cross-references within this series

  • Vol 1 §3 — the decision graph for navigating the series; the hat-spectrum table from which Vol 9’s position derives.
  • Vol 5 §5.3 — green hat’s emergence as a learner-community vocabulary term (~2015); the Axis-1 pre-operational positioning.
  • Vol 5, Figure 5.5 — the master taxonomy diagram; green hat’s placement below the Axis-1 ethical-stance continuum.
  • Vol 4 §5.3 — the 2022 DoJ policy revision on good-faith security research.
  • Vol 6 §6 — the professional cert ladder (mid-career through senior); §6.1 above cross-connects at the OSCP/PNPT level.
  • Vol 8 §6 — the grey-to-white conversion pathway via bug bounty; the STÖK/NahamSec type arcs run through this.
  • Vol 18 — Careers (full treatment): cert ladder synthesis, portfolio strategy, salary benchmarks, interview frameworks. Vol 9 §6 is the green-hat entry point; Vol 18 is the destination.
  • Vol 19 — The legal line and ethics: CFAA statutory treatment, Van Buren, DoJ 2022 policy, international equivalents. The authorization callout in §8.2 points here for depth.

8.4 Cross-tool references (RF starter kit)

The RF starter-kit progression (§3.3) cross-links to the Hack Tools hardware deep dives. The paths below resolve from Hacker Tradecraft/03-outputs/HackerTradecraft_Complete.html:

  • RTL-SDR: ../../RTL-SDR/CLAUDE.md (deep dive not yet authored as of early 2026; CLAUDE.md is the placeholder).
  • Flipper Zero: ../../Flipper Zero/03-outputs/Flipper_Zero_Complete.html (full deep dive; see sub-GHz, RFID, NFC, IR volumes).
  • HackRF One: ../../HackRF One/03-outputs/HackRF_One_Complete.html (full deep dive; see Vol 13 for SDR fundamentals).
  • Proxmark3 RDV4: ../../Proxmark3 RDV4/CLAUDE.md (deep dive not yet authored as of early 2026; CLAUDE.md is the placeholder).

8.5 Cheatsheet bullets for Vol 20

  • Green hat = learner; defined by trajectory (toward white), not ethics.
  • Pre-operational on Axis 1: hasn’t yet faced the authorized/unauthorized choice at scale.
  • The mistake mode: applying CTF-lab technique to unauthorized live targets.
  • Term emerged ~2013–2015 in learner communities; CompTIA/EC-Council adopted it ~2015.
  • RF starter kit: RTL-SDR ($30) → Flipper Zero ($170) → HackRF One ($300–340) → Proxmark3 ($400).
  • Core learning platforms: TryHackMe (guided), HackTheBox (self-directed), PortSwigger Web Academy (web), picoCTF (beginner CTF), OffSec PEN-100/200 (pre-professional).
  • The learning loop: build → break → understand → write up (the write-up step compounds into a career).
  • Realistic timeline: 6 mo = CTF comfortable; 12 mo = entry-level-adjacent; 24 mo = OSCP-eligible.
  • First-job certs: Security+ (HR filter, DoD 8140), eJPT (hands-on), PNPT (practitioner-respected), OSCP (industry gold standard).
  • First job: SOC T1 ($55–75k), IT-to-security transition (most common path), developer-to-AppSec, bug-bounty to contract.
  • The field absorbs non-linear histories: sysadmins, devs, RF engineers, military, self-taught — all in.
  • Famous arcs: Hammond (CTF→educator→Huntress), STÖK (bug bounty→content creator), NahamSec (learner→live-hacking champion), InsiderPhD (humanities→PhD + API-security bounty work), LiveOverflow (European CTF educator, technical depth).

9. Resources

Core references for this volume, with annotations.

Learning platforms and infrastructure:

Certification bodies:

Famous figures — primary sources:

Legal and regulatory (cross-references):

RF starter kit (Hack Tools deep dives):

Salary and career data:

Footnotes

  1. John Hammond, YouTube channel. CTF walkthroughs, malware analysis, security tooling; consistent pedagogical approach with live problem-solving. https://www.youtube.com/@_JohnHammond

  2. John Hammond at Huntress. The Huntress company page and Hammond’s LinkedIn profile are the primary sources for current-role verification. As of early 2026, verify at https://www.huntress.com and Hammond’s public LinkedIn. Current-role claims in §7.1 carry the “as of early 2026” qualifier.

  3. STÖK (Fredrik Alexandersson), HackerOne profile. Bug-bounty track record, including live-hacking event placements, sourced from the platform’s public profile and STÖK’s own talks and videos; current rankings should be verified against the platforms’ leaderboards. https://hackerone.com/stok

  4. Frans Rosén and Detectify. Rosén, a Swedish researcher distinct from STÖK and known for subdomain-takeover and OAuth/SSO research, has been associated with Detectify (Swedish automated security scanning company) through public talks and his own blog posts; current status as of early 2026 should be verified against Detectify’s team page and Rosén’s public profiles.

  5. NahamSec (Ben Sadeghipour), YouTube channel. Bug-bounty methodology, live-hacking events, beginner-accessible content. https://www.youtube.com/@NahamSec

  6. InsiderPhD (Katie Paxton-Fear), YouTube channel. API security focus, beginner-outreach orientation, non-technical-background entry-point framing. https://www.youtube.com/@InsiderPhD

  7. LiveOverflow (Fabian Faessler), YouTube channel. Binary exploitation, CTF analysis, browser security; deep technical treatment, European community anchor. https://www.youtube.com/@LiveOverflow