One spring day in 2010, a hacker named Kevin Finisterre knew he had hit the jackpot. A network he had been casing finally broadcast the live video and audio feed of a police cruiser belonging to a US-based municipal government. His jaw dropped as a computer in his home office in Columbus, Ohio showed the vehicle—with flashing blue lights on and siren blaring—charging down a road of the unnamed city.

A burly 31-year-old with glasses and pork-chop sideburns, Finisterre has spent more than a decade applying his combination of street smarts and technical skills to pierce digital fortresses. For instance, he once accessed the work account of an engineer for a large utility company. Finisterre used a pilfered profile from Hotjewishgirls.com to trick the engineer into thinking he was interacting with a flirtatious 26-year-old woman, until the engineer finally coughed up enough personal information to make an attack on his corporate account successful.

It's not a bad way to earn a living.

Thrill of the hunt

Finisterre is one of the "good guys." He works as a penetration tester who gets paid to hack into Fortune 1000 casinos, banks, and energy companies; exploits like these are all in a day's work.

"I really, really love it," he says of his job—currently senior research consultant at security firm Accuvant Labs. "I've been able to get exposed to a lot of things that I wouldn't get exposed to unless I was trying to get myself arrested. What other opportunity are you going to get to try to hack into a bank?"

It's a common sentiment.

"There is a thrill," agreed Billy Rios, the 33-year-old leader of a team at Google acting as the company's front line of defense. "You're going up against some of the largest organizations in the world. They're basically hiring you to thwart them and circumvent all their security mechanisms."

Rios's team at Google has an unassuming name—Web or Other Product Security—but he and his colleagues review every advisory sent to the security@google.com e-mail address. They analyze reported bugs throughout the entire range of Google software and services, from the Chrome browser to Google+ and Gmail. Once they confirm that a given bug report is valid, they often exploit the flaw so they can assess its severity. Finally, Rios's group will repair the flaw or assign the fix to an engineering team.

Alex Lanstein also knows the feeling of adrenaline surging through his veins when chasing down malicious hackers. But the 26-year-old also enjoys the satisfaction of knowing his work has made a difference to literally hundreds of millions of Internet users. Over the past four years, he's been instrumental in taking down botnets pumping out tens of billions of spam e-mails each day.

It all started in 2008. Lanstein and his colleagues at security firm FireEye reverse engineered a botnet dubbed Srizbi, which used a date-based algorithm to periodically generate new sets of domains from which the botnet's shadowy controllers could issue new orders to their network. Lanstein soon discovered that when the Internet names used to host one of Srizbi's command and control channels were severed—as would later happen with the November 2008 shutdown of a notorious Web hosting company called McColo—the malware was programmed to dynamically produce new names with pseudo-random strings. It then instructed all infected machines to begin taking orders from servers located at these addresses. By dynamically changing the command and control domains, the Srizbi operators planned to stay one step ahead of those trying to disrupt their botnet.

Recognizing that Srizbi differed from most of the other botnets hosted by McColo, Lanstein took his findings to one of his contacts at VeriSign (one of the gatekeepers for the .com addresses used exclusively by Srizbi's domain generation algorithm). VeriSign set aside the names that the botnet would generate for the next year or two, and the 500,000 machines that belonged to the botnet became orphans, no longer under the influence of the botnet's operators. The result: Srizbi was incapacitated, with the exception of a brief resurrection attempt that ultimately proved futile.
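To make concrete why reverse engineering a date-based domain generation algorithm let the defenders reserve the botnet's future names ahead of time, here is an added example; it is not Srizbi's actual algorithm and not FireEye's code, and the seed, hash function and label length are assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed illustration of a date-based domain generation algorithm (DGA).
# Each day the malware derives a fresh set of candidate command-and-control
# names from the calendar date alone, so a defender who knows the algorithm
# can compute the same names in advance and reserve or sinkhole them.

SEED = b"example-botnet-seed"   # hypothetical per-family constant
NAMES_PER_DAY = 4
TLD = ".com"


def domains_for_day(day: date, seed: bytes = SEED, count: int = NAMES_PER_DAY) -> list[str]:
    """Return the candidate C2 domains a bot would try on the given day."""
    names = []
    for index in range(count):
        material = seed + day.isoformat().encode() + bytes([index])
        digest = hashlib.sha256(material).digest()
        # Map the first 12 digest bytes to lowercase letters to form the label.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        names.append(label + TLD)
    return names


def domains_for_period(start: date, days: int, seed: bytes = SEED) -> set[str]:
    """Defender side: precompute every name the DGA will produce over a window,
    e.g. to hand to a registry as a reservation or sinkhole list."""
    reserved = set()
    for offset in range(days):
        reserved.update(domains_for_day(start + timedelta(days=offset), seed))
    return reserved


def is_dga_candidate(domain: str, today: date, lookahead: int, seed: bytes = SEED) -> bool:
    """Detection side: does an observed DNS lookup match the DGA's schedule?"""
    return domain in domains_for_period(today, lookahead, seed)


if __name__ == "__main__":
    window = domains_for_period(date(2008, 11, 11), 365)
    print(f"{len(window)} names to reserve for the coming year")
```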

"Even though the other bots that were at McColo—Rustock and Pushdo—were able to come back up, we were holding Srizbi down," Lanstein said. "That showed as long as you really understand the way the malware works, you can hold it off pretty effectively."

In the coming years, Lanstein's analysis and contacts proved crucial in taking down other prolific spam botnets. His victories included Mega-D and Rustock, which at their height were among the Internet's biggest sources of junk messages. When he was unable to convince several domain registrars to suspend Mega-D domain names that violated their terms of service, Lanstein relied on webhost contacts who agreed to turn off the botnets' servers. The FireEye research was cited in legal papers filed against operators of both botnets.

"I got to go to court with Microsoft and the Justice Department and go in front of a federal judge and say those are bad guys doing bad things," Lanstein said. "It's pretty cool to be a part of that."

For 38-year-old Arian Evans, the satisfaction of being vice president of operations at WhiteHat Security lies in the opportunity to deliberately break the applications that banks, social media providers, and other businesses use to deliver online services.

"I was the kid who would take apart the VCR and figure out how to put it back together," Evans said. "Taking it apart was for me just as fun, if not more fun, than putting it back together."

His team of 82 inflicts daily pain on Web apps used by more than 7,000 sites. He compares this grueling hacker brutality to the rigorous series of collision tests car manufacturers inflict on their automobiles to make sure they're safe.

"We're building the modern crash test dummies for the Internet," he says. "We're trying to simulate the accident to help [customers] build more robust software before the bad guys can cause a crash."