How to start learning ethical hacking
Regardless of how you enter the profession (courses or self-education), it is important for a hacker to keep their knowledge up to date: read articles about common problems and communicate with colleagues on forums. For example, a popular website run by the OWASP foundation is used by many ethical hackers as a guide. Here white hat hackers can share details of the problems they have discovered, and you can get a lot of valuable information.
But the OWASP list should not be treated as absolute: a security problem included in it may not be critical for a particular site. For example, some pages say that disclosing the brand of the server or the version number of the software is dangerous, because it tells the attacker which problems to look for. But a real attack tries all possible exploits without checking the brand of the server or the version number of the software.
Useful practical tools for a hacker are Burp Suite and Metasploit, which are used to automate testing.
They allow you to carry out a lot of checks quickly, but using them will not by itself make a person a good analyst. All tools have limitations, and the results they produce need to be carefully checked.
It is a little more difficult with tools for studying application code, because no two pieces of software are alike, and a weakness that is exploitable in one application may not apply to another. Fuzzing can be used here: a non-standard data stream is fed to the program in order to identify possible problems while it runs.
But in order to use the tools for this method, you need to thoroughly understand how they work. Therefore, they are often not suitable for beginners in hacking.
Tools often warn about possible problems that an attacker can exploit only in very specific circumstances. For example, a site may have no protection against clickjacking, but that is not dangerous unless clicks can cause damage. You should always check the relevance of a problem before reporting it to the site owner.
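
The clickjacking relevance check described above, as an added example that is not part of the original article: it decides whether a "missing framing protection" finding is worth reporting by checking both the response headers and whether the page contains anything a click could change. The function names, the heuristic for "state-changing" elements and the sample responses are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

class ActionFinder(HTMLParser):
    """Heuristic (assumption): collect elements whose click could change state."""
    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form" and (a.get("method") or "get").lower() != "get":
            self.actions.append(f"form {a['method'].upper()} {a.get('action') or ''}".strip())
        elif tag == "button" or (tag == "input" and (a.get("type") or "").lower() in ("submit", "button")):
            self.actions.append(f"{tag} {a.get('name') or a.get('value') or ''}".strip())

def framing_allowed(headers):
    """True if neither X-Frame-Options nor CSP frame-ancestors restricts framing."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-frame-options", "").strip().lower() in ("deny", "sameorigin"):
        return False
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # 'none', 'self' or specific origins restrict framing; wildcards do not.
            return any(src.lower() in ("*", "http:", "https:") for src in parts[1:])
    return True

def triage(headers, body):
    """Return (verdict, actions): 'protected', 'review' or 'informational'."""
    finder = ActionFinder()
    finder.feed(body)
    if not framing_allowed(headers):
        return "protected", finder.actions
    if finder.actions:
        return "review", finder.actions   # framable and clicks can do something
    return "informational", []            # framable, but nothing for a click to damage

# Constructed sample responses (not taken from any real site).
STATIC_PAGE = ({"Content-Type": "text/html"},
               "<h1>About us</h1><a href='/contact'>Contact</a>")
SETTINGS_PAGE = ({"Content-Type": "text/html"},
                 "<form method='post' action='/account/delete'>"
                 "<button name='confirm'>Delete</button></form>")
PROTECTED_PAGE = ({"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
                  SETTINGS_PAGE[1])

if __name__ == "__main__":
    for name, page in [("static", STATIC_PAGE), ("settings", SETTINGS_PAGE), ("protected", PROTECTED_PAGE)]:
        print(name, triage(*page))
```

A "review" verdict only means a person should look at what the listed elements actually do; an "informational" verdict matches the case in the text where the protection is absent but clicks cannot cause damage.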