Updated 2026 · 18 min read

Build a cybersecurity home lab.

Every cybersecurity job posting wants hands-on experience. Every certification rewards practical skill. The cheapest way to build both — for less than the cost of a single exam — is a home lab. This guide walks you through what to buy, what to install, and what to do with it once it's running.

Why a home lab matters

Three things a home lab does that nothing else can.

Reading about security and watching videos teaches you concepts. A home lab teaches you what those concepts feel like in practice — and gives you something concrete to put on a resume. Most successful career-changers in cybersecurity built one. Most failed candidates didn't.

Reason 01
Resume signal
"Built a home SOC with Wazuh and Sysmon" beats any cert summary on a junior resume.
Reason 02
Real practice
Tools behave differently in production than in tutorials. Discover that here, not in your first job.
Reason 03
Interview leverage
"Tell me about your home lab" is a real interview question. Be ready to answer it well.
Important · Read this first

A home lab is for learning, not for attacking real targets.

Every offensive technique in this guide is for use only against systems you own or have explicit written permission to test. Running scans, exploits, or attacks against systems you don't own is illegal in most jurisdictions and can cost you your career and freedom. Isolate your lab on its own network segment, never bridge it to your employer's VPN, and never test against production systems — yours or anyone else's.

01 / The Hardware

Three hardware tiers, by budget.

$0–$1,500

You don't need expensive hardware to learn cybersecurity. You need RAM and the discipline to use it. Pick the tier that matches your budget and learn what it teaches before upgrading.

Tier 01 · Free

Cloud-only lab

$0 · To start

Use cloud free tiers and browser-based ranges to practice without any local hardware. The fastest way to start tonight, the easiest to abandon.

  • AWS / Azure / GCP free tiers
  • TryHackMe free rooms
  • Hack The Box Starting Point
  • OverTheWire wargames
  • PortSwigger Web Security Academy
Best for: Absolute beginners, students, anyone who isn't sure cybersecurity is for them yet.
Tier 03 · Serious

Dedicated mini PC / NUC

$800–$1,500 · New build

A dedicated machine running Proxmox or ESXi as a hypervisor, with enough RAM to run a real lab — domain controller, multiple endpoints, attacker box, SIEM, all simultaneously.

  • Mini PC (Beelink, Minisforum) or NUC
  • 64GB RAM minimum
  • 1TB NVMe SSD
  • Proxmox VE (free) or ESXi
  • Optional: pfSense for network segmentation
Best for: Established practitioners, advanced cert prep (OSCP, OSEP), red/blue team specialists.
02 / The Build

Four stages, in order.

Beginner → Advanced

Build your lab in four stages. Don't skip ahead — each stage teaches something the next one assumes you know. The whole progression takes most people 6–12 weeks alongside other commitments.

Stage 01 · Foundation

Get a single VM running.

Goal: Install your first virtual machine and become comfortable with hypervisors before adding complexity.
~ 1 week

Install VMware Workstation Pro (free for personal use as of 2024) or VirtualBox. Download a Kali Linux ISO and create your first VM with 4GB RAM, 2 CPU cores, and a 40GB disk. Boot it. Take a snapshot. Break things. Restore the snapshot. Repeat.

This stage isn't about cybersecurity — it's about getting comfortable with the underlying platform. Most home labs fail at stage 2 because the builder didn't truly understand stage 1.

  • Install a hypervisor (VMware Workstation Pro or VirtualBox)
  • Create a Kali Linux VM with networking set to NAT
  • Practice taking snapshots before risky operations and reverting
  • Update the system, install one tool from APT, run it
  • Configure a host-only network for future isolation
Stage 02 · Network

Add a victim, isolate the network.

Goal: Build a two-VM lab with a Kali attacker and an intentionally vulnerable victim, on an isolated network you control.
~ 2 weeks

Add a vulnerable target — Metasploitable 2, OWASP Juice Shop, or DVWA. Put both VMs on the same host-only network so they can talk to each other but not to the internet. This is your safe playground.

Practice the basics: run nmap against the target, identify open ports, manually verify what each service is, look up known vulnerabilities. The point isn't to "win" — it's to learn how reconnaissance and enumeration actually feel.

  • Deploy Metasploitable 2 or OWASP Juice Shop as a victim VM
  • Configure both VMs on a host-only network (isolated from internet)
  • Run nmap against the victim and document what you find
  • Exploit at least one identified vulnerability manually
  • Document your steps in a personal blog or GitHub README
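
One way to confirm the isolation described above before running anything against the victim, as an added example that is not part of the original guide: it reads VirtualBox's `VBoxManage showvminfo <vm> --machinereadable` output and reports every enabled adapter that is not host-only or internal. The VM names, the sample excerpts and the function names are constructed for illustration.

```python
import re

# Modes with no path to the LAN or the internet. Anything else (nat, bridged,
# natnetwork, unknown values) is reported, so unfamiliar modes fail closed.
ISOLATED_MODES = {"hostonly", "intnet"}

NIC_LINE = re.compile(r'^nic(\d+)="([^"]*)"$')


def audit_nics(vm_name, showvminfo_text):
    """Return (vm, adapter, mode) for each enabled adapter that is not isolated."""
    findings = []
    for line in showvminfo_text.splitlines():
        m = NIC_LINE.match(line.strip())
        if not m or m.group(2) == "none":
            continue  # not a NIC line, or the adapter is disabled
        slot, mode = int(m.group(1)), m.group(2)
        if mode not in ISOLATED_MODES:
            findings.append((vm_name, slot, mode))
    return findings


def audit_lab(vms):
    """Audit every VM in a {name: showvminfo_text} mapping."""
    return [f for name, text in vms.items() for f in audit_nics(name, text)]


# Constructed excerpts in the nicN="mode" style; not captured from a real host.
SAMPLE = {
    "kali": 'name="kali"\nnic1="hostonly"\nhostonlyadapter1="vboxnet0"\n'
            'nic2="nat"\nnic3="none"\n',
    "metasploitable2": 'name="metasploitable2"\nnic1="bridged"\n'
                       'bridgeadapter1="eth0"\nnic2="none"\n',
    "juice-shop": 'name="juice-shop"\nnic1="hostonly"\n'
                  'hostonlyadapter1="vboxnet0"\n',
}

if __name__ == "__main__":
    for vm, slot, mode in audit_lab(SAMPLE):
        print(f"{vm}: adapter {slot} is '{mode}', not isolated")
```

A leftover NAT adapter on the Kali VM from Stage 01 is the usual finding; remove it or disable it before the victim VM is powered on.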
Stage 03 · Defense

Add visibility — build the blue team side.

Goal: Add a SIEM and endpoint logging so you can watch your own attacks happen in the logs. The single most valuable stage for SOC analyst aspirants.
~ 3 weeks

Add a Wazuh server VM. Install Wazuh agents on your other VMs. Install Sysmon on a Windows victim VM with the SwiftOnSecurity config. Now run an attack from Stage 02 again and watch what shows up in Wazuh.

This single experience — attacking your own machine and seeing the alerts fire — teaches more about how SOC work feels than weeks of reading. It's also the moment when "blue team" stops being abstract.

  • Deploy Wazuh manager on a dedicated VM (4GB RAM minimum)
  • Install Wazuh agents on all other VMs
  • Add a Windows 10/11 VM with Sysmon and SwiftOnSecurity config
  • Generate attack telemetry by running scans and exploits against your own VMs
  • Investigate the resulting alerts and correlate them to your actions
  • Write up one detection scenario as a portfolio piece
Stage 04 · Active Directory

Build a small AD environment.

Goal: Spin up a domain controller, join a workstation, and practice AD attack and defense — the single most-tested skill set in mid-level pentesting and SOC roles.
~ 4 weeks

Most enterprise networks run on Active Directory, and most enterprise attacks pivot through AD. Build a small domain: one Windows Server domain controller, one Windows 10 workstation joined to the domain, your Wazuh server collecting from both, and Kali for the attacker side.

The "Game of Active Directory" project (free GitHub repo) provides a ready-to-deploy vulnerable AD lab. From there, practice with BloodHound, Kerberoasting, and lateral movement — and watch every step in your SIEM.

  • Deploy Windows Server 2022 as a domain controller (free 180-day eval)
  • Join a Windows 10 client to the domain
  • Use the Game of Active Directory repo for a pre-made vulnerable setup
  • Run SharpHound and explore in BloodHound
  • Practice Kerberoasting and ASREPRoasting attacks
  • Detect the same attacks in Wazuh and Sysmon logs
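
One detection signal for the Kerberoasting step, as an added example rather than anything from the original guide: the domain controller's Security log records each service ticket request as event 4769, and one account requesting RC4 (0x17) tickets for several user-account services within minutes stands out. It assumes those events are forwarded to your SIEM; the sample events, thresholds and function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # ticket encryption type to watch for in event 4769


def find_kerberoast_candidates(events, min_services=3, window=timedelta(minutes=5)):
    """Flag accounts requesting RC4 tickets for many distinct services in one window."""
    per_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if (ev["EventID"] != 4769 or ev["Status"] != "0x0"
                or ev["TicketEncryptionType"].lower() != RC4_HMAC
                or svc.endswith("$") or svc.lower() == "krbtgt"):
            continue  # skip failures, non-RC4, machine accounts and krbtgt
        per_user[ev["TargetUserName"]].append((datetime.fromisoformat(ev["Time"]), svc))
    alerts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts[user] = sorted(services)
                break
    return alerts


def ticket_event(time, user, service, etype):
    """Build one constructed 4769 record with only the fields used above."""
    return {"EventID": 4769, "Time": time, "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype, "Status": "0x0"}


# Constructed events for a lab domain; not real telemetry.
SAMPLE_EVENTS = [
    ticket_event("2026-01-10T09:00:01", "alice@LAB.LOCAL", "WS01$", "0x12"),
    ticket_event("2026-01-10T09:00:05", "alice@LAB.LOCAL", "svc_sql", "0x12"),
    ticket_event("2026-01-10T09:14:30", "bob@LAB.LOCAL", "svc_sql", "0x17"),
    ticket_event("2026-01-10T09:14:31", "bob@LAB.LOCAL", "svc_web", "0x17"),
    ticket_event("2026-01-10T09:14:31", "bob@LAB.LOCAL", "svc_backup", "0x17"),
    ticket_event("2026-01-10T09:14:32", "bob@LAB.LOCAL", "DC01$", "0x17"),
    ticket_event("2026-01-10T11:00:00", "carol@LAB.LOCAL", "svc_legacy", "0x17"),
]
```

Tune `min_services` and `window` against your own lab's normal traffic before trusting the alert.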
03 / The Stack

What to install, by category.

All free tier

Every tool below is genuinely free for personal use. The flagship in each category — highlighted in accent — is the one most worth your time if you have to choose.

Hypervisor

Where your VMs run

The platform that hosts every other VM. Pick one, learn it, stick with it for at least the first six months.

VMware Workstation Pro · VirtualBox · Proxmox VE · Hyper-V
Attacker OS

Your offensive toolkit

Pre-loaded Linux distros with hundreds of security tools. Use one, customize it, take snapshots before experiments.

Kali Linux · Parrot OS · BlackArch · Commando VM
Vulnerable Targets

Things to attack legally

Deliberately vulnerable systems designed for practice. Each teaches different vulnerability classes safely.

Metasploitable 2/3 · OWASP Juice Shop · DVWA · VulnHub VMs · HackTheBox
SIEM

Where you watch attacks land

Centralized log collection and analysis. The blue team's main interface — every SOC analyst lives in one of these.

Wazuh · Splunk Free (500MB/day) · Security Onion · Graylog
Endpoint Telemetry

What your endpoints report

Sensors on your endpoints that generate the events your SIEM ingests. Without these, your SIEM is blind.

Sysmon + SwiftOnSecurity config · OSQuery · Velociraptor · Auditd (Linux)
Active Directory

For real-world realism

Once basics are solid, AD adds the realism most enterprise attacks need. Use evaluation licenses or community projects.

Windows Server 2022 (180-day eval) · Game of Active Directory · BadBlood · Samba 4 (Linux)
Network & Routing

Segmenting the lab

Once your lab grows past 3–4 VMs, dedicated network segmentation matters. Build the muscle memory now.

pfSense · OPNsense · VyOS · Mikrotik CHR
Container & Cloud

Modern attack surface

Most modern attacks involve containers or cloud. Add these once your VM-based lab is stable.

Docker · Kubernetes (kind, k3s) · AWS Free Tier · CloudGoat
04 / First Exercises

Eight things to do this month.

By difficulty

Once your lab is running, these are the practical exercises worth doing first. Each one teaches something specific that maps to real interview questions or job tasks.

01
Scan Metasploitable with nmap, document everything
Run nmap with -sV -sC -p- against your Metasploitable VM. Write up what each open port runs, what version it is, and one known vulnerability per service. This is the foundational pentesting exercise — every subsequent skill builds on enumeration.
nmap · Metasploitable
Beginner
02
Capture and analyze your own login traffic
Open Wireshark, start a capture, log in to a service over HTTP (deliberately, in your lab), and find your credentials in the packets. Then repeat over HTTPS to see why TLS matters. Foundational network analysis lesson in 15 minutes.
Wireshark · DVWA
Beginner
03
Solve OWASP Juice Shop's first 10 challenges
OWASP Juice Shop has gamified web vulnerabilities organized by difficulty. The first 10 challenges teach you XSS, SQL injection, and authentication flaws hands-on. Use Burp Suite Community to intercept and modify requests.
Burp Suite · Juice Shop
Intermediate
04
Build a Wazuh detection for a specific attack
Pick one specific attack (e.g., PowerShell base64 encoded command execution), trigger it in your Windows lab VM, identify the Sysmon event that captured it, and write a Wazuh rule that alerts on it. This is real detection engineering work.
Wazuh · Sysmon · PowerShell
Intermediate
05
Run BloodHound on your AD lab
After deploying Game of Active Directory, run SharpHound from a domain-joined workstation and import the data into BloodHound. Find the shortest path to Domain Admin. This single exercise teaches more about AD security than any book chapter.
BloodHound · SharpHound · AD
Advanced
06
Perform a Kerberoasting attack and detect it
Use Rubeus or Impacket's GetUserSPNs.py to extract Kerberos service tickets, crack one offline with hashcat, then check Wazuh and Sysmon logs to identify the detection signal. Red team and blue team perspectives in one exercise.
Rubeus · Hashcat · Wazuh
Advanced
07
Acquire and analyze a memory dump
Use FTK Imager (or LiME on Linux) to dump RAM from a compromised lab VM. Analyze it with Volatility — find running processes, network connections, and any injected code. The DFIR foundational exercise.
Volatility · FTK Imager
Advanced
08
Compromise an AWS account with CloudGoat
CloudGoat (from Rhino Security Labs) deploys deliberately vulnerable AWS environments you can attack. Walk through the IAM privilege escalation scenario end-to-end. The cheapest way to get cloud red team experience on a resume.
CloudGoat · Pacu · AWS CLI
Expert
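
For Exercise 04, the matching logic is worth prototyping before writing it as a Wazuh rule. This added example (not from the original guide) finds -EncodedCommand in Sysmon Event ID 1 command lines, including abbreviated forms such as -enc, and decodes the payload so the alert shows what actually ran. The sample events and function names are constructed for illustration.

```python
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -enc, ...).
_PREFIXES = "|".join("encodedcommand"[:n] for n in range(14, 0, -1))
ENC_FLAG = re.compile(
    r"(?:^|\s)[-/](?:" + _PREFIXES + r")\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)
PS_BINARY = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.IGNORECASE)

def decode_encoded_command(command_line):
    """Return the decoded script if the command line uses -EncodedCommand."""
    if not PS_BINARY.search(command_line):
        return None
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    blob = match.group(1)
    try:
        # The argument is base64 over UTF-16LE text; tolerate missing padding.
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # looked like the flag but was not a valid payload

def find_encoded_powershell(events):
    """Return process-creation events (Sysmon Event ID 1) that decode cleanly."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        script = decode_encoded_command(ev.get("CommandLine", ""))
        if script is not None:
            hits.append({"image": ev.get("Image"), "decoded": script})
    return hits

def encode_sample(script):  # builds the constructed sample payload below
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events, reduced to the fields used here (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 1, "Image": PS,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\lab\update.ps1"},
    {"EventID": 1, "Image": PS, "CommandLine":
     "powershell.exe -NoProfile -enc " + encode_sample("Write-Output 'lab test'")},
]
```

The -ExecutionPolicy line is the false positive to test for: it starts with -E but is not an encoded command, so a rule that matches on "-e" alone would fire on it.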
05 / Avoid These

Five mistakes that derail home labs.

From experience

Most home labs fail for the same reasons. Recognize the patterns early and you'll keep yours running.

01
Buying expensive hardware before knowing what to do with it
A $1,500 NUC in a closet doesn't teach you anything. A $300 used ThinkPad you actually use teaches a lot. Start with the smallest setup that works for the next stage, not the biggest setup you can imagine needing later.
02
Skipping the documentation
A lab that nobody can see produces nothing for your career. Document each stage on a personal blog or GitHub README. Include screenshots and what you learned. This is the artifact that wins interviews — not the lab itself.
03
Bridging the lab to your real network
Vulnerable VMs on the same network as your phone, smart TV, and work laptop are an actual risk. Use host-only networks. If your lab grows, segment it with pfSense. Never, ever expose lab VMs to the public internet.
04
Trying to learn everything at once
Pick one path: defense or offense. Build that path's stack first. Once you can demonstrate end-to-end skill on one side, then add the other. People who try to learn red and blue simultaneously usually quit before mastering either.
05
Treating it as a project instead of a habit
A home lab isn't a one-month project — it's an ongoing practice space. Schedule 2–3 hours a week of structured lab time. Set a goal each session. The people who get cybersecurity jobs treat their home lab like a gym: small, frequent, sustained.
