# Building a Home Lab for Security Training
## Definition
A home lab is a controlled, isolated environment where a cybersecurity practitioner practices offensive and defensive techniques without legal risk, without business impact, and without waiting for permission. It is the private training ground where someone who wants to break into the industry, or advance within it, builds the demonstrable, hands-on skill that certifications alone cannot confer.
The home lab has been a rite of passage in cybersecurity for two decades. The practitioners who run them universally report that their lab work accelerated their skills faster than any other preparation method except live incident response. The reason is simple: the lab removes the gap between knowing how something works and having done it. You can read about Active Directory attacks for months. You can build an Active Directory environment, attack it, watch it fail, rebuild the detection rules, re-attack it, and understand in a day what months of reading would not have produced.
Within CDA's Planetary Defense Model (PDM), a home lab is a microcosm of the full six-domain model. The data you store in it is a DPS (Data Protection and Sovereignty) concern. The vulnerabilities you intentionally introduce and practice against are VSD (Vulnerability and Surface Defense) problems. The endpoint configurations, SIEM rules, and hygiene practices you build are SPH (Security Posture and Hygiene) work. The Active Directory you build and abuse is an IAT (Identity Access and Trust) exercise. The detection logic you write is TID (Threat Intelligence and Defense) applied. The policies you develop to govern the lab reflect RGA (Risk Governance and Assurance) principles. A well-designed lab does not train you for one domain. It trains you for all six simultaneously.
This guide covers hardware choices, virtualization platforms, essential virtual machines, pre-built vulnerable environments, network architecture, blue team tooling, and how to build progressive projects that produce a documented portfolio. The goal is not to spend the most money. The goal is to build the most skill with the resources available.
## How It Works
### Hardware Options
The barrier people cite most often is cost, and that objection is mostly unfounded. Enterprise hardware that was state-of-the-art five years ago is available on eBay today for $200 to $600. A Dell PowerEdge R620, a Cisco UCS C220 M3, or an HP ProLiant DL380 Gen8 will run six to ten virtual machines simultaneously on hardware that was built for exactly that purpose. These machines are power-hungry (plan for 150 to 300 watts at load, which adds $15 to $30 per month to an electricity bill in the US) and loud enough that they should not run in a bedroom. But for raw compute, memory, and storage capacity per dollar, used enterprise 1U/2U servers are unmatched.
Mini PCs are the alternative for practitioners who want quiet, low-power hardware. An Intel NUC or a Beelink SER5 Max with a Ryzen 7 5800H, 64GB RAM, and a 2TB NVMe drive will run four to six VMs comfortably and consumes 35 to 65 watts at load. These are available new for $400 to $700 depending on spec. Two of them on a home network, with a $30 managed switch, create a credible multi-node lab environment.
Cloud-based labs are the zero-hardware option. AWS Free Tier provides 750 hours per month of t2.micro or t3.micro instances, enough to run a small lab environment with careful management. Azure Free Account provides $200 in credit for the first 30 days and then 12 months of free-tier services. Neither free tier is powerful enough for a serious multi-VM lab, but both are viable for learning cloud-specific security skills: IAM policy misconfigurations, EC2 security groups, CloudTrail log analysis, Azure AD, and Defender for Cloud. Cloud labs also teach the infrastructure as code (IaC) skills that are increasingly required in cloud security roles. AWS CloudShell, Azure Portal scripting, and Terraform are practical skills for a cloud security engineer.
### Virtualization Platforms
Proxmox Virtual Environment is the recommended platform for a dedicated lab machine or server. It is free, open source, and runs on bare metal. Proxmox uses KVM for full virtualization and LXC for lightweight containers. The web interface is accessible from any browser on the network. Proxmox supports snapshots (the essential lab feature: break something, restore a snapshot, try again), templates (build a Windows Server template once and clone it in minutes), and clustering (run multiple Proxmox nodes as a single managed environment). For a dedicated lab server, Proxmox is the right choice.
VirtualBox is the free option for practitioners who want to run a lab on an existing workstation without dedicating hardware. Oracle VirtualBox supports Windows, macOS, and Linux hosts and handles most lab VMs without issues. Performance is lower than Proxmox on equivalent hardware because VirtualBox runs as an application rather than on bare metal, but for a first lab or a budget-constrained setup, VirtualBox is fully functional.
VMware Workstation Player is free for non-commercial use on Windows and Linux hosts. The full Workstation Pro version was made free for personal use in 2024. VMware's performance and networking options are slightly better than VirtualBox, and it is the platform most enterprise environments use, so VMware familiarity is professionally relevant.
### Essential Virtual Machines
Windows Server with Active Directory is the single most important VM in a security lab. Active Directory (AD) is the identity backbone of the overwhelming majority of enterprise Windows environments, and AD attacks are the dominant attack path in modern intrusions. Building a Windows Server 2022 VM, promoting it to a domain controller, and creating a small domain with a few user accounts and workstations gives you the target environment for credential attacks, Kerberos attacks (AS-REP roasting, Kerberoasting, Pass-the-Ticket), lateral movement via PsExec and WMI, and privilege escalation through AD ACL abuse. These are not theoretical exercises. They are the techniques that appear in incident reports every week.
Kali Linux is the standard offensive toolkit. Kali comes pre-installed with hundreds of tools including Nmap, Metasploit, Burp Suite Community Edition, BloodHound, Impacket, Responder, CrackMapExec, and Gobuster. It is the platform for practicing enumeration, exploitation, and post-exploitation techniques against your lab targets. Run it from a VM snapshot so you can reset to a clean state between exercises.
Windows 10 or Windows 11 workstations (two or three, domain-joined) complete the Active Directory environment. These are the endpoints you will attack from your Kali VM and detect attacks on from your SIEM. Keep these VMs snapshotted at a clean baseline.
Ubuntu Server serves multiple purposes: a target for Linux privilege escalation exercises, a host for open source tools (Wazuh, ELK stack), and a general-purpose server platform for web application labs.
### Pre-Built Vulnerable Environments
Building lab targets from scratch has value, but pre-built environments accelerate skill development in specific areas.
DVWA (Damn Vulnerable Web Application) is a PHP/MySQL web application built to be exploited. It covers SQL injection, XSS, CSRF, file inclusion, command injection, and more, with difficulty levels adjustable per vulnerability type. Run it in a Docker container on your Ubuntu VM for the easiest setup.
GOAD (Game of Active Directory) is an open-source multi-machine Active Directory lab environment that is intentionally misconfigured with realistic enterprise vulnerabilities. It simulates a five-server AD environment with multiple domains, trusts, and a library of attack paths. GOAD is the most advanced free AD attack lab available and is used widely for OSCP preparation and red team training.
DetectionLab is the blue team equivalent: a pre-built, well-configured Windows lab environment with logging configured, Sysmon deployed, and a Splunk or ELK instance ready to ingest events. DetectionLab was designed specifically so that detection engineers could have a realistic, well-instrumented target environment without spending hours on deployment. It is the fastest path to a functional blue team lab.
HackTheBox and TryHackMe are cloud-based platforms that provide structured, guided attack exercises without requiring local infrastructure. TryHackMe is better for beginners: it provides walkthroughs and context. HackTheBox is better for intermediate practitioners: the machines are harder and the community write-ups come after you complete the box. Both platforms have active communities, structured learning paths, and certificates of completion that carry weight in interviews.
VulnHub provides downloadable vulnerable VM images you can run locally in VirtualBox or VMware. The library covers hundreds of machines at varying difficulty levels and allows fully offline practice.
### Network Configuration
Isolated network architecture is not optional. Vulnerable VMs, by definition, have exploitable vulnerabilities. Running them on your home network alongside devices you care about is a risk. The correct architecture isolates lab VMs on a dedicated virtual network that has no route to your home network, your personal computers, or the internet (except through a firewall you control).
pfSense is the recommended software firewall for lab network segmentation. Run it as a VM in Proxmox or VirtualBox. Configure it with at least two virtual NICs: one facing your home network (WAN), one facing your lab network (LAN). Create firewall rules that block all traffic from lab VMs to your home network. Allow outbound internet access from the lab only from specific VMs that need updates or package installation, not from intentionally vulnerable targets.
VLAN segmentation adds another layer. If your home switch supports VLANs (most managed switches in the $30 to $100 range do), create a dedicated VLAN for lab traffic. This enforces isolation at the network layer rather than relying solely on software firewall rules.
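As an added illustration of the rule ordering described above (not pfSense's own configuration format, which is built in its web GUI, and not code from the article): a Python model of pfSense's top-down, first-match rule evaluation that checks the "Default allow LAN to any" rule a fresh install ships with against the isolation policy the text describes, then checks the hardened ordering. All addresses and hosts are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed lab addressing; substitute your own ranges.
HOME_NET = ip_network("192.168.1.0/24")   # home LAN on the pfSense WAN side
LAB_NET = ip_network("10.10.0.0/24")      # isolated lab LAN
ANY = ip_network("0.0.0.0/0")
UPDATER = ip_network("10.10.0.5/32")      # the single lab VM allowed to fetch packages

def first_match(rules, src, dst):
    """pfSense evaluates interface rules top-down and acts on the first match;
    anything left unmatched is dropped by the implicit default deny."""
    for action, src_net, dst_net in rules:
        if src in src_net and dst in dst_net:
            return action
    return "block"

# What a fresh pfSense install creates on the LAN interface: allow LAN to any.
DEFAULT_LAN_RULES = [("pass", LAB_NET, ANY)]

# The policy from the text: block lab -> home first, then let only the updater out.
HARDENED_LAN_RULES = [
    ("block", LAB_NET, HOME_NET),
    ("pass", UPDATER, ANY),
]

# Flows that must hold for the lab to count as isolated (constructed hosts;
# 203.0.113.10 is a documentation-range address standing in for the internet).
EXPECTED = [
    ("10.10.0.20", "192.168.1.10", "block"),  # vulnerable target -> home PC
    ("10.10.0.20", "203.0.113.10", "block"),  # vulnerable target -> internet
    ("10.10.0.5", "203.0.113.10", "pass"),    # updater -> internet
    ("10.10.0.5", "192.168.1.10", "block"),   # updater -> home PC
]

def isolation_violations(rules):
    """Return the (src, dst) flows that the ruleset handles contrary to EXPECTED."""
    return [(s, d) for s, d, want in EXPECTED
            if first_match(rules, ip_address(s), ip_address(d)) != want]

if __name__ == "__main__":
    print("default ruleset violations :", isolation_violations(DEFAULT_LAN_RULES))
    print("hardened ruleset violations:", isolation_violations(HARDENED_LAN_RULES))
```

Reversing the two hardened rules reintroduces a violation (the updater's pass rule matches before the block), which is the ordering mistake to check for after any GUI edit.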
### Blue Team Tooling
Wazuh is the recommended open source SIEM for a home lab. It is free, it installs on a single Ubuntu server VM, and it provides endpoint detection and response (EDR) capabilities, log aggregation, file integrity monitoring, and vulnerability detection in a single platform. Deploy Wazuh agents on your Windows Server and workstation VMs. Then attack the environment and watch the detections fire. That loop (attack, detect, tune, repeat) is the core blue team training exercise.
The ELK Stack (Elasticsearch, Logstash, Kibana) is the alternative for practitioners who want to build their log ingestion, parsing, and visualization pipeline from components rather than a pre-integrated platform. ELK is harder to configure than Wazuh but teaches more about how a SIEM works at the architecture level. Elastic also provides pre-built detection rules for Windows, Linux, and cloud environments.
Sysmon (System Monitor) is a Windows service that records far more detailed events than Windows logs by default. Deploy Sysmon with the SwiftOnSecurity configuration on every Windows VM in the lab. With Sysmon running, you will capture process creation with command lines, network connections, file creation, registry modifications, and WMI activity: the events that matter for detecting the attack techniques you are practicing.
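As an added example of the detect-and-tune step in the loop above (not code from the article, from Wazuh, or from any tool it names): a small Python detector run over constructed Windows Security log event 4769 (Kerberos service ticket request) records, in the JSON-lines shape a log forwarder might emit, that flags the Kerberoasting pattern the article mentions, where one account requests RC4-encrypted service tickets for several distinct service accounts within a short window. The field names, window, and threshold are assumptions to tune against your own lab's baseline.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of event 4769 records (not real lab output). Field names are
# assumed: user = requesting account, service = service account the ticket is for,
# etype = TicketEncryptionType (0x17 is RC4-HMAC, 0x12 is AES256), status = result.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:01","id":4769,"user":"alice@LAB.LOCAL","service":"svc_sql","etype":"0x12","status":"0x0"}
{"ts":"2024-05-01T09:01:00","id":4769,"user":"bob@LAB.LOCAL","service":"svc_sql","etype":"0x17","status":"0x0"}
{"ts":"2024-05-01T09:01:02","id":4769,"user":"bob@LAB.LOCAL","service":"svc_http","etype":"0x17","status":"0x0"}
{"ts":"2024-05-01T09:01:03","id":4769,"user":"bob@LAB.LOCAL","service":"DC01$","etype":"0x17","status":"0x0"}
{"ts":"2024-05-01T09:01:04","id":4769,"user":"bob@LAB.LOCAL","service":"svc_backup","etype":"0x17","status":"0x0"}
{"ts":"2024-05-01T09:30:00","id":4769,"user":"carol@LAB.LOCAL","service":"svc_sql","etype":"0x17","status":"0x0"}
"""

RC4 = "0x17"
WINDOW = timedelta(minutes=5)   # assumed; widen or narrow after baselining
THRESHOLD = 3                   # distinct service accounts per requester in WINDOW

def load_events(text):
    """Parse JSON-lines log text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def kerberoast_candidates(events, threshold=THRESHOLD, window=WINDOW):
    """Return {requesting account: sorted service accounts} for accounts that obtained
    RC4 service tickets for at least `threshold` distinct user-type service accounts
    within `window`. Machine accounts (trailing $) and krbtgt are excluded as noise."""
    per_user = defaultdict(list)
    for e in events:
        if e["id"] != 4769 or e["etype"] != RC4 or e["status"] != "0x0":
            continue
        svc = e["service"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        per_user[e["user"]].append((datetime.fromisoformat(e["ts"]), svc))
    hits = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            in_window = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                hits[user] = sorted(in_window)
                break
    return hits

if __name__ == "__main__":
    print(kerberoast_candidates(load_events(SAMPLE_LOG)))
```

Alice's AES requests and Carol's single RC4 request stay quiet; only Bob's burst of RC4 tickets for three service accounts is flagged. Raising the threshold to 4 silences that too, which is the tuning knob you adjust after measuring what your own lab's scheduled tasks and service logons produce.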
Velociraptor is an open source endpoint visibility and digital forensics platform used by enterprise incident response teams. Running Velociraptor in the lab alongside Wazuh provides experience with a tool that appears frequently in mid-to-large enterprise environments and that is asked about in senior SOC and IR interviews.
## Why It Matters
The home lab closes the gap between theoretical knowledge and demonstrated capability. Every cybersecurity practitioner knows the gap is real. Reading about Pass-the-Hash does not prepare you to use Impacket's secretsdump.py, interpret the output, understand why the hash is captured, and then write a detection rule in your SIEM that catches the specific event pattern. Doing it in a lab does.
The portfolio impact is direct. Candidates who can point to a documented lab project (a blog post with screenshots showing a completed attack chain and the SIEM detections that fired, a GitHub repository with detection rules they wrote, or a VulnHub/HackTheBox write-up) are demonstrably more compelling than candidates with identical certifications who cannot show their work.
Lab work also builds confidence in interviews. Technical interview questions about specific attack techniques, specific log events, or specific tool behaviors are not abstract to someone who has done the work. "What does a Kerberoasting attack look like in Windows event logs?" is a question you answer from memory if you have done it in your lab and written the detection. It is a question you guess at if you only read about it.
The blue team loop (build, attack, detect) is the most transferable skill set in the industry. Organizations do not just need red teamers or just need blue teamers. They need practitioners who understand both sides of the conflict. A candidate who has built an Active Directory environment, attacked it, detected the attacks, and documented the full chain is demonstrating exactly that dual-side capability.
## CDA Perspective
CDA.Institute lab environments extend the home lab concept into a structured curriculum framework. The Institute provides guided lab scenarios that align to PDM domains: DPS labs focus on data classification and encryption controls, VSD labs run through vulnerability scanning and remediation workflows, SPH labs deploy and tune endpoint security tooling, IAT labs cover Active Directory security and Zero Possession Architecture (ZPA) principles, TID labs build detection engineering and threat hunting workflows, and RGA labs run through compliance documentation and audit simulations.
CDA's Zero Possession Architecture (ZPA) methodology, with its tagline "Trust nothing. Possess nothing. Verify everything," has a direct application in the home lab context: the AD environment you build should be designed to enforce ZPA principles, then tested against credential theft techniques to validate (or break) those controls. That is not a theoretical exercise. It is the kind of controlled proof-of-concept work that a security architect does before recommending a design to a client.
The progressive project structure described in this article reflects CDA's operational training philosophy. Build the environment. Attack it. Detect the attacks. Write the detections. Hunt for the artifacts. Document every step. The documentation is not bureaucratic overhead. It is the intelligence product, the incident report, or the detection specification that makes the work professionally valuable.
CDArmy mission deployments build on top of home lab foundations. The lab produces the skills. The CDArmy missions provide the structured operational context (defined objectives, documented outcomes, and real deliverables) that converts lab experience into verifiable professional experience. The combination is what CDA.Nexus members export as a portfolio.
## Key Takeaways
- Hardware cost is not the primary barrier. Used enterprise servers on eBay, mini PCs under $500, or cloud free tiers are all viable starting points. Start with what you have and scale up.
- Proxmox is the recommended virtualization platform for a dedicated lab machine. VirtualBox and VMware Workstation are functional alternatives for running a lab on an existing workstation.
- The core lab target environment is Windows Server with Active Directory, two to three domain-joined Windows workstations, and a Kali Linux attacker VM. This setup enables the most realistic practice for the attack techniques that appear in real intrusions.
- Wazuh provides a free, full-featured SIEM and EDR platform that makes blue team detection practice accessible without enterprise licensing costs. Pair it with Sysmon for comprehensive Windows event visibility.
- Document everything. Lab work without documentation is private practice. Lab work with screenshots, write-ups, and detection rules published to GitHub or a personal blog is a portfolio that hiring managers can evaluate.
## Related Articles
- Cybersecurity Interview Preparation [CR205]
- How to Become a Threat Intelligence Analyst [CR204]
- Military-to-Cybersecurity Transition Guide [CR-MIL]
- SIEM Architecture and Deployment [SPH-SIEM]
- Active Directory Security [IAT-AD]
## Sources
- Proxmox. Proxmox Virtual Environment Documentation. Proxmox Server Solutions, 2024. https://pve.proxmox.com/pve-docs/
- MITRE. MITRE ATT&CK for Enterprise. MITRE Corporation, 2024. https://attack.mitre.org/matrices/enterprise/
- Wazuh. Wazuh Open Source Security Platform Documentation. Wazuh, Inc., 2024. https://documentation.wazuh.com/
- BloodHound. BloodHound CE Documentation. SpecterOps, 2024. https://bloodhound.readthedocs.io/
- CDA, LLC. CDA.Institute Lab Environment Standards. CDA, 2026.