Building a Cybersecurity Home Lab

Jason J. Boderebe
4 min tutorial
#homelab #virtualization #hands-on

If you want to get good at cybersecurity, you need somewhere to break things safely. That is what a home lab is for. Mine started with an old desktop and VirtualBox, and it has grown into something I use almost daily for testing tools, researching techniques, and trying out ideas before I touch anything production.

This guide walks through setting up a functional lab environment that will not blow your budget or require enterprise hardware.

What you actually need

I started with 16GB of RAM and a basic Intel i5. It worked, but running more than two or three VMs at once got slow. If you are serious about this, aim for 32GB of RAM and at least a quad-core CPU with virtualization support (Intel VT-x or AMD-V). Storage matters too — get at least a 500GB SSD. Spinning disks work, but they make everything painful.

If you are building from scratch or upgrading an older machine, check that your motherboard supports VT-d (Intel) or AMD-Vi for hardware passthrough. You probably will not need it right away, but it opens up better network monitoring setups later.

Picking your hypervisor

I have used all three of these at different times. Here is what I learned:

VirtualBox — Free, simple, runs on Windows/Mac/Linux. Good for getting started. Performance is fine for small labs. I still use it when I need to spin up something quick on my laptop.

VMware Workstation Pro — Faster than VirtualBox, better snapshot management, and more reliable networking. Used to cost around $250, but Broadcom made it free for personal use in May 2024. If you are on Windows or Linux, grab this.

Proxmox VE — Web-based, runs on bare metal, feels like managing an actual data center. Free, powerful, but the learning curve is steeper. I switched to Proxmox for my main lab because managing everything through a web UI from any device is convenient.

Start with VirtualBox or VMware Workstation. You can always migrate later.

Core VMs to build

Kali Linux (attacker box)

Download the pre-built VM from offensive-security.com. Default credentials are kali / kali. Change them.

Kali has most tools you need pre-installed, but I always add a few extras:

sudo apt update
sudo apt install gobuster seclists feroxbuster

Ubuntu Server 22.04 (target/web host)

Use this to host vulnerable web apps, run services you want to attack, or practice privilege escalation. Grab the ISO from ubuntu.com and install it manually. Do not enable automatic updates — you want control over when things change.

Windows 10 (evaluation)

Download a 90-day eval ISO from Microsoft. You will need to rearm it or rebuild it periodically, but it is free and works well for testing Windows-focused attacks. Install with a local account, not a Microsoft account.

pfSense (optional, but useful)

If you want to segment your lab network or practice firewall rules, pfSense is excellent. Grab the community edition ISO from pfsense.org.

I run mine with two network interfaces — one bridged to my home network (WAN) and one on an isolated internal network (LAN) where my vulnerable VMs live.

Network setup that actually makes sense

When I first built my lab, I put everything on one flat network. Bad idea. If you accidentally run something nasty, it can touch your real network.

Here is what I do now:

  • NAT network for most VMs — they can reach the internet but are isolated from my home LAN
  • Internal/isolated network for vulnerable machines — no internet, no access to anything outside the lab
  • Bridged adapter only for pfSense WAN or when I need a VM to act like a real device on my network

In VirtualBox, create a NAT Network under File → Preferences → Network. In VMware, use the Virtual Network Editor to set up custom networks. In Proxmox, create Linux bridges.
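One way to check that each VirtualBox VM's adapters still match the layout above, as an added example that is not part of the original tutorial. The function reads `VBoxManage showvminfo <vm> --machinereadable` output and flags any adapter whose mode breaks the policy. The role labels (vulnerable, general, gateway), VM names, and sample outputs are assumptions constructed for illustration.

```shell
# Added example: check a VirtualBox VM's adapter modes against the lab layout.
# Reads `VBoxManage showvminfo <vm> --machinereadable` text on stdin.
# Hypothetical roles: vulnerable -> internal network only; general -> NAT or
# internal; gateway -> may also be bridged (the pfSense WAN case).
audit_vm() {
    awk -v role="$1" -F'"' '
        /^nic[0-9]+=/ {
            mode = $2
            if (mode == "none") next            # adapter not attached
            nic = $1; sub(/=$/, "", nic)
            ok = (mode == "intnet")
            if (role != "vulnerable" && (mode == "nat" || mode == "natnetwork")) ok = 1
            if (role == "gateway" && mode == "bridged") ok = 1
            if (!ok) { printf "FAIL %s mode=%s role=%s\n", nic, mode, role; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

# Constructed sample: a target VM left with a second, bridged adapter.
sample_target() { cat <<'EOF'
name="ubuntu-target"
nic1="intnet"
intnet1="labnet"
nic2="bridged"
bridgeadapter2="eth0"
nic3="none"
EOF
}

# Constructed sample: attacker box on the NAT network plus the internal network.
sample_kali() { cat <<'EOF'
name="kali"
nic1="natnetwork"
nat-network1="LabNat"
nic2="intnet"
intnet2="labnet"
EOF
}

if [ "$#" -eq 2 ] && command -v VBoxManage >/dev/null 2>&1; then
    # Real use: <script> <vm-name> <role>
    VBoxManage showvminfo "$1" --machinereadable | audit_vm "$2"
else
    sample_target | audit_vm vulnerable || echo "ubuntu-target: not isolated"
    sample_kali | audit_vm general && echo "kali: ok"
fi
```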

Snapshot everything

Before you install something new, break a config, or start a pentest exercise, take a snapshot. I have saved myself hours by rolling back to a clean state instead of rebuilding from scratch.

In VirtualBox and VMware, snapshots are built-in. In Proxmox, you will want to use ZFS or LVM-thin for snapshot support.

What I wish I knew earlier

  • Resource allocation: Do not over-allocate CPU cores or RAM. Give each VM what it actually needs and leave headroom for your host OS.
  • Linked clones: Use them (VMware) or templates (Proxmox) to spin up identical copies of VMs fast without duplicating storage.
  • Backups: Export your VMs periodically. I lost a month of work once when a disk failed.
