Building a Security Home Lab on a Budget

Every cybersecurity professional you admire built their skills by breaking things in a lab. Not by watching tutorials. Not by reading textbooks. By actually setting up systems, attacking them, defending them, and learning from what happened. A home lab is where theory becomes skill.

The good news: you do not need a server rack or a massive budget. A functional security lab can run on a single laptop with 16GB of RAM, and the entire software stack is free. If you want dedicated hardware, a used mini PC or workstation from eBay gets you a serious setup for under $200.

Why You Need a Home Lab

Online platforms like TryHackMe and HackTheBox are excellent, but they have limitations. The machines are pre-configured, the attack paths are predetermined, and you never deal with the messy reality of building and maintaining infrastructure. A home lab forces you to:

  • Install and configure operating systems from scratch
  • Design network topologies and deal with routing issues
  • Manage Active Directory - the single most important technology for corporate security
  • Deploy and tune security monitoring tools
  • Troubleshoot real problems that arise from misconfiguration
  • Build custom vulnerable environments tailored to what you want to learn

When an interviewer asks "tell me about your experience with Active Directory," saying "I set up a domain controller with Group Policy, enrolled three workstations, and then compromised the domain through Kerberoasting" is infinitely more compelling than "I completed a TryHackMe room."

Hardware: What to Buy and Where

Option 1: Your Existing Laptop ($0)

If your laptop has at least 16GB of RAM and an SSD, you can run a meaningful lab entirely in virtual machines. This is the lowest barrier to entry. You will be limited in how many VMs you can run simultaneously, but it is enough to get started.

Minimum specs: 16GB RAM, SSD (256GB+), quad-core CPU (anything from the last 5-6 years). Intel VT-x or AMD-V virtualization support must be enabled in BIOS.

Option 2: Used Mini PC ($80-$150)

A used Dell OptiPlex Micro, Lenovo ThinkCentre Tiny, or HP EliteDesk Mini from eBay gives you a dedicated lab machine that runs 24/7 without tying up your main computer. Look for models with:

  • Intel i5 or i7 (6th generation or newer)
  • 32GB RAM (buy a 16GB unit and add a $20 stick)
  • 256GB SSD (add a second drive if needed)

These machines use minimal power (35-65W), are silent, and take up barely any desk space. A Dell OptiPlex 7060 Micro with an i5-8500T, 16GB RAM, and 256GB SSD regularly sells for $80-$120 on eBay.

Option 3: Used Workstation ($150-$300)

If you want to run many VMs simultaneously (10+), a used Dell Precision tower or HP Z-series workstation with 64GB+ RAM gives you serious capacity. These are often retired from corporate use and sell cheaply. The downside is noise and power consumption.

Networking Hardware

A managed switch ($20-$40 used) lets you create VLANs and practice network segmentation. A cheap wireless router ($10-$20) gives you a target for WiFi security testing. Do not use your production home network for security testing - always isolate your lab.

graph TD
    subgraph Budget["Budget Tiers"]
        B1["$0 - Existing Laptop\n16GB RAM, VM-only"]
        B2["$80-150 - Used Mini PC\n32GB RAM, Dedicated"]
        B3["$150-300 - Workstation\n64GB+ RAM, Full Lab"]
    end
    subgraph Capabilities["What You Can Run"]
        C1["2-3 VMs\nBasic Attack/Defend"]
        C2["5-8 VMs\nAD Domain + SIEM"]
        C3["10-15+ VMs\nFull Enterprise Sim"]
    end
    subgraph AddOns["Optional Add-ons"]
        A1["Managed Switch $20-40"]
        A2["Test Router $10-20"]
        A3["BLEShark Nano $37"]
        A4["USB WiFi Adapter $15-30"]
    end
    B1 --> C1
    B2 --> C2
    B3 --> C3
    C1 --> A1
    C2 --> A1
    C2 --> A2
    C2 --> A3
    C3 --> A1
    C3 --> A2
    C3 --> A3
    C3 --> A4

Home lab hardware tiers - start with what you have and upgrade as needed

Virtualization Setup

Virtualization is the backbone of any home lab. You will run multiple operating systems simultaneously on a single physical machine. Here are your options:

VirtualBox (Free, All Platforms)

Oracle VirtualBox runs on Windows, macOS, and Linux. It is free, well-documented, and handles the basics well. For a beginner lab, VirtualBox is perfectly adequate. The main downsides are performance (slower than alternatives for VM-heavy workloads) and occasional quirks with networking.

VMware Workstation Player (Free for Personal Use)

VMware's free tier runs on Windows and Linux. Performance is noticeably better than VirtualBox, especially with multiple VMs. If you can run only one hypervisor, VMware Player is the better choice for lab work.

Proxmox VE (Free, Dedicated Server)

If you have dedicated hardware, Proxmox is a bare-metal hypervisor that turns your machine into a VM server. You manage everything through a web interface. Proxmox supports both KVM (full virtualization) and LXC (containers), making it the most flexible option for larger labs. Installing Proxmox is itself a useful learning exercise in server administration.

Getting OS Images

  • Windows Server: Microsoft offers free 180-day evaluation ISOs for Windows Server 2019/2022. Plenty of time for lab work, and you can re-arm or rebuild.
  • Windows 10/11: Microsoft provides free development VMs (90-day evaluation) specifically for testing.
  • Kali Linux: Free download, pre-built VM images available for VirtualBox and VMware.
  • Ubuntu/Debian: Free, lightweight, good for running services and tools.
  • Security Onion: Free Linux distribution built for network security monitoring.

Network Architecture

graph TD
    subgraph HomeNetwork["Your Home Network - Do Not Touch"]
        Router[Home Router]
        Laptop[Your Laptop]
        Phone[Other Devices]
    end
    subgraph LabNetwork["Isolated Lab Network"]
        subgraph AttackSeg["Attack Segment - 10.0.1.0/24"]
            Kali[Kali Linux\nAttack Machine]
            Parrot[Parrot OS\nSecondary Attack]
        end
        subgraph TargetSeg["Target Segment - 10.0.2.0/24"]
            DC[Windows Server\nDomain Controller]
            WS1[Windows 10\nWorkstation 1]
            WS2[Windows 10\nWorkstation 2]
            WebSrv[Ubuntu\nWeb Server]
        end
        subgraph MonitorSeg["Monitoring Segment - 10.0.3.0/24"]
            SIEM[Security Onion\nSIEM + IDS]
            Wazuh[Wazuh Manager\nEndpoint Detection]
        end
    end
    Router -.->|"NAT/Isolated"| LabNetwork
    Kali --> DC
    Kali --> WS1
    Kali --> WebSrv
    DC --> WS1
    DC --> WS2
    SIEM -->|"Mirror Traffic"| TargetSeg
    Wazuh -->|"Agent Data"| WS1
    Wazuh -->|"Agent Data"| WS2

A properly isolated lab network with attack, target, and monitoring segments

Network isolation is critical. You will be running vulnerable services and launching attacks - this traffic must never reach your production network or the internet. Here is how to set it up:

Internal-only networking: In VirtualBox or VMware, create an "internal network" or "host-only network" that connects VMs to each other but not to your physical network. This is the simplest and safest approach.

NAT with firewall: If your lab VMs need internet access (for updates, downloading tools), use a NAT configuration with a firewall VM (pfSense or OPNsense) controlling what traffic can leave the lab. Never expose vulnerable VMs directly to the internet.

VLANs (with managed switch): If you have physical lab hardware, VLANs let you create separate network segments on a single switch. This is closer to real enterprise networking and teaches you skills directly applicable to the job.
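An isolation check for the VirtualBox case, added here as an example and not part of the original article: it reads the `key="value"` output of `VBoxManage showvminfo <vm> --machinereadable` and reports any NIC that is not on an internal or host-only network, with an allowlist for the firewall VM. The VM names, network names and sample output are constructed assumptions.

```python
import re

# Attachment modes that keep traffic off the physical LAN (per the text above).
# Note: "hostonly" still lets the VM reach the host itself.
ISOLATED_MODES = {"intnet", "hostonly"}

def parse_vminfo(text):
    """Parse key="value" lines as printed by
    `VBoxManage showvminfo <vm> --machinereadable`."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            info[key.strip('"')] = value.strip('"')
    return info

def audit_vm(text, firewall_vms=frozenset()):
    """Return (vm, nic, mode) for every NIC that can leave the lab."""
    info = parse_vminfo(text)
    name = info.get("name", "<unknown>")
    if name in firewall_vms:  # the one VM that is allowed an uplink
        return []
    findings = []
    for key, mode in info.items():
        # Match nic1..nicN only, not nictype1 or nicspeed1.
        if not re.fullmatch(r"nic\d+", key) or mode == "none":
            continue
        if mode not in ISOLATED_MODES:  # unknown modes fail closed
            findings.append((name, key, mode))
    return findings

def audit_lab(vm_dumps, firewall_vms=frozenset()):
    """Audit several VMs and return all findings, sorted by VM name."""
    return sorted(f for dump in vm_dumps for f in audit_vm(dump, firewall_vms))

# Constructed sample output for three lab VMs (not captured from a real host).
SAMPLE_DUMPS = [
    'name="kali-attack"\nmemory=4096\nnic1="intnet"\nintnet1="lab-attack"\nnic2="none"',
    'name="dc01"\nnic1="intnet"\nintnet1="lab-target"\nnic2="bridged"\nbridgeadapter2="eth0"',
    'name="pfsense"\nnic1="nat"\nnictype1="82540EM"\nnic2="intnet"\nintnet2="lab-attack"',
]

if __name__ == "__main__":
    for vm, nic, mode in audit_lab(SAMPLE_DUMPS, firewall_vms={"pfsense"}):
        print(f"NOT ISOLATED: {vm} {nic} is attached as {mode}")
```

Run it after every lab change; a target VM left on a bridged adapter after an update session is the usual way isolation breaks.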

Vulnerable Targets to Practice On

These are intentionally vulnerable systems designed for security practice. All are free:

Web Application Targets

  • DVWA (Damn Vulnerable Web Application): Classic PHP web app with adjustable difficulty levels. Covers SQL injection, XSS, CSRF, file upload, and command injection. Start here.
  • OWASP WebGoat: Java-based web app with guided lessons. Each vulnerability includes explanations and hints.
  • Juice Shop: Modern JavaScript web application (Node.js/Angular) with 100+ challenges covering the OWASP Top 10 and beyond. The most realistic vulnerable web app available.
  • HackTheBox Starting Point: Guided machines that teach methodology step by step.

Full OS Targets

  • Metasploitable 2 and 3: Linux and Windows VMs loaded with vulnerabilities. Metasploitable 2 is a single Linux VM; Metasploitable 3 includes both Windows and Linux targets built with Vagrant.
  • VulnHub: Community-maintained repository of downloadable vulnerable VMs. Hundreds of machines at every difficulty level, often with writeups available.
  • DVCP (Damn Vulnerable Cloud Platform): If you want to practice cloud security, this Terraform-based project deploys intentionally vulnerable AWS infrastructure.

Active Directory Lab

Building your own AD lab is one of the most valuable exercises you can do. Set up:

  1. Windows Server 2019/2022 as a Domain Controller
  2. Two or three Windows 10/11 workstations joined to the domain
  3. Multiple user accounts with varying privilege levels
  4. Group Policies including password policies, audit policies, and software restrictions
  5. A file share, a web server (IIS), and a SQL Server Express instance

Then intentionally introduce common misconfigurations: Kerberoastable service accounts, unconstrained delegation, AdminSDHolder abuse paths, and password reuse across accounts. Attack your own domain with tools like BloodHound, Rubeus, and Impacket.

The Defensive Software Stack

A good lab is not just about attacking - you need to see what attacks look like from the defender's perspective. Here is a free defensive stack:

Security Onion: A complete network security monitoring platform that includes Suricata (IDS), Zeek (network analysis), Elasticsearch, Kibana, and various other tools. Deploy it on a VM with access to a mirrored network port, and you can see every attack you launch from the defender's view.

Wazuh: Open-source endpoint detection and response (EDR) platform. Install Wazuh agents on your Windows workstations and the manager on a dedicated VM. You will see file integrity monitoring alerts, log analysis, and vulnerability detection in real time.

Splunk Free: Splunk offers a free tier that indexes up to 500MB per day. That is more than enough for a home lab. Learning Splunk is directly marketable - it is the most common SIEM in enterprise environments.

ELK Stack (Elasticsearch, Logstash, Kibana): The open-source alternative to Splunk. More work to set up, but free without data limits. Writing detection rules in ELK teaches you skills applicable to many SOC roles.

Sysmon: A free Windows tool from Microsoft that provides detailed logging of process creation, network connections, file changes, and more. Combined with a SIEM, Sysmon turns your Windows VMs into visibility goldmines.

Wireless Security Testing

Wireless is an often-overlooked component of home labs, but it is increasingly important as IoT devices proliferate. Adding wireless testing capability to your lab opens up an entire category of skills.

The BLEShark Nano is purpose-built for this. Running on an ESP32-C3 with BLE 5.0 and 2.4GHz WiFi, it gives you:

  • WiFi scanning and analysis: See all networks in range, their security settings, connected clients, and signal strengths
  • Handshake capture: Capture WPA handshakes for offline password analysis (passive capture only in EU regions)
  • BLE scanning: Discover and enumerate Bluetooth Low Energy devices, inspect services and characteristics
  • IR blasting: Built-in infrared for testing IR-based access control systems
  • Mesh networking: The Shiver mesh protocol connects up to 16 BLEShark Nanos via ESP-NOW for distributed testing across 20-50 meters

At $36.99, it is the most affordable way to add wireless capabilities to your lab. Pair it with your isolated test router for a complete wireless testing environment.

Practical Projects to Build

Having the lab is step one. Here are structured projects that build real skills:

Project 1: AD Domain Compromise (2-3 weeks)

Set up a Windows domain, configure it with realistic settings, then compromise it from an unprivileged user to Domain Admin. Document every step. Tools: BloodHound, CrackMapExec, Impacket, Rubeus, Mimikatz. Then rebuild the domain with proper hardening and verify your previous attack paths are blocked.

Project 2: SIEM Detection Lab (2-3 weeks)

Deploy Security Onion or Wazuh, configure log collection from your Windows machines, then execute attacks from your Kali VM while watching the alerts fire. Write custom detection rules for each attack technique. Map your detections to the MITRE ATT&CK framework.
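One detection of the kind this project asks for, added here as an example and not part of the original article: it flags an account that requests RC4-encrypted service tickets (Security event 4769, encryption type 0x17) for several distinct service accounts within a short window, the pattern Kerberoasting leaves on a domain controller, and tags it with ATT&CK technique T1558.003. The events, account names, window and threshold are constructed assumptions to tune against your own lab baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in event 4769

def is_candidate(ev):
    """RC4 service-ticket request for a user-backed service account."""
    svc = ev["ServiceName"]
    return (ev["EventID"] == 4769
            and int(ev["TicketEncryptionType"], 16) == RC4_HMAC
            and not svc.endswith("$")        # skip machine accounts
            and svc.lower() != "krbtgt")

def detect_kerberoasting(events, window=timedelta(seconds=60), min_services=3):
    """Alert when one account requests RC4 tickets for many services quickly."""
    by_user = defaultdict(list)
    for ev in filter(is_candidate, events):
        when = datetime.fromisoformat(ev["TimeCreated"])
        by_user[ev["TargetUserName"]].append((when, ev["ServiceName"], ev["IpAddress"]))
    alerts = []
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _, ip) in enumerate(reqs):
            services = {s for t, s, _ in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                alerts.append({"account": user, "source": ip,
                               "services": sorted(services),
                               "first_seen": start.isoformat(),
                               "technique": "T1558.003"})
                break  # one alert per account is enough
    return alerts

def _ev(ts, user, svc, etype, ip):
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "ServiceName": svc, "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed events, shaped like 4769 records exported from the DC.
EVENTS = [
    _ev("2024-05-01T10:00:00", "asmith@LAB.LOCAL", "svc_sql", "0x12", "::ffff:10.0.2.21"),
    _ev("2024-05-01T10:00:05", "asmith@LAB.LOCAL", "svc_iis", "0x17", "::ffff:10.0.2.21"),
    _ev("2024-05-01T10:05:00", "jdoe@LAB.LOCAL", "svc_sql", "0x17", "::ffff:10.0.1.10"),
    _ev("2024-05-01T10:05:02", "jdoe@LAB.LOCAL", "svc_iis", "0x17", "::ffff:10.0.1.10"),
    _ev("2024-05-01T10:05:03", "jdoe@LAB.LOCAL", "WS1$", "0x17", "::ffff:10.0.1.10"),
    _ev("2024-05-01T10:05:04", "jdoe@LAB.LOCAL", "svc_backup", "0x17", "::ffff:10.0.1.10"),
]

if __name__ == "__main__":
    for alert in detect_kerberoasting(EVENTS):
        print(alert)
```

After hardening the domain so service accounts use AES only, replay the same attack and confirm that any remaining 0x17 request stands out on its own.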

Project 3: Web Application Assessment (1-2 weeks)

Deploy Juice Shop, work through all 100+ challenges, and write a mock penetration testing report as if Juice Shop were a client's application. Include executive summary, technical findings, risk ratings, and remediation recommendations. This practices both technical skills and report writing.

Project 4: Incident Response Simulation (1-2 weeks)

Have a friend (or script) compromise one of your lab machines while you are not watching. Then investigate: find the initial access vector, trace the attacker's movements, identify what data was accessed, and write an incident report. This simulates real IR work.

Project 5: Wireless Security Audit (1 week)

Set up your test router with WPA2, enumerate it with your wireless tools, capture a handshake, and attempt to crack it with hashcat or aircrack-ng. Then set up WPA3 and document the differences. Scan for BLE devices in your environment and analyze what data they broadcast.

Project 6: Malware Analysis Sandbox (2 weeks)

Build an isolated Windows VM with analysis tools (Process Monitor, Wireshark, Regshot, x64dbg) and analyze real malware samples from MalwareBazaar. Document the malware's behavior: what files it creates, what registry keys it modifies, what network connections it makes. Never connect malware analysis VMs to any network.

Each of these projects produces documentation you can show to employers. A GitHub repository with detailed writeups of your lab projects is one of the strongest portfolio pieces a junior security candidate can have. It proves you do not just know theory - you build, break, and understand real systems.

Start small. One VM, one target, one attack. Then expand. Your lab will grow with your skills, and the skills you build in your lab will open doors that certifications alone cannot.
