The single best thing I did for learning security was building a home lab: an isolated playground where I can break things without breaking the law. Here's the cheap version that actually works.
Why a Lab at All
You must never practice on systems you don't own or aren't authorized to test. A lab gives you targets that are yours, so you can attack freely. It also lets you repeat an exploit until you understand it, which a one-shot CTF rarely allows.
The Core Setup
Everything runs as virtual machines on one laptop:
Host machine
├── Kali Linux: attacker box (tools)
├── Metasploitable: deliberately vulnerable target
└── A Windows VM: AD / Windows practice
Free virtualization (VirtualBox) plus free VMs means the whole lab costs nothing but disk space.
Keep It Isolated
The most important setting: put the lab VMs on a host-only / internal network so they can talk to each other but not to the internet or your home network. A deliberately vulnerable VM exposed to the internet is a real risk to everyone, not a lab.
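A quick way to audit that isolation, as an added example rather than anything from the original post: the script below parses the `--machinereadable` output of VirtualBox's `VBoxManage showvminfo` and flags any adapter (nat, natnetwork, bridged, generic) that could give a lab VM a path off the host-only/internal network. The two sample outputs are constructed, not captured from a real lab.

```shell
#!/bin/sh
# Added example: audit VirtualBox lab VMs for adapters that are not isolated.
# Reads `VBoxManage showvminfo <vm> --machinereadable` text on stdin.

# check_vm_nics: print one line per adapter that can reach beyond the lab
# (nat, natnetwork, bridged, or generic, which needs manual review).
# Returns 0 if every adapter is none/null/hostonly/intnet, 1 otherwise.
# Note: hostonly still reaches the host itself, just not the internet.
check_vm_nics() {
  # Lines look like nic1="hostonly"; keep only the index and the mode.
  sed -n 's/^nic\([0-9]*\)="\([^"]*\)"$/\1 \2/p' |
  awk '
    $2 == "nat" || $2 == "natnetwork" || $2 == "bridged" || $2 == "generic" {
      printf "nic%s=%s\n", $1, $2; bad = 1
    }
    END { exit bad ? 1 : 0 }
  '
}

# Constructed sample: host-only adapter is fine, but a NAT adapter was left
# enabled, which gives the vulnerable VM a route to the internet.
SAMPLE_LEAKY='name="Metasploitable"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="nat"
nic3="none"'

# Constructed sample: attacker box on an internal network named "lab" only.
SAMPLE_OK='name="Kali"
nic1="intnet"
intnet1="lab"
nic2="none"'

# audit_all: run the check against live VBoxManage output for each VM named
# on the command line, e.g.  sh audit.sh Kali Metasploitable
audit_all() {
  rc=0
  for vm in "$@"; do
    if out=$(VBoxManage showvminfo "$vm" --machinereadable | check_vm_nics); then
      printf '%s: isolated\n' "$vm"
    else
      rc=1
      printf '%s: NOT isolated (%s)\n' "$vm" "$(printf '%s' "$out" | tr '\n' ' ')"
    fi
  done
  return $rc
}

# Only touch VBoxManage when it exists and VM names were given.
if [ $# -gt 0 ] && command -v VBoxManage >/dev/null 2>&1; then
  audit_all "$@"
fi
```

Run it before each session alongside your snapshot routine; a leftover NAT adapter on a Metasploitable box is exactly the exposure the section above warns about.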
Intentionally Vulnerable Targets
| Target | Teaches |
|---|---|
| Metasploitable | Network/service exploitation |
| DVWA | Web vulnerabilities (XSS, SQLi, etc.) |
| OWASP Juice Shop | Modern web app bugs |
| VulnHub boxes | Full attack chains, CTF-style |
Snapshots Save Hours
Before each session I take a VM snapshot. When I break something, or successfully root a box and want to try a different path, I roll back in seconds instead of rebuilding. This one habit turns a fragile lab into a durable one.
Supplement With Online Platforms
The local lab covers network and full-chain practice. For curated, guided learning I pair it with platforms like TryHackMe and Hack The Box. The combination of your own sandbox plus structured rooms is how I went from copying commands to understanding them.
