Here is the uncomfortable truth about the home lab: you are running real services on real infrastructure in a real residential network with no change control. If a security professional's job is to think about threat models, they should start with their own.
Assumption One: The Lab Is Internet-Exposed
"Mine isn't." Yes, it is. Some of the vectors I have seen bite people:
- UPnP silently opened ports when a new appliance joined the network.
- A reverse proxy "just for Jellyfin" with a default admin password on the management UI.
- IPv6 SLAAC assigning a globally routable address to a VM that had only IPv4 firewall rules.
- A Tailscale node that was meant for access to the lab but ended up routing traffic out through a dodgy exit node.
- DNS rebinding against a local-only service, because the browser has no notion of "local" and the service accepted any request that reached it without checking the Host header.
Plan as if everything you spin up is discoverable. Because frequently, it is.
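The SLAAC case from the list above is the easiest one to catch mechanically: a host gets a global-unicast IPv6 address, but the firewall only has a "table ip" (IPv4-only) ruleset, so none of those rules ever see the v6 traffic. The script below is an added example, not code from the original post. It assumes nftables and iproute2 on the host; the two sample outputs at the bottom are constructed so it can be exercised offline, and with the --live flag it reads the real `ip -6 -o addr` and `nft list ruleset` output instead.

```shell
#!/bin/sh
# Added example, not code from the original post: flag a host or VM that
# holds a globally routable IPv6 address while its nftables ruleset only
# has an IPv4 ("table ip") table, so the IPv4 rules never see v6 traffic.
# Assumes nftables and iproute2; the sample outputs below are constructed.

# Extract every global-unicast address (2000::/3) from `ip -6 -o addr` output.
# Field 3 is the family, field 4 is the address with its prefix length.
global_v6_addrs() {
    awk '$3 == "inet6" { split($4, a, "/"); print a[1] }' |
        grep -iE '^[23][0-9a-f]{0,3}:' || true
}

# Succeed if `nft list ruleset` output has a table that sees IPv6:
# family inet covers v4 and v6, ip6 covers v6 only. A "table ip" does not.
v6_filter_table_present() {
    grep -qE '^table (inet|ip6) '
}

# audit_v6_exposure IP6_ADDR_OUTPUT NFT_RULESET
# Prints a verdict; returns 1 when a global v6 address has no v6 filtering.
audit_v6_exposure() {
    addrs=$(printf '%s\n' "$1" | global_v6_addrs)
    if [ -z "$addrs" ]; then
        echo "no global IPv6 address; the IPv4 rules are the whole story"
        return 0
    fi
    if printf '%s\n' "$2" | v6_filter_table_present; then
        echo "global IPv6 present and filtered by an inet/ip6 table: $addrs"
        return 0
    fi
    echo "UNFILTERED global IPv6 (only a 'table ip' exists): $addrs"
    return 1
}

# --- constructed sample data (documentation prefix, not real hosts) ---
SAMPLE_IP6='1: lo    inet6 ::1/128 scope host \       valid_lft forever preferred_lft forever
2: ens18    inet6 2001:db8:4a:20::1f/64 scope global dynamic mngtmpaddr \       valid_lft 86400sec preferred_lft 14400sec
2: ens18    inet6 fe80::be24:11ff:fe9c:2a01/64 scope link \       valid_lft forever preferred_lft forever'

SAMPLE_NFT_V4_ONLY='table ip filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        tcp dport 22 accept
    }
}'

# The same rules in family inet: they now apply to v4 and v6 alike.
SAMPLE_NFT_INET=$(printf '%s' "$SAMPLE_NFT_V4_ONLY" | sed 's/^table ip /table inet /')

if [ "${1:-}" = "--live" ]; then
    audit_v6_exposure "$(ip -6 -o addr)" "$(nft list ruleset)"
else
    audit_v6_exposure "$SAMPLE_IP6" "$SAMPLE_NFT_V4_ONLY" || echo "fix: declare the table as 'table inet' (or add a 'table ip6')"
    audit_v6_exposure "$SAMPLE_IP6" "$SAMPLE_NFT_INET"
fi
```

Run it with --live on every VM and on the hypervisor itself; a VM that only ever had iptables (IPv4) rules and a router that does not filter v6 inbound is exactly the combination that turns a lab box into an Internet-facing host without anyone opening a port.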
Assumption Two: You Will Detonate Malware
That is literally the point of having a lab. So plan for the malware to misbehave — try to phone home, try to scan the LAN, try to pivot into your personal devices. Three rules:
- Detonation happens in an isolated VLAN with an explicit-deny default. Egress is allowed only through an inspection proxy you control.
- No L2 bridge between the lab and your personal VLAN. None. Ever.
- When you are done, revert from snapshot. Do not clean up by hand. Do not trust "looks fine now."
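The second and third rules are enforceable rather than aspirational if the thing that starts the VM checks them. The wrapper below is an added example, not the author's tooling: it assumes Proxmox VE with a VLAN-aware bridge and the `qm` CLI, refuses to start a VM unless every NIC carries the detonation VLAN tag (an untagged NIC on a VLAN-aware bridge lands on the bridge's native VLAN, which is the L2 bridge rule 2 forbids), snapshots before the run, and rolls back afterwards. The two `qm config` dumps at the bottom are constructed so the guard can be tried without a hypervisor.

```shell
#!/bin/sh
# Added example, not code from the original post: a wrapper around
# Proxmox's `qm` for one detonation run. It refuses to start the VM unless
# every NIC carries the detonation VLAN tag, snapshots first, and rolls
# back afterwards instead of trusting a hand clean-up. Assumes PVE with a
# VLAN-aware bridge and the `qm` CLI; the VM configs at the bottom are
# constructed for an offline dry run.

DETONATION_VLAN=40

# Print the VLAN tag of every netN line in `qm config` output, "none" when
# the NIC is untagged (an untagged port on a VLAN-aware bridge sits on the
# bridge's native VLAN, i.e. outside the detonation segment).
nic_vlan_tags() {
    awk '/^net[0-9]+:/ {
        tag = "none"
        n = split($2, opt, ",")
        for (i = 1; i <= n; i++) if (opt[i] ~ /^tag=/) tag = substr(opt[i], 5)
        print tag
    }'
}

# all_nics_on_vlan CONFIG_TEXT VLAN: succeed only if every NIC is on VLAN.
all_nics_on_vlan() {
    tags=$(printf '%s\n' "$1" | nic_vlan_tags)
    [ -n "$tags" ] || return 1     # a VM with no NIC is not what we expect; refuse
    for t in $tags; do
        [ "$t" = "$2" ] || return 1
    done
    return 0
}

# detonate VMID [SNAPSHOT]: guard, snapshot, run, revert.
detonate() {
    vmid=$1
    snap=${2:-pre-detonation}
    cfg=$(qm config "$vmid")
    if ! all_nics_on_vlan "$cfg" "$DETONATION_VLAN"; then
        echo "refusing: VM $vmid has a NIC outside VLAN $DETONATION_VLAN" >&2
        return 1
    fi
    qm snapshot "$vmid" "$snap" --description "clean state before detonation"
    qm start "$vmid"
    printf 'VM %s is up on VLAN %s. Detonate, then press Enter to revert: ' "$vmid" "$DETONATION_VLAN"
    read -r _
    qm stop "$vmid"
    qm rollback "$vmid" "$snap"   # discard everything the sample did; no manual clean-up
}

# --- constructed `qm config` dumps for the dry run (not real VMs) ---
GOOD_CFG='boot: order=scsi0
memory: 4096
net0: virtio=BC:24:11:0A:0B:0C,bridge=vmbr1,firewall=1,tag=40
scsi0: local-lvm:vm-140-disk-0,size=32G'

BAD_CFG='net0: virtio=BC:24:11:0A:0B:0C,bridge=vmbr1,tag=40
net1: virtio=BC:24:11:0A:0B:0D,bridge=vmbr0'   # second NIC untagged: reaches the native LAN

if [ "${1:-}" = "run" ] && [ -n "${2:-}" ]; then
    detonate "$2" "${3:-}"
else
    all_nics_on_vlan "$GOOD_CFG" "$DETONATION_VLAN" && echo "good config: every NIC tagged $DETONATION_VLAN"
    all_nics_on_vlan "$BAD_CFG" "$DETONATION_VLAN" || echo "bad config rejected: net1 has no tag"
fi
```

Usage on the hypervisor is `sh detonate.sh run 140`; without arguments it only runs the two constructed configs through the guard. The tag check is deliberately dumb: it does not try to prove the bridge is isolated, it just refuses the one misconfiguration that silently puts a sample on your home LAN.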
Assumption Three: The Lab Will Get Ransomwared
Self-inflicted or otherwise. Your backup strategy has to survive it.
What I run:
- Primary backup: Proxmox Backup Server on a separate host, pull-mode (PBS pulls from PVE, PVE has no credentials to push). So a ransomed PVE cannot poison the backups.
- Offline copy: Monthly rsync to a USB drive that lives unplugged in a drawer.
- Offsite encrypted copy: Backblaze B2 with restic and a key stored in the cloud password manager. Different credential than the lab admin.
- Restore drills: Twice a year, pick a random VM, restore it to a fresh host, boot it. If you have never restored, you do not have backups.
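The restore drill is the step people skip because it is manual. The script below is an added example, not the author's own tooling, showing the drill against the offsite restic copy: it picks one snapshot at random, restores it into a fresh directory, and reads back a sample of the repository's data blobs rather than just its metadata. It assumes restic configured through RESTIC_REPOSITORY (for example b2:bucket:path), RESTIC_PASSWORD_COMMAND, B2_ACCOUNT_ID and B2_ACCOUNT_KEY, issued from a credential that is not the lab admin's; the JSON at the bottom is a constructed `restic snapshots --json` output so the selection logic can be tested offline.

```shell
#!/bin/sh
# Added example, not code from the original post: a restore drill against
# the offsite restic repository. Picks one snapshot at random, restores it
# into a fresh directory, and reads back a sample of the repository data.
# Assumes restic with RESTIC_REPOSITORY, RESTIC_PASSWORD_COMMAND,
# B2_ACCOUNT_ID and B2_ACCOUNT_KEY set in the environment. The JSON below
# is constructed; it is not a real repository listing.

# Print the short_id of every snapshot in `restic snapshots --json` output.
snapshot_ids() {
    grep -o '"short_id":"[0-9a-f]*"' | cut -d'"' -f4
}

# Pick one line of stdin uniformly at random with POSIX awk (no shuf needed).
pick_random() {
    awk 'BEGIN { srand() } { line[NR] = $0 } END { if (NR) print line[int(rand() * NR) + 1] }'
}

# drill: restore a random snapshot somewhere fresh and verify the repo.
drill() {
    target=$(mktemp -d /var/tmp/restore-drill.XXXXXX)
    snap=$(restic snapshots --json | snapshot_ids | pick_random)
    if [ -z "$snap" ]; then
        echo "no snapshots in the repository: you do not have backups" >&2
        return 1
    fi
    echo "restoring snapshot $snap into $target"
    restic restore "$snap" --target "$target"
    # Read back 5% of the data blobs: catches bit rot and half-uploaded packs
    # that a metadata-only `restic check` would pass.
    restic check --read-data-subset=5%
    n=$(find "$target" -type f | wc -l)
    echo "$n files restored; boot or open them on a fresh host and record the date"
    [ "$n" -gt 0 ]
}

# --- constructed `restic snapshots --json` output (not a real repository) ---
SAMPLE_JSON='[{"time":"2024-03-01T02:00:00Z","paths":["/srv/lab"],"hostname":"pbs","tags":["vm-140"],"id":"3f2a9c0e9d7b4a1c","short_id":"3f2a9c0e"},{"time":"2024-03-08T02:00:00Z","paths":["/srv/lab"],"hostname":"pbs","tags":["vm-140"],"id":"7b1d44aa0e3f5c22","short_id":"7b1d44aa"},{"time":"2024-03-15T02:00:00Z","paths":["/srv/lab"],"hostname":"pbs","tags":["vm-150"],"id":"c09e5f21aa7e10b9","short_id":"c09e5f21"}]'

if [ "${1:-}" = "run" ]; then
    drill
else
    echo "snapshots in sample: $(printf '%s' "$SAMPLE_JSON" | snapshot_ids | tr '\n' ' ')"
    echo "this drill would restore: $(printf '%s' "$SAMPLE_JSON" | snapshot_ids | pick_random)"
fi
```

Run it as `sh drill.sh run` from a host that is not the PVE box, so the drill also proves the restic credential works from somewhere other than the machine that would be ransomed. Increase the read-data subset as the repository grows; 5% of a small repo is read in minutes from B2, and a failing check here is the cheapest possible way to learn the offsite copy is unusable.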
Assumption Four: The Admin Password Will Leak
Because it will. A commit that should have been git reset, a pastebin you forgot about, a phishing email that catches you when you are tired.
Mitigations:
- The lab's admin password is unique. It is not your personal password manager master, not your work AD password, not the WiFi passphrase, not the NAS password.
- Every service gets its own credential. SSO into a single IdP inside the lab is fine, but the lab's IdP credential is not your personal IdP credential.
- MFA with a hardware token on anything that is Internet-reachable. YubiKey 5C NFC at $55 is the cheapest insurance you will ever buy.
- Break-glass: a printed admin password sealed in a tamper-evident envelope in a drawer. Yes, paper. It survives ransomware.
Segmentation Cheat Sheet
My current layout:
VLAN 10 - Trusted (laptops, phones)
VLAN 20 - IoT (TVs, cameras, thermostat)
VLAN 30 - Lab management (Proxmox, PBS UI)
VLAN 40 - Lab detonation (malware runs here)
VLAN 50 - Lab services (reachable from trusted, read-only)
VLAN 99 - Guest (WAN-only)
Default rule between any two: deny.
Exceptions documented in firewall comments.
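What "default deny, exceptions documented in firewall comments" looks like in practice, together with the detonation-VLAN egress rule from Assumption Two, as an added nftables ruleset that is not the author's own configuration. Assumptions: the firewall is a Linux router with 802.1Q subinterfaces named vlan10 through vlan99 matching the table above, the inspection proxy is a dedicated host at 10.0.50.5 listening on 3128 whose only job is interception, and eth0 is the WAN side. "Read-only" for VLAN 50 cannot be expressed at L3/L4; the rule only admits the ports, the applications have to enforce read-only themselves.

```nft
#!/usr/sbin/nft -f
# Added example, not the original post's configuration. Inter-VLAN policy
# for the layout above. Assumed names: vlan10..vlan99 subinterfaces,
# inspection proxy 10.0.50.5:3128, WAN interface eth0.

flush ruleset

define wan   = "eth0"
define proxy = 10.0.50.5

table inet vlans {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop

        # VLAN 40 (detonation): no LAN, no WAN, only the inspection proxy.
        iifname "vlan40" ip daddr $proxy tcp dport 3128 accept comment "detonation egress via inspection proxy only"
        iifname "vlan40" drop comment "detonation: explicit deny for everything else"

        # VLAN 99 (guest) and VLAN 20 (IoT): Internet only, nothing inside the house.
        iifname "vlan99" oifname $wan accept comment "guest WAN-only"
        iifname "vlan20" oifname $wan accept comment "iot WAN-only"

        # VLAN 10 (trusted) may manage the lab and read lab services.
        iifname "vlan10" oifname "vlan30" tcp dport { 22, 8006, 8007 } accept comment "trusted -> PVE/PBS management UIs"
        iifname "vlan10" oifname "vlan50" tcp dport { 80, 443 } accept comment "trusted -> lab services (read-only is enforced by the apps)"

        # Management and services need package updates; trusted needs the Internet.
        iifname { "vlan10", "vlan30", "vlan50" } oifname $wan accept comment "WAN egress"
    }
}
```

Every accept carries a comment, so `nft list ruleset` is the documentation; if a rule cannot be explained in one comment, it should not exist. Note what the ruleset does not do: it cannot stop a VM whose NIC is bridged into the wrong VLAN, because that traffic never reaches the router. Segmentation at L3 only holds if the L2 side (VLAN tags on the hypervisor bridge) is right too.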
The Questions to Ask Yourself Quarterly
- If my lab were compromised tonight, what is the blast radius?
- Which service in my lab has not been updated in 90+ days?
- Is there any service exposed to the Internet that I have forgotten about?
- Could my partner, kids, or roommate accidentally reach the detonation VLAN?
- If my house burned down tomorrow, do I have the keys to restore this?
Home labs teach by breaking. Plan for them to break badly at least once. The lab you treat like production will, over time, actually resemble production. That is the goal.