Most home labs I see on Reddit are over-engineered museums. Three Dell R730s humming in a closet because "more is better," but the owner has never actually detonated malware or replayed a phishing chain end-to-end. The point of a security lab is to break things safely and learn from the breakage — not to rack-mount for Instagram.
Here is the minimum viable stack I recommend. Anything beyond this is a nice-to-have until you are hitting 80% utilization on what you already have.
1. One Hypervisor Host Running Proxmox VE 8
Pick a single box. A used Lenovo ThinkCentre M920q with 64 GB RAM and a 1 TB NVMe is around $450 on eBay. Install Proxmox VE 8.2. Done.
- Proxmox ships ZFS, LXC, and KVM out of the box.
- Snapshots are free, unlike VMware Workstation.
- Clustering comes later — single-node is fine for years.
If you want truly tiny, a Beelink SER5 with 32 GB will run five concurrent VMs comfortably.
2. A Routed, Tagged VLAN Segment
Your lab must live on its own Layer 2 segment. Do not bridge lab VMs to your home LAN. Ever.
The cheap approach: a used MikroTik hEX (RB750Gr3) or a UniFi Dream Machine plus one managed switch that speaks 802.1Q. Configure VLAN 99 as the lab, block it from initiating traffic to your residential VLAN, and allow internet egress through a dedicated firewall rule set.
```
# Example MikroTik rule set. Order matters: the forward chain is first-match-wins,
# so the reply-traffic accept sits above the drop, and the drop only targets
# connections the lab side opens (otherwise home-initiated RDP/SSH into the lab
# would lose its return packets).
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="replies to sessions the home side opened"
add chain=forward src-address=10.99.0.0/24 \
    dst-address=192.168.1.0/24 connection-state=new action=drop \
    comment="lab cannot talk to home"
```
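Rule order is where this kind of isolation usually fails: a broad "lab may reach the internet" accept placed above the drop silently shadows it. The following is an added example, not code from the post or from MikroTik, that models RouterOS first-match semantics (including the implicit accept when nothing matches) and runs a handful of packets through two orderings of the same three rules. The addresses are the post's VLAN 99 (10.99.0.0/24) and residential (192.168.1.0/24) ranges; the scenario packets and the Rule model are constructed for illustration.

```python
"""Rule-order check for the lab-isolation forward chain (constructed example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

LAB_NET = "10.99.0.0/24"      # VLAN 99, as in the post
HOME_NET = "192.168.1.0/24"   # residential VLAN, as in the post


@dataclass
class Rule:
    """One forward-chain rule; first match wins, as on RouterOS."""
    action: str                     # "accept" or "drop"
    src: Optional[str] = None       # source CIDR, None = any
    dst: Optional[str] = None       # destination CIDR, None = any
    state: Optional[str] = None     # "new" or "established,related", None = any
    comment: str = ""


def matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    """True when every matcher the rule sets agrees with the packet."""
    if rule.src and ip_address(pkt["src"]) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt["dst"]) not in ip_network(rule.dst):
        return False
    if rule.state and pkt["state"] not in rule.state.split(","):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Dict[str, str]) -> Tuple[str, str]:
    """First matching rule decides; RouterOS accepts when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "implicit default"


# Constructed test packets: connection state is what conntrack would report.
SCENARIOS = {
    "lab_to_home_new":     {"src": "10.99.0.10",   "dst": "192.168.1.20", "state": "new"},
    "lab_to_internet_new": {"src": "10.99.0.10",   "dst": "203.0.113.7",  "state": "new"},
    "home_to_lab_new":     {"src": "192.168.1.20", "dst": "10.99.0.10",   "state": "new"},
    "lab_reply_to_home":   {"src": "10.99.0.10",   "dst": "192.168.1.20", "state": "established"},
}
EXPECTED = {
    "lab_to_home_new": "drop",
    "lab_to_internet_new": "accept",
    "home_to_lab_new": "accept",
    "lab_reply_to_home": "accept",
}

GOOD_ORDER = [
    Rule("accept", state="established,related", comment="replies to home-initiated sessions"),
    Rule("drop", src=LAB_NET, dst=HOME_NET, state="new", comment="lab cannot talk to home"),
    Rule("accept", src=LAB_NET, comment="lab internet egress"),
]

# Same three rules, egress accept moved to the top: it now shadows the drop.
BAD_ORDER = [
    Rule("accept", src=LAB_NET, comment="lab internet egress"),
    Rule("accept", state="established,related", comment="replies to home-initiated sessions"),
    Rule("drop", src=LAB_NET, dst=HOME_NET, state="new", comment="lab cannot talk to home"),
]


def check_policy(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every scenario under the given rule order."""
    return {name: evaluate(rules, pkt)[0] for name, pkt in SCENARIOS.items()}


def policy_violations(rules: List[Rule]) -> List[str]:
    """Scenarios whose verdict differs from what the isolation design requires."""
    return [name for name, verdict in check_policy(rules).items() if verdict != EXPECTED[name]]


if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label, check_policy(rules), "violations:", policy_violations(rules))
```

The same check is worth re-running against the real device after any edit to the chain: export the filter rules, map them onto this Rule model, and confirm the "lab_to_home_new" verdict is still drop.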
3. EDR Trial Instances on a Rotating Basis
CrowdStrike, SentinelOne, and Microsoft Defender for Endpoint all offer 30-to-90 day trials for qualified testers. Request one, deploy it on two Windows 11 VMs (one clean, one victim), run Atomic Red Team tests against it, record what fires and what does not. Rotate every quarter.
You learn more from one week of "does T1059.001 actually alert on default policy?" than from a year of reading vendor whitepapers.
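"Record what fires and what does not" is only useful if an alert is attributed to the test that caused it: same host, same technique, and within a sensible delay after execution. The following is an added example, not code from the post, Atomic Red Team or any EDR vendor, that joins a constructed run log against a constructed alert export and produces a per-technique coverage result. The field names on both sides are assumptions; real exports differ per vendor, and the attribution window is a parameter you should tune to the console's observed lag.

```python
"""Attribute EDR alerts to Atomic Red Team runs and report coverage (constructed data)."""
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed run log: what was executed, when, and on which victim VM.
TEST_RUNS = [
    {"technique": "T1059.001", "test": "PowerShell download cradle", "host": "WIN11-VICTIM", "ran_at": "2024-05-06T10:00:00"},
    {"technique": "T1003.001", "test": "LSASS memory access",        "host": "WIN11-VICTIM", "ran_at": "2024-05-06T10:05:00"},
    {"technique": "T1053.005", "test": "Scheduled task creation",    "host": "WIN11-VICTIM", "ran_at": "2024-05-06T10:10:00"},
    {"technique": "T1136.001", "test": "Local account creation",     "host": "WIN11-VICTIM", "ran_at": "2024-05-06T10:15:00"},
]

# Constructed alert export from the EDR console (field names assumed, vary by vendor).
ALERTS = [
    {"technique": "T1059.001", "host": "WIN11-VICTIM", "severity": "high",     "seen_at": "2024-05-06T10:00:42"},
    {"technique": "T1003.001", "host": "WIN11-VICTIM", "severity": "critical", "seen_at": "2024-05-06T10:05:09"},
    {"technique": "T1053.005", "host": "WIN11-CLEAN",  "severity": "low",      "seen_at": "2024-05-06T10:10:30"},  # wrong host
    {"technique": "T1136.001", "host": "WIN11-VICTIM", "severity": "medium",   "seen_at": "2024-05-06T11:40:00"},  # 85 min late
]

DEFAULT_WINDOW = timedelta(minutes=10)


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def attribute(test_runs: List[Dict], alerts: List[Dict], window: timedelta = DEFAULT_WINDOW) -> Dict[str, List[Dict]]:
    """For each run, the alerts on the same host and technique seen within `window` after it."""
    attributed: Dict[str, List[Dict]] = {}
    for run in test_runs:
        start = _ts(run["ran_at"])
        attributed[run["technique"]] = [
            alert for alert in alerts
            if alert["technique"] == run["technique"]
            and alert["host"] == run["host"]
            and start <= _ts(alert["seen_at"]) <= start + window
        ]
    return attributed


def coverage_report(test_runs: List[Dict], alerts: List[Dict], window: timedelta = DEFAULT_WINDOW) -> Dict:
    """Techniques that fired, techniques that stayed silent, and the percentage covered."""
    attributed = attribute(test_runs, alerts, window)
    fired = sorted(t for t, hits in attributed.items() if hits)
    silent = sorted(t for t, hits in attributed.items() if not hits)
    pct = round(100 * len(fired) / len(attributed)) if attributed else 0
    return {"fired": fired, "silent": silent, "coverage_pct": pct}


if __name__ == "__main__":
    print("10 min window:", coverage_report(TEST_RUNS, ALERTS))
    # Widening the window changes the answer for the late alert, so record the
    # window you used alongside the result when you compare vendors quarter to quarter.
    print("2 h window:  ", coverage_report(TEST_RUNS, ALERTS, timedelta(hours=2)))
```

Two of the constructed cases are the ones that bite in practice: an alert on the clean VM rather than the victim does not count as coverage of the test, and a cloud console that surfaces an alert an hour later will look like a miss under a tight window. Keep the window as part of the recorded result.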
4. A Small Active Directory Test Forest
One Windows Server 2022 domain controller, two member workstations, one service account deliberately configured with an SPN for Kerberoasting practice. GOAD (Game of Active Directory) automates almost all of this with Terraform and Ansible: clone it from GitHub and run ./scripts/start.sh.
This is where you test:
- BloodHound collection and analysis
- NTDS.dit extraction with secretsdump
- LAPS rollout mistakes
- ADCS misconfigurations (ESC1 through ESC8)
5. Packet Capture Capability
A virtual Security Onion 2.4 instance with a SPAN port mirrored from your lab VLAN. That is the whole requirement. Zeek logs plus Suricata alerts plus full PCAP retention for 7 days is enough to answer 90% of "what actually happened on the wire" questions.
If your switch cannot span, a dedicated Proxmox bridge with a promiscuous-mode Zeek sensor will do the job.
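The first wire question worth asking in this lab is whether the VLAN isolation from section 2 actually holds. Zeek's conn.log answers it directly: a lab-to-home SYN that the router drops still appears on the lab SPAN, but with conn_state S0 (no reply ever seen), whereas a connection that reached a home host shows a reply state such as SF. The following is an added example, not code from the post or from the Zeek or Security Onion projects, that parses Zeek's tab-separated log format (the #fields and #unset_field headers are real Zeek conventions) and separates blocked attempts from completed crossings. The conn.log sample is constructed and abridged to twelve of the real columns; the networks are the post's 10.99.0.0/24 and 192.168.1.0/24.

```python
"""Parse a Zeek conn.log and report lab-to-home boundary crossings (constructed sample)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

LAB_NET = ip_network("10.99.0.0/24")
HOME_NET = ip_network("192.168.1.0/24")

# Abridged subset of Zeek's real conn.log columns (the real log has more).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"]


def _row(*cols) -> str:
    return "\t".join(str(c) for c in cols)


# Constructed conn.log: one lab egress, one blocked lab->home attempt (S0),
# one lab->home connection that completed (SF), one home->lab RDP session.
SAMPLE_CONN_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\tconn",
    "#fields\t" + "\t".join(FIELDS),
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring",
    _row("1715000000.101", "CAbc1", "10.99.0.10", 51234, "203.0.113.7", 443, "tcp", "ssl", "2.31", 1200, 53000, "SF"),
    _row("1715000001.204", "CAbc2", "10.99.0.10", 51235, "192.168.1.20", 445, "tcp", "-", "-", "-", "-", "S0"),
    _row("1715000002.317", "CAbc3", "10.99.0.11", 51236, "192.168.1.30", 22, "tcp", "ssh", "14.9", 4100, 9800, "SF"),
    _row("1715000003.420", "CAbc4", "192.168.1.20", 60001, "10.99.0.10", 3389, "tcp", "-", "120.0", 30000, 900000, "SF"),
    "#close\t2024-05-06-10-00-05",
])


def parse_zeek_tsv(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn Zeek's TSV log into dicts keyed by the #fields header; unset fields become None."""
    fields: Optional[List[str]] = None
    unset = "-"
    records: List[Dict[str, Optional[str]]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "unset_field":
                unset = rest
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}: {line!r}")
        records.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return records


def boundary_crossings(records: List[Dict], src_net=LAB_NET, dst_net=HOME_NET) -> Dict[str, List[Dict]]:
    """Connections originated in src_net toward dst_net, split by whether a reply was ever seen."""
    attempted: List[Dict] = []   # S0: SYN seen, no answer; what a working drop rule looks like
    completed: List[Dict] = []   # any other state means the responder answered: isolation failed
    for rec in records:
        if ip_address(rec["id.orig_h"]) in src_net and ip_address(rec["id.resp_h"]) in dst_net:
            (attempted if rec["conn_state"] == "S0" else completed).append(rec)
    return {"attempted": attempted, "completed": completed}


def summarize(text: str) -> Dict[str, List[str]]:
    """UIDs of blocked attempts and of completed crossings, ready to pivot on in PCAP."""
    crossings = boundary_crossings(parse_zeek_tsv(text))
    return {k: [r["uid"] for r in v] for k, v in crossings.items()}


if __name__ == "__main__":
    print(summarize(SAMPLE_CONN_LOG))
```

Anything in the "completed" list is a firewall failure, and the uid is the handle you pivot on into Suricata and the retained PCAP. Home-to-lab sessions are not listed because the post's design allows them; if you later decide the lab should be unreachable from home as well, call boundary_crossings with the networks swapped.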
What You Do Not Need Yet
Skip these until you are genuinely out of capacity:
- A Kubernetes cluster. You have no security workload that requires it.
- A separate SIEM appliance. Splunk Free (500 MB/day) or Wazuh-on-a-VM handles everything.
- A 42U rack. Noise, heat, and a divorce are not learning outcomes.
- 10GbE anything. 1GbE saturates on packet capture long before your learning does.
Build this stack for under $800 and you will have done more hands-on security work than most analysts do in their first two years on the job. That is the actual win.