# Building a Home Cybersecurity Lab: The Hardware and Software Stack That Actually Works

At some point, TryHackMe rooms and HackTheBox machines are not enough. You have learned the basics on someone else’s infrastructure, and now you want something you control — an environment where you can break things on purpose, study what happens, rebuild, and repeat. A home lab is that environment.

The barrier is lower than most people think. You do not need server racks or enterprise hardware. Here is what the practical setup actually looks like.

## The Hardware Decision

You have three realistic options: repurposed enterprise gear, a consumer mini PC, or Raspberry Pi. Each has a legitimate use case.

**Repurposed enterprise hardware** is the best value at the moment. Used Dell OptiPlex 7060/7070 or HP EliteDesk 800 G4 machines from 2018-2020 run $60-120 on eBay, typically come with an i5 or i7, and can be upgraded cheaply. They are x86, which means full compatibility with every VM image and container you will encounter. The only downside is power consumption — expect 40-80W idle versus 10-15W for a mini PC.

**Mini PCs** like the Beelink SER5 or MINISFORUM UM560 give you modern Ryzen silicon, NVMe storage, and quiet operation in a $200-350 package. They are the best choice if energy efficiency or desk space matters. Most support up to 64GB of RAM with aftermarket upgrades, which is plenty for running 4-6 VMs simultaneously.

**Raspberry Pi** (or equivalent ARM SBCs) belongs in a supporting role, not as your primary lab machine. It is excellent for lightweight network devices — a Pi-hole, a Zeek sensor, a low-power router, a Kali instance for wireless work. It is not where you want to run Metasploit against a Metasploitable target with a full Wireshark capture running.

**Minimum useful spec:** Quad-core CPU, 16GB RAM (32GB preferred), 500GB NVMe SSD. With 16GB you can run your attacker VM and two targets comfortably. With 32GB you can add a SIEM and a vulnerable web server simultaneously without everything grinding.

## The Hypervisor

**VirtualBox** is the right starting point. It is free, it runs on Windows, Mac, and Linux, it handles snapshots well, and the community documentation is extensive. For a home lab, the feature gaps between VirtualBox and commercial hypervisors do not matter.

When you outgrow it — and you will know when you do — **Proxmox VE** is the logical next step. It is free, enterprise-grade, runs on bare metal, and gives you a proper web UI for managing dozens of VMs. The learning curve takes a weekend. The control you gain is worth it.

Avoid running everything on your daily-use machine. The isolation matters — not just for security, but for sanity. A dedicated lab machine means you can leave experiments running, blow everything up without consequences, and keep your work environment clean.

## The VM Stack

**Attacker:** Kali Linux is the standard. It comes pre-loaded with everything you need — Nmap, Metasploit, Burp Suite, Wireshark, enum4linux, John the Ripper, and several hundred other tools. Download the VirtualBox OVA image from the official Offensive Security site and import it. Done.

**Vulnerable targets:**
- **Metasploitable 2** is the classic: an intentionally vulnerable Linux box with exploitable services on nearly every port. Good for learning Metasploit exploitation, service enumeration, and privilege escalation basics.
- **DVWA (Damn Vulnerable Web Application)** covers the OWASP Top 10 in an intentionally vulnerable training environment: SQL injection, XSS, CSRF, file inclusion, command injection. Run it as a Docker container or a dedicated VM.
- **VulnHub** has hundreds of community-created challenge machines at varying difficulty levels. Download, import, hack. No account required.

**Network monitoring:**
- **Wireshark** on your attacker VM captures everything on the virtual network.
- **Security Onion** deserves its own VM once you are ready. It is a full network security monitoring distribution: Zeek, Suricata, Elasticsearch, and Kibana pre-configured. Run it as a passive tap on your lab network and you get a full IDS/SIEM for free.

## Network Architecture

The most important decision in your lab design is isolation. Your lab network should have no path to your home network unless you explicitly build one.

In VirtualBox: create a Host-Only network adapter. VMs on this adapter can communicate with each other and with your host machine, but they have no internet access and no access to your home LAN. This means malware you deploy on a Metasploitable target during an exercise stays contained.

If you want your attacker VM to have internet access for tool updates while your targets stay isolated, use two adapters: NAT for internet, Host-Only for lab network. Your attacker has both. Your targets have only Host-Only.
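The adapter layout above can be checked rather than assumed. This added example (not part of the original article) reads `VBoxManage showvminfo --machinereadable` output and flags any adapter that gives a VM a path off the Host-Only network; the VM names, the adapter name `vboxnet0`, and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Policy from the text: targets are Host-Only only; the attacker may also have NAT.

# Constructed samples of `VBoxManage showvminfo <vm> --machinereadable` output.
SAMPLE_TARGET_OK='name="metasploitable2"
nic1="hostonly"
nictype1="82540EM"
hostonlyadapter1="vboxnet0"
nic2="none"'
SAMPLE_TARGET_LEAKY='name="dvwa"
nic1="hostonly"
hostonlyadapter1="vboxnet0"
nic2="bridged"
bridgeadapter2="eth0"'
SAMPLE_ATTACKER='name="kali"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"'

# audit_nics ROLE: reads showvminfo output on stdin, prints one line per
# adapter that breaks the policy, returns 0 if clean, 1 on any violation.
audit_nics() {
    audit_role=$1
    case $audit_role in
        target)   audit_allowed="hostonly none" ;;
        attacker) audit_allowed="hostonly none nat" ;;
        *) echo "unknown role: $audit_role" >&2; return 2 ;;
    esac
    audit_rc=0
    while IFS='=' read -r key val || [ -n "$key" ]; do
        case $key in
            nic[0-9]*) ;;          # nic1, nic2, ... (not nictype1, nicspeed1)
            *) continue ;;
        esac
        val=${val#\"}; val=${val%\"}   # strip the surrounding quotes
        case " $audit_allowed " in
            *" $val "*) ;;
            *) echo "VIOLATION: $key attached to '$val' (role=$audit_role)"
               audit_rc=1 ;;
        esac
    done
    return $audit_rc
}

# Live use (VM name is an assumption):
#   VBoxManage showvminfo "metasploitable2" --machinereadable | audit_nics target
printf '%s\n' "$SAMPLE_TARGET_OK"    | audit_nics target   && echo "target ok"
printf '%s\n' "$SAMPLE_TARGET_LEAKY" | audit_nics target   || echo "leaky target flagged"
printf '%s\n' "$SAMPLE_ATTACKER"     | audit_nics attacker && echo "attacker ok"
```

Running the audit after every VM import is worthwhile, since imported appliances often arrive with a NAT or bridged adapter already attached.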

When you graduate to a managed switch, add VLAN segmentation. Lab VLAN, management VLAN, Internet VLAN — each isolated at the network level, with pfSense controlling inter-VLAN routing. This mirrors what enterprise environments actually look like.

## Where to Get More Targets

**HackTheBox** publishes new machines weekly. The free tier gives you access to retired machines: there are hundreds of them, all community-rated by difficulty and technique. The subscription unlocks active machines and ProLabs, which are multi-machine labs that mimic real Active Directory environments.

**TryHackMe** is more guided — rooms walk you through technique by technique. Better for structured learning, particularly for people newer to the field.

**CTF archives** at CTFtime.org let you download and replay past competitions in your own environment.

Your home lab is the place where you put all of that into practice on your own infrastructure, at your own pace, without a timer.

**Sources:**
1. Offensive Security Kali Linux downloads — https://www.kali.org/get-kali/
2. HackTheBox community machines — https://www.hackthebox.com/
3. VulnHub vulnerable VM archive — https://www.vulnhub.com/
4. Security Onion documentation — https://securityonionsolutions.com/
