Thanks for subscribing. This is a standalone starter checklist pulled from the complete home cybersecurity lab guide — bookmark or print it as your build sequence, and refer to the full guide for the reasoning and detail behind each step.
The Home Cybersecurity Lab Starter Checklist
The order that actually works, based on what breaks if you skip a step: segmentation first, then the tooling built on top of it. Trying to run offensive tools or malware analysis on a flat network is the single most common mistake new lab builders make.
Phase 1 — Network foundation (do this first)
- Router/firewall capable of VLANs and per-zone firewall rules (Protectli + OPNsense, or a UniFi Dream Machine)
- Managed switch supporting 802.1Q VLAN tagging
- At minimum: a separate Security Lab VLAN, isolated from personal and IoT zones by default-deny rules
- DNS resolver per zone (Pi-hole or OPNsense’s built-in Unbound) — and confirm outbound DNS is actually blocked except to your resolver, not just configured
Phase 2 — Hardware and virtualization
- A host machine with enough RAM to run multiple VMs simultaneously — 32GB is a more realistic starting point than the “16GB minimum” most guides quote
- A hypervisor (VirtualBox for free/simple, VMware Workstation Pro or Proxmox for more capability)
- Snapshot discipline from day one — snapshot before every meaningfully different exploitation attempt, not just at major milestones
Phase 3 — The modules, in order
- CTF / offensive practice: Kali or Parrot VM, HackTheBox/TryHackMe access, the core tool stack (Burp Suite, pwntools, Ghidra)
- Malware analysis: start with cloud sandboxes (Any.run, Hybrid Analysis) before building a self-hosted CAPEv2 setup — and build a convincingly “used” Windows analysis VM, not a sterile fresh install, or samples will detect the sandbox and refuse to run
- Detection/monitoring: logging on the firewall for inter-VLAN traffic attempts — this alone is genuinely useful threat visibility, not just a compliance checkbox
Before you plug anything in
- Confirm default-deny is actually the default between VLANs, not just configured and unverified
- Block outbound DNS from every VLAN except to your designated resolver specifically — this is the single most common gap
- Budget a full weekend for the first real setup, not an afternoon — the device-discovery process takes longer than the technical configuration
For the full reasoning, hardware options at every price point, and the mistakes to avoid at each phase, see the complete home cybersecurity lab guide.
Hardware: The Protectli Vault FW4B is the reference firewall platform for this build, paired with a Netgear GS308E managed switch.