Your First Cybersecurity Lab: Step-by-Step Walkthrough

Why Hands-On Practice Matters From Day One

According to the NIST National Initiative for Cybersecurity Education (NICE) Framework (NIST SP 800-181r1), cybersecurity competency requires a combination of knowledge, skills, and abilities — and skills can only be developed through practice, not just reading or watching videos. The Australian Signals Directorate (ASD) echoes this guidance, recommending that aspiring cybersecurity professionals build practical experience alongside theoretical study.

This walkthrough is your very first hands-on cybersecurity exercise. You do not need any prior experience. You do not need to install anything on your computer. You just need a web browser, an internet connection, and about 60 to 90 minutes of focused time.

By the end of this exercise, you will have navigated a Linux terminal, run basic commands, performed your first network scan, and documented your findings — exactly the workflow that SOC analysts and penetration testers use in their daily work.

I remember my first time opening a terminal in Kali Linux. I had been reading about cybersecurity for weeks — threat actors, the CIA triad, risk frameworks — but I had never actually typed a command. I sat there staring at a blinking cursor, terrified that I would break something. I typed ls, hit enter, and saw a list of folders appear. That was it. That tiny moment — running a command and seeing it work — was the first time cybersecurity felt like something I could actually do, not just something I was reading about. If you are feeling that same fear right now, I promise you: every single person in this field started exactly where you are. The commands below will not break anything. Just follow along, type what you see, and let yourself be surprised by how quickly it starts making sense.

Quick Answer

What will I learn? How to navigate a Linux terminal, run basic commands, perform a network scan with Nmap, read scan results, and document your findings.

What do I need? A computer with a web browser and internet access. Nothing to install — this exercise uses TryHackMe’s free browser-based environment.

How long will it take? Approximately 60 to 90 minutes, working at a comfortable pace with no rushing.

Key framework: This exercise follows the standard reconnaissance and enumeration methodology used by cybersecurity professionals, as described in the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment.

Legal notice: Only scan systems you own or have explicit written permission to test. TryHackMe provides legal target machines for this purpose. Unauthorised scanning of systems you do not own is a criminal offence under the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), the Criminal Code Act 1995 (AU), and equivalent laws worldwide. The exercises in this walkthrough use TryHackMe’s authorised practice environments exclusively.

What You Will Learn

By the end of this exercise, you will be able to:

1. Navigate a Linux filesystem using the terminal — the same environment that 90%+ of cybersecurity tools run in
2. Run basic Linux commands that every security professional uses daily
3. Perform a network scan using Nmap — the most widely used network scanning tool in the industry
4. Read scan results and understand what open ports and services mean
5. Document your findings in a format that builds good professional habits from the start

These are not abstract concepts. These are the exact skills that SOC analysts, penetration testers, and security engineers use every day.

Prerequisites

You need exactly three things:

Requirement	Details
A computer	Any laptop or desktop with a web browser (Windows, Mac, or Linux)
Internet access	A stable connection — TryHackMe streams a virtual machine to your browser
A TryHackMe account	Free account at tryhackme.com — no credit card required

You do not need to install anything. TryHackMe provides a browser-based Kali Linux environment called the AttackBox. Everything you need is pre-installed and runs in your browser.

If you prefer to set up your own local environment instead, see the Virtual Machine Setup Guide — but that is optional and not needed for this exercise.

The Lab Exercise Workflow

Every cybersecurity lab exercise follows a similar pattern. Understanding this workflow helps you approach any future lab with confidence:

Lab Exercise Workflow

The standard approach to any cybersecurity hands-on exercise

Pause

Setup

5-10 minutes

Log into TryHackMe

Launch the AttackBox

Start the target machine

Connect

2-5 minutes

Verify your connection

Confirm target IP address

Open a terminal

Explore

15-20 minutes

Navigate the filesystem

Run basic commands

Get comfortable with the terminal

Scan

15-20 minutes

Run Nmap against the target

Identify open ports

Determine running services

Document

10-15 minutes

Record your commands

Note what you found

Write up your observations

Idle

This is the same methodology that professional penetration testers and SOC analysts use — setup, connect, explore, investigate, document. You are building professional habits from your very first exercise.

Step 1: Set Up Your TryHackMe Environment

Create Your Account (If You Have Not Already)

1. Go to tryhackme.com and click Sign Up
2. Create a free account using your email, Google, or GitHub
3. Choose a username — pick something professional if you plan to share your profile with employers later
4. Complete the brief onboarding questionnaire

Navigate to the Tutorial Room

1. From the TryHackMe dashboard, search for “Tutorial” in the search bar
2. Open the Tutorial room — this is TryHackMe’s official introductory room
3. Read the room description to understand what you will be doing

Launch the AttackBox

1. Click the “Start AttackBox” button at the top of the room page
2. Wait approximately 1-2 minutes for the browser-based Kali Linux machine to load
3. You will see a full Linux desktop appear in your browser — this is your attack machine
4. Click the “Start Machine” button within the room to deploy the target machine
5. Note the target IP address that appears (it will look something like 10.10.x.x) — you will need this later

Take a breath. You now have a real Linux machine running in your browser and a target machine to practise against. Everything from here is hands-on.

Step 2: Get Comfortable With the Terminal

Opening the Terminal

On the AttackBox desktop, look for the terminal icon (it looks like a black rectangle) in the taskbar at the top or bottom of the screen. Click it to open a terminal window.

You will see something like this:

┌──(root㉿attackbox)-[~]
└─$

That blinking cursor is waiting for your commands. This is where the learning starts.

Your First Commands

Type each command below, press Enter, and observe what happens. Take your time — there is no rush.

whoami — Who am I?

whoami

This tells you which user you are logged in as. You should see root — the superuser (administrator) of this Linux system. In real-world security work, knowing which user you are operating as is always the first thing you check.

pwd — Where am I?

pwd

This stands for “print working directory.” It shows you which folder you are currently in. You should see something like /root — this is the home directory of the root user.

ls — What is in this folder?

ls

This lists the files and folders in your current directory. You will see folders like Desktop, Documents, Downloads, and others. This is the same concept as opening a folder in Windows Explorer or macOS Finder — you are just doing it with text commands instead of clicking.

ls -la — Show me everything, including hidden files

ls -la

The -l flag shows a detailed list (permissions, owner, size, date). The -a flag shows hidden files (files starting with a dot). In cybersecurity, hidden files are often important — configuration files, history files, and sometimes evidence of malicious activity.

cd Desktop — Move to the Desktop folder

cd Desktop

Then confirm where you are:

pwd

You should now see /root/Desktop. The cd command changes your directory, just like double-clicking a folder.

cd .. — Go back up one level

cd ..

This takes you back to the parent directory. Verify with pwd — you should be back in /root.

cat /etc/hostname — Read a file

cat /etc/hostname

The cat command displays the contents of a file. /etc/hostname contains the name of this machine. In security work, reading files is how you investigate systems — checking logs, configuration files, and evidence.

ip a — What is my network address?

ip a

This shows all network interfaces and their IP addresses. Look for an interface called eth0 or tun0 — the IP address listed there is your machine’s address on the network. Understanding network addresses is fundamental to everything in cybersecurity.

Key Definition

IP address is a numerical label assigned to each device on a computer network. Think of it like a postal address for computers — it tells the network where to send data. Every device that communicates on a network has at least one IP address. In cybersecurity, IP addresses help you identify machines, trace connections, and understand network layout. Source: IETF RFC 791.

Command Reference

Here is a quick reference for the commands you just learned:

Command	What It Does	Example
whoami	Shows your current username	root
pwd	Shows your current directory	/root
ls	Lists files in current directory	Desktop Documents Downloads
ls -la	Lists all files with details	Shows permissions, sizes, hidden files
cd [folder]	Changes to a folder	cd Desktop
cd ..	Goes up one directory level	Back to parent folder
cat [file]	Displays file contents	cat /etc/hostname
ip a	Shows network interfaces and IPs	Your machine’s network addresses

Congratulations. You have just used eight Linux commands that cybersecurity professionals use every single day. These are not beginner commands that you will outgrow — ls, cd, cat, pwd, whoami, and ip a are used by senior security engineers and junior analysts alike.

Step 3: Your First Network Scan With Nmap

Now comes the part that makes this feel like real cybersecurity work. You are going to scan the target machine to discover what services it is running — exactly what a penetration tester or SOC analyst does when investigating a system.

What Is Nmap?

Nmap (Network Mapper) is the most widely used network scanning tool in cybersecurity. According to the NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, network scanning is a foundational technique for identifying hosts, open ports, and running services on a network.

When you scan a machine with Nmap, you are asking: “What doors are open on this computer, and what is behind each door?” Each open port represents a service — a web server, an SSH server, a database, or something else. Knowing what services are running is the first step in any security assessment.

Running Your First Scan

Make sure you have the target machine’s IP address from Step 1. Replace MACHINE_IP in the command below with that IP address.

nmap -sV MACHINE_IP

What this command does:

• nmap — runs the Nmap scanning tool
• -sV — tells Nmap to detect the version of each service it finds (not just that the port is open, but what software is running and which version)
• MACHINE_IP — the IP address of the target machine (e.g., 10.10.123.45)

The scan will take 30 seconds to 2 minutes. You will see output appearing as Nmap discovers open ports and services.

Reading Your Scan Results

Your Nmap output will look something like this (exact results depend on which TryHackMe room you are in):

Starting Nmap 7.94 ( https://nmap.org ) at 2026-03-20 10:30 UTC
Nmap scan report for 10.10.123.45
Host is up (0.032s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1
80/tcp   open  http    Apache httpd 2.4.41
443/tcp  open  https   Apache httpd 2.4.41

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.34 seconds

Let us break down what each part means:

Column	Meaning	Example
PORT	The port number and protocol	22/tcp — port 22 using TCP
STATE	Whether the port is open, closed, or filtered	open — accepting connections
SERVICE	What type of service is running	ssh — Secure Shell (remote access)
VERSION	The specific software and version	OpenSSH 8.2p1

What Do Common Ports Mean?

Port	Service	What It Does	Security Relevance
22	SSH	Secure remote access to the machine	If open, someone can log in remotely — need to check for weak passwords
80	HTTP	Web server (unencrypted)	Hosts a website — check for web vulnerabilities
443	HTTPS	Web server (encrypted)	Hosts a secure website — still check for web vulnerabilities
21	FTP	File transfer	Often misconfigured — check for anonymous access
3306	MySQL	Database server	Should never be exposed to the internet — common misconfiguration
3389	RDP	Remote Desktop (Windows)	Remote access to Windows — common attack target

Understanding this output is genuinely useful. When a SOC analyst receives an alert about suspicious network activity, one of the first things they do is check what services are running on the involved systems. You just did exactly that.

Try Additional Scan Flags

Once you have completed your basic scan, try these variations to see different output:

# Quick scan — faster but less detailed
nmap MACHINE_IP

# Scan specific ports only
nmap -p 22,80,443 MACHINE_IP

# Operating system detection (requires root)
nmap -O MACHINE_IP

Each flag changes what Nmap looks for. As you progress in your cybersecurity journey, you will learn dozens of Nmap options — but -sV is the one you will use most often and the one that provides the most useful output for beginners.

Step 4: Document Your Findings

Documentation is the habit that separates good security professionals from great ones. Start building this habit now, from your very first exercise.

Write Up What You Found

Open a text editor (on the AttackBox, you can use mousepad or nano in the terminal) or simply write notes on paper or in a document on your own computer. Use this template:

=== Lab Exercise: First Network Scan ===
Date: [today's date]
Platform: TryHackMe
Room: Tutorial
Target IP: [the IP address you scanned]

Commands Used:
1. whoami → confirmed I am root user
2. pwd → confirmed home directory /root
3. ls -la → listed files including hidden files
4. ip a → found my IP address: [your IP]
5. nmap -sV [target IP] → network scan with version detection

Scan Results:
- Port 22/tcp: SSH (OpenSSH [version])
- Port 80/tcp: HTTP (Apache [version])
- Port 443/tcp: HTTPS (Apache [version])

What I Learned:
- How to navigate a Linux filesystem using terminal commands
- How to run a basic Nmap scan and interpret the results
- What open ports mean and why they matter for security
- The scan-enumerate-document workflow used by professionals

What Surprised Me:
- [Write something genuine here — what was unexpected?]

What I Want to Learn Next:
- [What questions did this exercise raise?]

Time Spent: [how long this took you]

Why does documentation matter? Three reasons:

1. It reinforces learning. Writing down what you did forces you to process it more deeply than just doing it and moving on.
2. It builds portfolio evidence. When you apply for security jobs, you can point to documented exercises as proof of your hands-on experience.
3. It is a core professional skill. SOC analysts write incident reports. Penetration testers write assessment reports. Security auditors write audit findings. Documentation is not extra work — it is the work.

This lab exercise pairs perfectly with the beginner guide — the guide explains the concepts, and this lab lets you practise them hands-on.

Intro to Cybersecurity for Non-ITAvailable Now

Complete beginner guide to cybersecurity for career changers with zero IT background.

Get the Guide → $19

Common Fears and How to Overcome Them

If you felt nervous during any part of this exercise, you are not alone. Here are the fears that almost every career changer experiences — and why they are not as scary as they feel.

”I am going to break something”

The TryHackMe environment is completely sandboxed. The virtual machines are disposable — they get destroyed and rebuilt for every user. You literally cannot break anything permanently. Type any command. Make mistakes. That is how you learn.

”I do not understand the output”

Nobody understands all the output the first time. When you ran ls -la, the permissions column (drwxr-xr-x) probably looked like nonsense. That is completely normal. You will learn to read permissions, and it will make perfect sense within a few weeks. For now, focus on the parts you do understand and let the rest become familiar over time.

”Real hackers are way smarter than me”

Real security professionals started exactly where you are. Every CISSP holder, every senior penetration tester, every SOC analyst once typed ls for the first time and felt uncertain. The difference between them and someone who never makes it is persistence, not intelligence.

”The terminal is intimidating”

The terminal is just a different way to interact with a computer. Instead of clicking icons, you type commands. Once you have used 10-15 commands a few times each, the terminal starts to feel natural. Most security professionals actually prefer the terminal because it is faster and more precise than clicking through menus.

I spent a full week avoiding the terminal after my first attempt. I would open it, stare at the cursor, close it, and go back to watching YouTube videos about cybersecurity instead. It took a friend telling me “just type ls and see what happens” to get me past the fear. One command. That was all it took to break the paralysis. If you are reading this and have not opened the terminal yet — just type ls. That is your only job right now.

What to Do Next

You have completed your first cybersecurity lab exercise. Here is what to do with that momentum:

Immediate Next Steps (This Week)

1. Complete the full TryHackMe Tutorial room if you have not already — answer all the questions to earn your first badge
2. Start the Pre-Security learning path on TryHackMe — it expands on everything you did here with more structured learning
3. Complete Linux Fundamentals Part 1 — this deepens the terminal skills you just started building

Short-Term Next Steps (Next 2-4 Weeks)

4. Work through the Pre-Security path — covers networking, Linux, and web fundamentals
5. Complete the Introductory Networking room — builds on the Nmap scanning you did here
6. Start documenting every room you complete using the template from Step 4

Medium-Term Next Steps (Next 1-3 Months)

7. Set up a home lab with VirtualBox and Kali Linux for unrestricted practice
8. Move to the Complete Beginner path on TryHackMe
9. Start studying for a certification — either ISC2 CC (free) or CompTIA Security+

Recommended TryHackMe Learning Paths After This Exercise

Learning Path	Difficulty	Duration	What It Builds On
Pre-Security	Beginner	10-15 hours	Everything in this exercise — deeper Linux, networking, web
Introduction to Cyber Security	Beginner	10-15 hours	Offensive and defensive security concepts with hands-on
Complete Beginner	Beginner-Intermediate	40+ hours	Full foundation including exploitation and web hacking
Jr Penetration Tester	Intermediate	50+ hours	Professional penetration testing methodology
SOC Level 1	Intermediate	40+ hours	Security operations centre analyst skills

For a detailed guide to TryHackMe, see the TryHackMe Beginner Guide.

Summary and Key Takeaways

You have just completed your first cybersecurity lab exercise. That is a genuinely significant step — most people talk about getting into cybersecurity but never actually open a terminal.

• You navigated a Linux terminal using whoami, pwd, ls, cd, cat, and ip a — commands that every cybersecurity professional uses daily.
• You performed your first network scan with nmap -sV and learned to read the results — identifying open ports and running services.
• You followed the professional workflow of setup, connect, explore, scan, and document — the same methodology used by SOC analysts and penetration testers.
• You documented your findings in a structured format that builds professional habits from day one.
• You used a legally authorised practice environment on TryHackMe — always scan only systems you own or have explicit written permission to test.

The commands you learned today are not beginner-only commands. They are the same commands used by senior security engineers. The only difference is experience — and you just started building yours.

---

TryHackMe room names and features verified in March 2026. Room availability may change — check tryhackme.com for current information.

Individual results vary based on location, experience, market conditions, and effort invested. This guide provides general guidance and does not guarantee employment outcomes.

Technical content verified in March 2026 against Nmap official documentation (nmap.org), NIST SP 800-115 Technical Guide to Information Security Testing and Assessment, and TryHackMe platform documentation.

Frequently Asked Questions

Do I need any experience to do this lab exercise?

No. This exercise is designed for complete beginners with zero prior IT or cybersecurity experience. You just need a computer with a web browser and an internet connection. Everything else is provided through TryHackMe's free browser-based environment.

Will I break anything by running these commands?

No. TryHackMe's virtual machines are completely sandboxed and disposable. They are rebuilt for every user. You cannot damage your own computer or any real system by following this exercise. Feel free to experiment and make mistakes.

Do I need to install Linux on my computer?

No. TryHackMe provides a browser-based Kali Linux environment called the AttackBox. Everything runs in your web browser. If you later want your own Linux setup for unrestricted practice, see the Virtual Machine Setup Guide and Home Lab Setup pages.

Is it legal to scan machines on TryHackMe?

Yes. TryHackMe provides legally authorised practice environments specifically designed for learning. All target machines are owned and operated by TryHackMe for this purpose. Never use these techniques against systems you do not own or do not have explicit written permission to test.

How long does this exercise take?

Approximately 60 to 90 minutes working at a comfortable pace. There is no time pressure — take as long as you need. The AttackBox on a free TryHackMe account has a 1-hour daily limit, so you may need to complete the exercise across two sessions.

What should I do if a command does not work?

Check for typos first — Linux commands are case-sensitive. Make sure you are typing exactly what is shown, including spaces and dashes. If a command returns an error, read the error message carefully — it usually tells you what went wrong. If you are stuck, the TryHackMe room hints and community Discord are helpful resources.

What does it mean if Nmap shows a port is open?

An open port means a service on that machine is actively listening for connections on that port number. For example, port 80 open means a web server is running, port 22 open means an SSH server allows remote access. In security assessments, open ports are potential entry points that need to be evaluated for vulnerabilities.

What should I do after completing this exercise?

Complete the full TryHackMe Tutorial room, then start the Pre-Security learning path. This expands on everything in this exercise with more structured, guided practice. Within 2-4 weeks, you will have a solid foundation in Linux, networking, and web fundamentals.

Related sections

Labs Overview

All available hands-on labs and practice environments.

Explore Home Lab Setup

Set up your own cybersecurity lab at home for free practice.

Explore TryHackMe Guide

The best beginner-friendly platform for guided cybersecurity labs.

Explore Virtual Machine Setup

Set up VirtualBox and Kali Linux for local practice.

Explore

More resources

TryHackMe

Create your free account and start the Tutorial room to begin this exercise.

Visit Nmap Official Documentation

Complete reference for Nmap commands, flags, and scanning techniques.

Visit NIST SP 800-115

Technical Guide to Information Security Testing and Assessment — the framework behind this exercise's methodology.

Visit Linux Command Reference

Comprehensive reference for Linux commands used in cybersecurity.

Visit