How to Set Up a Home Cybersecurity Lab for Free
What Is a Home Cybersecurity Lab and Why Does It Matter?
A home cybersecurity lab is a self-contained virtual environment where learners can safely practise offensive and defensive security techniques on systems they own. The NIST NICE Framework (SP 800-181) identifies hands-on practice in controlled environments as a core pathway to developing cybersecurity workforce competencies.
A home lab is where cybersecurity knowledge becomes real skill. Reading about how Nmap works is useful. Running Nmap against a target in your own isolated lab environment is what builds the muscle memory that employers want.
This guide walks you through building a functional home lab for free using VirtualBox and two virtual machines: Kali Linux (attacker) and Metasploitable (intentionally vulnerable target).
Legal notice: All testing in this guide is performed in an isolated virtual network you control. Never scan, probe, or attack systems on the internet or on any network without explicit written permission from the system owner. Unauthorised access to computer systems is a criminal offence under the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), and equivalent laws worldwide. This lab exists so you can practise legally.
Why a Home Lab Matters
Certifications open doors; skills get you hired. Employers increasingly ask interview candidates to demonstrate practical knowledge. A home lab gives you hands-on experience to talk about.
You control the environment. Unlike shared practice platforms, your home lab runs on your own hardware. You can break things, restart them, and experiment without consequences beyond your own time.
It is free. VirtualBox is free. Kali Linux is free. Metasploitable is free. The only cost is electricity and the time you invest.
It builds your portfolio. Documenting what you learn in your home lab — what you tried, what worked, what did not — is evidence of practical skill you can show to employers.
What You Need
Hardware Requirements
- A computer (Windows, Mac, or Linux) with at least 8 GB of RAM; 16 GB is more comfortable
- At least 50 GB of free disk space — 100 GB gives more room to work
- A reasonably modern processor (2015 or newer is generally fine) with hardware virtualisation (Intel VT-x or AMD-V) enabled in the BIOS/UEFI; VirtualBox needs it to run the 64-bit Kali guest
If your machine has only 8 GB of RAM, the lab will work but may feel slow when running two VMs simultaneously. Consider starting with just Kali Linux first, then adding Metasploitable later.
Software You Will Download
- VirtualBox — Free virtualization platform from Oracle (virtualbox.org)
- Kali Linux ISO — Official download from kali.org
- Metasploitable 2 — Intentionally vulnerable VM from SourceForge (search “Metasploitable 2 download” at sourceforge.net)
Download these from their official sources only. Do not download virtual machine images from unofficial sources.
Step 1: Install VirtualBox
- Go to virtualbox.org and navigate to the Downloads section
- Download the installer for your operating system (Windows, macOS, or Linux)
- Optionally download the VirtualBox Extension Pack from the same page. It adds USB 2.0/3.0 passthrough, remote display and disk encryption, none of which this lab needs, and it is under a separate licence that is free only for personal and educational use
- Run the installer and accept the defaults. On Windows, it may temporarily disconnect your network adapter during installation — this is normal
- After installation, install the Extension Pack if you downloaded it: double-click the .vbox-extpack file, or in VirtualBox open File → Tools → Extension Pack Manager (File → Preferences → Extensions in VirtualBox 6) and add it there
Verify: Open VirtualBox. You should see the main window with no virtual machines listed.
Step 2: Install Kali Linux
Kali Linux is available as a pre-built VirtualBox image, which is the easiest approach.
- Go to kali.org/get-kali/ and select “Virtual Machines”
- Download the image labeled “VirtualBox”. Current releases ship as a `.7z` archive containing a `.vbox` machine definition and a `.vdi` disk; older releases shipped as a single `.ova` appliance
- For the `.7z` archive: extract it, then in VirtualBox go to Machine → Add and select the `.vbox` file inside. No import step is needed
- For an `.ova`: open VirtualBox, go to File → Import Appliance, select the file, click Next, review the appliance settings (the defaults are fine for most people) and click Import. The import can take 5–10 minutes
Default credentials: Kali’s pre-built VM uses kali / kali as username/password. Change this after first login.
First boot:
- Select the Kali VM in VirtualBox and click Start
- When the desktop loads, open a terminal (right-click desktop → Open Terminal)
- Run `sudo apt update && sudo apt upgrade -y` to update all packages. The pre-built VM starts with its adapter on NAT, which is what gives it internet access for this step; do it now, before Step 3 moves the VM onto the isolated host-only network, and switch the adapter back to NAT temporarily whenever you need updates later
- Change the default password: run `passwd` and set a new one
Step 3: Set Up Network Isolation
This is the most important safety step. You must configure your virtual network so the vulnerable machines cannot reach your real network or the internet.
In VirtualBox, you will create a Host-Only Network: a virtual network that exists only between your VMs and your host computer. It has no route to the internet or to the rest of your LAN; the one outside party on it is the host itself, reachable at the adapter's address (192.168.56.1 by default).
- In VirtualBox, go to File → Host Network Manager (or File → Tools → Network Manager in newer versions)
- Click Create to add a new host-only network. Note its name: `vboxnet0` on Linux and macOS, “VirtualBox Host-Only Ethernet Adapter” on Windows
- The defaults (192.168.56.1 for the adapter, DHCP enabled) are fine
Now configure both VMs to use this network:
- Select your Kali VM, click Settings → Network
- Set Adapter 1 to Host-Only Adapter and select `vboxnet0`. Check that Adapters 2 to 4 are disabled, so the VM has no second path out
- Repeat this for Metasploitable when you install it
Why this matters: Metasploitable is intentionally full of vulnerabilities. If it were on your normal network, anyone on that network could compromise it and use it as a foothold against everything else there. With the host-only configuration the only things it can talk to are the other lab VMs and your host's 192.168.56.1 address, so avoid running services on the host that listen on that interface.
Home Lab Architecture
[Figure: home lab architecture. Layered containment: your host OS isolates everything through VirtualBox.]
Step 4: Install Metasploitable 2
Metasploitable 2 is a virtual machine built by Rapid7 that is intentionally vulnerable to dozens of known attacks. It is the standard practice target for beginners.
- Download Metasploitable 2 from SourceForge (search “Metasploitable 2” on sourceforge.net; it is a `.zip` file containing a `.vmdk` disk image)
- Unzip the downloaded file
- In VirtualBox, click New to create a new virtual machine
- Name it “Metasploitable2”, Type: Linux, Version: Ubuntu (32-bit). Metasploitable 2 is a 32-bit Ubuntu 8.04 image, so do not pick the 64-bit entry
- RAM: 512 MB is sufficient
- For the hard disk, choose Use an existing virtual hard disk file and select the `.vmdk` file you unzipped
- Click Create
- Before starting it, go to Settings → Network and set Adapter 1 to Host-Only Adapter (`vboxnet0`)
Start Metasploitable:
- Select the Metasploitable VM and click Start
- Log in with msfadmin / msfadmin
- Run `ifconfig` to see its IP address (typically 192.168.56.101 or nearby, handed out by the host-only DHCP server); you will use this IP as your target in exercises
Verify connectivity from Kali:
- In your Kali VM, open a terminal and run `ping -c 3 [Metasploitable IP]`
- You should see replies, confirming the two VMs can communicate
Step 5: First Exercises
With your lab running, try these introductory exercises to verify everything is working and start building skill.
Exercise 1: Network Discovery with Nmap
In your Kali terminal, scan your host-only network:
`nmap 192.168.56.0/24`
This discovers all hosts on your virtual network. You should see your Metasploitable VM in the results with many open ports. Your own host will also show up at 192.168.56.1; that is expected and is not a target.
For a more detailed scan of Metasploitable:
`nmap -sV -sC [Metasploitable IP]`
The -sV flag detects service versions and -sC runs default scripts. The output reveals many vulnerable services; this is intentional for practice purposes.
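To keep every scan result for your lab notes and to read Nmap's greppable output without eyeballing it, here is an added shell example that is not part of the original guide. TARGET (defaulting to 192.168.56.101) and OUT are assumptions; set TARGET to the address Metasploitable reported. The sample .gnmap line in the comments is constructed, using well-known Metasploitable 2 services.

```shell
#!/bin/sh
# Added example (not part of the original guide): run the Exercise 1 scans, keep the
# raw results for your lab notes, and extract the open ports from Nmap's greppable
# output. TARGET and OUT are assumptions; set TARGET to the address Metasploitable
# reported from ifconfig.
TARGET="${TARGET:-192.168.56.101}"
OUT="${OUT:-$HOME/lab-notes/$(date +%Y%m%d-%H%M%S)}"

# Sweep of the host-only /24, then service/version scan of the target. -oA writes
# normal (.nmap), XML (.xml) and greppable (.gnmap) files side by side, so the
# evidence for your write-up exists even if you forget to copy the terminal.
scan_lab() {
  mkdir -p "$OUT"
  nmap 192.168.56.0/24 -oA "$OUT/sweep"
  nmap -sV -sC "$TARGET" -oA "$OUT/target"
}

# Parse greppable output on stdin and print "host port proto service version", one
# line per open port. A constructed .gnmap "Host:" line (real ones are tab-separated):
#   Host: 192.168.56.101 ()  Ports: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/
# Each entry is port/state/proto/owner/service/rpc/version/; entries are split on
# "/, " so that spaces inside version strings survive.
open_ports() {
  awk '
    /^Host: .*Ports:/ {
      host = $2
      sub(/.*Ports: /, "")
      n = split($0, entries, "/, ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[2] == "open") printf "%s %s %s %s %s\n", host, f[1], f[3], f[5], f[7]
      }
    }'
}

# Number of open ports in a greppable file on stdin: a quick "did the scan see what
# I expected" figure to record next to the date.
count_open() { open_ports | wc -l | tr -d ' '; }

# Usage: TARGET=192.168.56.101 sh lab-scan.sh run
if [ "${1:-}" = "run" ]; then
  scan_lab
  printf 'open ports on %s: %s\n' "$TARGET" "$(count_open < "$OUT/target.gnmap")"
  open_ports < "$OUT/target.gnmap"
fi
```

Keep the dated directory with your notes; the .xml file is what most reporting tools and later diffs (`ndiff`) consume, while the .gnmap file is the one that grep and awk handle comfortably.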
Exercise 2: Capture Traffic with Wireshark
- Wireshark is preinstalled on the Kali VM; if it is missing, install it with `sudo apt install wireshark` (this needs the NAT adapter, as in Step 2)
- Run `wireshark &` to open it
- Select your network interface (likely `eth0`) and start capturing. If no interfaces are listed, your user lacks capture rights: run `sudo usermod -aG wireshark $USER`, then log out and back in
- From another terminal, run `nmap [Metasploitable IP]`
- Watch the packets appear in Wireshark
- Stop the capture and filter by `icmp` or `tcp` to explore specific traffic
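The same exercise from the command line, as an added example that is not part of the original guide: tshark (installed alongside Wireshark on Kali) captures the scan to a file, and a small detector then picks the scan out of the capture the way a network monitor would, by counting how many distinct ports one source probed on one destination. IFACE, TARGET, PCAP and the threshold of 20 are assumptions; the sample lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not part of the original guide): Exercise 2 with tshark, plus a
# detector that flags a port scan in the captured traffic. IFACE, TARGET and PCAP
# are assumptions; adjust them to your lab.
IFACE="${IFACE:-eth0}"
TARGET="${TARGET:-192.168.56.101}"
PCAP="${PCAP:-scan.pcap}"

# Capture only traffic to/from the target (needs root or membership of the
# wireshark group). Start this, run nmap in another terminal, then press Ctrl-C.
capture_scan() { tshark -i "$IFACE" -f "host $TARGET" -w "$PCAP"; }

# Pull every SYN without ACK (the first packet of each TCP connect attempt) out of
# the capture as "src dst dport" lines. A SYN scan is nothing more than one of
# these per probed port, which is what makes it easy to spot.
syn_lines() {
  tshark -r "$PCAP" -Y 'tcp.flags.syn == 1 && tcp.flags.ack == 0' \
    -T fields -e ip.src -e ip.dst -e tcp.dstport -E separator=/s
}

# Read "src dst dport" lines on stdin and report every source that sent SYNs to
# more than THRESHOLD distinct ports on one destination. Exits 0 when a scan was
# found, 1 otherwise. The default of 20 is an assumption: ordinary clients rarely
# touch that many ports on one host, while nmap's default 1000-port scan always does.
# sort -u collapses retransmitted SYNs so each port counts once.
detect_scan() {
  threshold="${1:-20}"
  sort -u | awk -v t="$threshold" '
    { pair = $1 " -> " $2; ports[pair]++ }
    END {
      hits = 0
      for (pair in ports)
        if (ports[pair] > t) { print "SCAN " pair " (" ports[pair] " ports)"; hits++ }
      exit (hits ? 0 : 1)
    }'
}

# Usage: sh scan-capture.sh capture    (then run nmap, then Ctrl-C)
#        sh scan-capture.sh detect
case "${1:-}" in
  capture) capture_scan ;;
  detect)  syn_lines | detect_scan ;;
esac
```

Run `detect` after a plain `nmap [Metasploitable IP]` and you should get one SCAN line for Kali's address with roughly a thousand ports; run it after a single `ping` and browser visit and you should get nothing, which is the difference a network-based detection rule is built on.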
Exercise 3: Browse Metasploitable’s Web Services
Metasploitable runs a web server on port 80. In your Kali browser, go to http://[Metasploitable IP]. The landing page links to several deliberately vulnerable web applications, including DVWA (Damn Vulnerable Web Application) and Mutillidae, plus phpMyAdmin and TWiki. These are legal targets for your practice.
Safety Checklist
Before running any scanning or exploitation exercises, verify:
- Both VMs are set to Host-Only network adapter
- Metasploitable has no internet access (`ping -c 3 8.8.8.8` from Metasploitable should fail; without -c, ping on Linux keeps running until you press Ctrl-C)
- You are scanning Metasploitable’s IP address, not any real machine
- Your Kali VM is not simultaneously on a bridged adapter connected to your real network
Snapshot your VMs. Before attempting any exercises that might break a VM, take a snapshot in VirtualBox (Machine → Take Snapshot). This lets you restore the VM to a known good state if something goes wrong.
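Step 3 and this checklist can both be done from the command line with VBoxManage, which is also how you audit the configuration before every session instead of trusting memory. The following is an added example, not part of the original guide: it assumes VM names "Kali" and "Metasploitable2" and the adapter name `vboxnet0` (on Windows hosts the adapter is "VirtualBox Host-Only Ethernet Adapter"), and the audit reads the output of `VBoxManage showvminfo --machinereadable`. The sample configurations in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): do Step 3 with VBoxManage instead of
# the GUI, then audit the result the way the Safety Checklist asks. VM names "Kali"
# and "Metasploitable2" and the adapter name "vboxnet0" are assumptions.
NET="${LAB_NET:-vboxnet0}"
VMS="${LAB_VMS:-Kali Metasploitable2}"

# Create the host-only network with VirtualBox's default addressing (adapter
# 192.168.56.1/24, DHCP leases from .101), then pin adapter 1 of every lab VM to it
# and switch the other three adapters off so nothing is left on NAT or bridged.
# (VirtualBox 7 also spells the DHCP options --interface/--server-ip/--lower-ip/--upper-ip.)
setup_lab_network() {
  VBoxManage list hostonlyifs | grep -q "^Name: *$NET\$" || VBoxManage hostonlyif create
  VBoxManage hostonlyif ipconfig "$NET" --ip 192.168.56.1 --netmask 255.255.255.0
  VBoxManage list dhcpservers | grep -q "$NET" || VBoxManage dhcpserver add \
    --ifname "$NET" --ip 192.168.56.1 --netmask 255.255.255.0 \
    --lowerip 192.168.56.101 --upperip 192.168.56.254 --enable
  for vm in $VMS; do
    VBoxManage modifyvm "$vm" --nic1 hostonly --hostonlyadapter1 "$NET" \
      --nic2 none --nic3 none --nic4 none
  done
}

# Audit the adapter lines of `VBoxManage showvminfo <vm> --machinereadable`, read on
# stdin. Passes (exit 0) only when exactly one adapter is active, it is host-only,
# and it sits on $NET; NAT, bridged, internal or generic adapters all fail.
audit_adapters() {
  awk -F= -v net="$NET" '
    /^nic[1-8]=/             { gsub(/"/, "", $2); nic[substr($1, 4)] = $2 }
    /^hostonlyadapter[1-8]=/ { gsub(/"/, "", $2); hoa[substr($1, 16)] = $2 }
    END {
      active = 0; ok = 1
      for (i = 1; i <= 8; i++) {
        if (!(i in nic) || nic[i] == "none") continue
        active++
        if (nic[i] != "hostonly") { print "FAIL: adapter " i " is " nic[i]; ok = 0 }
        else if (hoa[i] != net)   { print "FAIL: adapter " i " is on " hoa[i] ", not " net; ok = 0 }
      }
      if (active != 1) { print "FAIL: expected 1 active adapter, found " active; ok = 0 }
      if (ok) print "OK: single host-only adapter on " net
      exit (ok ? 0 : 1)
    }'
}

audit_vm() { VBoxManage showvminfo "$1" --machinereadable | audit_adapters; }

# Take a "clean" snapshot of every lab VM so a broken exercise is one restore away.
snapshot_lab() {
  for vm in $VMS; do VBoxManage snapshot "$vm" take "clean-$(date +%Y%m%d)"; done
}

# Usage: sh lab-net.sh apply   (create network, attach VMs, audit)
#        sh lab-net.sh check   (audit only; run before every exercise)
#        sh lab-net.sh snap    (snapshot all lab VMs)
case "${1:-}" in
  apply) setup_lab_network; for vm in $VMS; do printf '%s: ' "$vm"; audit_vm "$vm"; done ;;
  check) for vm in $VMS; do printf '%s: ' "$vm"; audit_vm "$vm"; done ;;
  snap)  snapshot_lab ;;
esac
```

`check` fails loudly if you left Kali on NAT after an update or added a bridged adapter for an experiment, which is exactly the mistake the checklist exists to catch; `snap` is the command-line form of Machine → Take Snapshot.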
Next Steps After Setup
For a structured roadmap that pairs certification study with hands-on lab work, see the Career Roadmap + Study Tracker.
Once your lab is running, here is a learning progression:
- Complete TryHackMe Pre-Security path — It gives you guided exercises that you can supplement with your home lab
- Work through TryHackMe’s “Jr Penetration Tester” path — Teaches Nmap, Metasploit, and web application testing with structured guidance
- Practice on Metasploitable — Use Metasploit’s `msfconsole` to find and exploit vulnerabilities in your target
- Document everything — Keep notes on what you tried, what worked, and what you learned. This documentation becomes portfolio material
The Cybersecurity Tools Overview page describes the tools you will use in these exercises in more detail. For a quick-start walkthrough of setting up your lab, see the blog post How I Set Up My Home Cybersecurity Lab for Free. For your first tool deep-dive, start with the Wireshark guide.
Practice Platforms to Pair With Your Lab
TryHackMe vs HackTheBox
TryHackMe:
- Guided learning — Step-by-step rooms with instructions
- Beginner-friendly — Pre-Security and Introduction paths
- Browser-based — No VPN setup required for most rooms
- Structured paths — Clear progression from basics to advanced
Hack The Box:
- Challenge-based — Minimal guidance, figure it out yourself
- Intermediate+ — Assumes foundational knowledge
- VPN required — Connect to their lab network via OpenVPN
- Real-world feel — Machines simulate actual environments
Expanding Your Lab Later
Once comfortable with the basics:
- Add more vulnerable VMs from VulnHub (vulnhub.com) — a library of intentionally vulnerable machines at various difficulty levels
- Add a Windows VM — Many real-world attacks target Windows environments. Microsoft publishes free, time-limited evaluation images: developer VMs at developer.microsoft.com and Windows evaluation ISOs at the Microsoft Evaluation Center (microsoft.com/evalcenter). Give it a host-only adapter like the other lab VMs
- Add a SIEM — Install Wazuh or Elastic SIEM to practice log analysis and alerting
- Add more RAM — A 16 GB machine can comfortably run three or four VMs simultaneously
VirtualBox version numbers, Kali Linux release details, and download locations change over time. Verify download sources at the official sites (virtualbox.org, kali.org) before downloading. Always check the SHA256 hash of downloaded files against the official checksums to verify integrity.
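Checking the hash is worth scripting so that it happens every time rather than only when you remember. The following is an added example, not part of the original guide: `verify_sha256` and `expected_sum` are helpers written for this page; the `SHA256SUMS` and `SHA256SUMS.gpg` files and the archive key URL are the ones kali.org publishes next to each image (confirm the current paths and key fingerprint on the download page). The sample checksum list in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide): verify a downloaded image against its
# published SHA256 before importing it. Helper names are ours; the SHA256SUMS files
# and archive key are the ones kali.org publishes (check the download page for
# current paths).

# SHA256 of a file as a bare hex string. sha256sum is coreutils (Linux); shasum is
# the macOS fallback.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Compare a file with an expected digest (case-insensitive). Exit 0 on match and
# print both values on a mismatch, so a bad download is obvious in the terminal.
verify_sha256() {
  file="$1"; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    printf 'OK   %s\n' "$file"
  else
    printf 'FAIL %s\n  expected %s\n  got      %s\n' "$file" "$expected" "$actual"
    return 1
  fi
}

# Pick the digest for one filename out of a SHA256SUMS-style list ("<hex>  <name>"
# per line) read on stdin. Prints nothing if the name is not listed.
expected_sum() { awk -v f="$1" '$2 == f { print $1 }'; }

# Kali-specific: the SHA256SUMS file itself is signed, so verify the signature before
# trusting any digest in it. Import the signing key once with
#   wget -q -O - https://archive.kali.org/archive-key.asc | gpg --import
# and compare its fingerprint with the one printed on kali.org. A checksum fetched
# from the same server as the image proves integrity only once that signature holds.
verify_kali_image() {
  image="$1"
  gpg --verify SHA256SUMS.gpg SHA256SUMS || { echo "bad signature on SHA256SUMS"; return 1; }
  sum=$(expected_sum "$image" < SHA256SUMS)
  [ -n "$sum" ] || { echo "no entry for $image in SHA256SUMS"; return 1; }
  verify_sha256 "$image" "$sum"
}

# Usage: sh verify.sh kali-linux-<version>-virtualbox-amd64.7z
# (run in the directory holding the image, SHA256SUMS and SHA256SUMS.gpg)
if [ -n "${1:-}" ]; then
  verify_kali_image "$1"
fi
```

For Metasploitable 2, SourceForge shows a SHA1/MD5/SHA256 on the file's info page; paste the SHA256 straight into `verify_sha256 metasploitable-linux-2.0.0.zip <digest>`, since there is no signed sums file to check first.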
Legal reminder: This lab is for practicing on systems you own and control. Never use these tools or techniques against systems without explicit written authorization. If you are unsure whether you have authorization, you do not have authorization.
Australian Considerations
Internet speeds in Australia vary significantly by location and connection type. NBN fixed-line connections in metropolitan areas generally handle large VM downloads (Kali Linux images are typically 3-4 GB) without issue, but regional and satellite connections can be considerably slower. Plan to download VM images overnight or during off-peak hours if your connection is limited. Pre-built VirtualBox images are smaller than full ISOs, which helps reduce download time.
The legal framework for computer security testing in Australia centres on the Criminal Code Act 1995 (Cth), which criminalises unauthorised access to, modification of, or impairment of computer systems and data under Part 10.7. State and territory legislation also applies — for example, the Crimes Act 1900 (NSW) and the Crimes Act 1958 (Vic) contain computer offence provisions. The critical point for home lab users is that all your testing must remain within your isolated virtual environment. Scanning or probing systems outside your lab without explicit written permission is a criminal offence under Australian law, regardless of your intent.
The ACSC provides free cybersecurity resources for Australian home users and small businesses at cyber.gov.au, including step-by-step guides and the ACSC’s Personal Security Guides. These resources complement your lab learning by explaining the real-world threats that Australian individuals and organisations face. Bookmarking cyber.gov.au alongside your lab documentation is a practical habit.
TryHackMe and Hack The Box are both accessible from Australia with reasonable latency for most interactive exercises. TryHackMe’s browser-based labs avoid VPN latency entirely, which makes them particularly smooth on Australian connections. Hack The Box requires an OpenVPN connection to its lab network; pick the closest VPN region offered in your account settings, since latency depends mainly on that choice, and it is generally manageable for the types of exercises involved.
Documenting your home lab work is especially valuable for Australian job interviews. Australian employers — from government agencies to consulting firms — appreciate candidates who can walk through specific exercises they have completed, explain what they learned, and describe how they troubleshot problems. A well-documented lab portfolio demonstrates initiative and practical skill, which carries significant weight in Australian hiring where hands-on competence is highly valued.
Frequently Asked Questions
How much does a home cybersecurity lab cost?
A basic home lab is completely free. VirtualBox, Kali Linux, and Metasploitable are all free downloads. The only requirement is a computer you already own with enough RAM and disk space.
Can I build a cybersecurity lab on a laptop?
Yes. Any laptop with at least 8 GB of RAM, 50 GB of free disk space, and a processor from 2015 or newer can run a basic two-VM lab. 16 GB of RAM makes the experience smoother.
Is it safe to run vulnerable VMs on my computer?
Yes, as long as the vulnerable VM has only a host-only network adapter in VirtualBox. That confines it to the virtual segment shared with your other lab VMs and your host's host-only address; it cannot reach your real network or the internet. Power it off when you are not using it and keep a snapshot so you can roll back.
How much RAM do I need for a home lab?
8 GB is the minimum for running two VMs simultaneously. 16 GB is recommended for comfortable performance, and 32 GB allows you to run four or more VMs at once.
What is the difference between NAT and host-only networking in VirtualBox?
NAT gives a VM internet access through your host's connection. Host-only creates an isolated network between VMs and the host with no internet access, which is what you want for security labs with vulnerable machines.
Do I need to know Linux before setting up a home lab?
No. You will learn Linux as you go. Kali Linux has a graphical desktop, and this guide walks you through the terminal commands you need. Basic familiarity develops quickly with practice.
Can I use VMware instead of VirtualBox?
Yes. VMware Workstation Pro (free for personal use) works just as well. The setup steps are similar — create VMs, configure an isolated network, and import the same Kali and Metasploitable images.
What should I practice first in my home lab?
Start with network scanning using Nmap to discover hosts and open ports. Then try packet capture with Wireshark. These two exercises teach you how networks look from a security perspective.
Can I run a home lab on a Mac with Apple Silicon?
VirtualBox has limited Apple Silicon (M1/M2/M3) support. For Macs with Apple Silicon, UTM or VMware Fusion (free personal license) are better options, and Kali provides ARM images that work on these platforms. The catch is Metasploitable 2, which is a 32-bit x86 image: it will not run natively on an ARM host and needs UTM's x86 emulation (QEMU), which is noticeably slow. Hosted targets on TryHackMe are a practical substitute while you work that out.
How do I expand my lab after the basic setup?
Add more vulnerable VMs from VulnHub, install a Windows evaluation VM from Microsoft, or set up a SIEM like Wazuh for log analysis. Each addition gives you new skills to practice and document.
More resources
- Download VirtualBox — the free virtualisation platform for your lab.
- Kali Linux Pre-Built VMs — download pre-built Kali Linux virtual machines ready for VirtualBox or VMware.
- TryHackMe — browser-based cybersecurity labs with guided learning paths, perfect for supplementing your home lab.