How to Build a Cybersecurity Home Lab in 2026 (With Real Detection)
A cybersecurity home lab that only runs Kali Linux and scans a target VM is a decoration. The reason most home labs fail to get you hired or certify your skills is that they stop at the attack layer and skip the part that actually matters to blue team employers: detection, alerting, and incident investigation. This guide builds a two-tier lab that covers both, with zero upfront hardware cost if you need it.
You will finish with a functional SIEM ingesting real logs, a detection pipeline catching simulated attacks, and enough documented experience to talk through it credibly in a job interview or use it as the foundation for a SOC analyst portfolio.
Why Most Home Lab Guides Leave You Stuck
Search for “cybersecurity home lab 2026” and you will find four types of content: hardware shopping lists, hypervisor tutorials, “install Kali and run nmap” walkthroughs, and certification prep checklists. Almost none of them answer the question employers actually ask: can you detect an attack, investigate the alert, and document a response?
The reason detection gets skipped is that tools like Wazuh and the Elastic Stack have a steeper setup curve than firing up a VM. But that steepness is exactly why the skill is valuable. If it were trivial, it would not distinguish your CV from the next candidate who also has a CompTIA Security+ and a home router they once segmented.
The two-tier approach in this guide solves this. Tier 1 uses free cloud infrastructure so you can start tonight without spending anything. Tier 2 describes the self-hosted hardware upgrade path for when you want persistent lab access and more realistic network conditions.
Tier 1: Zero-Cost Cloud Lab You Can Start Tonight
Several cloud providers offer free tiers that are more than adequate for a solo security lab. Oracle Cloud Free Tier is the most generous, giving you two AMD compute instances with 1 OCPU and 1 GB RAM each, plus an Arm-based instance with up to 4 OCPUs and 24 GB RAM permanently free. That Arm instance alone can run a Wazuh all-in-one deployment alongside a vulnerable target VM.
AWS Free Tier gives you 750 hours per month of t2.micro or t3.micro instances for 12 months. That covers a small Elastic SIEM node and a Windows target machine. Google Cloud offers a permanent e2-micro instance in three regions, which works as a log forwarder or lightweight agent target.
The workflow for a cloud-based lab looks like this. You spin up one instance as your monitoring server running Wazuh (or Elastic), one instance as a vulnerable or semi-hardened target, and then generate attack traffic between them using tools like Metasploit, Atomic Red Team, or manual technique simulation. The monitoring server catches and alerts on the activity.
Cloud labs have one real drawback: you pay for egress if you exceed the free tier, and some attack simulations generate enough traffic to do that. Keep your simulations contained within the same cloud region and use private networking between instances. If you are working on cloud security specifically, this is actually a feature rather than a limitation, because securing AWS, Azure, and GCP workloads requires understanding how cloud-native logging and monitoring differ from on-premises equivalents.
Tier 2: Self-Hosted Hardware for Persistent Access
The cloud tier works for practice sessions but loses state between sessions unless you pay to keep instances running. For a persistent lab you can leave running 24/7, you need physical hardware.
The most cost-efficient build in 2026 uses a mini PC or NUC-style device as the hypervisor host. An Intel N100-based mini PC from brands like Beelink or Minisforum costs between £150 and £220 in the UK and delivers 16 GB RAM with 512 GB NVMe storage. That is enough to run three to four concurrent VMs: a monitoring server, a Windows target, a Linux target, and an attacker VM.
For slightly more budget, a used enterprise workstation from eBay, often from Dell, HP, or Lenovo business lines, gives you more RAM expandability. A Dell OptiPlex 7060 with a six-core i5 and 32 GB RAM regularly appears on eBay UK for under £200. That configuration comfortably runs Wazuh with its full stack (manager, indexer, dashboard) plus multiple target machines.
Your hypervisor choices are Proxmox VE (free, bare-metal, recommended), VMware Workstation Pro (now free for personal use as of 2024), or VirtualBox (free, lower performance ceiling). Proxmox is the professional choice because it mirrors what you will encounter in enterprise environments and gives you snapshot and template capabilities that accelerate lab setup significantly.
Network Architecture That Teaches You Something
A flat network where all VMs share the same subnet teaches you almost nothing about real-world security architecture. The moment you add VLANs, you start practising the segmentation skills that matter in production environments.
The recommended topology uses three network segments. First, a management network accessible only from your host machine. Second, an attack and target network where adversary simulation happens, isolated from your home network. Third, a monitoring network that your SIEM uses to receive log data.
In Proxmox, this is implemented with Linux bridges, each mapped to a separate VLAN tag on a managed switch, or simply kept as internal virtual networks if you do not have a managed switch. You do not need a managed switch to start. You add one when you are ready to practise firewall rules and inter-VLAN routing, both of which are covered in the guide on choosing and configuring firewalls for segmented networks.
Installing Wazuh: The Detection Engine That Explains Itself
Wazuh is the right starting point for detection work because it is open source, actively maintained, and used in production by organisations that cannot afford commercial SIEM licensing. Its documentation is thorough and its community is large enough that most problems you encounter have already been solved on their GitHub issues or forum.
The all-in-one installer deploys the Wazuh manager, the Wazuh indexer (built on OpenSearch), and the Wazuh dashboard in a single command. On Ubuntu 22.04 or later, the installation script takes roughly 15 minutes on a machine with 4 GB RAM and leaves you with a fully functional dashboard accessible via browser.
The minimum viable hardware for an all-in-one Wazuh deployment is 4 GB RAM and 2 CPU cores for testing purposes. For a lab ingesting logs from three or four agents simultaneously, 8 GB RAM is more comfortable. The Wazuh documentation explicitly recommends 8 GB RAM for production single-node deployments, so 8 GB in your lab accurately reflects real-world constraints.
After installation, you deploy Wazuh agents on your target machines. The agent packages are available for Windows, Linux, and macOS. Each agent forwards system logs, security events, file integrity changes, and vulnerability data to the Wazuh manager. Within minutes of enrolling an agent on a Windows VM, you will see Windows Event Log data populating the dashboard, including failed login attempts, process creation events, and registry modifications.
Detection Rules and How Wazuh Uses Them
Wazuh ships with over 3,000 pre-built detection rules covering common attack patterns, malware behaviour, compliance requirements, and system anomalies. Rules are written in XML and trigger alerts when log data matches specified conditions. Rule levels run from 1 (low) to 15 (critical), giving you a severity system you can tune to your lab environment.
The most valuable exercise in early lab work is triggering known alerts deliberately and watching how they surface in the dashboard. Run a brute force simulation against an SSH service on your Linux target. Watch the multiple authentication failure alerts aggregate into a higher-severity composite alert. That is the same logic a SOC analyst uses when triaging a real incident, and practising it in a safe environment builds the pattern recognition that makes you faster under pressure.
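The aggregation described above, as an added illustration written for this guide (not Wazuh's own code): a Python reimplementation of the semantics of a Wazuh frequency rule (`frequency`, `timeframe`, `<same_source_ip/>`) run over constructed sshd log lines, showing why eight failures from one address become a single level-10 composite alert while a lone failure from another address stays a level-5 base alert. The log lines, levels and thresholds are assumptions modelled on Wazuh's default sshd brute-force rule.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines (not real lab output): eight failures from 10.20.0.50
# inside two minutes, one stray failure from 10.20.0.77, one successful login.
SAMPLE_AUTH_LOG = """\
2026-02-10T09:00:01 lab-target sshd[2101]: Failed password for invalid user admin from 10.20.0.50 port 40210 ssh2
2026-02-10T09:00:14 lab-target sshd[2103]: Failed password for root from 10.20.0.50 port 40212 ssh2
2026-02-10T09:00:27 lab-target sshd[2105]: Failed password for invalid user test from 10.20.0.50 port 40214 ssh2
2026-02-10T09:00:40 lab-target sshd[2107]: Failed password for root from 10.20.0.50 port 40216 ssh2
2026-02-10T09:00:44 lab-target sshd[2108]: Failed password for root from 10.20.0.77 port 51000 ssh2
2026-02-10T09:00:53 lab-target sshd[2109]: Failed password for invalid user oracle from 10.20.0.50 port 40218 ssh2
2026-02-10T09:01:06 lab-target sshd[2111]: Failed password for root from 10.20.0.50 port 40220 ssh2
2026-02-10T09:01:19 lab-target sshd[2113]: Accepted password for analyst from 10.20.0.10 port 39000 ssh2
2026-02-10T09:01:32 lab-target sshd[2115]: Failed password for invalid user guest from 10.20.0.50 port 40222 ssh2
2026-02-10T09:01:45 lab-target sshd[2117]: Failed password for root from 10.20.0.50 port 40224 ssh2
"""

# Base rule: one authentication-failure line. Equivalent to the decoder+rule
# pair that yields Wazuh's level-5 "sshd: authentication failed" alert.
FAILED_RE = re.compile(
    r"^(\S+) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port \d+"
)


def analyse(log_text, frequency=8, timeframe=120):
    """Return (base_alerts, composite_alerts).

    base_alerts: a level-5 alert for every matching line.
    composite_alerts: a level-10 alert whenever `frequency` base alerts from
    the same source IP fall within `timeframe` seconds (same_source_ip). The
    window for that source is cleared after firing so the composite alert
    does not re-fire on every subsequent failure.
    """
    base, composite = [], []
    windows = defaultdict(deque)  # src_ip -> timestamps of recent failures
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts, src = datetime.fromisoformat(m.group(1)), m.group(2)
        base.append({"level": 5, "src_ip": src, "timestamp": ts})
        w = windows[src]
        w.append(ts)
        while w and (ts - w[0]).total_seconds() > timeframe:
            w.popleft()  # drop failures older than the timeframe
        if len(w) >= frequency:
            composite.append({"level": 10, "src_ip": src, "count": len(w),
                              "first": w[0], "last": ts})
            w.clear()
    return base, composite


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUTH_LOG)[1]:
        print(f"level {alert['level']}: {alert['count']} failures from "
              f"{alert['src_ip']} between {alert['first']} and {alert['last']}")
```

Raising `frequency` or shrinking `timeframe` shows the tuning trade-off: the same nine failures produce no composite alert at all, which is exactly the gap a brute-force attacker pacing attempts would exploit.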
Elastic SIEM: When You Need More Query Power
The Elastic Stack, specifically Elasticsearch, Kibana, and the Elastic Security plugin, is the other dominant option for home lab detection work. It is more resource-intensive than Wazuh (plan for at least 8 GB RAM dedicated to the Elastic node) but offers substantially more flexibility in log querying and visualisation.
The Elastic Security app inside Kibana provides a SIEM interface with timeline investigation, detection rules, and case management. If you apply for analyst roles at organisations using Elastic-based security products (which includes a significant share of the UK financial services and technology sectors), hands-on familiarity with KQL (Kibana Query Language) and the Elastic Security interface is directly transferable.
The comparison between the two comes down to use case rather than quality. Wazuh wins on resource efficiency and out-of-the-box detection coverage. Elastic SIEM wins on query power, customisation, and ecosystem integrations. Many practitioners run both: Wazuh as the detection and agent management layer, with its alerts forwarded into Elasticsearch for longer-term storage and advanced analysis.
Setting Up Your First Elastic Detection Rule
Elastic Security ships with prebuilt rules mapped to the MITRE ATT&CK framework. Enabling a rule takes three clicks in the UI: navigate to Security, select Detection Rules, and toggle the rules you want active. The framework mapping means every alert tells you not just what happened but which adversary technique it corresponds to.
For a home lab specifically focused on SOC analyst practice, enable the Windows-focused rules first. Windows endpoint telemetry using Sysmon (the free Sysinternals tool) feeds rich process creation, network connection, and file operation events into the stack. With Sysmon running on your Windows target VM and its logs forwarded to Elastic via the Elastic Agent or Winlogbeat, your detection coverage matches what many enterprise SOC teams work with day to day.
Building Your Attack Simulation Toolkit
A detection lab without an attack component is half a lab. You need to generate realistic malicious activity to test whether your detection rules fire and whether your alerting pipeline is working end to end.
Atomic Red Team from Red Canary is the most efficient tool for this. It is a library of small, focused attack simulations mapped to MITRE ATT&CK techniques. Each atomic test runs a specific technique, such as credential dumping from LSASS memory (T1003.001 in ATT&CK notation), and then provides cleanup commands to restore the system to its prior state. You can run individual tests with a single PowerShell command.
The workflow becomes: enable a detection rule in Wazuh or Elastic that covers a specific ATT&CK technique, run the corresponding Atomic Red Team test on your Windows target, verify the alert fires in the SIEM dashboard, and document the detection logic. Repeat this for 20 techniques and you have a portfolio artefact that demonstrates both offensive awareness and defensive capability.
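To make the "enable rule, run test, verify alert" loop concrete for the Sysmon telemetry described earlier and the T1003.001 example above, here is the detection side as an added illustration (not code from Elastic, Wazuh or Atomic Red Team): the logic a SIEM rule applies to Sysmon Event ID 10 (ProcessAccess) records, applied in Python to constructed events. Field names follow Sysmon's ProcessAccess schema; the allow-list and the access-mask check are assumptions you would tune per host, and this is where you would document what fired and what did not.

```python
# Constructed Sysmon Event ID 10 (ProcessAccess) records in the flattened shape
# a forwarder such as Winlogbeat or Elastic Agent produces. All values are
# invented for this lab example, not captured from a real system.
SAMPLE_EVENTS = [
    {"event_id": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"event_id": 10, "SourceImage": r"C:\Users\lab\Downloads\untrusted.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"event_id": 10, "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Query-only handle: no memory read right, so not a dumping candidate.
    {"event_id": 10, "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    # Same access mask, but the target is not lsass.exe.
    {"event_id": 10, "SourceImage": r"C:\Temp\tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
    # A process-creation event (ID 1); ignored by this rule.
    {"event_id": 1, "Image": r"C:\Temp\tool.exe", "CommandLine": "tool.exe -x"},
]

PROCESS_VM_READ = 0x0010  # Windows access right needed to read process memory

# Assumed allow-list of OS processes that legitimately open lsass.exe.
# Build yours from a baseline of your own target VM before enabling the rule.
KNOWN_GOOD_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
}


def detect_lsass_access(events):
    """Candidate T1003.001 detection.

    Alert when a process outside the allow-list opens lsass.exe with a handle
    whose GrantedAccess mask includes PROCESS_VM_READ. Returns alert dicts
    carrying the ATT&CK technique id for the write-up.
    """
    alerts = []
    for ev in events:
        if ev.get("event_id") != 10:
            continue
        target = ev.get("TargetImage", "").lower()
        if not target.endswith(r"\lsass.exe"):
            continue
        source = ev.get("SourceImage", "").lower()
        access = int(ev.get("GrantedAccess", "0x0"), 16)
        if source in KNOWN_GOOD_SOURCES or not (access & PROCESS_VM_READ):
            continue
        alerts.append({"technique": "T1003.001", "level": 12,
                       "source": ev["SourceImage"], "granted_access": hex(access)})
    return alerts


if __name__ == "__main__":
    for alert in detect_lsass_access(SAMPLE_EVENTS):
        print(f"[{alert['technique']}] {alert['source']} opened lsass.exe "
              f"with {alert['granted_access']}")
```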
Metasploit Framework on your Kali or Parrot OS VM gives you a more realistic exploitation environment. Use it against intentionally vulnerable targets like Metasploitable 3 or VulnHub machines. The discipline is never pointing attack tools at your host machine, your home network, or any external target. All attack traffic stays inside the isolated lab segment.
UK-Specific Considerations for Your Lab
Power costs matter more than most home lab guides acknowledge. A mini PC running 24/7 at roughly 10 to 15 watts costs approximately £40 to £60 per year in electricity at current UK rates (around 24p per kWh as of early 2026). A full desktop workstation at 80 to 100 watts costs four to six times more to run continuously. The mini PC wins on total cost of ownership for a lab that stays on around the clock.
UK certifications that benefit most from home lab practice include CompTIA Security+, CompTIA CySA+ (Cybersecurity Analyst), and the CREST qualifications used heavily in UK penetration testing and SOC roles. The BCS Professional Certificate in Information Security is another UK-specific credential worth noting. The CySA+ exam maps directly to the detection and analysis workflow this guide builds: threat intelligence, vulnerability assessment, incident response, and reporting.
UK employers in financial services, defence contracting, and managed security service provision (MSSP) roles increasingly list SIEM familiarity as a requirement rather than a preference in job postings. Building documented evidence of Wazuh or Elastic configuration and real detection work gives you a concrete talking point that most candidates cannot match.
Incident Response Practice in Your Lab
The full value of the lab emerges when you treat alerts not as pass/fail test results but as the start of an investigation workflow. This is what separates candidates who can describe security concepts from candidates who have practised responding to them.
The process mirrors real incident response methodology. When an alert fires, your job is to determine scope (what systems are affected), timeline (what happened and in what order), impact (what data or access was compromised), and remediation (how to stop and recover). Practising this structure in your lab builds the habit that carries into actual IR work.
For structured practice, the MITRE ATT&CK framework gives you a vocabulary and a scenario generator. Pick a technique, simulate it with Atomic Red Team, investigate the alert in your SIEM, write a short incident report of one to two pages, and repeat. After ten iterations, you have a portfolio of written investigations you can share with a potential employer or use as a reference during interview answers. This documented output is what most home lab guides never mention, and it is the part that actually closes the gap between studying and practising.
Understanding how attackers think is equally important for effective detection. The guide on how hackers use AI-powered offensive tools provides context on the techniques you should be building detection coverage against in 2026.
Structuring Your Lab as a Portfolio Piece
Document everything from day one. Use a private GitHub repository or a Notion workspace to record your lab topology, the tools you installed, the detection rules you configured, and the simulations you ran. Each simulation becomes a mini write-up: what you simulated, what fired in the SIEM, what did not fire and why, and how you would improve coverage.
Screenshot your dashboard showing real alerts. Include your network diagram. Write one paragraph explaining each detection rule you customised. This documentation is the portfolio. When an interviewer asks for evidence of hands-on experience, you show them the repository, not just the certification.
A well-documented lab with 20 incident simulations and written investigations is a stronger signal than any certification alone. Certifications prove you studied. Documentation proves you built and operated something real.
If your goal is to progress toward incident response roles specifically, the guide on incident response planning for UK organisations explains the formal IR process your lab practice should be preparing you for.
Frequently Asked Questions
How much does a cybersecurity home lab cost in the UK?
The cloud tier costs nothing if you stay within Oracle Free Tier, AWS, or Google Cloud free allocations. A self-hosted lab using a mini PC (Beelink or Minisforum N100-based) costs approximately £150 to £220 in hardware, plus £40 to £60 per year in electricity at current UK rates. The software stack, including Proxmox, Wazuh, Kali Linux, and Metasploitable, is entirely free.
Is Wazuh or Elastic SIEM better for a home lab?
Wazuh is better for beginners and resource-constrained hardware because it installs as a single package with a functioning dashboard and over 3,000 pre-built detection rules. Elastic SIEM offers more query flexibility and better ecosystem integrations but needs at least 8 GB RAM dedicated to the stack. For a first lab, start with Wazuh and add Elastic later once you need more analytical depth.
Can you build a cybersecurity home lab without dedicated hardware?
Yes. Oracle Cloud Free Tier provides a permanent ARM-based instance with up to 24 GB RAM, which runs a complete Wazuh deployment and multiple target machines at no cost. AWS and Google Cloud offer smaller free tiers. Keep all traffic within a single cloud region using private networking to avoid egress charges.
What operating systems should I run in my home lab?
The minimum useful set is one Linux attack platform (Kali Linux or Parrot OS), one Windows target (Windows 10 or 11 evaluation licences are free from Microsoft for 90 days), and one Linux target (Ubuntu Server or Metasploitable for vulnerable practice). Add your SIEM server as a fourth VM. Ubuntu needs no evaluation licence and is unrestricted for desktop use.
How long does it take to set up a working cybersecurity home lab?
A functional cloud-based lab using Oracle Free Tier with Wazuh installed takes three to four hours for a first setup, including account creation and following the Wazuh documentation. A self-hosted Proxmox lab with full network segmentation and a complete detection stack takes a weekend. Budget for troubleshooting time; the problems you solve during setup are part of the learning.
What certifications benefit most from cybersecurity home lab practice?
CompTIA CySA+ aligns most directly with the detection and analysis workflow in this guide. CompTIA Security+ provides the foundational vocabulary that makes lab work make sense. For UK-specific progression, CREST practitioner qualifications in SOC analysis and incident response map closely to the skills you build through systematic SIEM practice and documented investigation exercises.