Last reviewed

Lab Methodology Verified May 2026

Penetration Testing Lab Setup

Build practice environments that are isolated, repeatable, and tied to the rest of the Hackers Manifest methodology. Start with a clean attack machine, add targets deliberately, validate each layer, then tear it down or snapshot it before moving on.

Build Rule

If you cannot explain how a lab is isolated, how to prove it works, and how to clean it up, it is not ready to run.

Safety Baseline

Work only on systems you own or have explicit authorization to test.
Keep vulnerable services off your home LAN and off public interfaces.
Take clean snapshots before every exercise and before every vulnerable configuration change.
Use dedicated cloud accounts, subscriptions, and projects with billing alerts before deployment.
Write down the teardown command before you run the setup command.

Recommended operating rhythm

Build one lab at a time, validate it, snapshot it, run the exercise, record evidence, then clean up or revert before moving to the next lab.

Choose Your Lab

Each lab is mapped to the outcome it unlocks, not just its hardware requirements.

Low risk

Kali Attack Machine

Baseline attacker VM with tool hygiene, project structure, wordlists, and snapshots.

Difficulty: Beginner
Time: 45-90 min
RAM: 4 GB minimum, 8 GB preferred
Cost: Free
Isolation: NAT for updates, host-only for targets
Medium risk

Web Application Lab

Docker-based vulnerable web and API apps for practicing web testing workflows.

Difficulty: Beginner
Time: 15-45 min
RAM: 2-6 GB
Cost: Free
Isolation: Bind to localhost or isolated lab interface only
Medium risk

Vulnerable VMs

Downloadable and containerized targets for network, Linux, Windows, and web exploitation practice.

Difficulty: Beginner
Time: 30-90 min
RAM: 4-12 GB
Cost: Free
Isolation: Host-only or internal network; never bridged to home LAN
High risk

Active Directory Lab

Windows domain lab for Kerberos, AD CS, BloodHound, delegation, and privilege escalation paths.

Difficulty: Intermediate
Time: 2-4 hr
RAM: 16 GB minimum, 32 GB preferred
Cost: Free eval licenses
Isolation: Internal AD network, optional Kali NAT adapter for updates
Critical risk

Malware Analysis Lab

Isolated REMnux, Windows victim, and fake internet services for static and dynamic analysis.

Difficulty: Intermediate
Time: 2-4 hr
RAM: 8-24 GB
Cost: Free
Isolation: Internal network only; no route to host LAN or internet
High risk

Cloud Security Lab

AWS, Azure, GCP, and Kubernetes vulnerable environments with billing guardrails and teardown discipline.

Difficulty: Advanced
Time: 1-3 hr
RAM: 4 GB local, provider dependent
Cost: Variable
Isolation: Dedicated lab account/subscription/project with budget alerts
High risk

Purple Team / SIEM Lab

Detection-capable enterprise lab using Wazuh, Elastic, Sysmon, Sigma, and attack replay.

Difficulty: Advanced
Time: 3-6 hr
RAM: 32 GB+
Cost: Free locally
Isolation: Internal detection network with controlled log retention
High risk

Wireless Lab

Authorized Wi-Fi testing with known adapters, driver checks, and a practice AP you control.

Difficulty: Intermediate
Time: 1-2 hr
RAM: 4 GB
Cost: $30-60 adapter/AP
Isolation: Only your AP, your clients, and your RF test space
High risk

CI/CD Pipeline Lab

GitLab, Jenkins, Gitea, runners, registry, and deliberately vulnerable pipeline scenarios.

Difficulty: Advanced
Time: 1-3 hr
RAM: 8-16 GB
Cost: Free locally
Isolation: Local Docker network; never bind admin consoles to public interfaces
Critical risk

Kali NetHunter

Mobile Kali path with device fit checks, firmware verification, bootloader risk, and recovery checkpoints.

Difficulty: Intermediate
Time: 2-4 hr
RAM: Linux host plus supported phone
Cost: Device dependent
Isolation: Use only owned devices and authorized wireless targets

Universal Validation Checklist

Before setup

  • Document scope and authorization.
  • Confirm host resources and free disk space.
  • Create NAT, host-only, or internal networks deliberately.
  • Download installers from official sources and verify version notes.

Before exercises

  • Take a clean snapshot or export container state.
  • Prove the lab is reachable only from intended interfaces.
  • Run one benign test event and capture evidence.
  • Write the cleanup command beside the setup command.
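
One way to carry out the "reachable only from intended interfaces" check on the lab host, shown as an added example that is not part of the original page. It reads `ss -ltnH` output and flags every TCP listener bound to a wildcard address or to an address outside the allowed networks; the lab CIDR `10.10.10.0/24`, the sample listener lines, and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: loopback plus one host-only lab CIDR (constructed value, adjust to your plan).
ALLOWED_NETS = [ipaddress.ip_network(n)
                for n in ("127.0.0.0/8", "::1/128", "10.10.10.0/24")]

# Constructed sample of `ss -ltnH` output (TCP listeners, numeric, no header).
SAMPLE_SS = """\
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 10.10.10.1:3000 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 4096 [::]:8443 [::]:*
LISTEN 0 128 192.168.1.23:9000 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 *:80 *:*
"""


def parse_local(field):
    """Split the 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def exposed_listeners(ss_output, allowed=ALLOWED_NETS):
    """Return (address, port, reason) for listeners that break lab isolation."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = parse_local(cols[3])
        # "*" is the dual-stack wildcard; 0.0.0.0 and :: are the unspecified addresses.
        if addr == "*" or ipaddress.ip_address(addr).is_unspecified:
            findings.append((addr, port, "wildcard bind"))
        elif not any(ipaddress.ip_address(addr) in net for net in allowed):
            findings.append((addr, port, "outside lab networks"))
    return findings


if __name__ == "__main__":
    for addr, port, reason in exposed_listeners(SAMPLE_SS):
        print(f"FAIL {addr}:{port} ({reason})")
```

To check a live host, pass in the text captured from `ss -ltnH` on the machine that hosts the lab; an empty result is the evidence to save with the pre-exercise snapshot.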

Freshness Rule

Treat commands that install cloud tools, mobile firmware, SIEM stacks, Docker images, or security tools as version-sensitive. Check upstream release notes before reuse, then update snapshots and cleanup commands after every major tool upgrade.

What Makes A Lab Report-Ready?

Evidence

Screenshots, logs, command outputs, timestamps, and hashes are saved outside disposable lab VMs.

Repeatability

The setup, validation, exploitation, and cleanup steps can be rerun from a clean snapshot.

Detection

Whenever possible, the lab records what was detected, missed, and tuned after the exercise.