Building a Homelab & Cyber Range: The Foundation – Vision, Hardware, and Virtualization


Part 1: The Foundation – Vision, Hardware, and Virtualization

Every great project starts with a vision and a solid foundation. In this first post, I’ll cover the goals for my lab, the hardware powering it all, and why I chose Proxmox as the hypervisor to bring it to life.

Lab Overview

This security lab environment is designed for practicing both offensive and defensive security techniques in a controlled setting. The infrastructure allows for security tool deployment, attack simulation, vulnerability assessment, and incident response training—providing a complete ecosystem for security research and skill development.

The lab features:

  • Segmented networks with pfSense firewall and VLANs for realistic enterprise simulation
  • Blue team capabilities including SIEM, incident response, and forensics tools
  • Multiple target environments from classic pen-testing to modern containerized applications
  • Isolated malware analysis environment for safe reverse engineering
  • Scalable architecture that grows with your learning objectives

What’s Coming in This Series

This is the first in the series covering every aspect of building and using this cyber range:

  • Part 2: Network Architecture – pfSense configuration, VLAN segmentation, and firewall rules
  • Part 3: Blue Team Operations – Setting up Wazuh, Security Onion, The Hive, and forensics VM
  • Part 4: Red Team Operations – Configuring attack platforms with Kali, Parrot OS, Caldera
  • Part 5: Target Environments – Building vulnerable networks for penetration testing practice
  • Part 6: Malware Analysis Lab – Creating a safely isolated environment for reverse engineering
  • Part 7: Putting It All Together – End-to-end attack scenarios and future enhancements

Introduction & Goals

Like many in cybersecurity, I started with traditional certification grinding—currently working through Hack The Box’s CPTS material. But I hit that familiar wall: burnout. Structured learning began feeling mechanical and repetitive.

While studying drains me, tinkering never does. My project backlog grows faster than my completion rate, but this isn’t a bug—it’s a feature. Each idea builds on the last, creating interconnected learning opportunities that keep the passion alive.

More Than Just Another Lab

This homelab bridges multiple aspects of cybersecurity beyond the typical Kali + Metasploitable setup:

Offensive Security Training: Realistic target environments with multiple attack vectors and complex network topologies that mirror real-world scenarios.

Defensive Security Operations: Blue team capabilities including SIEM deployment, log analysis, incident response workflows, and threat hunting exercises.

Enterprise Simulation: Corporate network structures with Active Directory domains, segmented networks, and business-critical services.

Research & Development: A sandbox for testing tools, developing scripts, and experimenting with new technologies.

Continuous Learning: An evolving platform that grows with my skills, allowing me to pivot between web app security, malware analysis, and cloud security as curiosity strikes.

The Physical Host

Core Components

CPU: Intel i9-12900K
16 cores (8 performance + 8 efficiency) and 24 threads provide ample processing power for multiple VMs without performance degradation. Temperature monitoring is needed during heavy loads—cooling optimization is a future project.

RAM: 96GB
Memory is often the limiting factor in virtualization. 96GB provides comfortable headroom for realistic enterprise scenarios without constantly juggling resources. 128GB would be ideal for running additional services simultaneously, but this is sufficient.

Storage Configuration:

  • 1TB Boot Drive: NVMe storage for Proxmox host OS and frequently accessed VM images
  • 4TB VM Storage Drive: Bulk storage for VMs, ISOs, and lab data

The GPU Situation

GPU: NVIDIA RTX 3080
Complete overkill for a security lab. This was part of a gaming PC conversion and mostly sits idle except for occasional GPU-accelerated password cracking or machine learning experiments. I plan to replace it with something cheaper. For most security labs, integrated graphics suffices.

Why These Choices Matter

This configuration provides enough resources for realistic scenarios without artificial constraints. The CPU handles parallel processing for multiple VMs, generous RAM ensures smooth operation during complex exercises, and the storage balances performance with capacity.

Most importantly, there’s room to grow. The lab can evolve and expand without hitting immediate bottlenecks.

The Hypervisor: Why Proxmox?

After evaluating the main options, Proxmox VE emerged as the clear winner for this security-focused environment.

Why Proxmox Won

Open Source Freedom: No licensing headaches, vendor lock-in, or transparency issues.

Dual Virtualization: Native support for both full VMs (KVM/QEMU) and lightweight containers (LXC). Run resource-intensive Windows domain controllers as VMs while deploying Linux services as containers.

Web-Based Management: Intuitive, feature-complete interface accessible from any browser—perfect for late-night troubleshooting.

Clustering Capabilities: Built-in scalability for future multi-host expansion without infrastructure rebuilds.

Active Community: Strong support, regular updates, comprehensive documentation, and well-documented solutions.

Real-World Benefits

Proxmox delivers on these promises. VM deployments are straightforward, snapshots save hours when experiments fail, and resource monitoring provides clear system visibility. The VM/container mix proves particularly valuable for realistic network topologies without resource overhead.

Resource Management Philosophy

The biggest homelab misconception: you need enterprise hardware for enterprise scenarios. Reality is more forgiving thanks to one principle: not everything runs simultaneously. This was a mistake I made with some of the “overkill” selections when looking for a base for my homelab. I don’t need everything running at once, and until I figure out a better solution for cooling, it’s really not something I want to leave running idle all the time without monitoring.

The Reality of Resource Usage

Security labs are scenario-based, not production environments. When practicing AD exploitation, malware analysis VMs can be off. During incident response exercises, penetration testing infrastructure can be dormant.

At idle: ~20% CPU utilization with core services (domain controllers, monitoring, basic targets) maintaining baseline environment.

During scenarios: 70-80% CPU and memory utilization, temporary and focused on specific systems for that exercise.

For optimal performance: VMs activated only when needed, keeping the host responsive and preventing resource contention.

Tips for Smaller Configurations

This approach scales down for constrained resources:

  • Start essential: Build core infrastructure first (DNS, domain controller, basic targets), expand scenario-specific VMs later
  • Embrace snapshots: Use Proxmox snapshots to save states and switch between lab configurations
  • Leverage containers: Use LXC for lightweight services that don’t require full OS isolation
  • Template everything: Create VM templates for common configurations to speed deployment and reduce storage
  • Schedule learning: Plan sessions around specific scenarios, powering only needed systems
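
The scenario-based approach above ("not everything runs simultaneously", "powering only needed systems"), as an added example that is not part of the original post: a dry-run planner that works out which guests to stop and start for one scenario and checks the RAM total against the 96GB host. The inventory (IDs, names, RAM sizes, scenario tags) and the 8GB host reserve are assumptions; qm and pct are the Proxmox CLI tools for VMs and LXC containers.

```python
HOST_RAM_GB = 96      # host RAM stated in the post
RESERVE_GB = 8        # assumption: headroom left for the Proxmox host itself

# Constructed inventory: IDs, names, RAM sizes and tags are hypothetical.
# kind "vm" is driven with `qm`, kind "ct" (LXC container) with `pct`.
INVENTORY = [
    {"id": 100, "name": "dc01",          "kind": "vm", "ram": 8,  "tags": {"core"}},
    {"id": 101, "name": "dns",           "kind": "ct", "ram": 1,  "tags": {"core"}},
    {"id": 110, "name": "wazuh",         "kind": "vm", "ram": 16, "tags": {"ir"}},
    {"id": 111, "name": "securityonion", "kind": "vm", "ram": 24, "tags": {"ir"}},
    {"id": 120, "name": "kali",          "kind": "vm", "ram": 8,  "tags": {"ad"}},
    {"id": 121, "name": "win-client",    "kind": "vm", "ram": 8,  "tags": {"ad", "ir"}},
    {"id": 140, "name": "malware-win",   "kind": "vm", "ram": 8,  "tags": {"malware"}},
    {"id": 141, "name": "remnux",        "kind": "vm", "ram": 4,  "tags": {"malware"}},
]

def plan(scenario, running_ids):
    """Return guests to stop/start so only core + scenario guests run."""
    known = set().union(*(g["tags"] for g in INVENTORY)) - {"core"}
    if scenario not in known:
        raise ValueError(f"unknown scenario {scenario!r}; known: {sorted(known)}")
    wanted = [g for g in INVENTORY if g["tags"] & {"core", scenario}]
    ram = sum(g["ram"] for g in wanted)
    if ram > HOST_RAM_GB - RESERVE_GB:
        raise ValueError(f"{scenario} needs {ram} GB, over the host budget")
    wanted_ids = {g["id"] for g in wanted}
    return {
        "stop": [g for g in INVENTORY
                 if g["id"] in running_ids and g["id"] not in wanted_ids],
        "start": [g for g in wanted if g["id"] not in running_ids],
        "ram_gb": ram,
    }

def commands(p):
    """Render the plan as Proxmox CLI calls; stops come first to free RAM."""
    tool = {"vm": "qm", "ct": "pct"}
    out = [f"{tool[g['kind']]} shutdown {g['id']}" for g in p["stop"]]
    out += [f"{tool[g['kind']]} start {g['id']}" for g in p["start"]]
    return out

if __name__ == "__main__":
    # Constructed state: core services and the malware lab are running.
    for line in commands(plan("ad", running_ids={100, 101, 140, 141})):
        print(line)  # dry run: review, then paste on the Proxmox host
```

Nothing is executed against the hypervisor; the output is a list of commands to review before running them on the host.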