Congratulations! If you are reading this, you have likely finished setting up your cyber security home lab. You have the infrastructure, the virtualization, and the network isolation ready. But a lab is only as good as the experiments you run in it.
The question now is: What should you hack first?
While classic applications like DVWA and Metasploitable are the “Hello World” of ethical hacking, the cybersecurity landscape in 2026 has evolved. Modern applications rely heavily on APIs, Cloud infrastructure, and now, Artificial Intelligence. To be job-ready, your practice needs to reflect reality.
Below is a roadmap of the latest software and virtual machines you should deploy in your new lab to practice the skills that matter most today.
Phase 1: The Foundations (Web Application Security)
Mastering the OWASP Top 10
You likely already have some of these on your list. These are the “bootcamp” applications where you learn the logic of vulnerability.
- OWASP Juice Shop: This is the absolute gold standard for modern web vulnerabilities. Unlike older PHP apps, Juice Shop is built with Node.js, Express, and Angular, making it a perfect playground for understanding modern Single Page Application (SPA) flaws.
- DVWA (Damn Vulnerable Web App): The classic. It remains the best place to see vulnerable code side-by-side with its secure counterpart.
- OWASP WebGoat & Security Shepherd: Excellent for guided, lesson-based learning where you want a “teacher” built into the application.
Phase 2: The Modern Upgrade (API Security)
Where the real bugs live in 2026
Modern apps don’t just “render HTML”; they talk to APIs. If you only practice on DVWA, you are missing half the picture.
- OWASP crAPI (Completely Ridiculous API):
  - Why it’s essential: crAPI simulates a modern vehicle management platform. It is designed specifically to teach the OWASP API Security Top 10. You will learn about BOLA (Broken Object Level Authorization), excessive data exposure, and mass assignment—vulnerabilities that cause massive real-world breaches.
- vAPI: A newer, self-hosted API lab that mimics real-world scenarios for API attacks. It is lightweight and perfect for understanding how to use tools like Postman and Burp Suite specifically for APIs.
Phase 3: The Enterprise Standard (Active Directory)
How corporate networks are compromised
Attacking a standalone VM is fun, but real-world hacking involves Active Directory (AD). If you want to work in pentesting or Red Teaming, you must understand AD.
- GOAD (Game of Active Directory):
  - The “Boss Level” Lab: This is widely considered the best free AD lab available. It automates the creation of a vulnerable Windows Domain environment (using Vagrant/Ansible).
  - What you learn: Kerberoasting, AS-REP Roasting, NTLM relay attacks, and pivoting through a corporate network. It is challenging but incredibly rewarding.
Phase 4: The Cloud Frontier (AWS & Azure)
Moving beyond the local network
Your home lab can (and should) extend to the cloud. Cloud misconfigurations are a leading cause of data breaches.
- CloudGoat (by Rhino Security Labs):
  - Concept: Instead of a VM, CloudGoat deploys “vulnerable-by-design” resources into your actual AWS account (use the Free Tier!).
  - Scenarios: You will practice exploiting S3 buckets, escalating IAM privileges, and compromising Lambda functions.
  - Note: ALWAYS remember to destroy the resources after you practice to avoid unexpected cloud bills!
Phase 5: The Cutting Edge (AI & LLM Security)
The new frontier for 2026
With the rise of Large Language Models (LLMs), a new class of vulnerabilities has emerged.
- Local LLM Poisoning Lab:
  - Setup: Use Ollama or LM Studio to run an open-source model (like Llama 3) locally in your lab.
  - Practice: Try to perform “Prompt Injection” or “Jailbreaking” against your own local AI. Can you trick it into revealing its system instructions? Can you bypass its safety guardrails?
  - Resource: Refer to the OWASP Top 10 for LLM Applications for a list of attacks to try, such as “Model Theft” and “Training Data Poisoning.”
Summary Checklist
If you are just starting, follow this progression:
- Start here: DVWA & Juice Shop (Learn the basics).
- Level up: OWASP crAPI (Learn APIs).
- Go Pro: GOAD (Learn Active Directory).
- Future-Proof: CloudGoat & Local LLMs (Learn Cloud & AI).
Your home lab is a living ecosystem. Don’t just install these tools—break them, patch them, and write reports on how you did it. Good luck!