After stabilising my mid-range desktop and legacy hardware, I faced a recurring problem: how to build a lab that actually works, without getting buried under tools and logs. My goal was clear — a repeatable, verifiable environment that could support Blue Team, DFIR, and AWS security practice — lightweight, structured, and portfolio-ready.
Part 1: Why “Minimal” Matters
Early on, I fell into the classic trap: installing everything that looked interesting. By the third VM snapshot, I realised I was spending more time troubleshooting the lab than practising security. That’s when I decided to freeze a professional baseline — a curated environment with everything I needed and nothing more.
- Every tool must work in WSL2 + Ubuntu 24.04 (command -v <tool> confirms OK)
- Workflows produce verifiable outputs: logs, captures, scripts, investigations, screenshots
- Lab is portable and remote-friendly, supporting freelance and distributed SOC work
This approach isn’t minimalism for aesthetics — it’s early-career senior thinking: defining scope, verifying assumptions, and moving forward deliberately.
Part 2: Blue Team Foundation — SOC Credibility
I installed only what supports detection, triage, and host/network visibility:
- Audit & logging: auditd, rsyslog, journalctl
- Network & host insight: tcpdump, iftop, lsof, htop, net-tools
- Security hygiene: lynis, chkrootkit, clamav
Small frustration: under WSL2, auditd does not run natively. At first, I panicked — but documenting the limitation became part of my learning. Knowing what doesn’t work is as important as knowing what does.
Validation output confirms the lab is fully operational:
auditctl : OK
rsyslogd : OK
journalctl : OK
tcpdump : OK
...
aws : OK
git : OK
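The “command -v <tool> confirms OK” rule from Part 1 and the validation output above are easy to turn into a repeatable check. The script below is an added example, not the script from the post or its repository. The tool list is my reconstruction from the post (with assumed binary names: netstat for net-tools, clamscan for clamav, nc for netcat), and the “binary only” handling for auditctl reflects the post’s note that auditd does not run natively under WSL2.

```shell
#!/bin/sh
# Added example: baseline toolset check for a WSL2 + Ubuntu 24.04 lab.
# Not the post's own script. Tool names are assumptions based on the packages the post lists.

# Constructed baseline list (assumed binary names for net-tools, clamav and netcat).
BASELINE_TOOLS="auditctl rsyslogd journalctl tcpdump iftop lsof htop netstat lynis chkrootkit clamscan nmap gobuster nikto sqlmap hydra nc traceroute dig aws git"

# Tools whose binary installs but whose daemon cannot run under WSL2 (the post notes auditd).
WSL2_LIMITED="auditctl"

# check_tool NAME
# Prints "NAME : OK", "NAME : OK (binary only; daemon does not run under WSL2)" or "NAME : MISSING".
# Returns 0 when the binary is on PATH, 1 otherwise.
check_tool() {
    tool="$1"
    if command -v "$tool" >/dev/null 2>&1; then
        for lim in $WSL2_LIMITED; do
            if [ "$lim" = "$tool" ]; then
                printf '%s : OK (binary only; daemon does not run under WSL2)\n' "$tool"
                return 0
            fi
        done
        printf '%s : OK\n' "$tool"
        return 0
    fi
    printf '%s : MISSING\n' "$tool"
    return 1
}

# validate_baseline TOOL...
# Prints one line per tool; returns the number of missing tools (0 = fully operational).
validate_baseline() {
    missing=0
    for t in "$@"; do
        check_tool "$t" || missing=$((missing + 1))
    done
    return $missing
}

# Run the report without aborting the shell if something is missing (safe under set -e).
missing_total=0
validate_baseline $BASELINE_TOOLS || missing_total=$?
echo "missing tools: $missing_total"
```

Run it after every rebuild or wsl --import and keep the output with the lab artefacts; a non-zero “missing tools” count means the baseline drifted. The WSL2_LIMITED list is where documented limitations live, so a tool that is present but cannot run as a service is reported honestly rather than as a plain OK.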
Structured directories reinforce repeatability.
Part 3: Red Team Tools — Defensive Learning
A limited set of Red Team tools is included purely for learning attacker behaviour:
nmap, gobuster, nikto, sqlmap, hydra, netcat, traceroute, dig
I remind myself every day: “These tools exist to improve defensive intuition, not to chase exploits.” Framing it this way keeps the lab realistic and employable in regulated environments.
learning: Blue Team → Cloud → Automation. It’s portfolio-ready by design, not by accident.
Part 5: Lab Architecture — Lightweight, Reliable, Repeatable
After grinding through VirtualBox and VMware, I finally realised: less is more. WSL2 + Ubuntu 24.04 gives me:
- Near-native SSD performance
- Minimal RAM overhead
- Reliable snapshotting (wsl --export / wsl --import)
- Smooth Windows integration
New Labs Structure:
I now maintain two main lab folders — SOC Labs and AWS Labs — each following the same internal architecture:
1. Environment & Scope
2. Baselines
3. Attack Surface & Exposure
4. Logging & Visibility
5. Threats & Techniques
6. Detection & Analysis
7. Response & Hardening
8. Automation & Continuous Improvement
This ensures repeatable, verifiable outputs for both SOC fundamentals and AWS Cloud SOC progression.
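To make the eight-stage layout above reproducible across both lab folders (and the “structured directories” point from Part 2), here is an added scaffold script. It is not from the post or its repository; the stage names follow the list above, while the zero-padded folder prefixes, the notes/ and evidence/ subfolders and the README contents are my own conventions.

```shell
#!/bin/sh
# Added example (not the post's own code): scaffold the SOC Labs / AWS Labs layout.
# Stage names are the post's eight phases; naming and subfolders are assumed conventions.

LAB_STAGES="environment-scope baselines attack-surface-exposure logging-visibility threats-techniques detection-analysis response-hardening automation-continuous-improvement"

# scaffold_lab ROOT NAME
# Creates ROOT/NAME/NN-stage/{notes,evidence} for each stage plus a README.md per stage.
# Idempotent: existing READMEs are left untouched so notes survive a re-run.
scaffold_lab() {
    root="$1"
    name="$2"
    n=1
    for stage in $LAB_STAGES; do
        dir="$root/$name/$(printf '%02d' "$n")-$stage"
        mkdir -p "$dir/notes" "$dir/evidence"
        if [ ! -f "$dir/README.md" ]; then
            printf '# %s / %s\n\nNotes, captures, scripts and screenshots for this stage.\n' \
                "$name" "$stage" > "$dir/README.md"
        fi
        n=$((n + 1))
    done
}

# count_stages ROOT NAME
# Prints the number of stage directories present for a lab (8 when fully scaffolded, 0 if absent).
count_stages() {
    ls -d "$1/$2"/[0-9][0-9]-* 2>/dev/null | wc -l | tr -d ' '
}

# Build both labs under LAB_ROOT (defaults to ./labs in the current directory).
LAB_ROOT="${LAB_ROOT:-./labs}"
scaffold_lab "$LAB_ROOT" "soc-labs"
scaffold_lab "$LAB_ROOT" "aws-labs"
echo "soc-labs stages: $(count_stages "$LAB_ROOT" soc-labs)"
echo "aws-labs stages: $(count_stages "$LAB_ROOT" aws-labs)"
```

Because the layout is generated rather than hand-made, a fresh WSL2 import can be brought back to the same structure in seconds, and count_stages gives a quick check that nothing was dropped.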
Reflection: Professional Maturity
This lab demonstrates:
- Restraint: minimal but verified toolset
- Verification: each component validated under real constraints
- Systems thinking: tools, processes, and outputs integrated into a coherent workflow
This signals to SOC leads and cloud managers that I understand discipline, reproducibility, and operational reality — exactly what remote-first teams value in self-directed engineers.
Outcome
- Consistent Blue Team operations and log analysis
- Defensive scripting and automation pipelines
- Cloud security monitoring and IAM auditing
- Portfolio-ready artefacts for GitHub and LinkedIn
I now have a safe, repeatable, and verifiable lab that maximises learning while remaining light, disciplined, and remote-friendly — the foundation for sustainable skill growth and career flexibility.
Links & Artefacts
- GitHub Repository: legacy-laptop-to-repeatable-soc-lab
- Portfolio Page: DIY SOC + AWS Lab
- LinkedIn Post: Building a Repeatable SOC & Cloud Lab
Tags: #CyberSecurity #SOC #BlueTeam #AWS #CloudSecurity #ThreatHunting #SecurityOperations #RemoteWork #PortfolioReady