Freezing a Professional-Grade SOC + Cloud Lab: Minimal, Verified, and Repeatable

Summary
Building on my previous work scaling from legacy hardware to modern Windows, this stage focuses on creating a lightweight, reproducible SOC + AWS lab in WSL2 + Ubuntu 24.04. The objective was to freeze a minimum viable professional baseline: a curated, fully functional environment for Blue Team practice, Red Team learning, and cloud security automation.


1. Minimal, Verified Toolset

Every tool in the lab serves a clear, deliberate purpose — no tool-maximalism.

Blue Team Essentials: auditd, rsyslog, journalctl, tcpdump, htop, lynis, clamav
Note: auditd does not run natively under WSL2. Initially, I spent a frustrating hour troubleshooting it before confirming it was a known limitation. Documenting this became part of the lab discipline.

Red Team Learning Tools: nmap, gobuster, nikto, sqlmap, hydra, nc, traceroute, dig
Used exclusively to improve defensive intuition, not for exploitation.

Cloud Security Tools: AWS CLI v2, jq, Python3 + pip3, curl, openssl, Git

Verification: A simple shell loop confirmed all critical tools are operational:

# Each tool must resolve on PATH; any MISSING line means the baseline is incomplete
for tool in tcpdump htop lynis aws jq python3 pip3 git; do
  if command -v "$tool" >/dev/null 2>&1; then
    echo "$tool OK"
  else
    echo "$tool MISSING"
  fi
done

All returned OK, validating a fully operational lab.


2. Lab Architecture: Lightweight, Repeatable, Portfolio-Ready

Structured File System:

~/lab/
    logs/
    captures/
    scripts/
    investigations/
    screenshots/
    notes/

During my first full log capture, the captures/ folder filled faster than expected. I wrote a small Python script to rotate and compress .pcap files automatically, an early demonstration of workflow automation.
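The rotation script described above, written here as an added example rather than the script from the post. It assumes tcpdump writes one .pcap per capture into ~/lab/captures/, that a file untouched for an hour is finished (so it is safe to compress), and that only the newest ten archives need to be kept; the file names and ages in demo() are constructed.

```python
"""Rotate and gzip-compress finished .pcap files in a capture directory.

Added example, not the script from the post. Assumptions: tcpdump writes
one .pcap per capture, a file not modified for MAX_AGE_S seconds is
finished, and ~/lab/captures/ is the directory to manage.
"""
import gzip
import os
import shutil
import tempfile
import time
from pathlib import Path

CAPTURE_DIR = Path.home() / "lab" / "captures"   # assumption: lab layout from the post
MAX_AGE_S = 3600                                   # idle for an hour => safe to compress
KEEP = 10                                          # newest archives to retain


def rotate_captures(capture_dir, max_age_s=MAX_AGE_S, keep=KEEP, now=None):
    """Compress idle .pcap files and prune old .pcap.gz archives.

    Returns (compressed, pruned): lists of file names, so each run is verifiable.
    """
    capture_dir = Path(capture_dir)
    now = time.time() if now is None else now
    compressed = []
    for pcap in sorted(capture_dir.glob("*.pcap")):
        mtime = pcap.stat().st_mtime
        if now - mtime < max_age_s:
            continue                          # still being written by tcpdump
        target = pcap.with_name(pcap.name + ".gz")
        with pcap.open("rb") as src, gzip.open(target, "wb") as dst:
            shutil.copyfileobj(src, dst)
        os.utime(target, (now, mtime))       # keep the capture's own mtime for ordering
        pcap.unlink()
        compressed.append(target.name)
    # Prune: keep only the `keep` newest archives, ordered by mtime.
    archives = sorted(capture_dir.glob("*.pcap.gz"), key=lambda p: p.stat().st_mtime)
    to_prune = archives[:-keep] if keep > 0 else archives
    pruned = []
    for old in to_prune:
        old.unlink()
        pruned.append(old.name)
    return compressed, pruned


def demo():
    """Run rotation on a constructed temporary capture directory."""
    tmp = Path(tempfile.mkdtemp(prefix="captures-"))
    now = 1_700_000_000.0
    # Constructed samples: three idle captures of increasing age and one
    # touched a minute ago (still open).
    for name, age in [("eth0-001.pcap", 7200), ("eth0-002.pcap", 5400),
                      ("eth0-003.pcap", 3900), ("eth0-004.pcap", 60)]:
        path = tmp / name
        path.write_bytes(b"\xd4\xc3\xb2\xa1" + bytes(1024))   # pcap magic + filler
        os.utime(path, (now - age, now - age))
    compressed, pruned = rotate_captures(tmp, max_age_s=3600, keep=2, now=now)
    remaining = sorted(p.name for p in tmp.iterdir())
    shutil.rmtree(tmp)
    return compressed, pruned, remaining


if __name__ == "__main__":
    if CAPTURE_DIR.is_dir():
        print(rotate_captures(CAPTURE_DIR))
    else:
        print(demo())
```

Run it from cron or a WSL startup task; because it returns the file names it touched, each run can be logged into notes/ as an artefact rather than trusted blindly. The original mtime is copied onto the archive so pruning is by capture time, not compression time.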

WSL2 Advantages:

  • Minimal RAM overhead — even 1 GB+ packet captures run smoothly
  • Near-native SSD performance
  • Clean Windows integration
  • Easy snapshotting: wsl --export / wsl --import

Lab maintenance now takes minutes, leaving maximum time for actual security practice.


3. Practical Examples of Learning & Automation

  • CloudTrail Automation: Parsing logs with Python revealed a misconfigured IAM role. Detection was automated across accounts using boto3 and jq.
  • Network Monitoring: tcpdump + grep tracked SSH attempts, generating timestamped alerts stored in logs/.
  • Web Security Insights: nikto scans against a lab web service showed common HTTP header probes, informing defensive scripting.
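A CloudTrail check of the kind the first bullet describes, as an added example that is not the post's own script. It reads the JSON CloudTrail writes (an object with a "Records" array) and flags two role misconfigurations: a trust policy whose principal is a wildcard or an account outside an allow-list, and attachment of a broad managed policy such as AdministratorAccess. The allow-listed account id, role names and sample events are constructed; in the lab the same function would be fed the Records arrays pulled from the CloudTrail bucket.

```python
"""Flag risky IAM role changes in CloudTrail records.

Added example, not the post's own script. It reads the JSON that CloudTrail
writes (an object with a "Records" array) and reports two conditions:
a trust policy that lets a wildcard or non-allow-listed account assume the
role, and attachment of a broad AWS managed policy. Account ids, role names
and events below are constructed.
"""
import json
from urllib.parse import quote, unquote

TRUSTED_ACCOUNTS = {"111111111111"}          # assumption: the lab account
BROAD_POLICIES = {
    "arn:aws:iam::aws:policy/AdministratorAccess",
    "arn:aws:iam::aws:policy/PowerUserAccess",
}


def _principals(statement):
    """Yield every principal string in one trust-policy statement."""
    principal = statement.get("Principal", {})
    if principal == "*":
        yield "*"
        return
    for value in principal.values():          # keys: AWS, Service, Federated
        yield from (value if isinstance(value, list) else [value])


def _untrusted(principal):
    """True for a wildcard or an account outside TRUSTED_ACCOUNTS."""
    if principal == "*":
        return True
    if principal.isdigit():                   # bare 12-digit account id
        return principal not in TRUSTED_ACCOUNTS
    parts = principal.split(":")
    if len(parts) == 6 and parts[0] == "arn": # arn:partition:service:region:account:resource
        return parts[4] not in TRUSTED_ACCOUNTS
    return False                              # service principals such as ec2.amazonaws.com


def audit_records(records):
    """Return [(eventTime, roleName, finding), ...] for risky IAM events."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "iam.amazonaws.com":
            continue
        params = rec.get("requestParameters") or {}
        role = params.get("roleName", "?")
        name = rec.get("eventName")
        if name in ("CreateRole", "UpdateAssumeRolePolicy"):
            # CloudTrail stores the trust policy as a URL-encoded JSON string.
            doc = json.loads(unquote(params.get("assumeRolePolicyDocument", "{}")))
            statements = doc.get("Statement", [])
            if isinstance(statements, dict):
                statements = [statements]
            for stmt in statements:
                if stmt.get("Effect") != "Allow":
                    continue
                for principal in _principals(stmt):
                    if _untrusted(principal):
                        findings.append((rec["eventTime"], role,
                                         f"trust policy allows {principal}"))
        elif name == "AttachRolePolicy" and params.get("policyArn") in BROAD_POLICIES:
            findings.append((rec["eventTime"], role, f"attached {params['policyArn']}"))
    return findings


def audit_trail_json(text):
    """Audit one CloudTrail log file body (the {"Records": [...]} JSON)."""
    return audit_records(json.loads(text)["Records"])


def _trust(principal):
    """Build a URL-encoded trust policy the way it appears in CloudTrail."""
    doc = {"Version": "2012-10-17",
           "Statement": [{"Effect": "Allow", "Principal": principal,
                          "Action": "sts:AssumeRole"}]}
    return quote(json.dumps(doc), safe="")


# Constructed sample log: one benign role, one wildcard-trust role that then
# receives AdministratorAccess, and one read-only call with no parameters.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-06-01T10:00:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "requestParameters": {"roleName": "lab-ec2-reader",
                           "assumeRolePolicyDocument": _trust({"Service": "ec2.amazonaws.com"})}},
    {"eventTime": "2024-06-01T10:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateRole",
     "requestParameters": {"roleName": "lab-cross-account",
                           "assumeRolePolicyDocument": _trust({"AWS": "*"})}},
    {"eventTime": "2024-06-01T10:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "AttachRolePolicy",
     "requestParameters": {"roleName": "lab-cross-account",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventTime": "2024-06-01T10:07:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "ListRoles", "requestParameters": None},
]})


if __name__ == "__main__":
    for when, role, finding in audit_trail_json(SAMPLE_TRAIL):
        print(f"{when} {role}: {finding}")
```

Running it across accounts is then a loop over each account's log files with its own TRUSTED_ACCOUNTS set; the findings are tuples, so they drop straight into jq-friendly JSON for the investigations/ folder.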

These exercises produce repeatable, verifiable outputs, ready for portfolio demonstration.
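The SSH tracking from the second bullet, as an added example rather than the post's own pipeline. It consumes the text tcpdump prints with -n (numeric ports) and -l (line-buffered), counts TCP SYNs to port 22 per source address, and writes a timestamped alert into logs/ when a source crosses a threshold within a sliding window. The interface name, addresses, threshold, log path and sample lines are constructed.

```python
"""Turn tcpdump output into timestamped SSH-attempt alerts.

Added example, not the post's own pipeline. It reads the lines tcpdump
prints (run with -n -l so ports are numeric and lines are flushed as they
come), counts TCP SYNs to port 22 per source address and raises one alert
when a source reaches THRESHOLD SYNs within WINDOW_S seconds. Interface,
addresses, paths and sample lines are constructed.
"""
import re
import sys
from collections import defaultdict, deque
from pathlib import Path

ALERT_LOG = Path.home() / "lab" / "logs" / "ssh-alerts.log"   # assumption: lab layout
THRESHOLD = 5
WINDOW_S = 60

# tcpdump -n line, e.g.
# 10:15:30.000100 IP 192.168.1.50.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
SYN_TO_SSH = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.22: Flags \[S\],"          # [S] only: SYN without ACK, i.e. a new attempt
)


def _seconds(ts):
    """'HH:MM:SS.ffffff' -> seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def monitor(lines, threshold=THRESHOLD, window_s=WINDOW_S):
    """Scan tcpdump lines; return (alerts, syn_totals_per_source)."""
    recent = defaultdict(deque)       # src -> timestamps of SYNs inside the window
    totals = defaultdict(int)
    alerts = []
    for line in lines:
        m = SYN_TO_SSH.match(line)
        if not m:
            continue
        src, ts = m["src"], m["ts"]
        t = _seconds(ts)
        totals[src] += 1
        q = recent[src]
        q.append(t)
        while q and t - q[0] > window_s:      # drop SYNs older than the window
            q.popleft()
        if len(q) == threshold:               # alert once, as the threshold is crossed
            alerts.append(f"{ts} ALERT ssh-syn-burst src={src} count={len(q)} "
                          f"window={window_s}s")
    return alerts, dict(totals)


def write_alerts(alerts, path=ALERT_LOG):
    """Append alerts to the lab log file; returns the number written."""
    path = Path(path)
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("a") as fh:
        for alert in alerts:
            fh.write(alert + "\n")
    return len(alerts)


# Constructed tcpdump output: six SYNs from .50 to port 22 within eight seconds,
# one SYN-ACK reply, one SYN from .51, and one SYN from .50 to port 443.
SAMPLE_LINES = """\
10:15:30.000100 IP 192.168.1.50.51234 > 192.168.1.10.22: Flags [S], seq 1, win 64240, length 0
10:15:30.000200 IP 192.168.1.10.22 > 192.168.1.50.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
10:15:31.100000 IP 192.168.1.50.51235 > 192.168.1.10.22: Flags [S], seq 3, win 64240, length 0
10:15:32.200000 IP 192.168.1.50.51236 > 192.168.1.10.22: Flags [S], seq 4, win 64240, length 0
10:15:33.300000 IP 192.168.1.50.51237 > 192.168.1.10.22: Flags [S], seq 5, win 64240, length 0
10:15:34.400000 IP 192.168.1.51.40000 > 192.168.1.10.22: Flags [S], seq 6, win 64240, length 0
10:15:35.500000 IP 192.168.1.50.51238 > 192.168.1.10.22: Flags [S], seq 7, win 64240, length 0
10:15:36.600000 IP 192.168.1.50.51239 > 192.168.1.10.443: Flags [S], seq 8, win 64240, length 0
10:15:37.700000 IP 192.168.1.50.51240 > 192.168.1.10.22: Flags [S], seq 9, win 64240, length 0
""".splitlines()


if __name__ == "__main__":
    # Piped from tcpdump when stdin is not a terminal; otherwise use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    found, counts = monitor(source)
    print(counts)
    print(f"{write_alerts(found)} alert(s) written to {ALERT_LOG}")
```

In the lab this sits at the end of a pipe such as sudo tcpdump -n -l -i eth0 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn and dst port 22' | python3 ssh_monitor.py (eth0 and the script name are assumptions); the BPF filter does the grep-style pre-selection so the Python side only has to count. Timestamps are seconds since midnight, so a burst that straddles midnight is a known gap of this simple version.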


4. Reflection and Career Relevance

By freezing the lab at a minimum professional baseline, I:

  • Verified tools under real-world constraints
  • Practised structured SOC operations and cloud security automation
  • Built a repeatable, portfolio-ready workflow
  • Developed the habit of producing verifiable artefacts, not just installing tools

This lab demonstrates professional maturity, systems thinking, and deliberate progression — signals that SOC leads and cloud security managers value.


Outcome

  • Consistent Blue Team operations and log analysis
  • Defensive scripting and automation pipelines
  • Cloud security monitoring and IAM auditing
  • Verified, repeatable artefacts ready for GitHub and portfolio

The lab now provides a foundation for advanced SOC and cloud security practice, fully aligned with remote SOC roles across the UK and EU.