A vulnerability assessment home lab is where the skill actually develops. You can read about Nmap flags and CVSS scoring for weeks and still freeze in front of a real target. Put those tools against a live vulnerable machine in your own environment and the knowledge starts to stick in a different way.
The good news: you do not need much. A laptop with 16GB of RAM, free software, and a few hours to set it up properly. Here is exactly how to do it.
What Does a Vulnerability Assessment Home Lab Actually Need?
The minimum viable setup is simpler than most guides suggest.
Hardware: 16GB of RAM is the practical floor. You are running at least two virtual machines simultaneously - your attack machine and your target - and anything less produces the kind of lag that kills concentration. 32GB is comfortable. Storage-wise, an SSD makes a meaningful difference to VM boot times; 256GB free space covers everything here. Processor matters less than RAM.
Virtualisation software: VirtualBox is free and works well on Windows, macOS, and Linux. VMware Workstation Pro is more polished and handles network configuration more cleanly, but it costs money. For a home lab, VirtualBox is the right starting point.
Network configuration: This is the part most guides skip and the part that matters most for safety. Your vulnerable machines must run on a host-only or internal network adapter - completely isolated from your home network and the internet. A misconfigured Metasploitable instance sitting on your normal network adapter is a genuine security risk. Set the network type before you power on any vulnerable VM, not after.
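A check worth running before powering on a vulnerable VM, added here as an example and not part of the original article: it parses the machine-readable output of `VBoxManage showvminfo <vm> --machinereadable` (the `nicN="..."` lines report each adapter's attachment type) and refuses any adapter that reaches the home network or the internet. The VM name, the sample output and the `check_vm` helper are assumptions for the demonstration; the sample output is constructed by hand so the script runs offline.

```python
"""Verify that a VirtualBox VM's adapters are isolated before power-on.

Added example (not from the original article). Parses `VBoxManage showvminfo
<vm> --machinereadable` output and flags adapters attached to nat, natnetwork
or bridged. The sample output below is constructed, not captured from a VM.
"""
import re
import subprocess

# Attachment types that keep traffic inside the lab host.
ISOLATED = {"hostonly", "intnet", "none", "null"}

NIC_RE = re.compile(r'^nic(\d+)="([^"]*)"$')


def parse_nics(showvminfo_text):
    """Return {adapter_number: attachment_type} from machine-readable output."""
    nics = {}
    for line in showvminfo_text.splitlines():
        m = NIC_RE.match(line.strip())
        if m:
            nics[int(m.group(1))] = m.group(2)
    return nics


def exposed_adapters(showvminfo_text):
    """Return sorted (adapter_number, type) pairs that are not isolated.

    Anything outside ISOLATED (nat, natnetwork, bridged, generic) is treated
    as exposed, so unknown types fail closed.
    """
    return sorted(
        (n, t) for n, t in parse_nics(showvminfo_text).items() if t not in ISOLATED
    )


def is_isolated(showvminfo_text):
    """True only when every adapter uses an isolated attachment type."""
    return not exposed_adapters(showvminfo_text)


def check_vm(vm_name):
    """Query a real VM via VBoxManage (assumed on PATH); returns (isolated, exposed)."""
    out = subprocess.run(
        ["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
        capture_output=True, text=True, check=True,
    ).stdout
    return is_isolated(out), exposed_adapters(out)


# Constructed sample: adapter 1 was left on NAT, adapter 2 is host-only, 3-4 are off.
SAMPLE_MISCONFIGURED = """\
name="Metasploitable2"
nic1="nat"
nic2="hostonly"
hostonlyadapter2="vboxnet0"
nic3="none"
nic4="none"
"""

# Same VM after moving adapter 1 to the host-only network.
SAMPLE_OK = SAMPLE_MISCONFIGURED.replace('nic1="nat"', 'nic1="hostonly"')

if __name__ == "__main__":
    for label, text in (("misconfigured", SAMPLE_MISCONFIGURED), ("fixed", SAMPLE_OK)):
        bad = exposed_adapters(text)
        print(f"{label}: " + ("OK, isolated" if not bad else f"DO NOT POWER ON: {bad}"))
```

Run `check_vm("Metasploitable2")` against a real VM before the first boot; the fix for a flagged adapter is `VBoxManage modifyvm <vm> --nic1 hostonly --hostonlyadapter1 vboxnet0` (or the equivalent in the VirtualBox settings dialog), then re-run the check.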
Step 1: Set Up Your Attack Machine (Kali Linux)
Kali Linux is the standard offensive and assessment platform. It ships with every tool you need pre-installed: Nmap, Nikto, Metasploit, OpenVAS, Burp Suite, and several hundred others.
Download the Kali Linux VirtualBox image from kali.org/get-kali. Import it into VirtualBox via File > Import Appliance. Set the network adapter to Host-Only before starting it. Default credentials are kali/kali - change the password immediately.
Allocate at least 4GB of RAM and 2 CPU cores to Kali. It will run on less but the performance difference is noticeable when running multiple tools simultaneously.
Step 2: Add Your Vulnerable Targets
Metasploitable 2
Metasploitable 2 is a deliberately vulnerable Linux VM built to be exploited. It runs a misconfigured stack of services - FTP, SMB, HTTP, databases - each with known, exploitable vulnerabilities. It is the standard first target for anyone learning network-based assessment.
Download from sourceforge.net/projects/metasploitable. Import into VirtualBox, set the network adapter to the same Host-Only network as Kali, and boot it. The login is msfadmin/msfadmin. Do not change anything - the misconfigurations are the point.
DVWA (Damn Vulnerable Web Application)
Metasploitable covers network services. DVWA covers web application vulnerabilities. It runs directly in Docker:
```bash
docker run --rm -it -p 80:80 vulnerables/web-dvwa
```
Access it at http://localhost from your Kali browser. DVWA covers SQL injection, XSS, CSRF, command injection, file inclusion, and brute force across low, medium, and high difficulty settings. The adjustable difficulty is what makes it genuinely useful for building skills progressively rather than just memorising a technique for one specific configuration.
VulnHub Machines
Once Metasploitable feels familiar, VulnHub provides hundreds of community-created vulnerable VMs across every skill level and specialisation. Download a machine, import it, and you have a new target with no guidance and no hints. Browse vulnhub.com, sort by difficulty, and start with machines rated beginner or easy.
Step 3: Install Your Assessment Toolstack
Kali ships with most of what you need. These are the specific tools to get comfortable with for vulnerability assessment work:
Nmap - Host discovery and service enumeration. The foundation of every assessment. Learn the flags that matter: -sV for version detection, -sC for default scripts, -O for OS fingerprinting, -p- for all ports. Nmap's scripting engine (--script vuln) adds lightweight vulnerability detection on top of enumeration.
Nessus Essentials - The industry-standard vulnerability scanner. The free Essentials tier covers up to 16 IP addresses, which is more than enough for a home lab. Download from tenable.com/products/nessus/nessus-essentials. Run a credentialed scan against Metasploitable and compare the output to what you found manually with Nmap. The gap between the two is instructive.
OpenVAS (Greenbone) - Free, open-source alternative to Nessus. More complex to configure but no IP limit. Worth running alongside Nessus to compare outputs and understand why scanners disagree.
Nikto - Web server scanner. Fast, noisy, and comprehensive for identifying outdated software, dangerous files, and common misconfigurations. Run it against DVWA:
```bash
nikto -h http://[DVWA_IP]
```
Burp Suite Community Edition - The standard tool for manual web application testing. Intercept and modify HTTP requests, test authentication flows, probe for injection vulnerabilities. Essential for the web application layer of any assessment.
Metasploit (auxiliary modules only for assessment) - Metasploit's auxiliary modules verify whether scanner findings are genuinely exploitable without running a full exploit. Use auxiliary/scanner modules to confirm vulnerabilities before including them in findings. This is manual verification done efficiently.
Step 4: Run Your First Assessment
The workflow from powered-on lab to documented finding:
1. Discover the target. From Kali, identify your Metasploitable IP:
```bash
nmap -sn 192.168.56.0/24
```
2. Enumerate services and versions.
```bash
nmap -sV -sC -p- 192.168.56.101
```
Read the output carefully. Note every open port, every service version, every detail that looks unusual.
3. Run a vulnerability scan. Point Nessus or OpenVAS at the discovered IP. Let it run. Review the output - do not just export it. Read each finding and understand what it is describing before you move on.
4. Verify findings manually. Pick one high-severity finding from the scanner output. Confirm it is real: look up the CVE, check whether the version is actually affected, and attempt to reproduce the vulnerability manually. A finding you can reproduce is a finding you can report. A scanner result you cannot verify is noise.
5. Document it. Write a finding. Include: the vulnerability name and CVE reference, the affected host and port, your evidence (the scanner output, your manual verification steps, a screenshot), the CVSS score, your assessment of business impact, and a remediation recommendation. One finding, documented professionally. This is the skill that transfers directly to professional work.
What a Home Lab Cannot Give You
A home lab is excellent for building tool familiarity and methodology. It has two limitations worth being honest about.
First, the targets are static. Metasploitable has the same vulnerabilities every time. You learn the environment rather than the skill after a while.
Second, a home lab has no guided learning layer. When you are stuck - when a scan produces output you do not understand or a finding does not make sense - there is no one to explain it.
This is where TryHackMe fills the gap the home lab leaves. The Threat and Vulnerability Management module covers exactly this layer: how to use scanning tools in a defensive context, how to interpret findings, and how to prioritise remediation based on risk. The Vulnerability Scanning Tools room covers Nmap, OpenVAS, and Nikto specifically in guided, hands-on labs that explain what you are seeing and why it matters. The OpenVAS room covers credentialed scanning and vulnerability management workflow in a live environment.
Use the home lab to practise the process. Use TryHackMe to build the understanding that makes the process meaningful. The two work better together than either does alone.
Nick O'Grady