SOC Home Lab

A complete SOC lab I built from scratch — configuring networks, simulating attacks, forwarding logs, monitoring with Splunk, scanning with Nessus, and investigating with Autopsy.

Portrait of Jeeva Kumaradas
Stack: pfSense, Kali Linux, Ubuntu (SSH), Windows 10, Windows Server (AD), Splunk Enterprise, Nessus, Autopsy

Overview

To strengthen my hands-on cybersecurity skills, I designed and implemented a Security Operations Center (SOC) home lab. The lab simulates a real-world enterprise environment, allowing me to practice attack simulation, detection, monitoring, vulnerability management, and forensics. This project demonstrates my ability to build, troubleshoot, and operate a SOC environment from scratch using industry-standard tools.

Lab Architecture

  • VMware Workstation with custom host-only networks (VMnet2, VMnet3, etc.) to segment the lab into separate subnets.
  • pfSense — Firewall/gateway between the segments and the outside; controls inbound/outbound traffic, and provides Kali's internet access via outbound NAT plus explicit firewall rules.
  • Windows 10 — End-user workstation.
  • Linux Server (Ubuntu) — SSH target for attack simulation.
  • Windows Server (Domain Controller) — Active Directory.
  • Kali Linux — Attacker box for brute force and recon.
  • Splunk Enterprise — Central log collection, parsing, and monitoring.
  • Nessus Essentials — Vulnerability scanning and reporting.
  • Autopsy — Forensic analysis of disk images (.E01).

Key Activities

Network & Troubleshooting

  • Built pfSense policies for controlled egress/ingress; validated with ping, traceroute, and tcpdump.
  • Resolved Kali connectivity by correcting DNS/mirror settings and pfSense NAT/firewall rules.
# Connectivity checks from Kali (adjust the interface name if it is not eth0)
ping -c 4 8.8.8.8          # can we reach the internet through pfSense at all?
traceroute -n 8.8.8.8      # first hop should be the pfSense address on this segment
ip a                       # confirm the VM got an address on the expected VMnet subnet
sudo tcpdump -ni eth0      # watch what actually leaves/arrives; -n skips DNS lookups that hang when DNS is the problem

Attack Simulation (Red Team)

  • Created test account on the Linux target and simulated SSH brute force with Hydra.
# Create a deliberately weak user on the Ubuntu target (adduser already prompts for a password on Debian/Ubuntu;
# passwd is kept so the weak value is set explicitly)
sudo adduser jeeva
sudo passwd jeeva    # set: 123456 (lab only, never on a real host)

# Hydra (small list, single username)
hydra -l jeeva -P /root/top10.txt ssh://10.0.10.25

# Hydra (bigger list + verbose); rockyou.txt ships gzipped on Kali
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz   # if still gzipped
hydra -l jeeva -P /usr/share/wordlists/rockyou.txt ssh://10.0.10.25 -t 4 -V   # -t 4 keeps parallel sessions under sshd's MaxStartups so attempts are not silently dropped

# Recon: full TCP port range with version detection (slow; scope it to the lab subnet)
nmap -sV -p- 10.0.10.25

Failed/successful attempts landed in /var/log/auth.log on the target ("Failed password for ..." and "Accepted password for ..." lines from sshd). Note that this file only exists where rsyslog is installed; on Ubuntu 24.04, which no longer ships rsyslog by default, the same events are in the journal (journalctl -u ssh), so install rsyslog or forward from the journal before pointing a SIEM at auth.log.

Log Monitoring (Blue Team)

  • Added auth.log and syslog to Splunk, restarted, and built searches to verify activity.
# Add inputs (credentials redacted for public repo). Passing -auth on the command line leaves the
# password in shell history; omit it and the CLI prompts for credentials instead.
sudo /opt/splunk/bin/splunk add monitor /var/log/auth.log \
  -sourcetype linux_secure -index main -auth 'admin:<redacted>'

sudo /opt/splunk/bin/splunk add monitor /var/log/syslog \
  -sourcetype syslog -index main -auth 'admin:<redacted>'

# add monitor takes effect without a restart; restarting is harmless and also reloads any inputs.conf edits
sudo /opt/splunk/bin/splunk restart

# SPL examples
index=main sourcetype=linux_secure "Failed password"
index=main sourcetype=linux_secure "Accepted password"
index=main sourcetype=linux_secure jeeva
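The three SPL searches above only list events; the detection value comes from correlating them per source address: many failures inside a short window, then a success from the same source. The following script is an added example (not part of the original lab or a Splunk feature) that applies that logic to constructed auth.log lines in the Ubuntu sshd format. The threshold, window, and the 10.0.10.50/10.0.10.40 source addresses are assumptions chosen for the sample.

```python
"""Brute-force detector over sshd auth.log lines (added example, not from the original page)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Ubuntu auth.log format (not real lab output).
# 10.0.10.50 plays the Kali box hammering the target; 10.0.10.40 is a user who mistyped once.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 ubuntu sshd[1201]: Failed password for jeeva from 10.0.10.50 port 40112 ssh2
Mar  4 10:15:02 ubuntu sshd[1202]: Failed password for invalid user admin from 10.0.10.50 port 40113 ssh2
Mar  4 10:15:03 ubuntu sshd[1203]: Failed password for jeeva from 10.0.10.50 port 40114 ssh2
Mar  4 10:15:04 ubuntu sshd[1204]: Failed password for jeeva from 10.0.10.50 port 40115 ssh2
Mar  4 10:15:05 ubuntu sshd[1205]: Failed password for jeeva from 10.0.10.50 port 40116 ssh2
Mar  4 10:15:06 ubuntu sshd[1206]: Accepted password for jeeva from 10.0.10.50 port 40117 ssh2
Mar  4 10:20:00 ubuntu sshd[1300]: Failed password for jeeva from 10.0.10.40 port 50001 ssh2
Mar  4 10:25:00 ubuntu sshd[1301]: Accepted password for jeeva from 10.0.10.40 port 50002 ssh2
Mar  4 10:30:00 ubuntu CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# Matches both "Failed password for jeeva from ..." and "Failed password for invalid user admin from ..."
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict for sshd password events, None for anything else (cron, sudo, ...)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine for deltas
    # within one file (a Feb 29 line would need a real year supplied).
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window correlation per source address.

    Emits ("bruteforce", src, user, ts) the first time a source reaches `threshold`
    failures inside `window`, and ("bruteforce_success", src, user, ts) for every
    later successful login from a source that was already flagged.
    """
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, ev["user"], ev["ts"]))
        elif src in flagged:  # Accepted password after a flagged burst: the attack worked
            alerts.append(("bruteforce_success", src, ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Run against the sample, the single failure from 10.0.10.40 never trips the threshold, while 10.0.10.50 produces a bruteforce alert on its fifth failure and a bruteforce_success alert on the login that follows. The same two-stage logic maps onto Splunk as a rex extraction of the source address followed by stats or bin by src, then a second search for Accepted password events from sources returned by the first.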

Vulnerability Management

  • Scanned Linux/Windows hosts with Nessus; reviewed and exported results.
# start local service
sudo systemctl start nessusd.service
# Web UI: https://127.0.0.1:8834/ (self-signed certificate by default; expect a browser warning)
# CLI (path may vary)
sudo /opt/nessus/sbin/nessuscli update --plugins
# Launching scans from nessuscli is not available in every Nessus build; check `nessuscli help`
# for your version, otherwise launch from the web UI or the REST API
sudo /opt/nessus/sbin/nessuscli scan launch <scan-uuid>
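Reviewing an export by hand does not scale past a couple of hosts, and the .nessus format (NessusClientData_v2 XML) is simple enough to parse directly. The script below is an added example, not part of the original lab or a Tenable tool: it reads a constructed .nessus snippet and produces a per-host severity summary plus a ranked list of findings. The hosts, plugin IDs, and plugin names in the sample are illustrative values only.

```python
"""Summarise a .nessus (XML v2) export by host and severity (added example, not from the original page)."""
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict

# Nessus severity attribute: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed minimal export; real files carry many more attributes and child elements
# per ReportItem (risk_factor, cvss scores, solution, plugin_output, ...).
SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
  <Report name="lab-scan">
    <ReportHost name="10.0.10.25">
      <HostProperties>
        <tag name="operating-system">Linux Kernel 5.15 on Ubuntu 22.04</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="2" pluginID="90317" pluginName="SSH Weak Algorithms Supported">
        <description>The remote SSH server is configured to allow weak encryption algorithms.</description>
      </ReportItem>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0" pluginID="10267" pluginName="SSH Server Type and Version Information">
      </ReportItem>
    </ReportHost>
    <ReportHost name="10.0.10.30">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="97833" pluginName="MS17-010: Security Update for Microsoft Windows SMB Server">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict carrying its host, port and severity."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),          # 0 for host-level plugins
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "plugin_name": item.get("pluginName"),
            })
    return findings


def summarize(findings, min_severity=1):
    """Per-host count of findings by severity name; info (0) is dropped by default."""
    per_host = defaultdict(Counter)
    for f in findings:
        if f["severity"] >= min_severity:
            per_host[f["host"]][SEVERITY_NAMES[f["severity"]]] += 1
    return {host: dict(counts) for host, counts in per_host.items()}


def top_findings(findings, n=5):
    """Highest-severity findings first, so the fix list starts with what matters."""
    rated = [f for f in findings if f["severity"] > 0]
    return sorted(rated, key=lambda f: -f["severity"])[:n]


if __name__ == "__main__":
    found = parse_nessus(SAMPLE_NESSUS)
    for host, counts in summarize(found).items():
        print(host, counts)
    for f in top_findings(found):
        print(f["severity"], f["host"], f["port"], f["plugin_name"])
```

To use it on a real scan, export the scan from the web UI as "Nessus" (.nessus), read the file, and pass its contents to parse_nessus; the same ReportHost/ReportItem structure is what the CSV export flattens.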

Digital Forensics

  • Loaded .E01 images into Autopsy; analyzed partitions, files, and metadata.
# Autopsy workflow
Case > New Case > Add Data Source > Disk Image or VM File (.E01)

# If nothing shows in the tree:
- Ensure the data source type is Disk Image or VM File, not Logical Files
- Ensure the ingest modules actually ran (re-run ingest on the data source if the file tree is empty)
- Confirm the partitions/volumes were detected under the image node

Challenges & Solutions

  • Kali had no internet → Fixed with pfSense NAT + firewall rules and DNS/mirror checks.
  • Hydra wordlist missing → Created top10.txt and used rockyou.txt.
  • Splunk not showing logs → Manually added auth.log/syslog inputs and restarted.
  • Autopsy empty evidence → Reindexed image; verified correct evidence type and partition parsing.

Skills Gained

  • Incident Response Workflow → From attack simulation to detection and correlation.
  • SIEM Administration → Splunk inputs, SPL searches, basic dashboards.
  • Vulnerability Management → Nessus scanning, report review, risk awareness.
  • Digital Forensics → Autopsy case handling and artifact review.
  • Troubleshooting → Real network and configuration fixes (pfSense, Linux, services).

Conclusion

Building this SOC lab has been more than a technical exercise — it brought my passion for cybersecurity to life. Every challenge I faced, from troubleshooting firewalls to analyzing forensic images, pushed me to think like a real analyst and strengthened my belief that this is the career path I’m meant to pursue.

This lab is not just about tools like Splunk, Nessus, or Autopsy — it’s about developing the mindset to investigate, defend, and continuously improve. My dream is to turn this passion into a professional career where I can protect organizations, contribute to security teams, and keep learning along the way. Cybersecurity is more than a job for me — it’s a calling.