When people imagine a SOC analyst job, they picture dashboards, alerts, maybe someone calmly typing while red lights blink on a wall of monitors. Nobody pictures the part where you spend forty-five minutes wondering why your virtual machine cannot see the internet, only to realize you configured the wrong network adapter.
That was my first afternoon building a Security Operations Center lab from the ground up.
I want to walk you through how I did it, not because the steps themselves are secret (they are all documented and free) but because the things that go wrong along the way teach you more about how networks actually behave than any clean tutorial ever will.
Why build a lab at all
You cannot ethically run Nmap scans or test malware behavior on a live network. You also cannot learn what a SIEM actually does by reading about it. At some point you need an environment that is isolated, disposable, and entirely yours to break.
So the plan was simple on paper. Stand up a Type 2 hypervisor on my own machine, create an attacker box, create a monitoring box, and…