Practice Labs Guide: TryHackMe, Hack The Box, and How to Build a Home Lab

Contact Us

Browse cybersecurity guides, AI tutorials, certification paths, career resources, practice labs, and checklists across all topics in the Cybersanso Learn Hub.

TryHackMe: The Best Starting Point for Beginners

Hands-on practice is the single most important activity in cybersecurity skill development. Reading about vulnerability exploitation and actually exploiting a vulnerability are completely different experiences. The knowledge from doing transfers to real situations; the knowledge from reading mostly does not.

TryHackMe is a browser-based platform providing guided learning paths and hands-on exercises from complete beginner through to advanced practitioner. Machines run in the cloud; you access them through your browser or via VPN. No home lab hardware required to start.

Free versus paid: The free tier provides access to a large number of rooms covering foundational topics. Subscription (approximately $14 per month) unlocks all rooms, learning paths, and certificates. The free tier is sufficient to start.

Where to start on TryHackMe: Pre-Security path covers networking, Linux, and web fundamentals before introducing security topics. Introduction to Cybersecurity path provides an overview of concepts and roles. SOC Level 1 path focuses on SIEM, log analysis, and incident response for analyst roles. Jr Penetration Tester path covers methodology and tools for entry-level pen testing.

Making the most of TryHackMe: Do not just complete rooms: make notes on what each tool does and why, not just the commands. When you finish a room, summarise what you learned in your own words. This consolidation makes knowledge stick and creates study material you can review before interviews.

Hack The Box and Other Free Practice Platforms

Hack The Box (HTB): Provides a competitive lab environment where you compromise real machines to retrieve flags (text strings that prove you gained access). Unlike TryHackMe’s guided approach, HTB provides targets with no instructions: you work out the attack path yourself. The free tier provides access to retired machines and starting point machines. The recommended progression: complete TryHackMe Jr Penetration Tester path before attempting HTB machines.

HTB Academy versus machines: HTB Academy is a structured learning platform within HTB closer to TryHackMe in format. Regular HTB machines require you to figure out the path yourself. Academy is better for structured skill development; machines are better for testing problem-solving capability. Starting machines: Lame, Legacy, and Blue cover well-known Samba and SMB vulnerabilities and are classic beginner HTB machines.

PortSwigger Web Security Academy: The most comprehensive free web application security training available. Covers every topic in the OWASP Top 10 and beyond, with guided labs using a deliberately vulnerable web application. If web application security is your direction, this is the first resource to complete. Free, no subscription required.

Other free platforms: PentesterLab for targeted web and Linux security exercises. picoCTF for beginner-friendly CTF competitions hosted by Carnegie Mellon University. VulnHub for downloadable vulnerable virtual machines to run locally. OWASP WebGoat for intentionally insecure web application lessons with guided explanations.

Building Your Own Home Lab

A home lab provides an environment where you can practise against real software installations that you control completely. This allows deeper experimentation than managed platforms.

What you need: A computer with at least 8GB RAM (16GB preferred), 100GB free disk space, and VirtualBox free from virtualbox.org.

What to install: Kali Linux (download VirtualBox OVA from kali.org). Metasploitable 2 (a deliberately vulnerable Linux VM, download from SourceForge, never connect to the internet). DVWA (Damn Vulnerable Web Application, a PHP web app with multiple vulnerability classes). Windows Server trial (Microsoft provides 180-day trial ISOs for lab use).

Critical network configuration: Set all vulnerable lab VMs to Host-Only networking in VirtualBox. This prevents them from reaching the internet or your home network. If a vulnerable VM were exposed to the internet, it would be compromised within minutes.

CTF competitions for additional practice: Capture The Flag competitions are time-limited security challenges where participants solve puzzles to find hidden strings. Categories include web exploitation, cryptography, reverse engineering, forensics, and OSINT. CTFtime.org lists upcoming competitions with difficulty ratings. After a CTF, read writeups from other participants for challenges you did not solve. The writeup culture in CTF provides significant learning value even from challenges you did not complete during the event.

Why practice matters for job applications: Employers in technical cybersecurity roles look for demonstrated practical skill. A completed TryHackMe path, a series of retired HTB machines, and a documented home lab tell employers you have used the tools and can problem-solve with them. This cannot be developed through reading alone and is what distinguishes candidates who get interviews from those who do not.

No single LLM wins every category in 2025 - 2026:
• Claude (Anthropic) - best for coding (SWE-Bench) and long documents
• GPT-4o / GPT-5 (OpenAI) - best for reasoning (GPQA) and multimodal tasks
• Gemini 2.0 (Google) - best for ultra-long context (1M tokens) and video

The best LLM depends on your specific task, not the overall ranking.

Claude vs ChatGPT - key differences:
• Developer: Claude = Anthropic, ChatGPT = OpenAI (GPT-4o / GPT-5)
• Coding: Claude leads on SWE-Bench Verified (real software engineering)
• Images & tools: ChatGPT/GPT-4o is more widely integrated
• Long docs: Claude is preferred for large context window tasks
• Tone: Claude is more cautious; ChatGPT is more versatile across apps

Best LLMs for coding (2025 - 2026):
1. Claude Opus/Sonnet (Anthropic) - #1 on SWE-Bench Verified
2. GPT-4o / o3 (OpenAI) - strong debugging & explanation
3. DeepSeek-V3 / R1 - frontier-class coding at low cost
4. Llama 4 / Code Llama (Meta) - best open-weight self-hosted option
5. Qwen 3 (Alibaba) - cheap, capable, open-weight

Cheapest LLM APIs in 2025 - 2026 (per million tokens):
• Qwen 3.5 0.8B - ~$0.01 (cheapest available)
• Gemma 3n (Google) - free tier via Google AI Studio
• Mistral 7B / Mixtral - $0.05 - $0.20 via Groq / Together AI
• GPT-4o mini (OpenAI) - ~$0.15 input / $0.60 output
• Claude Haiku (Anthropic) - ~$0.25 input / $1.25 output

Open-weight models via Groq or Together AI are 5 - 10x cheaper than proprietary APIs.

Choosing open-source vs proprietary LLM - 5 factors:
1. Data privacy - self-host open-weight models (Llama, Mistral) if data can't leave your infra
2. Cost - open-weight is cheaper at high token volumes
3. Customisation - open-weight models can be fine-tuned; proprietary usually can't
4. Performance - frontier proprietary models (Claude, GPT-5) still lead on hardest tasks
5. Maintenance - proprietary APIs are managed; self-hosting needs GPU infra + DevOps

Choosing open-source vs proprietary LLM - 5 factors:
1. Data privacy - self-host open-weight models (Llama, Mistral) if data can't leave your infra
2. Cost - open-weight is cheaper at high token volumes
3. Customisation - open-weight models can be fine-tuned; proprietary usually can't
4. Performance - frontier proprietary models (Claude, GPT-5) still lead on hardest tasks
5. Maintenance - proprietary APIs are managed; self-hosting needs GPU infra + DevOps