Let me state the biggest truth about becoming a white hacker first. Skill is decided not by certifications but by "the amount of legal hands-on." And to get hands-on, you need "your own practice ground" that you may attack.
This article is a complete self-study roadmap to build an "isolated, non-public, disposable legal lab" on your home PC and safely learn attacks there as puzzles. All procedures complete within the three safe zones (your assets / CTFs / authorized scope) defined in white hackers and the law. You don't step outside the fence at all.
This is a spoke that deepens the practical part of how to become a white hacker (complete roadmap).
1. Three lab-design principles — the conditions of an "incident-free practice ground"
An intentionally vulnerable app becomes a stepping stone for attackers the moment it's exposed to the internet. You could become a perpetrator. So the lab has iron rules.
| Principle | Meaning | Concrete measure |
|---|---|---|
| ① Isolation | Make it unreachable from outside | Bind ports to 127.0.0.1 only. Don't use 0.0.0.0 |
| ② Disposable | Restore in one shot even if broken | Build with containers, hold no state (delete with down) |
| ③ Reproducible | Anyone can build the same environment | One command with compose.yaml + Makefile |
Let me put these three principles straight into code.
2. [Implementation] Build a "legal lab" in one shot with Docker
The industry-standard materials are OWASP's official Juice Shop (an intentionally vulnerable e-commerce site) and the classic DVWA (Damn Vulnerable Web Application). Here's a configuration to stand up both localhost-only, on an isolated network.
# compose.yaml — 学習用の“意図的に脆弱な”アプリ。絶対に公開しないこと。
# 専用ブリッジに閉じ込め、ホスト側は 127.0.0.1 にだけ公開する(外部から到達不能)。
name: security-lab
networks:
lab: # ラボ専用の隔離ネットワーク
driver: bridge
services:
juice-shop:
image: bkimminich/juice-shop:latest # OWASP公式の意図的に脆弱なアプリ
networks: [lab]
ports:
- "127.0.0.1:3000:3000" # ← localhost限定。"0.0.0.0" にして公開しない
security_opt:
- "no-new-privileges:true" # コンテナ内の権限昇格を抑止(最小権限)
restart: "no"
dvwa:
image: vulnerables/web-dvwa:latest # 古典的な脆弱アプリ(学習の幅を広げる)
networks: [lab]
ports:
- "127.0.0.1:8080:80"
security_opt:
- "no-new-privileges:true"
restart: "no"
What makes this a reproducible command is the Makefile. It folds "stand up, check, completely delete" into named operations so you don't have to remember them (DRY, ease of operation).
# Makefile — ラボのライフサイクルをコマンド一発に畳み込む。
# 「使い捨て」を担保するため reset / down を明示的に用意する。
.PHONY: up down reset status
up: ## ラボを起動(http://127.0.0.1:3000 と :8080)
docker compose up -d
status: ## 起動中のコンテナと公開ポートを確認(localhost限定かを目視)
docker compose ps
down: ## ラボを停止して破棄(状態を残さない)
docker compose down
reset: down ## まっさらから作り直す(壊したら即リセット)
docker compose up -d --force-recreate
make up # 起動
make status # 127.0.0.1 限定で公開されているか必ず確認
# ... ブラウザで http://127.0.0.1:3000 を攻撃して学ぶ ...
make down # 終わったら必ず破棄(脆弱アプリを放置しない)
Visually confirming with make status every time that the published address is 127.0.0.1 — this small habit prevents a serious incident.
3. Kali Linux — what for, and how to use it
Kali Linux is a Debian-based distribution developed and maintained by OffSec, with diagnostic tools preinstalled. Famous as "the hacker's OS," its essence is a working environment with the "toolbox" ready from the start.
There are three ways to introduce it. Choose by your learning stage.
| Method | Suited for | Characteristic |
|---|---|---|
| VM (VirtualBox / VMware) | The royal road, safest | Isolated from the host. Easy to dispose with snapshots |
| WSL2 (Windows) | A lightweight intro for Windows users | GUI tools have limits. Enough if CLI-centric |
| Docker (kalilinux/kali-rolling) | A specific tool quickly | apt install the needed tool and dispose |
The trick is to learn the main tools paired with their "legal use." The tool itself is neutral; where you point it separates legal from illegal.
| Tool | What it does | Legal use |
|---|---|---|
| nmap | Recon of hosts and ports | Confirm open ports of your own lab/host |
| Burp Suite / OWASP ZAP | HTTP proxy, tampering, scanning | Request analysis / passive scan of your own lab |
| Wireshark | Packet capture | Observing your own traffic, learning protocols |
| Metasploit | An exploit framework | Attack verification in CTF/your own lab |
| sqlmap | Auto-detection of SQLi | Detection practice in your own lab (Juice Shop, etc.) |
[Implementation] The first step of recon — nmap against your own host
Let me use the most basic recon tool nmap, pointed only at your own machine. This is a completely legal "inspection of your own asset."
# 自分のローカルホストの開放ポートを確認する(=自分の資産の点検)。
# -sV: サービス/バージョン推定, -T4: 標準的な速度。対象は 127.0.0.1 のみ。
nmap -sV -T4 127.0.0.1
# ラボのコンテナが見えるはず(例):
# PORT STATE SERVICE VERSION
# 3000/tcp open http ... (juice-shop)
# 8080/tcp open http ... (dvwa)
An absolute caution: don't point
nmapat others' IPs/domains. An unauthorized scan can violate the Unauthorized Access Act, etc. The only things you may pointnmapat are your own assets or an authorized scope.
Doing a loop of nmap against your own lab → manual browser attack → ZAP passive scan internalizes the feel of "recon → discovery → verification."
4. CTF — safely learn attacks as "puzzles"
The best and completely legal place to hone attack techniques without attacking real environments is CTF (Capture The Flag). Competing with people worldwide, you learn Web, crypto, reverse engineering, forensics, etc. Progressing in order of difficulty is the royal road.
- picoCTF — educational. From the basics of basics, permanent and free. Best for the first step.
- TryHackMe — rich in guided learning rooms. Progress step by step.
- Hack The Box — more practical. A staple as a prelude to OSCP+.
The live rooms of TryHackMe and Hack The Box attack within an isolated practice network by connecting to a dedicated VPN. This is also safe zone ②. Never touch outside the practice network (IPs outside the platform) — as long as you keep this line, attack to your heart's content.
Make use of CTF's "writeup culture" too. For problems you couldn't solve, read the writeup of someone who did, absorb the moves, and reproduce it yourself. This "read → reproduce" repetition decides your self-study growth.
5. A one-year study plan — a weekly "form"
The biggest reason self-study doesn't last is "thinking each time about what to do." Decide a weekly form so you can get hands-on without thinking.
| Period | Theme | Weekly form (example) |
|---|---|---|
| 1–3 months | Foundation + lab build | One theme of network/Linux/Web basics + 2 picoCTF problems |
| 4–6 months | Systematizing web attacks | 3 Juice Shop challenges per week + careful reading of 1 OWASP Top 10 category |
| 7–9 months | Practical exercises | Complete 1 TryHackMe/HTB room per week + write a writeup |
| 10–12 months | Specialization + proof | Deepen your area of interest + study for a certification (Security+, etc.) in parallel |
Keep OWASP Top 10:2025 at your side as the "map" of what to look for. A01 "broken access control" is still #1 and most frequent in both CTFs and bug bounties. For the connection to certifications, see which certification to get.
6. How to use generative AI — as an accelerator, but humans hold the judgment
Self-study in 2026 can't be discussed without generative AI. AI dramatically speeds up
- Organizing recon/enumeration (drawing conclusions from a large amount of output)
- Code reading (explaining "why it's dangerous" for vulnerable code)
- Accelerating understanding of writeups and official docs
On the other hand, there's a line you must not dump on AI.
- The final judgment of "is this a vulnerability or a spec" — it requires understanding business rules. AI can't assert it.
- The ethical judgment of "is this an authorized act" — a matter of law and context. Don't entrust it to AI.
I myself accelerate development with one-person × generative AI (Claude Code), but what ensures quality and safety is always human verification gates. It's the same in security learning — AI is an accelerator; humans bear the final responsibility for verification and ethics. As long as you don't break this role division, AI becomes the strongest self-study partner.
Note that AI-mass-produced code easily yields specific vulnerabilities, and detecting them is the coming main battlefield (→ how to diagnose AI-generated-code vulnerabilities). Precisely because it's an era of building with AI, the value of a white hacker who can see through AI's holes rises.
7. Summary — get hands-on to your heart's content, inside the fence
- The lab is three principles: isolation (127.0.0.1 only), disposable (delete with down), reproducible (compose + Makefile).
- Tools are neutral, the target is everything: point nmap, Burp, and Metasploit only at your own lab / CTF / authorized scope.
- Puzzle-ify attacks with CTFs: picoCTF → TryHackMe → Hack The Box. Repeat read → reproduce.
- AI is an accelerator: humans hold the judgment and ethics.
Once you have a place to get hands-on, next it's time to legally touch real targets and turn it into track record and rewards. The formal route is how to start a bug bounty. And how the skill you built here is valued in the market and leads to projects is explained in white-hat hacker work, salary, and career.
References (official primary sources)
- OWASP Juice Shop / DVWA / OWASP ZAP / OWASP Top 10:2025
- Kali Linux (OffSec) / nmap official / Wireshark
- CTF: picoCTF / TryHackMe / Hack The Box