# A self-study roadmap for white hackers [2026]: build a 'legal lab' at home — learn attacks with Kali, Juice Shop, and CTFs

> A practical roadmap for self-studying toward becoming a white hacker. With reproducible compose.yaml, Makefile, and localhost-only nmap examples, it explains how to build an 'isolated, non-public, disposable' legal lab on your own PC with Docker, and how to safely learn attacks as puzzles with OWASP Juice Shop, Kali Linux, and picoCTF/Hack The Box/TryHackMe. From a one-year study plan to using generative AI, all within legal bounds.

- Published: 2026-06-28
- Author: 友田 陽大
- Tags: Security, White hacker, CTF, Ethical hacking, Self-study
- URL: https://tomodahinata.com/en/blog/ethical-hacking-home-lab-kali-juice-shop-ctf-self-study-roadmap-guide
- Category: Intro to ethical hacking
- Pillar guide: https://tomodahinata.com/en/blog/white-hat-hacker-ethical-hacker-how-to-become-certification-roadmap-guide

## Key points

- A white hacker's skill is decided by 'the amount of legal hands-on,' not certifications. Reading alone never builds it. Make a lab you may attack on your own PC and repeat within the safe zones (your assets, CTFs).
- Three lab-design principles: ① isolation (don't expose to the external net; 127.0.0.1 only) ② disposable (rebuild if you break it) ③ reproducible (one command with compose.yaml and Makefile). Exposing a vulnerable app to the internet is a serious incident: your machine becomes an attacker's stepping stone.
- Staple materials: OWASP Juice Shop / DVWA (intentionally vulnerable apps), Kali Linux (maintained by OffSec, with security-testing tools preinstalled), and CTFs in the order picoCTF → TryHackMe → Hack The Box, raising the difficulty.
- Learn tools paired with their 'legal use': nmap (recon of your own host), Burp/ZAP (proxy analysis of your own lab), Wireshark (observing your own traffic). As long as you don't point them at others' targets, it's all legitimate learning.
- Generative AI accelerates recon, code reading, and understanding writeups, but the judgment of 'is this a vulnerability or a spec' and 'is this an authorized act' is held by humans. AI is an accelerator; humans bear the final responsibility for verification and ethics.

---

Let me state the biggest truth about becoming a white hacker first. **Skill is decided not by certifications but by "the amount of legal hands-on."** And to get hands-on, you need **"your own practice ground" that you may attack.**

This article is a complete self-study roadmap to build an **"isolated, non-public, disposable legal lab"** on your home PC and safely learn attacks there as puzzles. All procedures complete within the **three safe zones (your assets / CTFs / authorized scope)** defined in [white hackers and the law](/blog/ethical-hacker-law-japan-unauthorized-access-act-active-cyber-defense-disclosure-guide). You don't step outside the fence at all.

> This is a spoke that deepens the practical part of [how to become a white hacker (complete roadmap)](/blog/white-hat-hacker-ethical-hacker-how-to-become-certification-roadmap-guide).

---

## 1. Three lab-design principles — the conditions of an "incident-free practice ground"

An intentionally vulnerable app becomes **a stepping stone for attackers the moment it's exposed to the internet.** You could become a perpetrator. So the lab has iron rules.

| Principle | Meaning | Concrete measure |
|---|---|---|
| **① Isolation** | Make it unreachable from outside | Bind ports to `127.0.0.1` only. Don't use `0.0.0.0` |
| **② Disposable** | Restore in one shot even if broken | Build with containers, hold no state (delete with `down`) |
| **③ Reproducible** | Anyone can build the same environment | One command with `compose.yaml` + `Makefile` |

Let me put these three principles straight into code.

---

## 2. [Implementation] Build a "legal lab" in one shot with Docker

The industry-standard materials are OWASP's official [Juice Shop](https://owasp.org/www-project-juice-shop/) (an intentionally vulnerable e-commerce site) and the classic [DVWA](https://github.com/digininja/DVWA) (Damn Vulnerable Web Application). Here's a configuration to stand up both **localhost-only, on an isolated network.**

```yaml
# compose.yaml: "intentionally vulnerable" apps for study. Never expose them publicly.
# They are confined to a dedicated bridge and published on the host side only on 127.0.0.1 (unreachable from outside).
name: security-lab

networks:
  lab: # isolated network dedicated to the lab
    driver: bridge

services:
  juice-shop:
    image: bkimminich/juice-shop:latest # OWASP's official intentionally vulnerable app
    networks: [lab]
    ports:
      - "127.0.0.1:3000:3000" # <- localhost only. Never change this to "0.0.0.0" and expose it
    security_opt:
      - "no-new-privileges:true" # block privilege escalation inside the container (least privilege)
    restart: "no"

  dvwa:
    image: vulnerables/web-dvwa:latest # the classic vulnerable app (broadens what you can practice)
    networks: [lab]
    ports:
      - "127.0.0.1:8080:80"
    security_opt:
      - "no-new-privileges:true"
    restart: "no"
```

What makes this a **reproducible command** is the `Makefile`. It folds "stand up, check, completely delete" into named operations so you don't have to remember them (DRY, ease of operation).

```makefile
# Makefile: fold the lab lifecycle into single commands.
# reset / down are provided explicitly to guarantee "disposability".
.PHONY: up down reset status

up: ## start the lab (http://127.0.0.1:3000 and :8080)
	docker compose up -d

status: ## list running containers and published ports (eyeball that they are localhost-only)
	docker compose ps

down: ## stop and discard the lab (keep no state)
	docker compose down

reset: down ## rebuild from scratch (reset immediately if you break it)
	docker compose up -d --force-recreate
```

```bash
make up       # start
make status   # always confirm it is published on 127.0.0.1 only
# ... attack http://127.0.0.1:3000 in the browser and learn ...
make down     # always tear down when done (never leave a vulnerable app running)
```

Visually confirming with `make status` **every time that the published address is `127.0.0.1`** — this small habit prevents a serious incident.
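The isolation principle from section 1 and the `make status` habit above can be turned into a mechanical check rather than a visual one. The script below is an added example, not code from the article or from the Juice Shop/DVWA projects; the function names `audit_compose_ports` and `audit_listeners` are my own, and both the sample compose fragment and the sample `ss -ltn` output embedded in it are constructed. It reads text on stdin so it also runs offline on saved output: the first function is a pre-flight check of `compose.yaml` for any port mapping whose host side is not bound to `127.0.0.1`, the second is a post-start check of the kernel's listening sockets for the lab ports.

```shell
#!/bin/sh
# Added example (not part of the original article): make the "127.0.0.1 only" rule
# a mechanical check. Two pure-text functions, so they can run on saved output:
#   audit_compose_ports  - pre-flight: reads compose.yaml text on stdin and flags any
#                          port mapping whose host side is not bound to 127.0.0.1
#   audit_listeners      - post-start: reads `ss -ltn` output on stdin and flags any
#                          listener on the given lab ports that is not on loopback
# Both print one "EXPOSED: ..." line per problem and return 1 if anything was found.

audit_compose_ports() {
    # A compose mapping is "[HOST_IP:]HOST_PORT:CONTAINER_PORT[/proto]" (or a bare
    # container port). Two colons = explicit host IP; fewer = all interfaces (0.0.0.0).
    awk '
        /^[[:space:]]*-[[:space:]]*"?[0-9][0-9.:]*(\/(tcp|udp))?"?[[:space:]]*(#.*)?$/ {
            m = $0
            sub(/^[[:space:]]*-[[:space:]]*"?/, "", m)   # drop leading "- " and quote
            sub(/"?[[:space:]]*(#.*)?$/, "", m)          # drop trailing quote / comment
            sub(/\/(tcp|udp)$/, "", m)                   # drop protocol suffix
            n = split(m, f, ":")
            if (n == 3 && f[1] == "127.0.0.1") next      # correctly isolated
            if (n == 3) { print "EXPOSED: " m " (host ip " f[1] ")" }
            else        { print "EXPOSED: " m " (no host ip, defaults to 0.0.0.0)" }
            bad = 1
        }
        END { if (bad) exit 1 }
    '
}

audit_listeners() {
    # $@ = lab ports to check (e.g. 3000 8080); reads `ss -ltn` output on stdin.
    # Column 4 of `ss -ltn` is "Local Address:Port", e.g. 127.0.0.1:3000 or [::]:8080.
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        /^LISTEN/ {
            port = $4; sub(/.*:/, "", port)              # text after the last colon
            host = $4; sub(/:[0-9]+$/, "", host)         # everything before it
            if (!(port in want)) next                    # not a lab port, ignore
            if (host == "127.0.0.1" || host == "[::1]") next
            print "EXPOSED: port " port " listens on " host
            bad = 1
        }
        END { if (bad) exit 1 }
    '
}

# Constructed sample: the article's two services, with dvwa's mapping deliberately wrong.
SAMPLE_COMPOSE='services:
  juice-shop:
    ports:
      - "127.0.0.1:3000:3000"   # correct
  dvwa:
    ports:
      - "8080:80"               # wrong: no host IP means 0.0.0.0
'

# Stand-alone run: expect one EXPOSED line for dvwa.
# On the real lab:  audit_compose_ports < compose.yaml   and   ss -ltn | audit_listeners 3000 8080
printf '%s' "$SAMPLE_COMPOSE" | audit_compose_ports || echo "fix the mapping before running make up"
```

Run the pre-flight check before `make up` and the listener check after it; the second one matters because a scan or browser test from `127.0.0.1` cannot tell whether the same port is also bound on other interfaces.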

---

## 3. Kali Linux — what for, and how to use it

[Kali Linux](https://www.kali.org/) is a Debian-based distribution developed and maintained by [OffSec](https://www.offsec.com/), with diagnostic tools preinstalled. Famous as "the hacker's OS," its essence is **a working environment with the "toolbox" ready from the start.**

There are three ways to introduce it. Choose by your learning stage.

| Method | Suited for | Characteristic |
|---|---|---|
| **VM (VirtualBox / VMware)** | The standard and safest route | Isolated from the host. Easy to dispose with snapshots |
| **WSL2 (Windows)** | A lightweight intro for Windows users | GUI tools have limits. Enough if CLI-centric |
| **Docker (kalilinux/kali-rolling)** | A specific tool quickly | `apt install` the needed tool and dispose |

The trick is to learn the main tools **paired with their "legal use."** The tool itself is neutral; **where you point it separates legal from illegal.**

| Tool | What it does | Legal use |
|---|---|---|
| **nmap** | Recon of hosts and ports | Confirm open ports of **your own lab/host** |
| **Burp Suite / OWASP ZAP** | HTTP proxy, tampering, scanning | Request analysis / passive scan of **your own lab** |
| **Wireshark** | Packet capture | Observing **your own traffic**, learning protocols |
| **Metasploit** | An exploit framework | Attack verification in **CTF/your own lab** |
| **sqlmap** | Auto-detection of SQLi | Detection practice in **your own lab** (Juice Shop, etc.) |

### [Implementation] The first step of recon — nmap against your own host

Let me use the most basic recon tool `nmap`, pointed **only at your own machine.** This is a completely legal "inspection of your own asset."

```bash
# Check the open ports on your own localhost (= inspecting your own asset).
# -sV: service/version detection, -T4: the usual timing template. Target is 127.0.0.1 only.
nmap -sV -T4 127.0.0.1

# The lab containers should appear (example):
# PORT     STATE SERVICE  VERSION
# 3000/tcp open  http     ... (juice-shop)
# 8080/tcp open  http     ... (dvwa)
```

> **An absolute caution:** don't point `nmap` **at others' IPs/domains.** An unauthorized scan can violate the Unauthorized Access Act, etc. The only things you may point `nmap` at are **your own assets or an authorized scope.**

Doing a loop of `nmap` against your own lab → manual browser attack → ZAP passive scan internalizes the feel of "recon → discovery → verification."
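To make that loop repeatable, the scan result can be compared with what the lab is expected to publish, so a re-scan after every `make up` immediately shows an unexpected listener. The script below is an added example, not code from the article or the nmap project; the function names `nmap_open_ports` and `check_allowlist` are my own, and the embedded scan output is a constructed sample in nmap's grepable (`-oG`) format, which nmap writes to stdout when given `-oG -`.

```shell
#!/bin/sh
# Added example (not from the original article): turn "recon -> discovery -> verification"
# into a repeatable check. nmap's grepable output is parsed for open ports, then compared
# with the ports the lab is expected to publish.
# Assumed usage, against your own host only:
#   nmap -sV -oG - 127.0.0.1 | nmap_open_ports | check_allowlist 3000/tcp 8080/tcp

nmap_open_ports() {
    # Reads nmap -oG output on stdin; prints "port/proto" for every open port, sorted.
    # -oG fields are tab-separated; "Ports:" entries look like 3000/open/tcp//http///
    # and are separated by ", ".
    awk -F "$(printf '\t')" '
        /^Host:/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^Ports: /) {
                s = $i; sub(/^Ports: /, "", s)
                n = split(s, e, /, /)
                for (j = 1; j <= n; j++) {
                    split(e[j], f, "/")          # f[1]=port f[2]=state f[3]=proto
                    if (f[2] == "open") print f[1] "/" f[3]
                }
            }
        }' | sort -n
}

check_allowlist() {
    # $@ = expected "port/proto" entries; reads nmap_open_ports output on stdin.
    # Prints each open port that is not expected; returns 1 if there was one.
    allow=" $* "
    rc=0
    while IFS= read -r p; do
        case "$allow" in
            *" $p "*) ;;                                  # expected lab port
            *) echo "UNEXPECTED open port: $p"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample of `nmap -sV -oG - 127.0.0.1` output: the two lab ports plus a
# database port the lab does not publish (the thing we want to notice).
SAMPLE_SCAN=$(printf '# Nmap scan (constructed sample)\nHost: 127.0.0.1 ()\tStatus: Up\nHost: 127.0.0.1 ()\tPorts: 8080/open/tcp//http///, 3000/open/tcp//http///, 5432/open/tcp//postgresql///, 22/closed/tcp//ssh///\tIgnored State: closed (996)\n')

# Stand-alone run: expect "UNEXPECTED open port: 5432/tcp".
printf '%s\n' "$SAMPLE_SCAN" | nmap_open_ports | check_allowlist 3000/tcp 8080/tcp || echo "review the unexpected listener before continuing"
```

An unexpected port is usually something you forgot you started (a database, a dev server), which is exactly the kind of thing the "disposable" principle is meant to catch. Note that a scan of `127.0.0.1` only proves a port is reachable from loopback; it says nothing about whether the same port is also bound on other interfaces, so check the listening address separately.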

---

## 4. CTF — safely learn attacks as "puzzles"

The best and completely legal place to hone attack techniques without attacking real environments is **CTF (Capture The Flag).** Competing with people worldwide, you learn Web, crypto, reverse engineering, forensics, etc. Progressing in order of difficulty is the standard path.

1. **[picoCTF](https://picoctf.org/)** — educational. From the basics of basics, permanently available and free. Best for the first step.
2. **[TryHackMe](https://tryhackme.com/)** — rich in guided learning rooms. Progress step by step.
3. **[Hack The Box](https://www.hackthebox.com/)** — more practical. A staple as a prelude to OSCP+.

The live rooms of TryHackMe and Hack The Box attack **within an isolated practice network** by connecting to a dedicated VPN. This is also safe zone ②. **Never touch outside the practice network (IPs outside the platform)** — as long as you keep this line, attack to your heart's content.

Make use of CTF's "writeup culture" too. For problems you couldn't solve, read the writeup of someone who did, absorb the moves, and **reproduce it yourself.** This "read → reproduce" repetition decides your self-study growth.

---

## 5. A one-year study plan — a weekly "form"

The biggest reason self-study doesn't last is "thinking each time about what to do." Decide a **weekly form** so you can get hands-on without thinking.

| Period | Theme | Weekly form (example) |
|---|---|---|
| 1–3 months | Foundation + lab build | One theme of network/Linux/Web basics + 2 picoCTF problems |
| 4–6 months | Systematizing web attacks | 3 Juice Shop challenges per week + careful reading of 1 OWASP Top 10 category |
| 7–9 months | Practical exercises | Complete 1 TryHackMe/HTB room per week + write a writeup |
| 10–12 months | Specialization + proof | Deepen your area of interest + study for a certification (Security+, etc.) in parallel |

> Keep [OWASP Top 10:2025](https://owasp.org/Top10/2025/) at your side as the "map" of what to look for. A01 "broken access control" is still #1 and most frequent in both CTFs and bug bounties. For the connection to certifications, see [which certification to get](/blog/ethical-hacker-certification-comparison-ceh-oscp-security-plus-pentest-plus-toroku-sec-guide).

---

## 6. How to use generative AI — as an accelerator, but humans hold the judgment

Self-study in 2026 can't be discussed without generative AI. AI dramatically speeds up

- **Organizing recon/enumeration** (drawing conclusions from a large amount of output)
- **Code reading** (explaining "why it's dangerous" for vulnerable code)
- **Accelerating understanding of writeups and official docs**

On the other hand, there's a **line you must not dump on AI.**

- **The final judgment of "is this a vulnerability or a spec"** — it requires understanding business rules. AI can't assert it.
- **The ethical judgment of "is this an authorized act"** — a matter of law and context. Don't entrust it to AI.

I myself accelerate development with **one-person × generative AI (Claude Code)**, but what ensures quality and safety is always **human verification gates.** It's the same in security learning — **AI is an accelerator; humans bear the final responsibility for verification and ethics.** As long as you don't break this role division, AI becomes the strongest self-study partner.

Note that AI-mass-produced code easily yields specific vulnerabilities, and detecting them is the coming main battlefield (→ [how to diagnose AI-generated-code vulnerabilities](/blog/ai-generated-code-vulnerability-assessment-vibe-coding-security-guide)). **Precisely because it's an era of building with AI, the value of a white hacker who can see through AI's holes rises.**

---

## 7. Summary — get hands-on to your heart's content, inside the fence

- **The lab is three principles**: isolation (127.0.0.1 only), disposable (delete with down), reproducible (compose + Makefile).
- **Tools are neutral, the target is everything**: point nmap, Burp, and Metasploit only at your own lab / CTF / authorized scope.
- **Puzzle-ify attacks with CTFs**: picoCTF → TryHackMe → Hack The Box. Repeat read → reproduce.
- **AI is an accelerator**: humans hold the judgment and ethics.

Once you have a place to get hands-on, next it's time to **legally touch real targets and turn it into track record and rewards.** The formal route is [how to start a bug bounty](/blog/bug-bounty-getting-started-hackerone-bugcrowd-scope-report-disclosure-guide). And how the skill you built here is valued in the market and leads to projects is explained in [white-hat hacker work, salary, and career](/blog/ethical-hacker-career-path-salary-job-roles-freelance-guide).

---

### References (official primary sources)

- [OWASP Juice Shop](https://owasp.org/www-project-juice-shop/) / [DVWA](https://github.com/digininja/DVWA) / [OWASP ZAP](https://www.zaproxy.org/) / [OWASP Top 10:2025](https://owasp.org/Top10/2025/)
- [Kali Linux](https://www.kali.org/) ([OffSec](https://www.offsec.com/)) / [nmap official](https://nmap.org/) / [Wireshark](https://www.wireshark.org/)
- CTF: [picoCTF](https://picoctf.org/) / [TryHackMe](https://tryhackme.com/) / [Hack The Box](https://www.hackthebox.com/)
