I started Phase 1 of my training roadmap this week with clear goals: build an Active Directory lab, misconfigure it intentionally, and execute complete attack chains from initial access to domain compromise. The plan was solid. I had Kali Linux as my attacker machine, Windows 11 as a misconfigured target, and Windows Server 2022 as the domain controller. I set up Sysmon for detailed logging, configured Splunk Enterprise on my Ubuntu host to collect everything, and installed Sliver as my command and control framework.
The lab build-out went well. I created five intentional misconfigurations on Windows 11: enabled SMBv1, weakened NTLM settings, allowed LM hash storage, stored domain credentials in Credential Manager, and created an overprivileged local admin account. I documented everything, took snapshots, and verified that logs were flowing from both Windows systems to Splunk. On paper, I had everything needed to practice offensive IT security.
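The five weakenings above are the kind of thing worth scripting so the lab can be rebuilt from a clean snapshot and reverted on demand. The block below is an added example, not the author's lab script: it applies each setting next to its hardened value and reads the state back for the lab notes. The domain, host, account names, credential target and password are placeholders; run it from an elevated PowerShell session on the Windows 11 VM after snapshotting.

```powershell
# Added example (not the post's own script): apply or revert the five Windows 11
# weakenings, with the hardened value beside each. Names below are placeholders.
$Lsa         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$CredTarget  = 'dc01.lab.local'    # placeholder: DC the stored credential is for
$DomainUser  = 'LAB\svc_backup'    # placeholder: domain account worth stealing
$LocalAdmin  = 'labadmin'          # placeholder: overprivileged local account
$LabPassword = 'LabPassw0rd!'      # placeholder: lab-only, never reuse

function Set-LabWeakening {
    param([ValidateSet('Weak','Hardened')][string]$Mode = 'Weak')
    $weak = ($Mode -eq 'Weak')

    # 1. SMBv1: server-side switch plus the optional feature for the client side.
    Set-SmbServerConfiguration -EnableSMB1Protocol $weak -Force
    if ($weak) { Enable-WindowsOptionalFeature  -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    else       { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }

    # 2. NTLM level: 0 = send LM and NTLM responses (relay/crack friendly);
    #    5 = send NTLMv2 only, refuse LM and NTLM.
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Type DWord -Value $(if ($weak) { 0 } else { 5 })

    # 3. LM hash storage: NoLMHash 0 = store the LM hash at the next password
    #    change; 1 = never store it. The hash only appears after a password change.
    Set-ItemProperty -Path $Lsa -Name NoLMHash -Type DWord -Value $(if ($weak) { 0 } else { 1 })

    # 4. Domain credential in Credential Manager, recoverable by credential-dumping tools.
    if ($weak) { cmdkey "/add:$CredTarget" "/user:$DomainUser" "/pass:$LabPassword" | Out-Null }
    else       { cmdkey "/delete:$CredTarget" | Out-Null }

    # 5. Overprivileged local admin: weak password, never expires, in Administrators.
    if ($weak) {
        $secure = ConvertTo-SecureString $LabPassword -AsPlainText -Force
        if (-not (Get-LocalUser -Name $LocalAdmin -ErrorAction SilentlyContinue)) {
            New-LocalUser -Name $LocalAdmin -Password $secure -PasswordNeverExpires | Out-Null
        }
        Add-LocalGroupMember -Group 'Administrators' -Member $LocalAdmin -ErrorAction SilentlyContinue
    } elseif (Get-LocalUser -Name $LocalAdmin -ErrorAction SilentlyContinue) {
        Remove-LocalUser -Name $LocalAdmin
    }
}

function Get-LabWeakeningState {
    # Read every setting back so the lab notes record what was actually applied.
    $lsa = Get-ItemProperty -Path $Lsa
    [pscustomobject]@{
        SMB1Server           = (Get-SmbServerConfiguration).EnableSMB1Protocol
        SMB1Feature          = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel
        NoLMHash             = $lsa.NoLMHash
        StoredCredential     = [bool](cmdkey /list | Select-String -SimpleMatch $CredTarget)
        LocalAdminPresent    = [bool](Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
                                      Where-Object Name -like "*\$LocalAdmin")
    }
}

Set-LabWeakening -Mode Weak
Get-LabWeakeningState
# Reboot afterwards: the SMB1 feature change and the LSA values are picked up at boot.
# Revert with: Set-LabWeakening -Mode Hardened
```

Two caveats a practitioner would want: the LM hash only gets written when a password is next changed, so set the local admin's password again after flipping NoLMHash if you want something to crack; and the stored Credential Manager entry is only interesting if the account it holds actually has rights on the DC, so give the placeholder account a realistic role in the domain.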
Then I hit the wall. My Dell OptiPlex couldn't run Windows Server, Windows 11, and Kali simultaneously without grinding to a halt. I tried anyway, managed to get through initial reconnaissance on Windows 11, but the system kept choking when I needed all three VMs active for lateral movement exercises. I could have forced it, accepted the performance issues, and struggled through incomplete attack chains. Instead, I stopped and asked myself what I was actually trying to accomplish.
Phase 1 exists to build IT fundamentals before moving into ICS and operational technology security. It's designed to teach enumeration, privilege escalation, lateral movement, and credential attacks in Windows environments. These skills matter, but they're not my end goal. My specialization is ICS malware research, which starts in Phase 2. I looked at the tools required for Phase 2 and realized something important: OpenPLC, Conpot, protocol analysis tools, and Python-based ICS simulators are significantly lighter than running multiple Windows Server instances with Active Directory.
The decision became clear. I wasn't giving up on Phase 1. I was recognizing that my hardware constraints made it inefficient to complete now, while Phases 2 through 5 are better suited to what I can actually run. I could come back to full Active Directory attack chains later when I have access to better resources, either through upgrades or at a future job. What mattered more was moving forward toward my actual specialization rather than forcing work that didn't align with my current setup.
This taught me something about red teaming that goes beyond technical skills. Adaptability isn't just about pivoting during an engagement when your exploits fail. It's also about recognizing when your approach needs to change based on the resources available. I spent time building that Phase 1 lab, and none of that was wasted. I learned how to configure Active Directory from scratch, how to intentionally weaken Windows security settings in realistic ways, how to set up centralized logging infrastructure, and how to think about attack chains from initial access to full compromise. Those skills carry forward.
I am now in Phase 2. The focus shifted from Active Directory networks to industrial control systems. I'm learning how ICS architecture differs fundamentally from IT networks. In traditional IT the priority order is confidentiality, integrity, availability: you protect data. In ICS and operational technology it inverts to availability, integrity, confidentiality: you protect the physical process. A fail-secure response that shuts down a water treatment plant or manufacturing line isn't acceptable, even if it's technically the safer option from a cybersecurity perspective. That's a completely different mindset, and it's why ICS security is as much about understanding process engineering as it is about exploitation techniques.
I'm installing OpenPLC as my first hands-on tool. It's an open-source programmable logic controller runtime that lets me simulate the control systems that run industrial processes. The installation is lightweight, runs in a single VM, and will let me practice attacking and defending real control logic without needing multiple resource-heavy Windows servers. This is exactly what my hardware can handle, and it's directly relevant to the career path I'm building toward.
The broader lesson here is about knowing when to adapt your plan. I could have spent weeks fighting with my current setup, getting frustrated with incomplete exercises and poor performance. Instead, I made a strategic decision to move forward on a path that works better with what I have. Phase 1 isn't abandoned. The lab infrastructure exists, the knowledge is there, and I can return to those exercises when circumstances change. But right now, Phases 2 through 5 are where I need to be, and my hardware constraints actually pushed me to make that decision earlier than I might have otherwise.
If you're building your own home lab on limited resources, this might be relevant to you too. Not every training path needs to be followed in perfect order, especially when hardware or budget constraints get in the way. Understanding your actual career goals and what's realistically achievable with your current setup matters more than rigidly sticking to a plan that isn't working. I'm moving forward toward ICS malware research. Phase 1 taught me planning and infrastructure skills. Phase 2 is teaching me my actual craft.
If you're working in ICS/OT security, building your own home labs on a budget, or just interested in critical infrastructure security, connect with me on LinkedIn: https://www.linkedin.com/in/ryan-sharpnack-ics-seecurity. Always interested in learning from people further along this path.
