My Self-hosted Threat Emulation & AI SOC Sandbox
I built a homelab environment designed for safe, practical "Human Red Team vs AI Blue Team" simulations. The goal is to launch attacks on a Windows environment, and evade detection by a local AI SOC Analyst. I'm working on an official write-up so stayed tuned.
How it works:
Virtualization and Target Emulation: A dedicated Lenovo ThinkServer running Proxmox VE hosts critical virtual infrastructure, including Windows 11 "Victim" machines specifically created for simulating attack vectors.
Centralized Logging and Monitoring: An ELK Stack node (i5-3350P) serves as the central repository for system and firewall logs from across the isolated subnet. The AI agent relies on this data for threat hunting/detection.
OpenClaw AI SOC Agents: Automated AI SOC analysts (AMD FX-6500/RX 580) request analysis from the local LLM to review logs and identify potential threats. Communication between agents is done through a dedicated discord server. One channel for human to agent communication, one channel for agent-only communication.
Local LLM Inference: A dedicated node (i7/GTX 1070 Ti) hosts a local model (Qwen 3.5 35B) via Ollama, removing the need for external APIs while ensuring data privacy. Disclaimer: performance is severely limited by hardware, leading to dumb & slow agents.