Building a Home Lab SOC with UniFi and Sentinel Nerd
A comprehensive guide to building a home Security Operations Center using UniFi hardware and Sentinel Nerd, from hardware selection to daily monitoring operations.
Tony Martinez
There’s no better way to learn security operations than by building your own Security Operations Center (SOC). A home lab SOC gives you hands-on experience with real threats, real monitoring, and real incident response — all in an environment where mistakes are safe to make.
UniFi hardware makes this accessible and affordable. Sentinel Nerd turns it into a genuine security monitoring platform. In this guide, we’ll build a complete home lab SOC from scratch.
Why Build a Home SOC?
A home lab SOC is valuable whether you’re:
- Learning security operations for a career in cybersecurity
- Practicing incident response before you need it in production
- Actually protecting your home network from real threats (yes, they target home networks too)
- Testing security tools before deploying them at work
- Building a portfolio to demonstrate hands-on security skills
The threats are real. Home networks face port scans, brute force attempts, IoT botnet recruitment, and more. Your home SOC will find them.
Hardware List
Here’s the recommended hardware for a fully featured home lab SOC:
Core Network
| Device | Purpose | Approximate Cost |
|---|---|---|
| UniFi Dream Machine Pro (UDM-Pro) | Router, firewall, IDS/IPS, NVR | $379 |
| UniFi Switch Lite 16 PoE | Network switching with PoE for cameras/APs | $199 |
| UniFi U6 Pro Access Point | Wi-Fi 6 with VLAN support | $149 |
Security & Physical Access
| Device | Purpose | Approximate Cost |
|---|---|---|
| UniFi G4 Bullet Camera | Outdoor surveillance | $109 |
| UniFi G4 Instant Camera | Indoor surveillance | $29 |
| UniFi Access Reader G2 | Door access control (optional) | $99 |
| UniFi Access Hub | Access controller (optional) | $99 |
Total: ~$865 without the optional access-control parts, ~$1,063 with them (the sums of the table prices above).
You can start smaller. The UDM-Pro alone gives you routing, firewall, IDS/IPS, and syslog — enough for network monitoring. Add cameras and access control as your budget allows.
Budget alternative: A UniFi Cloud Gateway Ultra ($129) works as a starting point if the UDM-Pro is too expensive. You’ll lose the NVR functionality but keep the core networking and security features.
Network Design
Here’s the network architecture for our home lab SOC:
VLAN Layout
| VLAN | Subnet | Purpose |
|---|---|---|
| 1 (Default) | 192.168.1.0/24 | Management — UniFi devices only |
| 10 | 10.0.10.0/24 | Trusted — Workstations, laptops |
| 20 | 10.0.20.0/24 | Lab — Test devices, VMs |
| 30 | 10.0.30.0/24 | IoT — Smart devices, home automation |
| 40 | 10.0.40.0/24 | Cameras — UniFi Protect cameras |
| 50 | 10.0.50.0/24 | Guest — Visitor Wi-Fi |
Wi-Fi Networks
| SSID | VLAN | Security | Purpose |
|---|---|---|---|
| HomeNet | 10 | WPA3 Personal | Daily use devices |
| Lab-Net | 20 | WPA2 Personal | Lab and test devices |
| IoT-Net | 30 | WPA2 Personal | Smart home devices |
| Guest | 50 | WPA2 Personal | Guest access |
Firewall Rules
UniFi evaluates LAN In rules top to bottom and the first match decides the flow, so apply these in this order:
- Allow established/related traffic
- Allow Trusted (VLAN 10) to all local networks
- Allow Lab (VLAN 20) to Internet only
- Allow IoT (VLAN 30) to Internet only, block local
- Allow Cameras (VLAN 40) to Management only (for NVR)
- Allow Guest (VLAN 50) to Internet only
- Block all inter-VLAN traffic (default deny)
Two details matter in practice. First, be explicit about what "Internet" means in the "Internet only" rules: destinations outside 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. An "only" intent is not complete until a matching deny sits below the allow, because any flow the listed rules do not match falls through to the gateway's own default. Second, enable logging on the deny rules, the final default deny included: a rule match only reaches syslog when logging is turned on for that rule, and the port scan detection later in this guide counts exactly those logged denies.
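Before committing the order to the gateway, it is worth checking it against the flows you care about. The script below is an added example written for this guide, not UniFi or Sentinel Nerd code. It models UniFi's top-to-bottom first-match evaluation with the VLAN subnets from the table above; it assumes "Internet" means any destination outside RFC 1918 space, treats "established" as a flag on the flow rather than real connection tracking, and assumes the gateway's implicit LAN In default when nothing matches is allow, which is UniFi's out-of-the-box behaviour.

```python
"""First-match simulation of the inter-VLAN policy from this guide.

Added example, not UniFi or Sentinel Nerd code. Rules are tried top to bottom;
the first match decides the flow; no match falls through to the implicit
LAN In default, assumed to be allow. Zones are the VLANs from the table.
"""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

VLANS = {
    "management": ip_network("192.168.1.0/24"),  # VLAN 1
    "trusted": ip_network("10.0.10.0/24"),       # VLAN 10
    "lab": ip_network("10.0.20.0/24"),           # VLAN 20
    "iot": ip_network("10.0.30.0/24"),           # VLAN 30
    "cameras": ip_network("10.0.40.0/24"),       # VLAN 40
    "guest": ip_network("10.0.50.0/24"),         # VLAN 50
}


def zone(ip: str) -> str:
    """Map an address to its VLAN name, 'internet' if public, else 'other'."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "other" if any(addr in n for n in RFC1918) else "internet"


# Selectors: "*" matches anything, "local" any private zone, otherwise an exact
# zone name. Tuple: (source, destination, action, only_when_established).
# The order is the order given in the guide.
POLICY = [
    ("*", "*", "allow", True),                  # 1 established/related
    ("trusted", "local", "allow", False),       # 2 trusted to all local networks
    ("lab", "internet", "allow", False),        # 3 lab to internet only
    ("iot", "internet", "allow", False),        # 4 iot to internet only
    ("cameras", "management", "allow", False),  # 5 cameras to NVR on management
    ("guest", "internet", "allow", False),      # 6 guest to internet only
    ("*", "local", "deny", False),              # 7 block all inter-VLAN traffic
]


def _match(selector: str, z: str) -> bool:
    if selector == "*":
        return True
    if selector == "local":
        return z != "internet"
    return selector == z


def evaluate(src: str, dst: str, established: bool = False, policy=POLICY):
    """Return (action, rule_number); rule_number 0 means the implicit default."""
    s, d = zone(src), zone(dst)
    for number, (rs, rd, action, needs_est) in enumerate(policy, start=1):
        if needs_est and not established:
            continue
        if _match(rs, s) and _match(rd, d):
            return action, number
    return "allow", 0  # assumed LAN In default when no rule matches


def audit(policy=POLICY):
    """Flows a home SOC cares about, each with the rule that decided it."""
    flows = [
        ("iot->trusted", "10.0.30.15", "10.0.10.20", False),
        ("trusted->iot", "10.0.10.20", "10.0.30.15", False),
        ("iot->trusted reply", "10.0.30.15", "10.0.10.20", True),
        ("lab->trusted", "10.0.20.7", "10.0.10.20", False),
        ("lab->internet", "10.0.20.7", "203.0.113.9", False),
        ("cameras->nvr", "10.0.40.5", "192.168.1.1", False),
        ("cameras->internet", "10.0.40.5", "203.0.113.9", False),
        ("guest->management", "10.0.50.33", "192.168.1.1", False),
    ]
    return {name: evaluate(s, d, est, policy) for name, s, d, est in flows}


if __name__ == "__main__":
    for name, (action, rule) in audit().items():
        print(f"{name:22s} {action:5s} (rule {rule or 'implicit'})")
```

Read the cameras->internet line of the output: nothing in the list denies camera traffic toward the Internet, so it lands on the implicit default. That is the kind of gap a simulation finds before the gateway does: "Cameras to Management only" needs a "Block Cameras to any" rule right after rule 5. Move the default deny to the top of the list and every flow, established replies included, comes back deny, which is the same outage you would cause by ordering the real rules that way.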
Installing Sentinel Nerd
With your network set up, it’s time to add monitoring:
1. Create Your Account
Sign up at sentinelnerd.com/auth/signup. The Starter plan ($29/month) is perfect for a home lab — it supports one controller and includes AI analysis credits.
2. Connect Your UniFi Controller
In the Sentinel Nerd dashboard:
- Go to Settings > Integrations > UniFi Controllers
- Click Add Controller
- Enter your UDM-Pro’s IP or UniFi.ui.com address
- Provide credentials for a dedicated local UniFi OS account rather than your own login: give it a view-only role, which is all monitoring needs, and widen its rights only if you later enable Active Response, since blocking or quarantining a client has to change gateway state
- Test the connection
3. Configure Syslog Forwarding
On your UDM-Pro (the UniFi Network UI is enough; SSH is not required):
- Navigate to Settings > System > Remote Logging (the menu location moves between UniFi Network versions; search the settings for "Remote Logging" if it is not there)
- Set the syslog server to your Sentinel Nerd syslog endpoint, including the port it expects
- Enable logging for all categories
Events should start appearing in Sentinel Nerd within seconds.
Keep in mind that classic syslog is unauthenticated plaintext, UDP port 514 by default, so anyone on the path between the UDM-Pro and the endpoint can read the lines or inject forged ones. If the endpoint is off-site, prefer a syslog-over-TLS option if Sentinel Nerd offers one, or carry the traffic inside a tunnel.
4. Enable IDS/IPS
If you haven’t already:
- In UniFi controller, go to Settings > Security > Internet Threat Management
- Enable Intrusion Detection System
- Start in IDS (detect-only) mode for a week or two to learn what the signatures flag on your traffic, then switch the WAN interface to IPS mode (prevention); in IPS mode a false positive drops real traffic, and inspection costs some WAN throughput
- Choose a threat level (we recommend starting with the default)
The engine only inspects traffic that passes through the gateway. Two devices on the same VLAN talk across the switch and never reach it, so neither IDS/IPS nor the firewall sees that traffic.
Setting Up Integrations
A SOC isn’t just about detection — it’s about notification and response.
Slack (or Discord) Alerts
Set up a notification channel so you see alerts in real time:
- Create a #home-soc-alerts channel in your Slack or Discord server
- Create a webhook (see our Slack integration guide for details)
- In Sentinel Nerd, add the webhook as an alert channel
- Route critical and high severity alerts to this channel
Email Notifications
Configure email as a backup alert channel:
- Go to Settings > Integrations > Alert Channels > Add Channel > Email
- Enter your email address
- Set it to deliver critical alerts only (to avoid inbox overload)
Creating a Detection Rule Library
The built-in rules cover the basics. For your home lab, add these custom rules:
Smart Home Device Monitoring
```yaml
id: iot-device-new-connection
name: IoT Device Making New External Connection
description: An IoT device is connecting to a new external IP not seen before
severity: medium
category: iot-security
enabled: true
conditions:
  - field: event.type
    operator: equals
    value: client_traffic
  - field: vlan_id
    operator: equals
    value: 30
  - field: destination.is_internal
    operator: equals
    value: false
  - field: destination.first_seen
    operator: equals
    value: true
actions:
  - alert
  - tag: iot-new-destination
```
Home Network Reconnaissance Detection
```yaml
id: internal-port-scan
name: Internal Port Scan Detected
description: A device is scanning multiple ports on internal hosts
severity: high
category: reconnaissance
enabled: true
conditions:
  - field: event.type
    operator: equals
    value: firewall_rule_match
  - field: rule.action
    operator: equals
    value: deny
  - field: source.is_internal
    operator: equals
    value: true
aggregation:
  group_by: source_ip
  distinct_count: destination_port
  threshold: 20
  window: 5m
actions:
  - alert
  - tag: port-scan
```
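The aggregation block is the part of this rule that is easy to get wrong, so here is the same logic run over log lines, as an added example for this guide rather than Sentinel Nerd's engine: group denied connections by source address, count distinct destination ports per source inside a sliding 5 minute window, and alert the first time a source reaches 20. The input lines are constructed for the example in the netfilter LOG format the UDM-Pro's firewall writes to syslog; the bracketed rule prefix and reading "-D-" in it as a deny are assumptions about the exact prefix UniFi uses, so adjust `parse` to what your own syslog shows.

```python
"""Sliding-window port-scan detection over firewall deny logs.

Added example for this guide, not Sentinel Nerd's rule engine. It implements
the internal-port-scan aggregation: group denied connections by source, count
distinct destination ports per source in a 5 minute window, alert at 20.
Lines are assumed to arrive in time order, as syslog delivers them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
THRESHOLD = 20

# Resembles a netfilter LOG line from the UDM-Pro. The "[LAN_IN-D-...]" prefix
# and "-D-" meaning deny are assumptions about UniFi's exact rule prefix.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: \[(?P<rule>[^\]]+)\](?P<kv>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Turn one firewall log line into an event dict; None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("kv")))
    if "SRC" not in fields or "DPT" not in fields:
        return None  # no destination port (e.g. ICMP): not port-scan evidence
    return {
        # syslog stamps carry no year; strptime fills in 1900, fine for deltas
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "action": "deny" if "-D-" in m.group("rule") else "allow",
        "src": fields["SRC"],
        "dst": fields["DST"],
        "dport": int(fields["DPT"]),
    }


def is_internal(ip):
    """RFC 1918 check, mirroring the rule's source.is_internal condition."""
    return bool(re.match(r"(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)", ip))


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return [(source, time, distinct_ports)] for sources crossing the threshold."""
    recent = defaultdict(deque)  # source -> (ts, dport) pairs inside the window
    alerts, alerted = [], set()
    for line in lines:
        ev = parse(line)
        if ev is None or ev["action"] != "deny" or not is_internal(ev["src"]):
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dport"]))
        while ev["ts"] - q[0][0] > window:  # expire events older than the window
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])  # one alert per source, like the rule
            alerts.append((ev["src"], ev["ts"], len(distinct)))
    return alerts


def sample_lines():
    """Constructed input: a fast lab-VLAN scan, a slow scan, IoT retries, and out-of-scope lines."""
    def line(ts, src, dst, dport, rule="LAN_IN-D-4000002"):
        return (f"{ts:%b %d %H:%M:%S} UDM-Pro kernel: [{rule}]IN=br20 OUT=br10 "
                f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF "
                f"PROTO=TCP SPT=40211 DPT={dport} WINDOW=64240 RES=0x00 SYN URGP=0")
    t0 = datetime(2024, 3, 3, 9, 12, 0)
    lines = []
    # 10.0.20.7 hits 25 ports in 50 seconds: reaches 20 distinct ports at port 20
    lines += [line(t0 + timedelta(seconds=2 * i), "10.0.20.7", "10.0.10.20", i + 1) for i in range(25)]
    # 10.0.20.9 hits 15 ports, then 15 more ten minutes later: never 20 in one window
    lines += [line(t0 + timedelta(seconds=10 * i), "10.0.20.9", "10.0.10.20", i + 1) for i in range(15)]
    lines += [line(t0 + timedelta(minutes=10, seconds=10 * i), "10.0.20.9", "10.0.10.20", i + 16) for i in range(15)]
    # an IoT device retrying SMB and SSH toward Trusted: many packets, two ports
    lines += [line(t0 + timedelta(seconds=5 * i), "10.0.30.15", "10.0.10.20", 445 if i % 2 else 22) for i in range(10)]
    # an allowed flow and a scan from the Internet: both outside this rule's scope
    lines.append(line(t0, "10.0.10.20", "10.0.30.15", 443, rule="LAN_IN-A-4000001"))
    lines += [line(t0 + timedelta(seconds=i), "203.0.113.9", "198.51.100.4", i + 1, rule="WAN_LOCAL-D-2000") for i in range(25)]
    return lines


if __name__ == "__main__":
    for src, ts, n in detect(sample_lines()):
        print(f"{ts:%H:%M:%S} internal-port-scan src={src} distinct_ports={n}")
```

The slow scanner (15 ports, then 15 more ten minutes later) never trips the rule, which is the trade-off of any fixed window; lowering `THRESHOLD` to 15 catches it at the cost of more noise. The IoT device hammering port 445 stays well under the count however many packets it sends, which is why the rule counts distinct ports rather than events.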
Guest Network Abuse
```yaml
id: guest-excessive-bandwidth
name: Excessive Guest Network Usage
description: A guest device is using unusually high bandwidth
severity: low
category: policy
enabled: true
conditions:
  - field: event.type
    operator: equals
    value: traffic_summary
  - field: vlan_id
    operator: equals
    value: 50
  - field: bytes_total
    operator: greater_than
    value: 10737418240  # 10 GiB
actions:
  - alert
  - tag: bandwidth-abuse
```
Unauthorized Device on Trusted VLAN
```yaml
id: unknown-device-trusted
name: Unknown Device on Trusted Network
description: An unrecognized device connected to the trusted VLAN
severity: high
category: unauthorized-access
enabled: true
conditions:
  - field: event.type
    operator: equals
    value: client_connect
  - field: vlan_id
    operator: equals
    value: 10
  - field: client.is_known
    operator: equals
    value: false
actions:
  - alert
  - tag: unknown-device
```
Monitoring Dashboard Setup
Configure your Sentinel Nerd dashboard for SOC operations:
Recommended Widgets
- Event stream — Real-time feed of all security events (top of dashboard)
- Alert summary — Count of open alerts by severity (top right)
- Top source IPs — Most active threat sources in the last 24 hours
- Device health — Status of all monitored UniFi devices
- Event timeline — Hourly event volume chart to spot anomalies
- Geographic map — Source locations of external threats
- Top detection rules — Which rules are firing most often
- Active Response log — Recent automated actions taken
Creating a Morning Routine
A real SOC has regular check-in procedures. For your home lab:
Daily (5 minutes):
- Check Slack/Discord for any alerts since last check
- Review the alert summary widget for unacknowledged alerts
- Glance at the event timeline for unusual spikes
Weekly (15 minutes):
- Review all medium and low severity alerts from the past week
- Check device health for any offline devices
- Review top source IPs and check any new ones against threat intelligence
- Update detection rule thresholds based on observed patterns
Monthly (30 minutes):
- Review and tune detection rules (disable noisy ones, refine thresholds)
- Check firmware versions on all UniFi devices
- Review firewall rules for any needed updates
- Generate a monthly summary report for your records
Ongoing Operations
Investigating Alerts
When an alert comes in, follow this process:
- Read the alert — What rule triggered? What device? What’s the severity?
- Check context — Look at the source IP, destination, timing. Use threat intelligence enrichment.
- Run AI analysis — Let GPT-4 provide initial triage and MITRE ATT&CK mapping.
- Decide action — Is this a true positive? Does it require response?
- Respond — Block, quarantine, or simply acknowledge based on severity.
- Document — Add a note to the alert with your findings and actions.
Building Incident Reports
When something interesting happens (and it will), write it up:
- What triggered the investigation?
- What did you find?
- What actions did you take?
- What would you do differently?
These reports are gold for your portfolio and learning.
Simulating Attacks (Safely)
Use your Lab VLAN (VLAN 20) to generate realistic security events:
- Nmap scans from a lab machine targeting other lab devices
- Hydra for SSH brute force testing against a test server
- Metasploit for vulnerability scanning and exploitation practice
- DNS tunneling tools to test your DNS monitoring rules
One thing to know before you expect alerts: traffic between two hosts on the same VLAN is switched at layer 2 and never reaches the UDM-Pro, so neither the firewall nor IDS/IPS sees it, and a scan from one lab box to another produces no firewall_rule_match events. To exercise the internal port scan rule, point a scan from the Lab VLAN at an unused address in another VLAN, such as a spare address in 10.0.10.0/24; the default deny (with logging enabled) drops the packets before they reach any host, and the logged denies are what the rule counts. Keep the lab machine as the source of every simulation, and never point brute force or exploitation tools at production VLANs or external targets.
Community Resources
You’re not building this alone. Connect with the community:
- Sentinel Nerd Discord — Share rules, ask questions, show off your setup
- r/homelab — The homelab subreddit has great UniFi SOC discussions
- UniFi Community Forums — Deep knowledge about UniFi hardware configuration
- SANS Holiday Hack — Annual CTF challenge to test your SOC skills
Share your home lab SOC build with us on Discord or Twitter. We love seeing what the community creates.
A home lab SOC isn’t just a learning exercise — it’s genuine security monitoring for your home network. The threats targeting home networks are real, and the skills you build here transfer directly to professional security operations.
Start with the basics, build incrementally, and make it part of your routine. Within a few weeks, you’ll have a working SOC that most small businesses would envy.
Happy monitoring.