CompTIA PBQs simulate real IT environments — firewall consoles, CLI sessions, network topologies, PKI dashboards. Reading about them doesn't build the muscle memory you need to complete them under exam pressure. Doing them does. The problem most candidates have is they don't know how to set up a practice environment, so they never actually do the hands-on work. That gap shows up on exam day.

The good news: you don't need a server rack or a $500 software license. Every tool you need to build a full CompTIA practice lab is free. VirtualBox, Windows Server evaluation, Kali Linux, GNS3, Cisco Packet Tracer — zero cost, runs on your existing laptop or desktop. This guide walks you through the complete setup, step by step, so you can go from nothing to a working lab in about two hours.

What You'll Need

Before downloading anything, confirm your machine can handle a virtual lab. Running VMs inside your operating system requires headroom — you're essentially running a second computer inside your first one.

RAM: 8GB minimum. 16GB is better. VMs typically need 2–4GB each, and you still need RAM for your host OS.
Disk space: 20GB free minimum per VM. Dynamic allocation helps — VMs won't immediately consume their full allocated size.
Operating system: Windows 10/11 or macOS (Intel or Apple Silicon with Rosetta support for VirtualBox).
CPU: Any modern Intel Core i5/i7 or AMD Ryzen — virtualization extensions (VT-x or AMD-V) are required and enabled by default on most machines made after 2012.
Internet connection: You'll need to download ISO files and VM images (ranges from 1GB to 6GB depending on the OS).
Cost: $0. Every tool in this guide is free.

Apple Silicon note: VirtualBox 7.x supports macOS on Apple M-series chips via experimental ARM support. For native performance on M1/M2/M3/M4, UTM (mac.getutm.app) is a free alternative that runs ARM-based Linux VMs natively. The steps below apply to both — the UI differs slightly but the concepts are identical.

Option 1: VirtualBox (Best for Beginners)

VirtualBox is the foundation of most CompTIA home labs. It's free, open-source, runs on Windows and macOS, and supports every OS you'll need for Security+ and Network+ practice. If you're new to virtualization, start here.

Step 1

Download and Install VirtualBox

Go to virtualbox.org and download the installer for your operating system. Choose the latest stable release (7.x as of 2026).

Run the installer and accept all default settings
Also download and install the VirtualBox Extension Pack (same download page) — it adds USB 2.0/3.0 support and improved performance
Restart your computer after installation if prompted

If a VM won't start after setup, the most common cause is hardware virtualization disabled in BIOS. Reboot into BIOS/UEFI settings (usually Del, F2, or F12 at startup) and look for VT-x (Intel) or AMD-V / SVM (AMD) under the CPU or Advanced tab. Enable it, save, and reboot.

Step 2

Download a Windows Server ISO

Microsoft offers free evaluation versions of Windows Server — fully functional for 180 days, no activation required. This is what you want for Security+ lab work.

Go to microsoft.com/en-us/evalcenter
Select Windows Server 2022 → choose ISO download
Fill in the free registration form and download the ISO (~5GB)
Alternatively, download the Windows 10 Enterprise Evaluation ISO if you want a desktop experience instead of Server Core

Save the ISO somewhere accessible — you'll point VirtualBox to it in the next step.

Step 3

Create Your First VM

In VirtualBox, click New and follow the wizard:

Name: CompTIA-Lab-Win
Type: Microsoft Windows
Version: Windows 2022 (64-bit)
RAM: 2048MB minimum — 4096MB recommended if your machine has 16GB+
Hard disk: Create virtual hard disk now → VDI → Dynamically allocated → 20GB

After the VM is created, go to Settings → Storage → Controller: IDE → Empty, click the disc icon, and select your Windows Server ISO.

Step 4

Install Windows and Take a Snapshot

Start the VM. It will boot from the ISO and launch the Windows installer. Walk through the installation — choose Windows Server 2022 Standard Evaluation (Desktop Experience) for a full GUI.

Set an administrator password when prompted
Log in and confirm the desktop loads
Critical step: Before doing anything else, take a snapshot. In VirtualBox, go to Machine → Take Snapshot and name it Clean-State

This clean snapshot is your reset button. Whenever a lab exercise corrupts a config or you want to start fresh, you restore this snapshot and you're back to baseline in 30 seconds.

Step 5

Install Key Tools for Security+ Practice

Inside the Windows VM, install these free tools to cover the major Security+ PBQ scenario types:

Windows Firewall (built-in) — used for firewall rule PBQs. Open wf.msc to access the advanced interface.
Wireshark — download from wireshark.org. Used for packet capture and log analysis PBQs.
OpenSSL for Windows — download from slproweb.com/products/Win32OpenSSL.html. Used for PKI and certificate PBQs.
Event Viewer (built-in) — press Win+R, type eventvwr.msc. Used for log analysis PBQs.
OpenVPN Community — free download from openvpn.net. Used for VPN configuration PBQs.

After installing tools, take another snapshot: Tools-Installed. Now you have two restore points.

Snapshot Strategy

Snapshots are the core workflow mechanic that makes a home lab actually useful for exam prep. The principle is simple:

Snapshot before every lab exercise — name it clearly: Before-Firewall-Lab, Before-PKI-Lab
Restore after every lab exercise — don't carry over config changes from one scenario to the next
Limit to 3–4 snapshots per VM — too many snapshots slow performance and consume disk space
Use descriptive names — Clean-State, Tools-Installed, After-Lab-3 is infinitely better than Snapshot 1, Snapshot 2

Option 2: GNS3 + Packet Tracer (Best for Network+ Practice)

VirtualBox running Windows is great for Security+ scenarios, but Network+ PBQs live in a different domain — routing tables, VLAN configs, switch CLI, network topology diagrams. For those, you need purpose-built network simulation tools.

GNS3

Free & Open Source

GNS3 (Graphical Network Simulator 3) is the gold standard for realistic network simulation. It can emulate real Cisco, Juniper, and other vendor hardware, which means you're working with the actual IOS/NX-OS commands that appear on exams and in real-world environments.

Download: gns3.com → download the GUI installer for your OS
During setup, install the GNS3 VM (available as a VirtualBox appliance from the same page) — the VM backend handles the actual network emulation
Import the GNS3 VM into VirtualBox before launching GNS3
GNS3 GUI connects to the VM automatically on first launch

GNS3 is the heavier option — you'll want 16GB RAM to run it comfortably alongside other VMs. For lighter setups, Packet Tracer is the better starting point.

Cisco Packet Tracer

Free with NetAcad Account

Packet Tracer is Cisco's official free network simulation tool. It's lighter than GNS3, runs on most computers without a VM backend, and covers every networking scenario you'll encounter on the Network+ exam.

Go to netacad.com and create a free Cisco Networking Academy account
Enroll in the free "Packet Tracer" self-paced course — this unlocks the download
Download and install Packet Tracer for Windows or macOS
Log in with your NetAcad credentials when the app launches

What You Can Practice in GNS3 / Packet Tracer

Subnetting: Configure real IP addresses and subnet masks on virtual interfaces — validate your calculations by testing connectivity
VLAN configuration: Create access and trunk ports, configure inter-VLAN routing with a Layer 3 switch or router-on-a-stick
Static and dynamic routing: Configure RIP, OSPF, and static routes between routers — run show ip route to verify
CLI command fluency: Practice show, ping, traceroute, show interfaces, show vlan until they're automatic
Network topology troubleshooting: Build a topology, introduce a deliberate misconfiguration, then diagnose it — exactly the format of Network+ PBQs

! Example: Verify VLAN configuration on a Cisco switch
Switch# show vlan brief
Switch# show interfaces trunk
Switch# show running-config interface fa0/1

! Verify routing table
Router# show ip route
Router# ping 192.168.10.1 source 192.168.20.1

Option 3: Kali Linux for Security+

Kali Linux is a Debian-based Linux distribution purpose-built for security professionals. It ships with hundreds of security tools pre-installed — Wireshark, nmap, OpenSSL, Netcat, and dozens more. For Security+ PBQ scenarios involving command-line security operations, Kali gives you a ready-made environment without installing individual tools.

The fastest way to get Kali running in VirtualBox:

Go to kali.org/get-kali and select Virtual Machines
Download the VirtualBox pre-built image (.ova file)
In VirtualBox, go to File → Import Appliance and select the .ova file
Accept defaults and click Import — no OS installation needed
Default credentials: username kali, password kali — change the password after first login

What Kali gives you out of the box that's directly relevant to Security+ PBQs:

Wireshark: Capture and analyze packets, filter by protocol, identify attack patterns
nmap: Network scanning — practice nmap -sV, nmap -sU, service enumeration
OpenSSL CLI: Generate certificates, inspect cert chains, test TLS handshakes
iptables: Linux firewall — create, list, and delete rules by port and protocol
Netcat: Create TCP/UDP connections, test port accessibility, basic banner grabbing

# Generate a self-signed certificate with OpenSSL (PKI PBQ practice)
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

# View certificate details
openssl x509 -in cert.pem -text -noout

# Scan a host for open services (nmap practice)
nmap -sV 192.168.1.0/24

# List current iptables rules (firewall PBQ practice)
iptables -L -n -v

# Block inbound traffic on port 23 (Telnet)
iptables -A INPUT -p tcp --dport 23 -j DROP

Ethics note: Only run security tools against systems you own or have explicit permission to test. In a lab environment, only target your own VMs. Never scan or probe external networks.

Building a Multi-VM Lab Environment

Running a single VM gets you started. Running multiple VMs on the same virtual network gets you exam-ready. The most realistic PBQ preparation involves an attacker, a server, and a client — the same three-node topology that appears in Security+ scenario questions.

Recommended Three-VM Setup

VM 1 — Windows Server 2022: Acts as your domain controller, file server, and web server. This is where you configure firewall rules, manage certificates, and review event logs.
VM 2 — Windows 10/11: Client machine joined to the domain. Lets you practice domain authentication, GPO scenarios, and client-side security settings.
VM 3 — Kali Linux: Attacker/analyst machine. Used for network scanning, packet capture, and testing your defensive configurations.

Connecting VMs on a Virtual Network

By default, VMs use NAT — they can reach the internet but not each other. To connect your VMs so they can communicate:

Shut down all three VMs
For each VM: Settings → Network → Adapter 1 → Attached to: Internal Network
Set the same network name for all three (e.g., CompTIA-Lab-Net)
Assign static IP addresses manually inside each VM after booting:
- Windows Server: 192.168.10.1/24
- Windows 10: 192.168.10.2/24
- Kali Linux: 192.168.10.3/24
Test connectivity: run ping 192.168.10.1 from the Kali VM. If you get replies, your lab network is working.

# Set a static IP on Kali Linux (temporary, for this session)
ip addr add 192.168.10.3/24 dev eth0
ip route add default via 192.168.10.1

# Verify connectivity to Windows Server
ping 192.168.10.1 -c 4

# From Windows Server: verify ping back to Kali
ping 192.168.10.3

With all three VMs on the same internal network, you can now run Wireshark on Kali while generating authentication traffic from the Windows 10 client — the same scenario structure as Security+ log analysis PBQs. You can configure firewall rules on the server to block the Kali scanner. You can set up a certificate on the server and connect to it from the client. The scenarios are limited only by the exam objectives themselves.

RAM tip: If 8GB RAM is all you have, don't run all three VMs simultaneously. Run two at a time and increase the page file / swap space. A Windows Server + Kali setup at 2GB RAM each will run on 8GB with headroom for your host OS.

Common Issues and Fixes

Problem	Fix
VM won't start — "VT-x is not available"	Reboot into BIOS/UEFI and enable VT-x (Intel) or AMD-V/SVM (AMD) under CPU or Advanced settings. On Windows 11, also check that Hyper-V isn't exclusively locking virtualization resources.
VM runs very slow	Increase RAM allocation if host has headroom. In VM Settings → Display, enable 3D Acceleration. In System → Processor, add more vCPUs. Close background apps on the host.
VMs can't communicate with each other	Ensure both VMs have their network adapter set to "Internal Network" with the same network name. Verify both VMs have manually assigned static IPs in the same subnet. Temporarily disable Windows Firewall to test connectivity.
Ran out of disk space during VM creation	Use dynamic allocation when creating VDI disks — the disk only grows as data is written. If you've already created a fixed disk, use VBoxManage to resize: `VBoxManage modifymedium --resize <size-in-MB> disk.vdi`
Snapshot takes too long or hangs	Limit to 3–4 snapshots per VM — each snapshot creates a differencing disk that adds I/O overhead. Delete old snapshots you no longer need (VirtualBox → Snapshots panel).
Windows Server activation warning appears	Normal — the evaluation version runs fully functional for 180 days without activation. Dismiss the warning. If you need more time, you can renew the evaluation license with: `slmgr /rearm`
Kali Linux has no network access after import	In VirtualBox, change the Kali adapter from Internal Network to NAT temporarily to update packages (`sudo apt update && sudo apt upgrade`), then switch back to Internal Network for lab exercises.

What to Practice in Your Lab

The lab is infrastructure. The scenarios are the actual exam prep. Here's a direct mapping of PBQ types to specific lab actions — organized by exam.

Security+ SY0-701 PBQ Practice

Firewall Rule Configuration — Windows Defender Firewall with Advanced Security (wf.msc):

Create an inbound rule blocking TCP port 23 (Telnet)
Create an outbound rule allowing only TCP 443 from a specific IP range
Export the current rule set, modify it, re-import it
Practice reading existing rules and identifying what traffic they permit or deny

PKI / Certificate Scenarios — OpenSSL in Kali or Windows:

# Generate a private key and CSR (Certificate Signing Request)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr

# Self-sign the certificate (simulating an internal CA)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# View the certificate chain and validate expiry
openssl x509 -in server.crt -text -noout | grep -E "Not Before|Not After|Subject:|Issuer:"

# Verify a certificate against a CA bundle
openssl verify -CAfile ca.crt server.crt

Log Analysis — Windows Event Viewer (eventvwr.msc):

Navigate to Windows Logs → Security
Filter for Event ID 4625 (failed logon attempts) — this is the most common Security+ log analysis scenario
Filter for Event ID 4624 (successful logon) and Event ID 4648 (explicit credential logon)
Practice identifying the source IP, account name, and logon type from a log entry
Generate failed logins deliberately (wrong password) and find them in the log

VPN Configuration — OpenVPN Community:

Generate a CA, server cert, and client cert using the EasyRSA scripts included with OpenVPN
Configure a server config file (server.ovpn) specifying port, protocol, cipher, and TLS settings
Connect a client VM and verify tunnel establishment with ipconfig or ip addr

Network+ N10-009 PBQ Practice

Subnetting — use your VM's IP configuration as a sandbox:

# Windows — view IP config and default gateway
ipconfig /all

# Windows — view routing table
route print

# Linux — view IP addressing
ip addr show
ip route show

# Calculate: given 192.168.10.0/26, what are the valid host range, broadcast, and subnet mask?
# Answer: hosts 192.168.10.1–62, broadcast 192.168.10.63, mask 255.255.255.192

CLI Troubleshooting Tools — practice until the commands are reflex:

# Connectivity test
ping 8.8.8.8
ping -t 192.168.1.1   (continuous ping on Windows)

# Trace path to destination
tracert 8.8.8.8       (Windows)
traceroute 8.8.8.8    (Linux)

# DNS lookup
nslookup getcertlab.com
nslookup -type=MX getcertlab.com

# Active connections and listening ports
netstat -an
netstat -anb           (Windows — shows process names)
ss -tulnp              (Linux equivalent)

# ARP table
arp -a

VLAN Configuration — Packet Tracer or GNS3:

Create VLANs 10 (Sales), 20 (Engineering), 30 (Management) on a switch
Assign access ports to each VLAN: switchport mode access; switchport access vlan 10
Configure a trunk port to carry all VLANs: switchport mode trunk
Verify with show vlan brief and show interfaces trunk
Test: a device in VLAN 10 should not reach a device in VLAN 20 without a router

The Structured Practice Layer

Getting the lab running is the infrastructure layer. What turns that infrastructure into actual PBQ readiness is structured scenarios — exercises that mirror the exact format, question phrasing, and evaluation criteria of real CompTIA PBQs.

Once your lab is set up, you need a way to practice that actually mirrors the exam. Our PBQ lab guides were built for exactly this purpose: each scenario walks you through a specific PBQ type, tells you what to configure, and includes verification checkpoints so you know when you've done it correctly — the same way the exam engine grades you.

The Security+ SY0-701 PBQ Lab Guide covers 12 scenario types — firewall rules, VPN setup, log analysis, PKI/certificates, cloud architecture, and more. The Network+ N10-009 PBQ Lab Guide covers subnetting, CLI troubleshooting, VLAN config, routing, and wireless setup.

Both guides include free sample scenarios so you can see the format before buying. Your lab environment runs the exercises; the guides provide the structured scenarios to run in it.

→ Security+ PBQ Lab Guide — free sample available · Network+ PBQ Lab Guide — free sample available

Conclusion

Building a virtual lab is a one-time two-hour investment. Download VirtualBox, grab the Windows Server evaluation ISO, import the Kali Linux appliance, and install Packet Tracer. That's the entire setup. After that, you have a complete practice environment that costs nothing and resets on demand with a single snapshot restore.

The candidates who pass PBQs without sweating them aren't smarter than the ones who fail. They've just done the scenarios before. Firewall rules, certificate generation, log filtering, VLAN configuration — when you've typed the commands and watched the results, exam day feels like a repeat, not a first attempt. Set up the lab. Run the scenarios. The investment compounds directly into your score.