Field Notes — a personal blog
Building, breaking, and writing about self-hosted systems.
I’m a cybersecurity engineer based in London, Ontario. By day I work on keeping systems defensible; by night I run a homelab that has slowly grown from a single laptop into a small fleet of VMs, containers, and self-hosted AI tools.
This is where I write down what I’ve actually built — wrong turns included. No hype, no affiliate links, no “10x your workflow”. Just field notes from someone who likes to understand the whole stack, from the hypervisor up to the model.
If something here is useful, take it. If something’s wrong, tell me.
- Cybersecurity engineer
- London, Ontario
- Homelab since 2024
Writing
Two series — beginner to blue team, in orderStart Your AI Homelab
6 parts, in order- Start Here: What an AI Homelab Is (and Why Bother) What an AI homelab actually is, what you'll get out of one, and the realistic baseline you need to begin.
- AI Foundations Without the Hype Models, tokens, context windows, and agents — the vocabulary that actually matters, in plain English.
- Choosing Your Stack: Subscriptions, APIs & Local Models The three ways to get AI into your homelab, honest trade-offs, the model landscape, and what I'd pick at each budget.
- Getting the VM Ready Where your homelab actually lives: choosing a hypervisor, provisioning a base Linux VM, sizing it, snapshots, and first-boot setup.
- Securing the Box: SSH & the Physical-Access Truth Harden SSH the right way — then understand why physical access is the security boundary that actually matters for a homelab.
- Starter Projects Worth Your First Weekend Five AI-homelab projects graded from easy to ambitious — what each one teaches you and why it's a good rung to climb.
Blue Team Homelab
6 parts, in order- Why Run a SOC at Home What a security operations practice actually is, why you'd build one in a homelab, and the five disciplines this series walks through.
- Building a Home SOC: The Architecture The data pipeline behind every SOC — log sources, collection, normalization, a SIEM, detections, and alerting — and how to stand up a real one on a single homelab box.
- Threat Hunting: Hypotheses, Not Alerts Hunting is what you do when nothing alerted. The PEAK loop, the Pyramid of Pain, and using MITRE ATT&CK to turn a hunch into a repeatable hunt.
- Threat Intelligence That Isn't Just a Feed Intelligence is a process, not a list of bad IPs. The intel lifecycle, strategic/operational/tactical levels, IOCs vs TTPs, and running MISP or OpenCTI at home.
- Detection Engineering: Detections as Code Treat detections like software — version-controlled, tested, and tuned. Sigma rules, the detection lifecycle, the ADS framework, and validating with Atomic Red Team.
- Automation & SOAR: Closing the Loop The boring 80% of response is automatable. SOAR concepts, playbooks, and enrichment-and-triage automation at home with Shuffle, n8n, and TheHive — with guardrails.