About This Architecture
Multi-tier cybersecurity lab network with a pfSense firewall, three segregated VLANs, and centralized Sysmon telemetry collection for endpoint monitoring. Internet traffic enters through pfSense at 192.168.0.1 and reaches a core distribution switch over 802.1Q trunk links, from which it branches into VLAN 10 (management, holding the Domain Controller and AD/DNS), VLAN 20 (user endpoints: Windows 10/11 workstations), and VLAN 30 (a legacy Windows 7 segment reserved for vulnerability testing).

All endpoints run Sysmon agents that forward their event logs to a centralized SIEM/Log Server at 192.168.50.10 for real-time threat detection and incident response. The architecture demonstrates network segmentation, least-privilege access, and comprehensive endpoint visibility, all of which are critical for building detection capabilities and for testing malware safely in an isolated environment. Keeping the legacy systems in VLAN 30, reachable only over the telemetry links needed to ship logs, ensures the vulnerable machines stay isolated while still providing forensic coverage.

Fork this diagram on Diagrams.so to customize the VLANs, add further monitoring zones, or adapt it to your own security lab infrastructure.
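The diagram describes which segments may talk to each other but not the firewall rules that enforce it. The following policy checker is an added example, not part of the diagram or of any pfSense configuration; it models the segmentation as a first-match, default-deny rule list and evaluates sample flows against it so that the isolation of VLAN 30 and the narrow telemetry path to the SIEM can be checked before the rules go onto a real firewall. The per-VLAN prefixes, the VLAN holding the SIEM, the forwarder port 5044, and the DNS/Kerberos rules between VLAN 20 and VLAN 10 are assumptions; the diagram only names the VLAN roles and the two addresses 192.168.0.1 and 192.168.50.10.

```python
import ipaddress
from typing import NamedTuple, Optional

# Addresses named in the diagram description.
PFSENSE_GW = ipaddress.ip_address("192.168.0.1")
SIEM = ipaddress.ip_address("192.168.50.10")

# Assumed per-VLAN prefixes: the diagram gives VLAN IDs and roles, not subnets.
VLANS = {
    10: ipaddress.ip_network("192.168.10.0/24"),   # management: DC, AD/DNS
    20: ipaddress.ip_network("192.168.20.0/24"),   # user endpoints, Windows 10/11
    30: ipaddress.ip_network("192.168.30.0/24"),   # legacy Windows 7 test segment
    50: ipaddress.ip_network("192.168.50.0/24"),   # assumed VLAN holding the SIEM
}
INTERNET = "internet"      # pseudo-zone: any address outside private space
SYSMON_FWD_PORT = 5044     # assumed log-shipper port on the SIEM


def zone_of(ip):
    """Map an address to its VLAN ID, to INTERNET, or to None if it is a
    private address outside every modelled VLAN (e.g. the pfSense uplink)."""
    ip = ipaddress.ip_address(ip)
    for vlan_id, net in VLANS.items():
        if ip in net:
            return vlan_id
    return None if ip.is_private else INTERNET


class Rule(NamedTuple):
    name: str
    src_zones: frozenset        # VLAN IDs (or INTERNET) the rule applies to
    dst_zone: object            # VLAN ID, INTERNET, "any", or one host address
    proto: str                  # "tcp", "udp", or "any"
    dport: Optional[int]        # None = any destination port
    action: str                 # "allow" or "deny"


ENDPOINT_VLANS = frozenset({10, 20, 30})

# Evaluated top to bottom; the first matching rule decides. Anything that
# matches nothing is denied, like an interface with no pass rule.
POLICY = [
    # The only path out of any endpoint VLAN that is always open: Sysmon telemetry.
    Rule("sysmon-to-siem", ENDPOINT_VLANS, SIEM, "tcp", SYSMON_FWD_PORT, "allow"),
    # The legacy segment gets nothing else: no lateral movement, no egress.
    Rule("legacy-isolated", frozenset({30}), "any", "any", None, "deny"),
    # Assumed least-privilege AD access for workstations (DNS and Kerberos only).
    Rule("users-dns", frozenset({20}), 10, "udp", 53, "allow"),
    Rule("users-kerberos", frozenset({20}), 10, "tcp", 88, "allow"),
    # Management and user VLANs may reach the internet through pfSense.
    Rule("egress", frozenset({10, 20}), INTERNET, "any", None, "allow"),
]


def _dst_matches(rule, dst_ip, dst_zone):
    if rule.dst_zone == "any":
        return True
    if isinstance(rule.dst_zone, (ipaddress.IPv4Address, ipaddress.IPv6Address)):
        return dst_ip == rule.dst_zone
    return dst_zone == rule.dst_zone


def evaluate(src, dst, proto, dport):
    """Return (action, rule_name) for a single flow."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if src_zone not in rule.src_zones:
            continue
        if not _dst_matches(rule, dst_ip, dst_zone):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action, rule.name
    return "deny", "default-deny"


def audit(flows):
    """Evaluate (src, dst, proto, dport) tuples -> list of (flow, action, rule)."""
    return [(flow, *evaluate(*flow)) for flow in flows]


if __name__ == "__main__":
    # Constructed sample flows: a Windows 7 host in VLAN 30 and a workstation in VLAN 20.
    sample = [
        ("192.168.30.15", "192.168.50.10", "tcp", 5044),   # telemetry to the SIEM
        ("192.168.30.15", "192.168.20.5", "tcp", 445),     # lateral SMB attempt
        ("192.168.30.15", "8.8.8.8", "tcp", 443),          # egress from legacy VLAN
        ("192.168.20.5", "192.168.10.10", "udp", 53),      # DNS to the DC
        ("192.168.20.5", "93.184.216.34", "tcp", 443),     # normal web egress
        ("192.168.20.5", "192.168.30.15", "tcp", 3389),    # RDP into legacy VLAN
    ]
    for flow, action, rule in audit(sample):
        print(f"{flow[0]:>15} -> {flow[1]:<15} {flow[2]}/{flow[3]:<5} {action:<5} ({rule})")
```

Run it as a script to print the verdict for each sample flow. The rule order is the point: the telemetry rule sits above the blanket deny for VLAN 30, so a legacy host can ship Sysmon events and nothing else, and the same flow on another protocol or port falls through to the deny. Because the model is plain Python, it can be extended with the rules of a real lab and rerun as a regression test whenever the VLAN layout changes.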