Looks like that section focuses on how to get some vulnerable services running in the lab to test against, which is why Kali isn't on the list as it's an offensive distro for your workstation.

Kali is very convenient and well-maintained, but at the end of the day it's really just Debian with a bunch of common security tools pre-installed. I usually default to using it since it's easy to install and I know it pretty well, but it's perfectly reasonable for someone to run vanilla Debian or Fedora or whatever they prefer and customize the tooling themselves instead.

Going to second this, I keep a relatively up to date kali vm on hand, and it saves me the trouble of configuring and maintaining $randomtool I need when I stumble across the need for it, but I have my usual toolkit of security tools that I use on a daily basis deployed on my host OS as well.

“There’s a couple of good options (and this is not an exhaustive list) for pre-made tool VMs. Obviously you have Kali Linux for offensive tools and penetration testing, but you can also use Security Onion for the defensive side – intrusion detection and network security monitoring.”

Seems like it’s there.

It definitely is the most popular OS for security peeps, however those VMs mentioned in the article are purpose built to be vulnerable. They allow someone to spin them up and attempt to hack the boxes (likely using Kali) as a way of honing their offensive security skills.

another way is to increase defensive skills by starting with Damn Vulnerable Linus (DVL) and trying to close all holes and having someone try to crack it.

for fun of course :-)

Wow, thanks, I completely misread that part.