I made an information security reference. Wasn't really one when I started and still not really aware of one. Has proved immensely helpful in recalling certain things or teaching others. https://github.com/rmusser01/Infosec_Reference
@rmusser
Manual analysis with Burp/Zed Attack Proxy is going to be your best bet. Tools will only do so much for you; they lack contextual awareness of what the application should do vs. is doing. If you're unfamiliar with performing manual analysis, OWASP has a free, public testing guide available: https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents
This is an excellent resource to help aid you in testing the security of your site, so that when you do use the tools mentioned, you have an understanding of what they're doing/trying to accomplish.
If I'm understanding wizzy correctly, he's saying that he sets up an SSH connection/proxy from his 'main' box to his 'kali' box. He is then able to use tools inside of kali and point them towards the SSH proxy, to have them come out through his 'main' box connection. This prevents individuals from directly attacking his 'kali' instance, as they would have to either compromise his 'main' box, or be able to send back packets across the same connections he initiates from within kali, to successfully traverse the NAT 'firewall' to directly attack his 'kali' box. For verification in VMware Workstation, select the target VM, then from the menu, click: VM -> Settings -> Network Adapter.