{"id":50117576,"url":"https://github.com/vyntral/awesome-killchain","last_synced_at":"2026-05-23T16:01:32.959Z","repository":{"id":359788348,"uuid":"1247418610","full_name":"Vyntral/awesome-killchain","owner":"Vyntral","description":"MITRE ATT\u0026CK-aligned offensive + defensive security toolkit. 140+ tools organized by tactic × target with live health signals refreshed daily.","archived":false,"fork":false,"pushed_at":"2026-05-23T14:05:19.000Z","size":286,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-23T14:18:21.525Z","etag":null,"topics":["awesome","awesome-list","blue-team","bug-bounty","ctf","cybersecurity","ethical-hacking","hacking","infosec","kill-chain","mitre-attack","pentest","pentesting","red-team","security","security-tools"],"latest_commit_sha":null,"homepage":null,"language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Vyntral.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE-CODE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-23T09:37:37.000Z","updated_at":"2026-05-23T14:05:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/Vyntral/awesome-killchain","commit_stats":null,"previous_names":["vyntral/awesome-killchain"],"tags_count":4,"template":false,"template_full_name":null,"purl":"pkg:github/Vyntral/awesome-killchain","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/Vyntral%2Fawesome-killchain","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vyntral%2Fawesome-killchain/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vyntral%2Fawesome-killchain/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vyntral%2Fawesome-killchain/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Vyntral","download_url":"https://codeload.github.com/Vyntral/awesome-killchain/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Vyntral%2Fawesome-killchain/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33402174,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-23T04:15:53.637Z","status":"ssl_error","status_checked_at":"2026-05-23T04:15:53.242Z","response_time":53,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["awesome","awesome-list","blue-team","bug-bounty","ctf","cybersecurity","ethical-hacking","hacking","infosec","kill-chain","mitre-attack","pentest","pentesting","red-team","security","security-tools"],"created_at":"2026-05-23T16:01:28.933Z","updated_at":"2026-05-23T16:01:32.942Z","avatar_url":"https://github.com/Vyntral.png","language":"TypeScript","funding_links":[],"categories":["Other Lists"],"sub_categories":["Vue Lists"],"readme":"# Awesome 
Killchain\n\n[![Awesome](https://awesome.re/badge-flat2.svg)](https://awesome.re)\n[![Build](https://img.shields.io/github/actions/workflow/status/Vyntral/awesome-killchain/build.yml?branch=main\u0026style=flat-square\u0026label=build)](https://github.com/Vyntral/awesome-killchain/actions/workflows/build.yml)\n[![Stars](https://img.shields.io/github/stars/Vyntral/awesome-killchain?style=flat-square)](https://github.com/Vyntral/awesome-killchain/stargazers)\n[![Last commit](https://img.shields.io/github/last-commit/Vyntral/awesome-killchain?style=flat-square)](https://github.com/Vyntral/awesome-killchain/commits)\n[![Code license](https://img.shields.io/badge/code-MIT-blue?style=flat-square)](LICENSE-CODE)\n[![Content license](https://img.shields.io/badge/content-CC--BY--4.0-lightgrey?style=flat-square)](LICENSE-CONTENT)\n[![X](https://img.shields.io/badge/X-@vyntral-black?style=flat-square\u0026logo=x)](https://x.com/vyntral)\n\n\u003e **Find the right tool for the phase you're in.** MITRE ATT\u0026CK-aligned offensive + defensive toolkit. 
Organized by tactic × target with live quality signals.\n\n🟢 115 active · 🟡 12 stale · 🔴 28 unmaintained · last refresh: 2026-05-23\n\n\u003e ⭐ **Find this useful?** [Star the repo](https://github.com/Vyntral/awesome-killchain) — it helps other operators discover it and signals which tools deserve more curation effort.\n\n## 📊 At a glance\n\n\u003cp align=\"center\"\u003e\n  \u003cimg alt=\"Total\" src=\"https://img.shields.io/badge/155-tools-0ea5e9?style=for-the-badge\u0026logoColor=white\u0026logo=github\" /\u003e\n  \u003cimg alt=\"Active\" src=\"https://img.shields.io/badge/115-🟢_active-22c55e?style=for-the-badge\" /\u003e\n  \u003cimg alt=\"Stale\" src=\"https://img.shields.io/badge/12-🟡_stale-f59e0b?style=for-the-badge\" /\u003e\n  \u003cimg alt=\"Top AKS\" src=\"https://img.shields.io/badge/99-top_AKS-8b5cf6?style=for-the-badge\" /\u003e\n\u003c/p\u003e\n\n**🏆 Top 5 by AKS Score (Awesome Killchain Score, 0–100):**\n\n| | Tool | AKS | Stars |\n|--|------|----:|------:|\n| 🥇 | **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** | 99 | 68.8k |\n| 🥈 | **[SecLists](https://github.com/danielmiessler/SecLists)** | 97 | 71.1k |\n| 🥉 | **[Promptfoo](https://github.com/promptfoo/promptfoo)** | 97 | 21.5k |\n| 4 | **[Trivy](https://github.com/aquasecurity/trivy)** | 96 | 35.1k |\n| 5 | **[Maigret](https://github.com/soxoj/maigret)** | 96 | 30k |\n\n📊 **[Full live dashboard →](DASHBOARD.md)** with ATT\u0026CK heatmap, hidden gems, legacy brands, sankey flow, language/license breakdowns, and more (auto-refreshed daily).\n\n## Why awesome-killchain?\n\nThe space already has [great awesome lists](https://github.com/Hack-with-Github/Awesome-Hacking). 
This one is different on purpose — it indexes tools by **MITRE ATT\u0026CK tactic × target domain**, not alphabetically.\n\n|     | This list | Typical awesome list |\n| --- | --- | --- |\n| Organization | **MITRE ATT\u0026CK tactic × target matrix** — find tools by the phase you're in, not alphabetically | Alphabetical, or one flat dump |\n| Quality signals | **🟢🟡🔴 health auto-refreshed daily** by CI (stars, last release, archived flag) | Static markdown, link rot accumulates |\n| Editorial value | Each tool has **`when_to_use`** (1-2 operational sentences) and **`alternatives`** | Just name + one-line description |\n| Per-domain reference | **[Auto-generated cheatsheets](cheatsheets/)** — one per target (web, AD, cloud-aws, ai-llm, …) | None |\n| Source of truth | YAML files in [`data/tools/`](data/tools/) — easy to contribute, easy to fork | Hand-edited markdown that drifts |\n\n**Use this list when:** you want a workflow-driven reference that answers _\"I'm in phase X targeting Y, what's the right tool?\"_ with current, maintained options.\n\nDefensive entries are mapped to the **MITRE D3FEND** countermeasure framework (Detection, Hardening, Isolation, Deception, Eviction, Restoration) — the official ATT\u0026CK companion for defenders that no other awesome-list cites in earnest.\n\n**Use [`enaqx/awesome-pentest`](https://github.com/enaqx/awesome-pentest) (26k★) or [`Hack-with-Github`](https://github.com/Hack-with-Github/Awesome-Hacking) (112k★) when:** you want broad alphabetical coverage of everything ever made.\n\n### What we don't track\n\nThis list focuses on **tools with a public GitHub presence** so we can keep live metadata fresh. Essential commercial tools without a GitHub repo (Burp Suite, Cobalt Strike, KAPE, Nessus, etc.) 
are intentionally out of scope — they're widely covered elsewhere and we'd rather not pretend to track their freshness.\n\n### Related projects worth knowing\n\n- **[mukul975/Threatswarm](https://github.com/mukul975/Threatswarm)** — AI agents that *execute* kill-chain operations as a Claude Code plugin. Different category from this list (they run, we index), but the two complement: use this repo as the knowledge base for what to invoke.\n\n---\n\n## How to navigate\n\n- 📂 **Browse by target:** see [cheatsheets/](cheatsheets/) for per-domain tool lists (web, cloud-aws, active-directory, ai-llm, ...)\n- 📊 **See the live dashboard:** [DASHBOARD.md](DASHBOARD.md) — Mermaid charts of tool health, AKS distribution, ATT\u0026CK coverage, top/bottom 10, hidden gems, and more, auto-refreshed daily\n- 📖 **Read here:** scroll by ATT\u0026CK tactic phase below\n- 🎯 **Looking for a scenario?** see [Playbooks](#playbooks)\n- 🔌 **Consume as data:** machine-readable `tools.json` available as [release asset](https://github.com/Vyntral/awesome-killchain/releases/latest) — schema + playbooks + taxonomy bundled\n- 🪦 **Tools that died:** see [OBITUARIES.md](OBITUARIES.md) for the stories behind the 🔴 entries\n- 💎 **One operator's picks:** see [stacks/](stacks/) for opinionated minimum-viable stacks (web BB, AD, AWS, mobile, AI, web3) with explicit rejections\n- 🚨 **CVE responses:** see [cve-responses/](cve-responses/) for structured detection/exploitation/mitigation mappings when critical CVEs drop\n\n## Legend\n\n| Symbol | Meaning |\n|--------|---------|\n| 🟢🟡🔴 | Health (active / stale / unmaintained) |\n| ⭐ N   | GitHub stars (auto-refreshed daily) |\n| ★ / ★★ / ★★★ | Beginner / Intermediate / Advanced |\n| 💰     | Paid or freemium |\n\n---\n\n## Offensive (ATT\u0026CK tactics)\n\n### 🔍 Reconnaissance\n\n#### 🌐 Web applications \u003csup\u003e(showing top 3 of 23 — see [full cheatsheet](cheatsheets/web.md))\u003c/sup\u003e\n- 🟢 
**[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT\n  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Run with web-specific templates from nuclei-templates/http/ — CVE-tagged templates for CMS vulnerabilities, exposed admin panels, and misconfiguration checks on web targets.\n_ _Alternatives: jaeles, dalfox_\n- 🟢 **[SpiderFoot](https://github.com/smicallef/spiderfoot)** ★★ ⭐17.9k · Python · MIT\n  Automated OSINT collection framework that correlates data across 200+ modules covering IPs, domains, emails, and threat intel feeds. _Use when: When you need fully automated, deep passive reconnaissance with correlated results across dozens of data sources; use recon-ng when you prefer manual module-by-module control.\n_ _Alternatives: recon-ng_\n- 🟢 **[Katana](https://github.com/projectdiscovery/katana)** ★★ ⭐16.7k · Go · MIT\n  Next-generation web crawler designed for automated endpoint discovery with JavaScript parsing and headless browser support. _Use when: When you have confirmed live web targets and need to map all reachable endpoints, forms, and JS-loaded paths before manual testing or automated scanning.\n_ _Alternatives: gospider, hakrawler_\n- _…and 20 more in [`cheatsheets/web.md`](cheatsheets/web.md)_\n\n#### 🔌 APIs (REST, GraphQL, gRPC) \u003csup\u003e(showing top 3 of 9 — see [full cheatsheet](cheatsheets/api.md))\u003c/sup\u003e\n- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT\n  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. 
_Use when: Target with api/ and exposures/ templates to detect exposed Swagger/OpenAPI docs, authentication bypass endpoints, and API key leaks in responses.\n_ _Alternatives: jaeles, dalfox_\n- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.1k · Go · MIT\n  High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists. _Use when: When brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed.\n_ _Alternatives: feroxbuster, gobuster_\n- 🟢 **[OWASP ZAP](https://github.com/zaproxy/zaproxy)** ★ ⭐15.2k · Java · Apache-2.0\n  Open-source web application security scanner maintained by OWASP, with automated scanning, spidering, and a proxy for manual testing. _Use when: When you need a free, fully automated web scanner or a Burp alternative in CI/CD pipelines where a headless/API-driven scan is required.\n_ _Alternatives: burp-suite_\n- _…and 6 more in [`cheatsheets/api.md`](cheatsheets/api.md)_\n\n#### 🤖 Android\n- 🟡 **[APKLeaks](https://github.com/dwisiswant0/apkleaks)** ★ ⭐6.1k · Python · Apache-2.0\n  Scans APK files for hardcoded URIs, endpoints, secrets, and API keys using regex pattern matching on decompiled code. _Use when: As a fast first step when receiving an Android APK to extract hardcoded secrets, API endpoints, and sensitive strings before deeper static or dynamic analysis.\n_\n\n#### 🌐 Network (IP, TCP/UDP, services) \u003csup\u003e(showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))\u003c/sup\u003e\n- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT\n  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. 
_Use when: Use network/ and ssl/ templates for network service fingerprinting, protocol version detection, and SSL/TLS misconfiguration checks across port-scanned hosts.\n_ _Alternatives: jaeles, dalfox_\n- 🟢 **[Masscan](https://github.com/robertdavidgraham/masscan)** ★★ ⭐25.7k · C · AGPL-3.0\n  Fastest TCP/UDP port scanner capable of scanning the entire IPv4 internet in under six minutes using a custom async network stack. _Use when: When you need rapid port discovery across large CIDR ranges where nmap speed is insufficient; feed the open port list into nmap for service/version detection afterward.\n_ _Alternatives: naabu, nmap_\n- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0\n  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains.\n_\n- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_\n\n#### 🏛️ Active Directory \u003csup\u003e(showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))\u003c/sup\u003e\n- 🔴 **[Kerbrute](https://github.com/ropnop/kerbrute)** ★★ ⭐3.3k · Go · MIT\n  Fast Kerberos pre-auth brute-forcing and user enumeration tool that avoids traditional LDAP queries by speaking directly to the KDC. _Use when: When you need to enumerate valid AD usernames or spray passwords against Kerberos without triggering LDAP-based detection; combines with a user list from OSINT for AS-REP roasting prep.\n_ _Alternatives: rubeus_\n- 🟢 **[PingCastle](https://github.com/vletoux/pingcastle)** ★★ ⭐2.9k · C# · Non-Profit OSL 3.0\n  Active Directory security audit tool that produces risk-scored reports and graphs identifying misconfigurations and attack paths. 
_Use when: When you need a fast executive-ready AD health report with scored risk indicators; use BloodHound for interactive attack path visualization and lateral movement analysis.\n_ _Alternatives: adrecon_\n- 🟡 **[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)** ★★ ⭐1.4k · Python · MIT\n  Active Directory information dumper via LDAP that exports users, groups, computers, and GPOs to structured JSON and HTML reports. _Use when: When you have valid domain credentials and want a quick structured dump of AD objects (users, groups, computers, policies) for offline analysis without installing BloodHound.\n_ _Alternatives: bloodhound-python_\n- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_\n\n#### ☁️ AWS \u003csup\u003e(showing top 3 of 5 — see [full cheatsheet](cheatsheets/cloud-aws.md))\u003c/sup\u003e\n- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0\n  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings.\n_ _Alternatives: cloudsploit, pacu_\n- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0\n  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. 
_Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service.\n_ _Alternatives: prowler, cloudsploit_\n- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause\n  AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments. _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account.\n_ _Alternatives: cloudsploit, prowler_\n- _…and 2 more in [`cheatsheets/cloud-aws.md`](cheatsheets/cloud-aws.md)_\n\n#### ☁️ Google Cloud\n- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0\n  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings.\n_ _Alternatives: cloudsploit, pacu_\n- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0\n  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service.\n_ _Alternatives: prowler, cloudsploit_\n- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0\n  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. 
_Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths.\n_ _Alternatives: prowler, pacu_\n\n#### ☁️ Azure \u003csup\u003e(showing top 3 of 4 — see [full cheatsheet](cheatsheets/cloud-azure.md))\u003c/sup\u003e\n- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0\n  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings.\n_ _Alternatives: cloudsploit, pacu_\n- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0\n  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service.\n_ _Alternatives: prowler, cloudsploit_\n- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0\n  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. 
_Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths.\n_ _Alternatives: prowler, pacu_\n- _…and 1 more in [`cheatsheets/cloud-azure.md`](cheatsheets/cloud-azure.md)_\n\n#### ☁️ Cloud (generic / multi-cloud)\n- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0\n  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths.\n_ _Alternatives: prowler, pacu_\n\n#### 🏭 ICS / SCADA\n- 🟡 **[modbus-cli](https://github.com/tallakt/modbus-cli)** ★ ⭐114 · Ruby · MIT\n  Command-line client for reading from and writing to Modbus devices over TCP or serial connections. _Use when: When you need to quickly read registers or coils from a Modbus device during an ICS assessment to understand process data without writing custom code.\n_\n- 🔴 **[PLCscan](https://github.com/meeas/plcscan)** ★★ ⭐113 · Python · MIT\n  Scanner for detecting Siemens S7 and Modbus PLCs on a network during ICS security assessments. _Use when: When scoping an ICS/OT assessment and you need to identify reachable PLCs on a network segment. Use before deeper protocol-level testing with ISF or manual interaction.\n_\n\n#### 📶 Radio / wireless\n- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0\n  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. 
_Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains.\n_\n\n#### 🐳 Containers / Kubernetes\n- 🔴 **[kube-hunter](https://github.com/aquasecurity/kube-hunter)** ★★ ⭐5k · Python · Apache-2.0\n  Kubernetes cluster penetration testing tool that hunts for security weaknesses from inside or outside the cluster, including RBAC misconfigurations and exposed APIs. _Use when: When testing a Kubernetes cluster for exposed API endpoints, privileged pods, or RBAC misconfigurations; run in remote mode from outside and passive mode from inside a compromised pod.\n_ _Alternatives: kubescape_\n\n### 🧰 Resource Development\n\n#### 🌐 Network (IP, TCP/UDP, services)\n- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0\n  MITRE's automated adversary emulation platform that executes ATT\u0026CK-mapped TTPs to test defenses. _Use when: Run network-targeted adversary profiles to validate lateral movement detection — test SMB, WMI, and SSH-based movement techniques with ATT\u0026CK-mapped operations across network segments.\n_ _Alternatives: atomic-red-team, stratus-red-team_\n\n#### 🏛️ Active Directory\n- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0\n  MITRE's automated adversary emulation platform that executes ATT\u0026CK-mapped TTPs to test defenses. _Use when: Deploy AD-specific adversary profiles (Kerberoasting, DCSync, pass-the-hash) to validate your EDR and SIEM detection coverage on domain-joined infrastructure before a real engagement.\n_ _Alternatives: atomic-red-team, stratus-red-team_\n\n#### ☁️ AWS\n- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0\n  Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT\u0026CK for AWS and Azure. 
_Use when: When validating cloud detection rules by executing isolated, reproducible ATT\u0026CK techniques against your own AWS or Azure environment with automatic cleanup.\n_ _Alternatives: atomic-red-team_\n\n#### ☁️ Azure\n- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0\n  Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT\u0026CK for AWS and Azure. _Use when: When validating cloud detection rules by executing isolated, reproducible ATT\u0026CK techniques against your own AWS or Azure environment with automatic cleanup.\n_ _Alternatives: atomic-red-team_\n\n### 🚪 Initial Access\n\n#### 🌐 Web applications\n- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause\n  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console.\n_ _Alternatives: sliver, cobalt-strike_\n- 🟡 **[Evilginx2](https://github.com/kgretzky/evilginx2)** ★★★ ⭐15.1k · Go · BSD-3-Clause\n  Man-in-the-middle phishing framework that captures session cookies and credentials by proxying authentication flows, bypassing MFA. _Use when: On red team engagements where the target uses MFA and standard credential phishing won't work; requires a convincing lookalike domain and valid TLS certificate to be effective.\n_ _Alternatives: gophish, modlishka_\n- 🔴 **[GoPhish](https://github.com/gophish/gophish)** ★ ⭐13.9k · Go · MIT\n  Open-source phishing simulation framework for building, launching, and tracking phishing campaigns against target organizations. 
_Use when: When scoping a phishing simulation or red team initial access phase; provides a built-in dashboard for tracking click rates and credential submissions per campaign.\n_ _Alternatives: evilginx2, king-phisher_\n\n#### 🌐 Network (IP, TCP/UDP, services)\n- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause\n  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console.\n_ _Alternatives: sliver, cobalt-strike_\n- 🟢 **[Responder](https://github.com/lgandx/Responder)** ★★ ⭐6.5k · Python · GPL-3.0\n  LLMNR, NBT-NS, and MDNS poisoner that captures NTLMv1/v2 hashes from Windows hosts on the local network for offline cracking or relay attacks. _Use when: When you have network-level access to a Windows environment and want to passively capture NetNTLM hashes via protocol poisoning for cracking or relay with ntlmrelayx.\n_ _Alternatives: inveigh_\n\n#### 🏛️ Active Directory\n- 🟢 **[Responder](https://github.com/lgandx/Responder)** ★★ ⭐6.5k · Python · GPL-3.0\n  LLMNR, NBT-NS, and MDNS poisoner that captures NTLMv1/v2 hashes from Windows hosts on the local network for offline cracking or relay attacks. _Use when: When you have network-level access to a Windows environment and want to passively capture NetNTLM hashes via protocol poisoning for cracking or relay with ntlmrelayx.\n_ _Alternatives: inveigh_\n\n### ▶️ Execution\n\n#### 🌐 Web applications\n- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause\n  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. 
_Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console.\n_ _Alternatives: sliver, cobalt-strike_\n\n#### 🌐 Network (IP, TCP/UDP, services) \u003csup\u003e(showing top 3 of 9 — see [full cheatsheet](cheatsheets/network.md))\u003c/sup\u003e\n- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause\n  Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console.\n_ _Alternatives: sliver, cobalt-strike_\n- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0\n  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment.\n_ _Alternatives: crackmapexec, evil-winrm_\n- 🟢 **[Sliver](https://github.com/BishopFox/sliver)** ★★★ ⭐11.3k · Go · GPL-3.0\n  Open-source cross-platform adversary simulation C2 framework supporting mTLS, WireGuard, HTTP/S, and DNS communication channels. 
  _Use when: When you need a free, actively maintained C2 alternative to Cobalt Strike with modern implant generation and multiplayer operator support for red team operations._ _Alternatives: cobalt-strike, mythic_
- _…and 6 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory <sup>(showing top 3 of 5 — see [full cheatsheet](cheatsheets/active-directory.md))</sup>
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0
  MITRE's automated adversary emulation platform that executes ATT&CK-mapped TTPs to test defenses. _Use when: Deploy AD-specific adversary profiles (Kerberoasting, DCSync, pass-the-hash) to validate your EDR and SIEM detection coverage on domain-joined infrastructure before a real engagement._ _Alternatives: atomic-red-team, stratus-red-team_
- 🟢 **[Evil-WinRM](https://github.com/Hackplayers/evil-winrm)** ★★ ⭐5.4k · Ruby · LGPL-3.0
  WinRM shell for penetration testing that provides file transfer, in-memory PowerShell script loading, and pass-the-hash authentication support. _Use when: When WinRM (port 5985/5986) is open on a Windows target and you have valid credentials or an NTLM hash to obtain an interactive shell with built-in upload/download capability._ _Alternatives: impacket, crackmapexec_
- _…and 2 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

### 📌 Persistence

#### 🏛️ Active Directory
- 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0
  Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments._ _Alternatives: impacket, certipy_
- 🟢 **[Certipy](https://github.com/ly4k/Certipy)** ★★★ ⭐3.5k · Python · MIT
  Active Directory Certificate Services (AD CS) attack tool for enumerating misconfigurations, forging certificates, and escalating privileges via ESC1-ESC13 attack paths. _Use when: When AD CS is deployed in the environment — enumerate certificate templates for ESC misconfigurations, then forge certificates to obtain domain admin credentials or persistent access._ _Alternatives: mimikatz_

### ⬆️ Privilege Escalation

#### 🌐 Network (IP, TCP/UDP, services) <sup>(showing top 3 of 5 — see [full cheatsheet](cheatsheets/network.md))</sup>
- 🟢 **[LinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
  Linux privilege escalation script that audits the system for misconfigurations, weak permissions, SUID binaries, and known CVEs. _Use when: Immediately after gaining a low-privilege shell on a Linux host to enumerate all privilege escalation vectors in one pass before manual analysis._ _Alternatives: peass-ng, linux-exploit-suggester_
- 🟢 **[PEASS-ng](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
  Suite containing the LinPEAS and WinPEAS privilege escalation scripts for automated local enumeration on Linux, Windows, and macOS hosts. _Use when: When you need a single repository that covers both Linux and Windows privilege escalation enumeration; pull the relevant script (LinPEAS or WinPEAS) for the target OS._ _Alternatives: linpeas, winpeas_
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
  Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- _…and 2 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory <sup>(showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))</sup>
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
  Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- 🔴 **[PowerUp](https://github.com/PowerShellMafia/PowerSploit)** ★★ ⭐13k · PowerShell · BSD-3-Clause
  PowerShell script for identifying common Windows privilege escalation vectors such as unquoted service paths and modifiable service binaries. _Use when: When enumerating Windows privesc vectors from a low-privilege shell; note that the parent project PowerSploit is archived, but PowerUp remains a valid technique reference and still functions on modern Windows hosts._ _Alternatives: winpeas, seatbelt_
- 🟡 **[Seatbelt](https://github.com/GhostPack/Seatbelt)** ★★ ⭐4.6k · C# · BSD-3-Clause
  C# post-exploitation enumeration tool that runs a wide range of host-based security checks for situational awareness after gaining access to a Windows system. _Use when: After an initial foothold on a Windows system to enumerate installed security products, credential stores, scheduled tasks, and other artifacts useful for planning next steps._ _Alternatives: winpeas, powerup_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ AWS
- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause
  AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments. _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account._ _Alternatives: cloudsploit, prowler_
- 🔴 **[enumerate-iam](https://github.com/andresriancho/enumerate-iam)** ★★ ⭐1.2k · Python · MIT
  Enumerates AWS IAM permissions for a given set of credentials by brute-forcing API calls and reporting allowed actions. _Use when: When you have AWS credentials of unknown privilege level and need to map all allowed actions before attempting privilege escalation; use Pacu for a full exploitation framework._ _Alternatives: pacu_

#### ☁️ Azure
- 🟢 **[MicroBurst](https://github.com/NetSPI/MicroBurst)** ★★ ⭐2.4k · PowerShell · MIT
  PowerShell toolkit for Azure security assessment covering storage, Key Vault, Active Directory, and service enumeration. _Use when: During Azure red team engagements to enumerate resources, extract secrets from Key Vault and storage blobs, and identify misconfigured service principals._

#### 🐳 Containers / Kubernetes
- 🟢 **[Peirates](https://github.com/inguardians/peirates)** ★★★ ⭐1.4k · Go · GPL-2.0
  Kubernetes penetration tool for attacking and maintaining access, including token theft, privilege escalation, and pod escape techniques. _Use when: When you have initial access to a Kubernetes pod and need to escalate privileges, steal service account tokens, or pivot to other namespaces and nodes._ _Alternatives: kube-hunter_

### 🥷 Defense Evasion

#### 🤖 Android
- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.1k · Python · GPL-3.0
  Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root. _Use when: When you need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore the app file system during a mobile penetration test._ _Alternatives: frida, mobsf_

#### 📱 iOS
- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.1k · Python · GPL-3.0
  Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root. _Use when: When you need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore the app file system during a mobile penetration test._ _Alternatives: frida, mobsf_

#### 🌐 Network (IP, TCP/UDP, services)
- 🔴 **[Havoc](https://github.com/HavocFramework/Havoc)** ★★★ ⭐8.4k · C++ · GPL-3.0
  Modern red team C2 framework focused on evasion with a Demon implant supporting sleep obfuscation, indirect syscalls, and process injection. _Use when: When you need a modern open-source C2 with strong EDR evasion capabilities; the Demon agent's built-in obfuscation features make it suitable for engagements with mature defenses._ _Alternatives: sliver, cobalt-strike_

### 🔑 Credential Access

#### 🌐 Web applications
- 🟡 **[Evilginx2](https://github.com/kgretzky/evilginx2)** ★★★ ⭐15.1k · Go · BSD-3-Clause
  Man-in-the-middle phishing framework that captures session cookies and credentials by proxying authentication flows, bypassing MFA. _Use when: On red team engagements where the target uses MFA and standard credential phishing won't work; requires a convincing lookalike domain and a valid TLS certificate to be effective._ _Alternatives: gophish, modlishka_
- 🟢 **[THC Hydra](https://github.com/vanhauser-thc/thc-hydra)** ★★ ⭐11.8k · C · AGPL-3.0
  Fast and parallelized network login cracker supporting over 50 protocols including SSH, FTP, HTTP, SMB, RDP, and database services. _Use when: When brute-forcing or credential-stuffing against a live network service (SSH, RDP, HTTP forms, SMB) with a known username list and password wordlist._ _Alternatives: hashcat, john-the-ripper_

#### 🌐 Network (IP, TCP/UDP, services) <sup>(showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md))</sup>
- 🟢 **[Hashcat](https://github.com/hashcat/hashcat)** ★★ ⭐26k · C · MIT
  World's fastest GPU-accelerated password recovery tool supporting 300+ hash types including NTLM, Kerberos, bcrypt, and WPA-PMKID. _Use when: When cracking captured hashes (NTLM, NTLMv2, AS-REP, TGS tickets) offline using GPU acceleration; pair with rockyou or custom rule-sets for AD password policy bypass._ _Alternatives: john-the-ripper_
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory <sup>(showing top 3 of 16 — see [full cheatsheet](cheatsheets/active-directory.md))</sup>
- 🟢 **[Hashcat](https://github.com/hashcat/hashcat)** ★★ ⭐26k · C · MIT
  World's fastest GPU-accelerated password recovery tool supporting 300+ hash types including NTLM, Kerberos, bcrypt, and WPA-PMKID. _Use when: When cracking captured hashes (NTLM, NTLMv2, AS-REP, TGS tickets) offline using GPU acceleration; pair with rockyou or custom rule-sets for AD password policy bypass._ _Alternatives: john-the-ripper_
- 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0
  Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments._ _Alternatives: impacket, certipy_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- _…and 13 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### 📶 Radio / wireless
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._

### 🗺️ Discovery

#### 🌐 Network (IP, TCP/UDP, services) <sup>(showing top 3 of 4 — see [full cheatsheet](cheatsheets/network.md))</sup>
- 🟢 **[LinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
  Linux privilege escalation script that audits the system for misconfigurations, weak permissions, SUID binaries, and known CVEs. _Use when: Immediately after gaining a low-privilege shell on a Linux host to enumerate all privilege escalation vectors in one pass before manual analysis._ _Alternatives: peass-ng, linux-exploit-suggester_
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
  Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- 🟢 **[NetExec](https://github.com/Pennyw0rth/NetExec)** ★★ ⭐5.5k · Python · BSD-2-Clause
  Network pentesting framework for credential validation, lateral movement, and enumeration across SMB, WinRM, MSSQL, RDP, and other Windows protocols — the actively maintained successor to CrackMapExec. _Use when: When spraying or validating credentials across a Windows network, executing commands, or enumerating shares; use this in place of the archived CrackMapExec for continued feature updates and bug fixes._ _Alternatives: crackmapexec, impacket_
- _…and 1 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory <sup>(showing top 3 of 9 — see [full cheatsheet](cheatsheets/active-directory.md))</sup>
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
  Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- 🟢 **[NetExec](https://github.com/Pennyw0rth/NetExec)** ★★ ⭐5.5k · Python · BSD-2-Clause
  Network pentesting framework for credential validation, lateral movement, and enumeration across SMB, WinRM, MSSQL, RDP, and other Windows protocols — the actively maintained successor to CrackMapExec. _Use when: When spraying or validating credentials across a Windows network, executing commands, or enumerating shares; use this in place of the archived CrackMapExec for continued feature updates and bug fixes._ _Alternatives: crackmapexec, impacket_
- 🟡 **[Seatbelt](https://github.com/GhostPack/Seatbelt)** ★★ ⭐4.6k · C# · BSD-3-Clause
  C# post-exploitation enumeration tool that runs a wide range of host-based security checks for situational awareness after gaining access to a Windows system. _Use when: After an initial foothold on a Windows system to enumerate installed security products, credential stores, scheduled tasks, and other artifacts useful for planning next steps._ _Alternatives: winpeas, powerup_
- _…and 6 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ Azure
- 🟢 **[AzureHound](https://github.com/SpecterOps/AzureHound)** ★★★ ⭐910 · Go · Apache-2.0
  BloodHound data collector for Azure and Azure Active Directory that maps attack paths across cloud and hybrid environments. _Use when: Run against the target tenant to collect Azure AD and Azure RBAC relationships; import into BloodHound CE to query cross-tenant privilege escalation paths and service principal abuse._ _Alternatives: bloodhound, sharphound_

### ↔️ Lateral Movement

#### 🌐 Network (IP, TCP/UDP, services) <sup>(showing top 3 of 8 — see [full cheatsheet](cheatsheets/network.md))</sup>
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
- 🟢 **[Chisel](https://github.com/jpillora/chisel)** ★★ ⭐16k · Go · MIT
  Fast TCP/UDP tunnel over HTTP, secured with SSH, enabling reverse tunnels and port forwarding through firewalls from a single binary. _Use when: When you need to establish a reverse tunnel or pivot through a firewall with HTTP/HTTPS egress only, using a single static binary dropped on the compromised host._ _Alternatives: ligolo-ng_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- _…and 5 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory <sup>(showing top 3 of 8 — see [full cheatsheet](cheatsheets/active-directory.md))</sup>
- 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0
  Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments._ _Alternatives: impacket, certipy_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
  Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- 🔴 **[CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)** ★★ ⭐9.1k · Python · BSD-2-Clause
  Network pentesting Swiss army knife for credential testing, lateral movement, and enumeration across SMB, WinRM, MSSQL, and other Windows protocols. _Use when: When spraying credentials or validating access across a subnet of Windows hosts; note that this project is archived — consider using its successor NetExec for active development and new features._ _Alternatives: impacket, evil-winrm_
- _…and 5 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ AWS
- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause
  AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments. _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account._ _Alternatives: cloudsploit, prowler_

#### ☁️ Azure
- 🟢 **[AzureHound](https://github.com/SpecterOps/AzureHound)** ★★★ ⭐910 · Go · Apache-2.0
  BloodHound data collector for Azure and Azure Active Directory that maps attack paths across cloud and hybrid environments. _Use when: Run against the target tenant to collect Azure AD and Azure RBAC relationships; import into BloodHound CE to query cross-tenant privilege escalation paths and service principal abuse._ _Alternatives: bloodhound, sharphound_

#### 📶 Radio / wireless
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
  Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._

#### 🐳 Containers / Kubernetes
- 🟢 **[Peirates](https://github.com/inguardians/peirates)** ★★★ ⭐1.4k · Go · GPL-2.0
  Kubernetes penetration tool for attacking and maintaining access, including token theft, privilege escalation, and pod escape techniques. _Use when: When you have initial access to a Kubernetes pod and need to escalate privileges, steal service account tokens, or pivot to other namespaces and nodes._ _Alternatives: kube-hunter_

### 📦 Collection

#### 🌐 Network (IP, TCP/UDP, services)
- 🔴 **[Pillager](https://github.com/qwqdanchun/Pillager)** ★★★ ⭐0 · C++ · MIT
  Post-exploitation collection tool for Windows that harvests credentials, tokens, cookies, and sensitive files from common application stores in a single sweep. _Use when: After obtaining a shell on a Windows host — runs a broad sweep of credential stores (browsers, SSH agents, RDP configs, application tokens) faster than manual enumeration. Pair with Snaffler for share-based collection._ _Alternatives: snaffler_

#### 🏛️ Active Directory
- 🟢 **[Snaffler](https://github.com/SnaffCon/Snaffler)** ★★ ⭐2.8k · C# · GPL-3.0
  Finds credentials, secrets, and sensitive files on network shares and file systems during internal penetration tests. _Use when: After obtaining domain user credentials on an internal engagement; automatically triages shares for passwords, keys, and sensitive config files faster than manual review._
- 🔴 **[Certify](https://github.com/GhostPack/Certify)** ★★★ ⭐0 · C# · BSD-3-Clause
  C# tool for enumerating and abusing Active Directory Certificate Services misconfigurations to request certificates that enable privilege escalation or persistence. _Use when: On AD engagements where AD CS is deployed — enumerate certificate templates for ESC1–ESC8 misconfigurations, then request certs to obtain NTLM hashes or TGTs without touching LSASS. Use Certipy for the Linux-based equivalent._ _Alternatives: certipy_
- 🔴 **[Pillager](https://github.com/qwqdanchun/Pillager)** ★★★ ⭐0 · C++ · MIT
  Post-exploitation collection tool for Windows that harvests credentials, tokens, cookies, and sensitive files from common application stores in a single sweep. _Use when: After obtaining a shell on a Windows host — runs a broad sweep of credential stores (browsers, SSH agents, RDP configs, application tokens) faster than manual enumeration. Pair with Snaffler for share-based collection._ _Alternatives: snaffler_

### 📡 Command and Control (C2)

#### 🌐 Network (IP, TCP/UDP, services) <sup>(showing top 3 of 10 — see [full cheatsheet](cheatsheets/network.md))</sup>
- 🟢 **[Chisel](https://github.com/jpillora/chisel)** ★★ ⭐16k · Go · MIT
  Fast TCP/UDP tunnel over HTTP, secured with SSH, enabling reverse tunnels and port forwarding through firewalls from a single binary. _Use when: When you need to establish a reverse tunnel or pivot through a firewall with HTTP/HTTPS egress only, using a single static binary dropped on the compromised host._ _Alternatives: ligolo-ng_
- 🟢 **[Sliver](https://github.com/BishopFox/sliver)** ★★★ ⭐11.3k · Go · GPL-3.0
  Open-source cross-platform adversary simulation C2 framework supporting mTLS, WireGuard, HTTP/S, and DNS communication channels. _Use when: When you need a free, actively maintained C2 alternative to Cobalt Strike with modern implant generation and multiplayer operator support for red team operations._ _Alternatives: cobalt-strike, mythic_
- 🔴 **[Havoc](https://github.com/HavocFramework/Havoc)** ★★★ ⭐8.4k · C++ · GPL-3.0
  Modern red team C2 framework focused on evasion with a Demon implant supporting sleep obfuscation, indirect syscalls, and process injection. _Use when: When you need a modern open-source C2 with strong EDR evasion capabilities; the Demon agent's built-in obfuscation features make it suitable for engagements with mature defenses._ _Alternatives: sliver, cobalt-strike_
- _…and 7 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🏛️ Active Directory
- 🟢 **[Empire](https://github.com/BC-SECURITY/Empire)** ★★★ ⭐5.2k · PowerShell · BSD-3-Clause
  Post-exploitation C2 framework with PowerShell and Python agents supporting a wide range of modules for lateral movement and persistence. _Use when: When conducting Windows-focused red team operations requiring a mature agent with extensive post-exploitation modules; prefer Sliver or Havoc for more evasive, modern C2 profiles._ _Alternatives: sliver, mythic, havoc_
- 🔴 **[Covenant](https://github.com/cobbr/Covenant)** ★★★ ⭐4.7k · C# · GPL-3.0
  .NET-based C2 framework with a web UI for collaborative red team operations, featuring Grunt implants. _Use when: When you need a .NET-native C2 with a collaborative web interface for multi-operator engagements. Good for Windows-heavy environments where .NET LOLBins are your primary execution path._ _Alternatives: empire, sliver, mythic_

### 📤 Exfiltration

#### 🌐 Network (IP, TCP/UDP, services)
- 🟡 **[Iodine](https://github.com/yarrick/iodine)** ★★ ⭐7.9k · C · ISC
  Tool that tunnels IPv4 traffic over DNS to provide network connectivity through restrictive firewalls that permit DNS lookups. _Use when: When you need full IP tunnel capability over DNS rather than just C2 channels; useful for pivoting through egress-restricted networks where DNS is the only allowed protocol._ _Alternatives: dnscat2, dns2tcp_
- 🔴 **[dnscat2](https://github.com/iagox86/dnscat2)** ★★ ⭐3.9k · Ruby · BSD-3-Clause
  DNS-based encrypted C2 and exfiltration tool that tunnels data through DNS queries to bypass network egress filtering. _Use when: When outbound HTTP/HTTPS is blocked but DNS resolution is allowed; requires control of a domain with a custom nameserver pointing to your dnscat2 server._ _Alternatives: iodine, dnsteal_

### 💥 Impact

#### 🌐 Web applications
- 🔴 **[GoldenEye](https://github.com/jseidl/GoldenEye)** ★ ⭐0 · Python · GPL-3.0
  HTTP DoS test tool that uses multiple concurrent HTTP/1.1 keep-alive connections with randomized headers and cache-control directives to stress HTTP servers. _Use when: When authorized to test HTTP-layer DoS resilience and you want randomized headers to evade basic per-IP rate limiting; complements Slowloris (a different attack vector against the same connection-pool exhaustion class)._ _Alternatives: slowloris_
- 🔴 **[Slowloris](https://github.com/gkbrk/slowloris)** ★ ⭐0 · Python · MIT
  Low-bandwidth denial-of-service tool that holds HTTP connections open by sending partial requests, exhausting server connection pools without high throughput. _Use when: When testing a web server's resilience to connection-exhaustion DoS without large bandwidth — effective against Apache and other threaded servers; less effective against async servers like nginx. Use in authorized load/DoS testing only._

#### 🌐 Network (IP, TCP/UDP, services)
- 🔴 **[Slowloris](https://github.com/gkbrk/slowloris)** ★ ⭐0 · Python · MIT
  Low-bandwidth denial-of-service tool that holds HTTP connections open by sending partial requests, exhausting server connection pools without high throughput. _Use when: When testing a web server's resilience to connection-exhaustion DoS without large bandwidth — effective against Apache and other threaded servers; less effective against async servers like nginx. Use in authorized load/DoS testing only._

---

## Defensive (D3FEND-aligned lifecycle)

### 🛡️ Detection Engineering

#### 🌐 Web applications
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
  Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Target sigma/rules/web/ for web server and proxy log detections — SQLi, path traversal, webshell upload patterns; convert for your WAF or SIEM web log source._ _Alternatives: yara, snort-rules, suricata-rules_
- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0
  Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains. _Use when: When you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain._

#### 🌐 Network (IP, TCP/UDP, services) <sup>(showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md))</sup>
- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
  Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._ _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
  Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Run network-category atomics (T1021, T1046, T1572) in an isolated environment to confirm your SIEM creates the expected alerts for lateral movement and C2 channel techniques._ _Alternatives: caldera, sigma_
- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_

#### 🧠 AI / LLM systems
- 🟢 **[LLM Guard](https://github.com/protectai/llm-guard)** ★★ ⭐3k · Python · MIT
  Modular input and output scanning framework for LLM applications with scanners for prompt injection, toxicity, PII, and secrets. _Use when: When you need a composable, production-ready guardrail layer with multiple independent scanners for both input sanitization and output validation in LLM pipelines._ _Alternatives: rebuff, vigil-llm_
- 🔴 **[Rebuff](https://github.com/protectai/rebuff)** ★★ ⭐1.5k · Python · Apache-2.0
  Self-hardening prompt injection detector for LLM applications that uses a canary-token strategy and vector similarity to identify and log attack attempts. _Use when: When building LLM-powered applications that accept user input and need runtime protection against prompt injection attacks; integrates as middleware to intercept and flag malicious prompts before they reach the model._ _Alternatives: llm-guard, vigil-llm_
- 🔴 **[Vigil](https://github.com/deadbits/vigil-llm)** ★★ ⭐480 · Python · Apache-2.0
  LLM prompt injection and jailbreak detection server that scans inputs and outputs against known attack patterns and embeddings. _Use when: When deploying an LLM-backed application that needs runtime detection of prompt injection attempts; integrate as a middleware scanner before passing user input to the model._ _Alternatives: rebuff, llm-guard_

#### 🏛️ Active Directory <sup>(showing top 3 of 5 — see [full cheatsheet](cheatsheets/active-directory.md))</sup>
- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
  Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._ _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
  Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Execute AD-specific atomics (T1558, T1069, T1087) against a test domain to verify that Kerberoasting, group enumeration, and LDAP query detections fire correctly in your SIEM._ _Alternatives: caldera, sigma_
- _…and 2 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_

#### ☁️ AWS
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
  Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Use the CloudTrail-focused Sigma rule pack from sigma/rules/cloud/aws/ — covers IAM enumeration, S3 abuse, Lambda persistence, and CloudTrail tampering patterns._ _Alternatives: yara, snort-rules, suricata-rules_
- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
  Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. _Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._ _Alternatives: atomic-red-team_

#### ☁️ Google Cloud
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
  Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Target sigma/rules/cloud/gcp/ for GCP-specific detections: GSuite admin audit, VPC flow anomalies, and service account key creation events._ _Alternatives: yara, snort-rules, suricata-rules_

#### ☁️ Azure
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
  Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Use the Sigma Azure ruleset under sigma/rules/cloud/azure/ — focus on Azure AD sign-in events, Resource Manager activity logs, and conditional access bypass detections._ _Alternatives: yara, snort-rules, suricata-rules_
- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
  Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. _Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._ _Alternatives: atomic-red-team_

#### ☁️ Cloud (generic / multi-cloud)
- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
  Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._

#### 🐳 Containers / Kubernetes
- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
  Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._

### 🎯 Threat Hunting

#### 🌐 Network (IP, TCP/UDP, services) <sup>(showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md))</sup>
- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
  Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._ _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
  Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. 
_Use when: Run network-category atomics (T1021, T1046, T1572) in an isolated environment to confirm your SIEM creates the expected alerts for lateral movement and C2 channel techniques.\n_ _Alternatives: caldera, sigma_\n- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_\n\n#### 🏛️ Active Directory \u003csup\u003e(showing top 3 of 7 — see [full cheatsheet](cheatsheets/active-directory.md))\u003c/sup\u003e\n- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0\n  Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection.\n_ _Alternatives: velociraptor_\n- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0\n  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane.\n_\n- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT\n  Library of small, portable tests mapped to MITRE ATT\u0026CK for validating detection coverage and testing security controls in a repeatable way. 
_Use when: Execute AD-specific atomics (T1558, T1069, T1087) against a test domain to verify Kerberoasting, group enumeration, and LDAP query detections fire correctly in your SIEM.\n_ _Alternatives: caldera, sigma_\n- _…and 4 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_\n\n#### ☁️ AWS\n- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT\n  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts.\n_\n\n#### ☁️ Azure\n- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT\n  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts.\n_\n\n#### ☁️ Cloud (generic / multi-cloud)\n- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0\n  Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads.\n_\n\n#### 🐳 Containers / Kubernetes\n- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0\n  Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. 
_Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads.\n_\n\n### 🚨 Incident Response\n\n#### 🌐 Network (IP, TCP/UDP, services) \u003csup\u003e(showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))\u003c/sup\u003e\n- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0\n  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling.\n_ _Alternatives: velociraptor_\n- 🟢 **[Volatility 3](https://github.com/volatilityfoundation/volatility3)** ★★★ ⭐4.1k · Python · Volatility\n  Memory forensics framework for extracting digital artifacts from RAM dumps across Windows, Linux, and macOS operating systems. _Use when: During incident response or forensic investigation when you have a memory image and need to recover processes, network connections, injected code, or encryption keys from RAM.\n_ _Alternatives: rekall, redline_\n- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0\n  Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale. _Use when: When you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. 
Preferable to manual triage when operating at enterprise scale.\n_\n- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_\n\n#### 🏛️ Active Directory \u003csup\u003e(showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))\u003c/sup\u003e\n- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0\n  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling.\n_ _Alternatives: velociraptor_\n- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0\n  Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale. _Use when: When you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. Preferable to manual triage when operating at enterprise scale.\n_\n- 🟢 **[Chainsaw](https://github.com/WithSecureLabs/chainsaw)** ★★ ⭐3.6k · Rust · GPL-3.0\n  Rust-based Windows event log forensics tool for rapid threat hunting using Sigma rules and built-in detection logic. _Use when: When performing first-response log triage on collected EVTX files to surface indicators of compromise; compare results with Hayabusa for cross-rule coverage.\n_ _Alternatives: hayabusa_\n- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_\n\n#### ☁️ AWS\n- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT\n  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. 
_Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts.\n_\n\n#### ☁️ Azure\n- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT\n  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts.\n_\n\n### 🔬 Digital Forensics\n\n#### 🌐 Network (IP, TCP/UDP, services) \u003csup\u003e(showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))\u003c/sup\u003e\n- 🟢 **[Wireshark](https://github.com/wireshark/wireshark)** ★★ ⭐9.4k · C · GPL-2.0\n  Industry-standard network protocol analyzer for live capture and offline analysis of packet data with deep dissection of hundreds of protocols. _Use when: When analyzing captured network traffic to identify C2 communications, extract credentials from cleartext protocols, or reconstruct session data during incident response or network penetration testing.\n_\n- 🟢 **[Arkime](https://github.com/arkime/arkime)** ★★ ⭐7.4k · JavaScript · Apache-2.0\n  Full packet capture and indexing system (formerly Moloch) providing long-term PCAP storage with fast search, session reconstruction, and integration with Elasticsearch for large-scale network forensics. _Use when: When you need full PCAP retention at multi-gigabit rates with indexed search for retrospective investigation after a detection fires. 
Pair with Zeek for structured metadata and Arkime for raw packet access during the same investigation.\n_\n- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0\n  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling.\n_ _Alternatives: velociraptor_\n- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_\n\n#### 🏛️ Active Directory \u003csup\u003e(showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))\u003c/sup\u003e\n- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0\n  Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling.\n_ _Alternatives: velociraptor_\n- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0\n  Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale. _Use when: When you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. 
Preferable to manual triage when operating at enterprise scale.\n_\n- 🟢 **[Chainsaw](https://github.com/WithSecureLabs/chainsaw)** ★★ ⭐3.6k · Rust · GPL-3.0\n  Rust-based Windows event log forensics tool for rapid threat hunting using Sigma rules and built-in detection logic. _Use when: When performing first-response log triage on collected EVTX files to surface indicators of compromise; compare results with Hayabusa for cross-rule coverage.\n_ _Alternatives: hayabusa_\n- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_\n\n#### 🔌 Hardware\n- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT\n  Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images. _Use when: When analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary.\n_\n\n#### 📟 IoT devices\n- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT\n  Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images. _Use when: When analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary.\n_\n\n### 🦠 Malware Analysis\n\n#### 🤖 Android\n- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0\n  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. 
_Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets.\n_ _Alternatives: radare2_\n- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐23.9k · C · LGPL-3.0\n  Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. _Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines.\n_ _Alternatives: ghidra_\n\n#### 🌐 Network (IP, TCP/UDP, services) \u003csup\u003e(showing top 3 of 7 — see [full cheatsheet](cheatsheets/network.md))\u003c/sup\u003e\n- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0\n  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets.\n_ _Alternatives: radare2_\n- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐23.9k · C · LGPL-3.0\n  Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. 
_Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines.\n_ _Alternatives: ghidra_\n- 🟢 **[YARA](https://github.com/VirusTotal/yara)** ★★ ⭐9.6k · C · BSD-3-Clause\n  Pattern matching tool for malware researchers that creates rules to identify and classify malware families based on textual or binary patterns. _Use when: When writing detection rules for malware samples or integrating signature-based detection into your SIEM, EDR, or incident response workflow for hunting known threat families.\n_ _Alternatives: sigma, suricata_\n- _…and 4 more in [`cheatsheets/network.md`](cheatsheets/network.md)_\n\n### 🧠 Threat Intelligence\n\n#### 🌐 Web applications\n- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0\n  Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains. _Use when: When you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain.\n_\n\n#### 🌐 Network (IP, TCP/UDP, services) \u003csup\u003e(showing top 3 of 7 — see [full cheatsheet](cheatsheets/network.md))\u003c/sup\u003e\n- 🟢 **[OpenCTI](https://github.com/OpenCTI-Platform/opencti)** ★★ ⭐9.4k · TypeScript · Apache-2.0\n  Open-source cyber threat intelligence platform with a knowledge graph that links threat actors, campaigns, TTPs, and observables. _Use when: When you need structured threat intelligence with entity relationships mapped to STIX 2.1 and MITRE ATT\u0026CK; use MISP when the primary need is IoC sharing and correlation.\n_ _Alternatives: misp_\n- 🟢 **[MISP](https://github.com/MISP/MISP)** ★★ ⭐6.3k · PHP · AGPL-3.0\n  Open-source threat intelligence platform for sharing, storing, and correlating IoCs, malware, and threat actor TTPs. 
_Use when: When you need a collaborative threat intelligence platform to ingest, correlate, and share IoCs across teams or partner organizations; use OpenCTI when you need richer knowledge-graph relationships between threats.\n_ _Alternatives: opencti_\n- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0\n  Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains. _Use when: When you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain.\n_\n- _…and 4 more in [`cheatsheets/network.md`](cheatsheets/network.md)_\n\n#### ☁️ AWS\n- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT\n  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts.\n_\n\n#### ☁️ Azure\n- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT\n  Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts.\n_\n\n### 🔗 SIEM \u0026 SOAR\n\n#### 🌐 Network (IP, TCP/UDP, services)\n- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0\n  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. 
Handles Windows, Linux, and cloud workloads from a single pane.\n_\n\n#### 🏛️ Active Directory\n- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0\n  Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane.\n_\n\n---\n\n## Cross-cutting\n\n### 🧪 Vulnerability Discovery\n\n#### 🌐 Web applications \u003csup\u003e(showing top 3 of 12 — see [full cheatsheet](cheatsheets/web.md))\u003c/sup\u003e\n- 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0\n  Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms. _Use when: When you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database.\n_ _Alternatives: commix_\n- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT\n  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Run with web-specific templates from nuclei-templates/http/ — CVE-tagged templates for CMS vulnerabilities, exposed admin panels, and misconfiguration checks on web targets.\n_ _Alternatives: jaeles, dalfox_\n- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.1k · Go · MIT\n  High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists. 
_Use when: When brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed.\n_ _Alternatives: feroxbuster, gobuster_\n- _…and 9 more in [`cheatsheets/web.md`](cheatsheets/web.md)_\n\n#### 🔌 APIs (REST, GraphQL, gRPC) \u003csup\u003e(showing top 3 of 9 — see [full cheatsheet](cheatsheets/api.md))\u003c/sup\u003e\n- 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0\n  Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms. _Use when: When you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database.\n_ _Alternatives: commix_\n- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT\n  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Target with api/ and exposures/ templates to detect exposed Swagger/OpenAPI docs, authentication bypass endpoints, and API key leaks in responses.\n_ _Alternatives: jaeles, dalfox_\n- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.1k · Go · MIT\n  High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists. 
_Use when: When brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed.\n_ _Alternatives: feroxbuster, gobuster_\n- _…and 6 more in [`cheatsheets/api.md`](cheatsheets/api.md)_\n\n#### 🤖 Android \u003csup\u003e(showing top 3 of 11 — see [full cheatsheet](cheatsheets/mobile-android.md))\u003c/sup\u003e\n- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0\n  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets.\n_ _Alternatives: radare2_\n- 🟢 **[JADX](https://github.com/skylot/jadx)** ★★ ⭐48.7k · Java · Apache-2.0\n  Dex-to-Java decompiler that converts Android APK and DEX files into readable Java source code with a GUI and CLI for Android application reverse engineering. _Use when: When reverse engineering Android APKs to review business logic, find hardcoded secrets, or identify insecure API calls; the GUI makes navigating decompiled class hierarchies faster than command-line tools alone.\n_ _Alternatives: apktool_\n- 🟢 **[Apktool](https://github.com/iBotPeaches/Apktool)** ★★ ⭐24.6k · Java · Apache-2.0\n  Reverse engineering tool for Android APK files that decodes resources and disassembles Dalvik bytecode to smali for analysis and modification. 
_Use when: When statically analysing an Android APK to inspect permissions, decode resources, read smali code, or modify and repackage an app for dynamic testing.\n_ _Alternatives: mobsf, frida_\n- _…and 8 more in [`cheatsheets/mobile-android.md`](cheatsheets/mobile-android.md)_\n\n#### 📱 iOS \u003csup\u003e(showing top 3 of 4 — see [full cheatsheet](cheatsheets/mobile-ios.md))\u003c/sup\u003e\n- 🟢 **[MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)** ★ ⭐21.1k · Python · GPL-3.0\n  All-in-one mobile security testing framework supporting static and dynamic analysis of Android APKs and iOS IPAs via a web-based interface. _Use when: When starting a mobile app assessment and wanting a quick automated static analysis report covering permissions, hardcoded secrets, and insecure API calls before manual testing.\n_ _Alternatives: frida, objection_\n- 🟢 **[Frida](https://github.com/frida/frida)** ★★★ ⭐20.7k · C · wxWindows\n  Dynamic instrumentation toolkit that injects JavaScript into native apps on Android, iOS, Windows, Linux, and macOS for runtime hooking and analysis. _Use when: When you need to hook API calls, bypass SSL pinning, trace function arguments, or patch runtime behavior in a mobile app without access to source code.\n_ _Alternatives: objection, xposed_\n- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.1k · Python · GPL-3.0\n  Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root. 
_Use when: When you need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore app file system during a mobile penetration test.\n_ _Alternatives: frida, mobsf_\n- _…and 1 more in [`cheatsheets/mobile-ios.md`](cheatsheets/mobile-ios.md)_\n\n#### 🌐 Network (IP, TCP/UDP, services) \u003csup\u003e(showing top 3 of 4 — see [full cheatsheet](cheatsheets/network.md))\u003c/sup\u003e\n- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0\n  NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets.\n_ _Alternatives: radare2_\n- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT\n  Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Use network/ and ssl/ templates for network service fingerprinting, protocol version detection, and SSL/TLS misconfiguration checks across port-scanned hosts.\n_ _Alternatives: jaeles, dalfox_\n- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐23.9k · C · LGPL-3.0\n  Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. 
_Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines.\n_ _Alternatives: ghidra_\n- _…and 1 more in [`cheatsheets/network.md`](cheatsheets/network.md)_\n\n#### 🧠 AI / LLM systems \u003csup\u003e(showing top 3 of 5 — see [full cheatsheet](cheatsheets/ai-llm.md))\u003c/sup\u003e\n- 🟢 **[Promptfoo](https://github.com/promptfoo/promptfoo)** ★ ⭐21.5k · TypeScript · MIT\n  Open-source LLM testing framework for red-teaming, prompt injection testing, and evaluating AI model outputs against security and safety policies. _Use when: When assessing an AI application for prompt injection, jailbreaks, or data leakage; configure test cases declaratively in YAML and run automated red-team probes against any LLM endpoint.\n_ _Alternatives: garak, pyrit_\n- 🟢 **[garak](https://github.com/NVIDIA/garak)** ★★ ⭐7.9k · Python · Apache-2.0\n  LLM vulnerability scanner — probes models for prompt injection, jailbreaks, toxicity, hallucinations, data leakage. _Use when: When red-teaming an LLM application or evaluating a model release. Modular probes cover OWASP LLM Top 10 categories; outputs structured reports suitable for engagement deliverables.\n_ _Alternatives: promptfoo, pyrit, llm-attacks_\n- 🔴 **[llm-attacks](https://github.com/llm-attacks/llm-attacks)** ★★★ ⭐4.7k · Python · MIT\n  Research framework implementing universal and transferable adversarial attacks (GCG suffix optimization) against aligned large language models to elicit harmful outputs. 
_Use when: When red-teaming LLM safety mechanisms by generating adversarial suffixes that transfer across models; use in an isolated research environment to evaluate model robustness to gradient-based jailbreak attacks.\n_ _Alternatives: garak, pyrit_\n- _…and 2 more in [`cheatsheets/ai-llm.md`](cheatsheets/ai-llm.md)_\n\n#### ⛓️ Blockchain / Web3 \u003csup\u003e(showing top 3 of 6 — see [full cheatsheet](cheatsheets/blockchain-web3.md))\u003c/sup\u003e\n- 🟢 **[Foundry](https://github.com/foundry-rs/foundry)** ★★ ⭐10.4k · Rust · Apache-2.0\n  Blazing-fast Ethereum development toolkit with built-in fuzzer (Forge), cast CLI, and Anvil local testnet for smart contract testing and exploit PoC development. _Use when: When writing fuzz tests or PoC exploits for smart contracts; Forge's invariant fuzzer finds edge cases that manual review misses, and Anvil lets you fork mainnet to reproduce live exploits locally.\n_\n- 🟢 **[Slither](https://github.com/crytic/slither)** ★★ ⭐6.3k · Python · AGPL-3.0\n  Static analysis framework for Solidity smart contracts that detects vulnerabilities, code quality issues, and anti-patterns using a suite of built-in and custom detectors. _Use when: When auditing Solidity contracts for reentrancy, integer overflow, access control flaws, and other common smart contract vulnerabilities before deployment or during a bug bounty engagement.\n_ _Alternatives: mythril_\n- 🟢 **[Mythril](https://github.com/Consensys/mythril)** ★★★ ⭐4.2k · Python · MIT\n  Security analysis tool for EVM bytecode using symbolic execution, SMT solving, and taint analysis to detect smart contract vulnerabilities at the bytecode level. 
_Use when: When performing deep symbolic execution analysis on Solidity or EVM bytecode to uncover logic flaws that static analysis misses; slower than Slither but catches complex multi-transaction vulnerabilities.\n_ _Alternatives: slither_\n- _…and 3 more in [`cheatsheets/blockchain-web3.md`](cheatsheets/blockchain-web3.md)_\n\n#### 🏛️ Active Directory\n- 🟢 **[PingCastle](https://github.com/vletoux/pingcastle)** ★★ ⭐2.9k · C# · Non-Profit OSL 3.0\n  Active Directory security audit tool that produces risk-scored reports and graphs identifying misconfigurations and attack paths. _Use when: When you need a fast executive-ready AD health report with scored risk indicators; use BloodHound for interactive attack path visualization and lateral movement analysis.\n_ _Alternatives: adrecon_\n\n#### ☁️ AWS\n- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0\n  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings.\n_ _Alternatives: cloudsploit, pacu_\n- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0\n  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. 
_Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service.\n_ _Alternatives: prowler, cloudsploit_\n- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0\n  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths.\n_ _Alternatives: prowler, pacu_\n\n#### ☁️ Google Cloud\n- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0\n  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings.\n_ _Alternatives: cloudsploit, pacu_\n- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0\n  Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service.\n_ _Alternatives: prowler, cloudsploit_\n- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0\n  Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. 
_Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths.\n_ _Alternatives: prowler, pacu_\n\n#### ☁️ Azure \u003csup\u003e(showing top 3 of 4 — see [full cheatsheet](cheatsheets/cloud-azure.md))\u003c/sup\u003e\n- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0\n  Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other complian","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvyntral%2Fawesome-killchain","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvyntral%2Fawesome-killchain","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvyntral%2Fawesome-killchain/lists"}