Ecosyste.ms: Awesome


awesome-blueteam


https://github.com/0xZipp0/awesome-blueteam


  • Automation

      • Clevis - Plugable framework for automated decryption, often used as a Tang client.
      • DShell - Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.
      • Dev-Sec.io - Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.
      • peepdf - Scriptable PDF file analyzer.
      • PyREBox - Python-scriptable reverse engineering sandbox, based on QEMU.
      • Watchtower - Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience.
    • Code libraries and bindings

      • MultiScanner - File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.
      • Posh-VirusTotal - PowerShell interface to VirusTotal.com APIs.
      • censys-python - Python wrapper to the Censys REST API.
      • libcrafter - High level C++ network packet sniffing and crafting library.
      • python-dshield - Pythonic interface to the Internet Storm Center/DShield API.
      • python-stix2 - Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks.
      • python-sandboxapi - Minimal, consistent Python API for building integrations with malware sandboxes.
    • Security Orchestration, Automation, and Response (SOAR)

      • Shuffle - Graphical generalized workflow (automation) builder for IT professionals and blue teamers.
  • Cloud platform security

      • Prowler - Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.
      • Scout Suite - Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
      • gVisor - Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.
      • asecure.cloud/tools
      • Checkov - Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
      • Falco - Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.
      • Kata Containers - Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
    • Kubernetes

      • Managed Kubernetes Inspection Tool (MKIT) - Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
      • kube-forensics - Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.
      • KubeSec - Static analyzer of Kubernetes manifests that can be run locally, as a Kubernetes admission controller, or as its own cloud service.
      • Linkerd - Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself.
      • Polaris - Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster.
      • kube-hunter - Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.
    • Distributed observability and tracing

      • OpenTelemetry - Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects).
      • Jaeger - Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems.
      • Zipkin - Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures.
    • Service meshes

      • ServiceMesh.es
      • Istio - Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
  • Communications security (COMSEC)

      • GPG Sync - Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team.
      • GlobaLeaks - Free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
      • SecureDrop - Open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.
      • Geneva (Genetic Evasion) - Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.
  • DevSecOps

      • awesome-devsecops
      • Bane - Custom and better AppArmor profile generator for Docker containers.
      • BlackBox - Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG.
      • Clair - Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.
      • Git Secrets - Prevents you from committing passwords and other sensitive information to a git repository.
      • Trivy - Simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for use in continuous integration pipelines.
      • Cilium - Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
      • DefectDojo - Application vulnerability management tool built for DevOps and continuous security integration.
      • Gauntlt - Pentest applications during routine continuous integration build pipelines.
      • Snyk - Finds and fixes vulnerabilities and license violations in open source dependencies and container images.
      • Vault - Tool for securely accessing secrets such as API keys, passwords, or certificates through a unified interface.
      • git-crypt - Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.
      • SOPS - Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.
    • Fuzzing

      • Awesome-Fuzzing
      • FuzzBench - Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.
      • OneFuzz - Self-hosted Fuzzing-as-a-Service (FaaS) platform.
      • Atheris - Coverage-guided Python fuzzing engine based on libFuzzer that supports fuzzing of Python code as well as native extensions written for CPython.
    • Policy enforcement

      • Tang - Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network.
      • OpenPolicyAgent - Unified toolset and framework for policy across the cloud native stack.
    • Application or Binary Hardening

      • DynInst - Tools for binary instrumentation, analysis, and modification, useful for binary patching.
      • DynamoRIO - Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.
      • Egalito - Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.
    • Compliance testing and reporting

      • Chef InSpec - Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.
      • OpenSCAP Base - Both a library and a command line tool (`oscap`) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).
  • Honeypots

      • CanaryTokens - Self-hostable honeytoken generator and reporting dashboard; demo version available at [CanaryTokens.org](https://canarytokens.org/).
      • awesome-honeypots
      • Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
    • Tarpits

      • Endlessh - SSH tarpit that slowly sends an endless banner.
  • Host-based tools

      • Artillery - Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.
      • Crowd Inspect - Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.
      • Open Source HIDS SECurity (OSSEC) - Fully open source and free, feature-rich, Host-based Intrusion Detection System (HIDS).
    • Sandboxes

      • Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.
      • Firejail - SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.
  • Incident Response tools

    • IR management consoles

      • Rekall - Advanced forensic and incident response framework.
      • TheHive - Scalable, free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, and CERTs, featuring tight integration with MISP.
  • Network perimeter defenses

      • fwknop - Protects ports via Single Packet Authorization in your firewall.
    • Firewall appliances or distributions

  • Phishing awareness and reporting

      • Gophish - Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.
  • Preparedness training and wargaming

      • Atomic Red Team - Library of simple, automatable tests to execute for testing security controls.
      • BadBlood - Fills a test (non-production) Windows Domain with data so that security analysts and engineers can practice using tools to understand, and prescribe remedies for, securing Active Directory.
  • Security monitoring

    • Endpoint Detection and Response (EDR)

      • Wazuh - Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.
    • Network Security Monitoring (NSM)

      • awesome-pcaptools
      • OwlH - Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.
      • Snort - Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.
      • Suricata - Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.
      • Zeek - Powerful network analysis framework focused on security monitoring, formerly known as Bro.
      • netsniff-ng - Free and fast GNU/Linux networking toolkit with numerous utilities such as a connection tracking tool (`flowtop`), traffic generator (`trafgen`), and autonomous system (AS) trace route utility (`astraceroute`).
    • Security Information and Event Management (SIEM)

      • Prelude SIEM OSS - Open source, agentless SIEM with a long history and several commercial variants featuring security event collection, normalization, and alerting from arbitrary log input and numerous popular monitoring tools.
    • Service and performance monitoring

      • Icinga - Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.
      • Locust - Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.
      • Zabbix - Mature, enterprise-level platform to monitor large-scale IT environments.
  • Threat intelligence

    • Threat hunting

  • Transport-layer defenses

      • Certbot - Free tool to automate the issuance and renewal of TLS certificates from the [LetsEncrypt Root CA](https://letsencrypt.org/) with plugins that configure various Web and e-mail server software.
      • OpenVPN - Open source, SSL/TLS-based virtual private network (VPN).
  • Windows-based defenses

      • awesome-windows#security
      • [awesome-windows-domain-hardening](https://github.com/PaulSec/awesome-windows-domain-hardening)
      • Sandboxie - Free and open source general purpose Windows application sandboxing utility.