Sandboxes

• Volatility - Advanced memory forensics framework.
• awesome-incident-response

IR management consoles

• Rekall - Advanced forensic and incident response framework.
• TheHive - Scalable, free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, and CERTs, featuring tight integration with MISP.
• Rekall - Advanced forensic and incident response framework.

Security Orchestration, Automation, and Response (SOAR)

• asecure.cloud/tools
• Falco - Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.
• Kata Containers - Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
• Prowler - Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.
• Prowler - Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.
• Aaia - Helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j.
• Principal Mapper (PMapper) - Quickly evaluate IAM permissions in AWS via script and library capable of identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization.
• Prowler - Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.
• Scout Suite - Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
• gVisor - Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.

Distributed monitoring

• Cortex - Provides horizontally scalable, highly available, multi-tenant, long term storage for Prometheus.
• Jaeger - Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems.
• OpenTelemetry - Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects).
• Prometheus - Open-source systems monitoring and alerting toolkit originally built at SoundCloud.
• Zipkin - Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures.

Kubernetes

• Kubernetes-Security.info
• KubeSec - Static analyzer of Kubernetes manifests that can be run locally, as a Kuberenetes admission controller, or as its own cloud service.
• Kyverno - Policy engine designed for Kubernetes.
• Linkerd - Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself.
• Polaris - Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster.
• Managed Kubernetes Inspection Tool (MKIT) - Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
• Sealed Secrets - Kubernetes controller and tool for one-way encrypted Secrets.
• certificate-expiry-monitor - Utility that exposes the expiry of TLS certificates as Prometheus metrics.
• k-rail - Workload policy enforcement tool for Kubernetes.
• kube-forensics - Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.
• kube-hunter - Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.
• kubernetes-event-exporter - Allows exporting the often missed Kubernetes events to various outputs so that they can be used for observability or alerting purposes.
• kube-hunter - Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.

Service meshes

• ServiceMesh.es
• Consul - Solution to connect and configure applications across dynamic, distributed infrastructure and, with Consul Connect, enabling secure service-to-service communication with automatic TLS encryption and identity-based authorization.
• Istio - Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

Service meshes

• Geneva (Genetic Evasion) - Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.
• GlobaLeaks - Free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.
• SecureDrop - Open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.
• Teleport - Allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments.
• GPG Sync - Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team.
• Geneva (Genetic Evasion) - Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.

Supply chain security

• in-toto - Framework to secure the integrity of software supply chains.
• Grafeas - Open artifact metadata API to audit and govern your software supply chain.
• Notary - Aims to make the internet more secure by making it easy for people to publish and verify content.
• Helm GPG (GnuPG) Plugin - Chart signing and verification with GnuPG for Helm.
• Notary - Aims to make the internet more secure by making it easy for people to publish and verify content.

Service meshes

• Checkov - Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
• Cilium - Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
• Clair - Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.
• CodeQL - Discover vulnerabilities across a codebase by performing queries against code as though it were data.
• DefectDojo - Application vulnerability management tool built for DevOps and continuous security integration.
• Gauntlt - Pentest applications during routine continuous integration build pipelines.
• SOPS - Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.
• Snyk - Finds and fixes vulnerabilities and license violations in open source dependencies and container images.
• SonarQube - Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.
• Vault - Tool for securely accessing secrets such as API keys, passwords, or certificates through a unified interface.
• git-crypt - Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.
• terrascan - Static code analyzer for Infrastructure as Code tools that helps detect compliance and security violations to mitigate risk before provisioning cloud native resources.
• SOPS - Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.
• awesome-devsecops
• Bane - Custom and better AppArmor profile generator for Docker containers.
• BlackBox - Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG.
• Clair - Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.
• Git Secrets - Prevents you from committing passwords and other sensitive information to a git repository.
• Trivy - Simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for use in continuous integration pipelines.
• helm-secrets - Helm plugin that helps manage secrets with Git workflow and stores them anywhere, backed by SOPS.
• tfsec - Static analysis security scanner for your Terraform code designed to run locally and in CI pipelines.
• SOPS - Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.

Application or Binary Hardening

• DynInst - Tools for binary instrumentation, analysis, and modification, useful for binary patching.
• DynamoRIO - Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.
• Egalito - Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.
• Valgrind - Instrumentation framework for building dynamic analysis tools.

Compliance testing and reporting

• Chef InSpec - Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.
• OpenSCAP Base - Both a library and a command line tool (`oscap`) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).

Fuzzing

• Atheris - Coverage-guided Python fuzzing engine based off of libFuzzer that supports fuzzing of Python code but also native extensions written for CPython.
• Awesome-Fuzzing
• FuzzBench - Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.
• OneFuzz - Self-hosted Fuzzing-as-a-Service (FaaS) platform.

Policy enforcement

• Conftest - Utility to help you write tests against structured configuration data.
• Open Policy Agent (OPA) - Unified toolset and framework for policy across the cloud native stack.
• Regula - Checks infrastructure as code templates (Terraform, CloudFormation, K8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego.
• AllStar - GitHub App installed on organizations or repositories to set and enforce security policies.
• Tang - Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network.

Dependency confusion

• Dependency Combobulator - Open source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.
• Confusion checker - Script to check if you have artifacts containing the same name between your repositories.
• snync - Prevent and detect if you're vulnerable to dependency confusion supply chain security attacks.

Supply chain security

• awesome-honeypots
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• CanaryTokens - Self-hostable honeytoken generator and reporting dashboard; demo version available at [CanaryTokens.org](https://canarytokens.org/).
• Manuka - Open-sources intelligence (OSINT) honeypot that monitors reconnaissance attempts by threat actors and generates actionable intelligence for Blue Teamers.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.
• Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Tarpits

• LaBrea - Program that answers ARP requests for unused IP space, creating the appearance of fake machines that answer further requests very slowly in order to slow down scanners, worms, etcetera.
• Endlessh - SSH tarpit that slowly sends an endless banner.

Tarpits

• Crowd Inspect - Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.
• Fail2ban - Intrusion prevention software framework that protects computer servers from brute-force attacks.
• Open Source HIDS SECurity (OSSEC) - Fully open source and free, feature-rich, Host-based Instrusion Detection System (HIDS).
• Rootkit Hunter (rkhunter) - POSIX-compliant Bash script that scans a host for various signs of malware.
• Shufflecake - Plausible deniability for multiple hidden filesystems on Linux.
• chkrootkit - Locally checks for signs of a rootkit on GNU/Linux systems.
• Rootkit Hunter (rkhunter) - POSIX-compliant Bash script that scans a host for various signs of malware.
• Artillery - Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.
• USB Keystroke Injection Protection - Daemon for blocking USB keystroke injection devices on Linux systems.

Sandboxes

• Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.
• Firejail - SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Sandboxes

• Gluu Server - Central authentication and authorization for Web and mobile applications with a Free and Open Source Software cloud-native community distribution.

Firewall appliances or distributions

• BadBlood - Fills a test (non-production) Windows Domain with data that enables security analysts and engineers to practice using tools to gain an understanding and prescribe to securing Active Directory.
• Caldera - Scalable, automated, and extensible adversary emulation platform developed by MITRE.
• Drool - Replay DNS traffic from packet capture files and send it to a specified server, such as for simulating DDoS attacks on the DNS and measuring normal DNS querying.
• Infection Monkey - Open-source breach and attack simulation (BAS) platform that helps you validate existing controls and identify how attackers might exploit your current network security gaps.
• tcpreplay - Suite of free Open Source utilities for editing and replaying previously captured network traffic originally designed to replay malicious traffic patterns to Intrusion Detection/Prevention Systems.
• Atomic Red Team - Library of simple, automatable tests to execute for testing security controls.
• Stratus Red Team - Emulate offensive attack techniques in a granular and self-contained manner against a cloud environment; think "Atomic Red Team™ for the cloud."

Post-engagement analysis and reporting

• Bunkerized-nginx - Docker image of an NginX configuration and scripts implementing many defensive techniques for Web sites.
• Bunkerized-nginx - Docker image of an NginX configuration and scripts implementing many defensive techniques for Web sites.

Endpoint Detection and Response (EDR)

• Wazuh - Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.

Network Security Monitoring (NSM)

• awesome-pcaptools
• OwlH - Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.
• Snort - Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.
• Suricata - Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.
• VAST - Free and open-source network telemetry engine for data-driven security investigations.
• Wireshark - Free and open-source packet analyzer useful for network troubleshooting or forensic netflow analysis.
• Zeek - Powerful network analysis framework focused on security monitoring, formerly known as Bro.
• netsniff-ng - Free and fast GNU/Linux networking toolkit with numerous utilities such as a connection tracking tool (`flowtop`), traffic generator (`trafgen`), and autonomous system (AS) trace route utility (`astraceroute`).
• Wireshark - Free and open-source packet analyzer useful for network troubleshooting or forensic netflow analysis.

Threat hunting

• Logging Made Easy (LME) - Free and open logging and protective monitoring solution serving.
• Redline - Freeware endpoint auditing and analysis tool that provides host-based investigative capabilities, offered by FireEye, Inc.

Security Information and Event Management (SIEM)

• AlienVault OSSIM - Single-server open source SIEM platform featuring asset discovery, asset inventorying, behavioral monitoring, and event correlation, driven by AlienVault Open Threat Exchange (OTX).
• Prelude SIEM OSS - Open source, agentless SIEM with a long history and several commercial variants featuring security event collection, normalization, and alerting from arbitrary log input and numerous popular monitoring tools.
• AlienVault OSSIM - Single-server open source SIEM platform featuring asset discovery, asset inventorying, behavioral monitoring, and event correlation, driven by AlienVault Open Threat Exchange (OTX).

Service and performance monitoring

• awesome-sysadmin#monitoring
• Icinga - Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.
• Locust - Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.
• Nagios - Popular network and service monitoring solution and reporting platform.
• OpenNMS - Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).
• osquery - Operating system instrumentation framework for macOS, Windows, and Linux, exposing the OS as a high-performance relational database that can be queried with a SQL-like syntax.
• Zabbix - Mature, enterprise-level platform to monitor large-scale IT environments.
• awesome-sysadmin#monitoring

Post-engagement analysis and reporting

• Crossfeed - Continuously enumerates and monitors an organization’s public-facing attack surface in order to discover assets and flag potential security flaws.

Evidence collection

• fwknop - Protects ports via Single Packet Authorization in your firewall.

Firewall appliances or distributions

• Wikipedia: List of router and firewall distributions
• IPFire - Hardened GNU/Linux based router and firewall distribution forked from IPCop.
• OPNsense - Hardened FreeBSD based firewall and routing platform forked from pfSense.
• pfSense - FreeBSD firewall and router distribution forked from m0n0wall.

Firewall appliances or distributions

• Computer Aided Investigative Environment (CAINE) - Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.
• Security Onion - Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management.
• Qubes OS - Desktop environment built atop the Xen hypervisor project that runs each end-user program in its own virtual machine intended to provide strict security controls to constrain the reach of any successful malware exploit.

Firewall appliances or distributions

• Gophish - Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.
• King Phisher - Tool for testing and promoting user awareness by simulating real world phishing attacks.

Threat hunting

• AttackerKB - Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.
• Malware Information Sharing Platform and Threat Sharing (MISP) - Open source software solution for collecting, storing, distributing and sharing cyber security indicators.
• Open Source Vulnerabilities (OSV) - Vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.
• Sigma - Generic signature format for SIEM systems, offering an open signature format that allows you to describe relevant log events in a straightforward manner.

Fingerprinting

• JA3 - Extracts SSL/TLS handshake settings for fingerprinting and communicating about a given TLS implementation.

Threat signature packages and collections

• FireEye's Red Team Tool Countermeasures - Collection of Snort and YARA rules to detect attacks carried out with FireEye's own Red Team tools, first released after FireEye disclosed a breach in December 2020.

Threat signature packages and collections

• OnionBalance - Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure.

Threat signature packages and collections

• Certbot - Free tool to automate the issuance and renewal of TLS certificates from the [LetsEncrypt Root CA](https://letsencrypt.org/) with plugins that configure various Web and e-mail server software.
• Tor - Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (`.onion` domains) to enhance publisher privacy and service availability.

Overlay and Virtual Private Networks (VPNs)

• Firezone - Self-hosted VPN server built on WireGuard that supports MFA and SSO.
• OpenVPN - Longstanding Free Software traditional SSL/TLS-based virtual private network.
• OpenZITI - Open source initiative focused on bringing Zero Trust to any application via an overlay network, tunelling applications, and numerous SDKs.
• Tailscale - Managed freemium mesh VPN service built on top of WireGuard.
• WireGuard - Extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.
• tinc - Free Software mesh VPN implemented entirely in userspace that supports expandable network space, bridged ethernet segments, and more.

Overlay and Virtual Private Networks (VPNs)

• BlockBlock - Monitors common persistence locations and alerts whenever a persistent component is added, which helps to detect and prevent malware installation.
• LuLu - Free macOS firewall.
• macOS Fortress - Automated configuration of kernel-level, OS-level, and client-level security features including privatizing proxying and anti-virus scanning for macOS.

Overlay and Virtual Private Networks (VPNs)

• awesome-windows#security - windows-domain-hardening](https://github.com/PaulSec/awesome-windows-domain-hardening).
• CobaltStrikeScan - Scan files or process memory for Cobalt Strike beacons and parse their configuration.
• Sandboxie - Free and open source general purpose Windows application sandboxing utility.
• Sigcheck - Audit a Windows host's root certificate store against Microsoft's [Certificate Trust List (CTL)](https://docs.microsoft.com/en-us/windows/desktop/SecCrypto/certificate-trust-list-overview).
• HardenTools - Utility that disables a number of risky Windows features.
• Sandboxie - Free and open source general purpose Windows application sandboxing utility.

Active Directory

• PingCastle - Active Directory vulnerability detection and reporting tool.

• Clevis - Plugable framework for automated decryption, often used as a Tang client.
• DShell - Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.
• Password Manager Resources - Collaborative, crowd-sourced data and code to make password management better.
• Dev-Sec.io - Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.
• peepdf - Scriptable PDF file analyzer.
• PyREBox - Python-scriptable reverse engineering sandbox, based on QEMU.
• Watchtower - Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience.

Code libraries and bindings

• MultiScanner - File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.
• Posh-VirusTotal - PowerShell interface to VirusTotal.com APIs.
• censys-python - Python wrapper to the Censys REST API.
• libcrafter - High level C++ network packet sniffing and crafting library.
• python-dshield - Pythonic interface to the Internet Storm Center/DShield API.
• python-sandboxapi - Minimal, consistent Python API for building integrations with malware sandboxes.
• python-stix2 - Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks.
• python-sandboxapi - Minimal, consistent Python API for building integrations with malware sandboxes.

Security Orchestration, Automation, and Response (SOAR)

• Shuffle - Graphical generalized workflow (automation) builder for IT professionals and blue teamers.