https://github.com/vyntral/awesome-killchain
MITRE ATT&CK-aligned offensive + defensive security toolkit. 140+ tools organized by tactic × target with live health signals refreshed daily.
List: awesome-killchain
- Host: GitHub
- URL: https://github.com/vyntral/awesome-killchain
- Owner: Vyntral
- License: mit
- Created: 2026-05-23T09:37:37.000Z (25 days ago)
- Default Branch: main
- Last Pushed: 2026-05-23T14:05:19.000Z (25 days ago)
- Last Synced: 2026-05-23T14:18:21.525Z (25 days ago)
- Topics: awesome, awesome-list, blue-team, bug-bounty, ctf, cybersecurity, ethical-hacking, hacking, infosec, kill-chain, mitre-attack, pentest, pentesting, red-team, security, security-tools
- Language: TypeScript
- Size: 279 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Contributing: CONTRIBUTING.md
- License: LICENSE-CODE
- Code of conduct: CODE_OF_CONDUCT.md
README
# Awesome Killchain
> **Find the right tool for the phase you're in.** MITRE ATT&CK-aligned offensive + defensive toolkit. Organized by tactic × target with live quality signals.
🟢 115 active · 🟡 12 stale · 🔴 28 unmaintained · last refresh: 2026-05-23
> ⭐ **Find this useful?** [Star the repo](https://github.com/Vyntral/awesome-killchain) — it helps other operators discover it and signals which tools deserve more curation effort.
## 📊 At a glance
**🏆 Top 5 by AKS Score (Awesome Killchain Score, 0–100):**
| | Tool | AKS | Stars |
|--|------|----:|------:|
| 🥇 | **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** | 99 | 68.8k |
| 🥈 | **[SecLists](https://github.com/danielmiessler/SecLists)** | 97 | 71.1k |
| 🥉 | **[Promptfoo](https://github.com/promptfoo/promptfoo)** | 97 | 21.5k |
| 4 | **[Trivy](https://github.com/aquasecurity/trivy)** | 96 | 35.1k |
| 5 | **[Maigret](https://github.com/soxoj/maigret)** | 96 | 30k |
📊 **[Full live dashboard →](DASHBOARD.md)** with ATT&CK heatmap, hidden gems, legacy brands, sankey flow, language/license breakdowns, and more (auto-refreshed daily).
## Why awesome-killchain?
The space already has [great awesome lists](https://github.com/Hack-with-Github/Awesome-Hacking). This one is different on purpose — it indexes tools by **MITRE ATT&CK tactic × target domain**, not alphabetically.
| | This list | Typical awesome list |
| --- | --- | --- |
| Organization | **MITRE ATT&CK tactic × target matrix** — find tools by the phase you're in, not alphabetically | Alphabetical, or one flat dump |
| Quality signals | **🟢🟡🔴 health auto-refreshed daily** by CI (stars, last release, archived flag) | Static markdown, link rot accumulates |
| Editorial value | Each tool has **`when_to_use`** (1-2 operational sentences) and **`alternatives`** | Just name + one-line description |
| Per-domain reference | **[Auto-generated cheatsheets](cheatsheets/)** — one per target (web, AD, cloud-aws, ai-llm, …) | None |
| Source of truth | YAML files in [`data/tools/`](data/tools/) — easy to contribute, easy to fork | Hand-edited markdown that drifts |
**Use this list when:** you want a workflow-driven reference that answers _"I'm in phase X targeting Y, what's the right tool?"_ with current, maintained options.
Defensive entries are mapped to the **MITRE D3FEND** countermeasure framework (Detection, Hardening, Isolation, Deception, Eviction, Restoration) — the official ATT&CK companion for defenders that no other awesome-list cites in earnest.
**Use [`enaqx/awesome-pentest`](https://github.com/enaqx/awesome-pentest) (26k★) or [`Hack-with-Github`](https://github.com/Hack-with-Github/Awesome-Hacking) (112k★) when:** you want broad alphabetical coverage of everything ever made.
### What we don't track
This list focuses on **tools with a public GitHub presence** so we can keep live metadata fresh. Essential commercial tools without a GitHub repo (Burp Suite, Cobalt Strike, KAPE, Nessus, etc.) are intentionally out of scope — they're widely covered elsewhere and we'd rather not pretend to track their freshness.
### Related projects worth knowing
- **[mukul975/Threatswarm](https://github.com/mukul975/Threatswarm)** — AI agents that *execute* kill-chain operations as a Claude Code plugin. Different category from this list (they run, we index), but the two complement: use this repo as the knowledge base for what to invoke.
---
## How to navigate
- 📂 **Browse by target:** see [cheatsheets/](cheatsheets/) for per-domain tool lists (web, cloud-aws, active-directory, ai-llm, ...)
- 📊 **See the live dashboard:** [DASHBOARD.md](DASHBOARD.md) — Mermaid charts of tool health, AKS distribution, ATT&CK coverage, top/bottom 10, hidden gems, and more, auto-refreshed daily
- 📖 **Read here:** scroll by ATT&CK tactic phase below
- 🎯 **Looking for a scenario?** see [Playbooks](#playbooks)
- 🔌 **Consume as data:** machine-readable `tools.json` available as [release asset](https://github.com/Vyntral/awesome-killchain/releases/latest) — schema + playbooks + taxonomy bundled
- 🪦 **Tools that died:** see [OBITUARIES.md](OBITUARIES.md) for the stories behind the 🔴 entries
- 💎 **One operator's picks:** see [stacks/](stacks/) for opinionated minimum-viable stacks (web BB, AD, AWS, mobile, AI, web3) with explicit rejections
- 🚨 **CVE responses:** see [cve-responses/](cve-responses/) for structured detection/exploitation/mitigation mappings when critical CVEs drop
## Legend
| Symbol | Meaning |
|--------|---------|
| 🟢🟡🔴 | Health (active / stale / unmaintained) |
| ⭐ N | GitHub stars (auto-refreshed daily) |
| ★ / ★★ / ★★★ | Beginner / Intermediate / Advanced |
| 💰 | Paid or freemium |
---
## Offensive (ATT&CK tactics)
### 🔍 Reconnaissance
#### 🌐 Web applications (showing top 3 of 23 — see [full cheatsheet](cheatsheets/web.md))
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT
Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Run with web-specific templates from nuclei-templates/http/ — CVE-tagged templates for CMS vulnerabilities, exposed admin panels, and misconfiguration checks on web targets._ _Alternatives: jaeles, dalfox_
- 🟢 **[SpiderFoot](https://github.com/smicallef/spiderfoot)** ★★ ⭐17.9k · Python · MIT
Automated OSINT collection framework that correlates data across 200+ modules covering IPs, domains, emails, and threat intel feeds. _Use when: When you need fully automated, deep passive reconnaissance with correlated results across dozens of data sources; use recon-ng when you prefer manual module-by-module control._ _Alternatives: recon-ng_
- 🟢 **[Katana](https://github.com/projectdiscovery/katana)** ★★ ⭐16.7k · Go · MIT
Next-generation web crawler designed for automated endpoint discovery with JavaScript parsing and headless browser support. _Use when: When you have confirmed live web targets and need to map all reachable endpoints, forms, and JS-loaded paths before manual testing or automated scanning._ _Alternatives: gospider, hakrawler_
- _…and 20 more in [`cheatsheets/web.md`](cheatsheets/web.md)_
#### 🔌 APIs (REST, GraphQL, gRPC) (showing top 3 of 9 — see [full cheatsheet](cheatsheets/api.md))
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT
Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Target with api/ and exposures/ templates to detect exposed Swagger/OpenAPI docs, authentication bypass endpoints, and API key leaks in responses._ _Alternatives: jaeles, dalfox_
- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.1k · Go · MIT
High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists. _Use when: When brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed._ _Alternatives: feroxbuster, gobuster_
- 🟢 **[OWASP ZAP](https://github.com/zaproxy/zaproxy)** ★ ⭐15.2k · Java · Apache-2.0
Open-source web application security scanner maintained by OWASP, with automated scanning, spidering, and a proxy for manual testing. _Use when: When you need a free, fully automated web scanner or a Burp alternative in CI/CD pipelines where a headless/API-driven scan is required._ _Alternatives: burp-suite_
- _…and 6 more in [`cheatsheets/api.md`](cheatsheets/api.md)_
#### 🤖 Android
- 🟡 **[APKLeaks](https://github.com/dwisiswant0/apkleaks)** ★ ⭐6.1k · Python · Apache-2.0
Scans APK files for hardcoded URIs, endpoints, secrets, and API keys using regex pattern matching on decompiled code. _Use when: As a fast first step when receiving an Android APK to extract hardcoded secrets, API endpoints, and sensitive strings before deeper static or dynamic analysis._
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT
Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Use network/ and ssl/ templates for network service fingerprinting, protocol version detection, and SSL/TLS misconfiguration checks across port-scanned hosts._ _Alternatives: jaeles, dalfox_
- 🟢 **[Masscan](https://github.com/robertdavidgraham/masscan)** ★★ ⭐25.7k · C · AGPL-3.0
Fastest TCP/UDP port scanner capable of scanning the entire IPv4 internet in under six minutes using a custom async network stack. _Use when: When you need rapid port discovery across large CIDR ranges where nmap speed is insufficient; feed the open port list into nmap for service/version detection afterward._ _Alternatives: naabu, nmap_
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🔴 **[Kerbrute](https://github.com/ropnop/kerbrute)** ★★ ⭐3.3k · Go · MIT
Fast Kerberos pre-auth brute-forcing and user enumeration tool that avoids traditional LDAP queries by speaking directly to the KDC. _Use when: When you need to enumerate valid AD usernames or spray passwords against Kerberos without triggering LDAP-based detection; combines with a user list from OSINT for AS-REP roasting prep._ _Alternatives: rubeus_
- 🟢 **[PingCastle](https://github.com/vletoux/pingcastle)** ★★ ⭐2.9k · C# · Non-Profit OSL 3.0
Active Directory security audit tool that produces risk-scored reports and graphs identifying misconfigurations and attack paths. _Use when: When you need a fast executive-ready AD health report with scored risk indicators; use BloodHound for interactive attack path visualization and lateral movement analysis._ _Alternatives: adrecon_
- 🟡 **[ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump)** ★★ ⭐1.4k · Python · MIT
Active Directory information dumper via LDAP that exports users, groups, computers, and GPOs to structured JSON and HTML reports. _Use when: When you have valid domain credentials and want a quick structured dump of AD objects (users, groups, computers, policies) for offline analysis without installing BloodHound._ _Alternatives: bloodhound-python_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### ☁️ AWS (showing top 3 of 5 — see [full cheatsheet](cheatsheets/cloud-aws.md))
- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._ _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._ _Alternatives: prowler, cloudsploit_
- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause
AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments. _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account._ _Alternatives: cloudsploit, prowler_
- _…and 2 more in [`cheatsheets/cloud-aws.md`](cheatsheets/cloud-aws.md)_
#### ☁️ Google Cloud
- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._ _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._ _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._ _Alternatives: prowler, pacu_
#### ☁️ Azure (showing top 3 of 4 — see [full cheatsheet](cheatsheets/cloud-azure.md))
- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._ _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._ _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._ _Alternatives: prowler, pacu_
- _…and 1 more in [`cheatsheets/cloud-azure.md`](cheatsheets/cloud-azure.md)_
#### ☁️ Cloud (generic / multi-cloud)
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._ _Alternatives: prowler, pacu_
#### 🏭 ICS / SCADA
- 🟡 **[modbus-cli](https://github.com/tallakt/modbus-cli)** ★ ⭐114 · Ruby · MIT
Command-line client for reading from and writing to Modbus devices over TCP or serial connections. _Use when: When you need to quickly read registers or coils from a Modbus device during an ICS assessment to understand process data without writing custom code._
- 🔴 **[PLCscan](https://github.com/meeas/plcscan)** ★★ ⭐113 · Python · MIT
Scanner for detecting Siemens S7 and Modbus PLCs on a network during ICS security assessments. _Use when: When scoping an ICS/OT assessment and you need to identify reachable PLCs on a network segment. Use before deeper protocol-level testing with ISF or manual interaction._
#### 📶 Radio / wireless
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
#### 🐳 Containers / Kubernetes
- 🔴 **[kube-hunter](https://github.com/aquasecurity/kube-hunter)** ★★ ⭐5k · Python · Apache-2.0
Kubernetes cluster penetration testing tool that hunts for security weaknesses from inside or outside the cluster, including RBAC misconfigurations and exposed APIs. _Use when: When testing a Kubernetes cluster for exposed API endpoints, privileged pods, or RBAC misconfigurations; run in remote mode from outside and passive mode from inside a compromised pod._ _Alternatives: kubescape_
### 🧰 Resource Development
#### 🌐 Network (IP, TCP/UDP, services)
- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0
MITRE's automated adversary emulation platform that executes ATT&CK-mapped TTPs to test defenses. _Use when: Run network-targeted adversary profiles to validate lateral movement detection — test SMB, WMI, and SSH-based movement techniques with ATT&CK-mapped operations across network segments._ _Alternatives: atomic-red-team, stratus-red-team_
#### 🏛️ Active Directory
- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0
MITRE's automated adversary emulation platform that executes ATT&CK-mapped TTPs to test defenses. _Use when: Deploy AD-specific adversary profiles (Kerberoasting, DCSync, pass-the-hash) to validate your EDR and SIEM detection coverage on domain-joined infrastructure before a real engagement._ _Alternatives: atomic-red-team, stratus-red-team_
#### ☁️ AWS
- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. _Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._ _Alternatives: atomic-red-team_
#### ☁️ Azure
- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. _Use when: When validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._ _Alternatives: atomic-red-team_
### 🚪 Initial Access
#### 🌐 Web applications
- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause
Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._ _Alternatives: sliver, cobalt-strike_
- 🟡 **[Evilginx2](https://github.com/kgretzky/evilginx2)** ★★★ ⭐15.1k · Go · BSD-3-Clause
Man-in-the-middle phishing framework that captures session cookies and credentials by proxying authentication flows, bypassing MFA. _Use when: On red team engagements where the target uses MFA and standard credential phishing won't work; requires a convincing lookalike domain and valid TLS certificate to be effective._ _Alternatives: gophish, modlishka_
- 🔴 **[GoPhish](https://github.com/gophish/gophish)** ★ ⭐13.9k · Go · MIT
Open-source phishing simulation framework for building, launching, and tracking phishing campaigns against target organizations. _Use when: When scoping a phishing simulation or red team initial access phase; provides a built-in dashboard for tracking click rates and credential submissions per campaign._ _Alternatives: evilginx2, king-phisher_
#### 🌐 Network (IP, TCP/UDP, services)
- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause
Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._ _Alternatives: sliver, cobalt-strike_
- 🟢 **[Responder](https://github.com/lgandx/Responder)** ★★ ⭐6.5k · Python · GPL-3.0
LLMNR, NBT-NS, and MDNS poisoner that captures NTLMv1/v2 hashes from Windows hosts on the local network for offline cracking or relay attacks. _Use when: When you have network-level access to a Windows environment and want to passively capture NetNTLM hashes via protocol poisoning for cracking or relay with ntlmrelayx._ _Alternatives: inveigh_
#### 🏛️ Active Directory
- 🟢 **[Responder](https://github.com/lgandx/Responder)** ★★ ⭐6.5k · Python · GPL-3.0
LLMNR, NBT-NS, and MDNS poisoner that captures NTLMv1/v2 hashes from Windows hosts on the local network for offline cracking or relay attacks. _Use when: When you have network-level access to a Windows environment and want to passively capture NetNTLM hashes via protocol poisoning for cracking or relay with ntlmrelayx._ _Alternatives: inveigh_
### ▶️ Execution
#### 🌐 Web applications
- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause
Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._ _Alternatives: sliver, cobalt-strike_
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 9 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Metasploit Framework](https://github.com/rapid7/metasploit-framework)** ★★ ⭐38.2k · Ruby · BSD-3-Clause
Widely-used penetration testing framework with a large library of exploits, payloads, and auxiliary modules for network and web attacks. _Use when: When you've identified a known CVE on a service and want a reliable, tested exploit with post-exploitation modules; use msfvenom for payload generation outside the interactive console._ _Alternatives: sliver, cobalt-strike_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- 🟢 **[Sliver](https://github.com/BishopFox/sliver)** ★★★ ⭐11.3k · Go · GPL-3.0
Open-source cross-platform adversary simulation C2 framework supporting mTLS, WireGuard, HTTP/S, and DNS communication channels. _Use when: When you need a free, actively maintained C2 alternative to Cobalt Strike with modern implant generation and multiplayer operator support for red team operations._ _Alternatives: cobalt-strike, mythic_
- _…and 6 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 5 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: When performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- 🟢 **[Caldera](https://github.com/mitre/caldera)** ★★★ ⭐7k · Python · Apache-2.0
MITRE's automated adversary emulation platform that executes ATT&CK-mapped TTPs to test defenses. _Use when: Deploy AD-specific adversary profiles (Kerberoasting, DCSync, pass-the-hash) to validate your EDR and SIEM detection coverage on domain-joined infrastructure before a real engagement._ _Alternatives: atomic-red-team, stratus-red-team_
- 🟢 **[Evil-WinRM](https://github.com/Hackplayers/evil-winrm)** ★★ ⭐5.4k · Ruby · LGPL-3.0
WinRM shell for penetration testing that provides file transfer, in-memory PowerShell script loading, and pass-the-hash authentication support. _Use when: When WinRM (port 5985/5986) is open on a Windows target and you have valid credentials or an NTLM hash to obtain an interactive shell with built-in upload/download capability._ _Alternatives: impacket, crackmapexec_
- _…and 2 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
### 📌 Persistence
#### 🏛️ Active Directory
- 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0
Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments._ _Alternatives: impacket, certipy_
- 🟢 **[Certipy](https://github.com/ly4k/Certipy)** ★★★ ⭐3.5k · Python · MIT
Active Directory Certificate Services (AD CS) attack tool for enumerating misconfigurations, forging certificates, and escalating privileges via ESC1-ESC13 attack paths. _Use when: When AD CS is deployed in the environment — enumerate certificate templates for ESC misconfigurations, then forge certificates to obtain domain admin credentials or persistent access._ _Alternatives: mimikatz_
### ⬆️ Privilege Escalation
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 5 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[LinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
Linux privilege escalation script that audits the system for misconfigurations, weak permissions, SUID binaries, and known CVEs. _Use when: Immediately after gaining a low-privilege shell on a Linux host to enumerate all privilege escalation vectors in one pass before manual analysis._ _Alternatives: peass-ng, linux-exploit-suggester_
- 🟢 **[PEASS-ng](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
Suite containing LinPEAS and WinPEAS privilege escalation scripts for automated local enumeration on Linux, Windows, and macOS hosts. _Use when: When you need a single repository that covers both Linux and Windows privilege escalation enumeration; pull the relevant script (LinPEAS or WinPEAS) for the target OS._ _Alternatives: linpeas, winpeas_
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- _…and 2 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- 🔴 **[PowerUp](https://github.com/PowerShellMafia/PowerSploit)** ★★ ⭐13k · PowerShell · BSD-3-Clause
PowerShell script for identifying common Windows privilege escalation vectors such as unquoted service paths and modifiable service binaries. _Use when: When enumerating Windows privesc vectors on a low-privilege shell; note that the parent project PowerSploit is archived but PowerUp remains a valid technique reference and still functions on modern Windows hosts._ _Alternatives: winpeas, seatbelt_
- 🟡 **[Seatbelt](https://github.com/GhostPack/Seatbelt)** ★★ ⭐4.6k · C# · BSD-3-Clause
C# post-exploitation enumeration tool that runs a wide range of host-based security checks for situational awareness after gaining access to a Windows system. _Use when: After initial foothold on a Windows system to enumerate installed security products, credential stores, scheduled tasks, and other artifacts useful for planning next steps._ _Alternatives: winpeas, powerup_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### ☁️ AWS
- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause
AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments. _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account._ _Alternatives: cloudsploit, prowler_
- 🔴 **[enumerate-iam](https://github.com/andresriancho/enumerate-iam)** ★★ ⭐1.2k · Python · MIT
Enumerates AWS IAM permissions for a given set of credentials by brute-forcing API calls and reporting allowed actions. _Use when: You have AWS credentials of unknown privilege level and need to map all allowed actions before attempting privilege escalation; use Pacu for a full exploitation framework._ _Alternatives: pacu_
#### ☁️ Azure
- 🟢 **[MicroBurst](https://github.com/NetSPI/MicroBurst)** ★★ ⭐2.4k · PowerShell · MIT
PowerShell toolkit for Azure security assessment covering storage, Key Vault, Active Directory, and service enumeration. _Use when: During Azure red team engagements to enumerate resources, extract secrets from Key Vault and storage blobs, and identify misconfigured service principals._
#### 🐳 Containers / Kubernetes
- 🟢 **[Peirates](https://github.com/inguardians/peirates)** ★★★ ⭐1.4k · Go · GPL-2.0
Kubernetes penetration tool for attacking and maintaining access, including token theft, privilege escalation, and pod escape techniques. _Use when: You have initial access to a Kubernetes pod and need to escalate privileges, steal service account tokens, or pivot to other namespaces and nodes._ _Alternatives: kube-hunter_
### 🥷 Defense Evasion
#### 🤖 Android
- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.1k · Python · GPL-3.0
Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root. _Use when: You need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore the app file system during a mobile penetration test._ _Alternatives: frida, mobsf_
#### 📱 iOS
- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.1k · Python · GPL-3.0
Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root. _Use when: You need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore the app file system during a mobile penetration test._ _Alternatives: frida, mobsf_
#### 🌐 Network (IP, TCP/UDP, services)
- 🔴 **[Havoc](https://github.com/HavocFramework/Havoc)** ★★★ ⭐8.4k · C++ · GPL-3.0
Modern red team C2 framework focused on evasion with a Demon implant supporting sleep obfuscation, indirect syscalls, and process injection. _Use when: You need a modern open-source C2 with strong EDR evasion capabilities; the Demon agent's built-in obfuscation features make it suitable for engagements with mature defenses._ _Alternatives: sliver, cobalt-strike_
### 🔑 Credential Access
#### 🌐 Web applications
- 🟡 **[Evilginx2](https://github.com/kgretzky/evilginx2)** ★★★ ⭐15.1k · Go · BSD-3-Clause
Man-in-the-middle phishing framework that captures session cookies and credentials by proxying authentication flows, bypassing MFA. _Use when: On red team engagements where the target uses MFA and standard credential phishing won't work; requires a convincing lookalike domain and valid TLS certificate to be effective._ _Alternatives: gophish, modlishka_
- 🟢 **[THC Hydra](https://github.com/vanhauser-thc/thc-hydra)** ★★ ⭐11.8k · C · AGPL-3.0
Fast and parallelized network login cracker supporting over 50 protocols including SSH, FTP, HTTP, SMB, RDP, and database services. _Use when: Brute-forcing or credential-stuffing against a live network service (SSH, RDP, HTTP forms, SMB) with a known username list and password wordlist._ _Alternatives: hashcat, john-the-ripper_
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Hashcat](https://github.com/hashcat/hashcat)** ★★ ⭐26k · C · MIT
World's fastest GPU-accelerated password recovery tool supporting 300+ hash types including NTLM, Kerberos, bcrypt, and WPA-PMKID. _Use when: Cracking captured hashes (NTLM, NTLMv2, AS-REP, TGS tickets) offline using GPU acceleration; pair with rockyou or custom rule-sets for AD password policy bypass._ _Alternatives: john-the-ripper_
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: Performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: Performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 16 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[Hashcat](https://github.com/hashcat/hashcat)** ★★ ⭐26k · C · MIT
World's fastest GPU-accelerated password recovery tool supporting 300+ hash types including NTLM, Kerberos, bcrypt, and WPA-PMKID. _Use when: Cracking captured hashes (NTLM, NTLMv2, AS-REP, TGS tickets) offline using GPU acceleration; pair with rockyou or custom rule-sets for AD password policy bypass._ _Alternatives: john-the-ripper_
- 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0
Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments._ _Alternatives: impacket, certipy_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: Performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- _…and 13 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### 📶 Radio / wireless
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: When performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains.
_
### 🗺️ Discovery
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 4 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[LinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · Bash · MIT
Linux privilege escalation script that audits the system for misconfigurations, weak permissions, SUID binaries, and known CVEs. _Use when: Immediately after gaining a low-privilege shell on a Linux host to enumerate all privilege escalation vectors in one pass before manual analysis._ _Alternatives: peass-ng, linux-exploit-suggester_
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- 🟢 **[NetExec](https://github.com/Pennyw0rth/NetExec)** ★★ ⭐5.5k · Python · BSD-2-Clause
Network pentesting framework for credential validation, lateral movement, and enumeration across SMB, WinRM, MSSQL, RDP, and other Windows protocols — the actively maintained successor to CrackMapExec. _Use when: Spraying or validating credentials across a Windows network, executing commands, or enumerating shares; use this in place of the archived CrackMapExec for continued feature updates and bug fixes._ _Alternatives: crackmapexec, impacket_
- _…and 1 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 9 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[WinPEAS](https://github.com/peass-ng/PEASS-ng)** ★ ⭐19.9k · C# · MIT
Windows privilege escalation script that checks for misconfigured services, unquoted paths, weak registry permissions, and stored credentials. _Use when: After landing a low-privilege shell on a Windows host to quickly enumerate escalation paths before manual review with tools like Seatbelt or PowerUp._ _Alternatives: seatbelt, powerup_
- 🟢 **[NetExec](https://github.com/Pennyw0rth/NetExec)** ★★ ⭐5.5k · Python · BSD-2-Clause
Network pentesting framework for credential validation, lateral movement, and enumeration across SMB, WinRM, MSSQL, RDP, and other Windows protocols — the actively maintained successor to CrackMapExec. _Use when: Spraying or validating credentials across a Windows network, executing commands, or enumerating shares; use this in place of the archived CrackMapExec for continued feature updates and bug fixes._ _Alternatives: crackmapexec, impacket_
- 🟡 **[Seatbelt](https://github.com/GhostPack/Seatbelt)** ★★ ⭐4.6k · C# · BSD-3-Clause
C# post-exploitation enumeration tool that runs a wide range of host-based security checks for situational awareness after gaining access to a Windows system. _Use when: After initial foothold on a Windows system to enumerate installed security products, credential stores, scheduled tasks, and other artifacts useful for planning next steps._ _Alternatives: winpeas, powerup_
- _…and 6 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### ☁️ Azure
- 🟢 **[AzureHound](https://github.com/SpecterOps/AzureHound)** ★★★ ⭐910 · Go · Apache-2.0
BloodHound data collector for Azure and Azure Active Directory that maps attack paths across cloud and hybrid environments. _Use when: Run against the target tenant to collect Azure AD and Azure RBAC relationships; import into BloodHound CE to query cross-tenant privilege escalation paths and service principal abuse._ _Alternatives: bloodhound, sharphound_
### ↔️ Lateral Movement
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 8 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: Performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
- 🟢 **[Chisel](https://github.com/jpillora/chisel)** ★★ ⭐16k · Go · MIT
Fast TCP/UDP tunnel over HTTP, secured with SSH, enabling reverse tunnels and port forwarding through firewalls from a single binary. _Use when: You need to establish a reverse tunnel or pivot through a firewall with HTTP/HTTPS egress only, using a single static binary dropped on the compromised host._ _Alternatives: ligolo-ng_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: Performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- _…and 5 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 8 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[Mimikatz](https://github.com/gentilkiwi/mimikatz)** ★★★ ⭐21.6k · C · CC-BY-4.0
Windows credential extraction tool that dumps plaintext passwords, NTLM hashes, Kerberos tickets, and other secrets from memory and registry. _Use when: After gaining SYSTEM or local admin on a Windows host to extract credential material for pass-the-hash, pass-the-ticket, or DCSync attacks in Active Directory environments._ _Alternatives: impacket, certipy_
- 🟢 **[Impacket](https://github.com/fortra/impacket)** ★★★ ⭐15.7k · Python · Apache-2.0
Python library implementing network protocols (SMB, MSRPC, Kerberos) with ready-made scripts for credential relay, remote execution, and AD attacks. _Use when: Performing SMB relay, remote execution (psexec, wmiexec), or Kerberos attacks like AS-REP roasting and DCSync in an Active Directory environment._ _Alternatives: crackmapexec, evil-winrm_
- 🔴 **[CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec)** ★★ ⭐9.1k · Python · BSD-2-Clause
Network pentesting Swiss army knife for credential testing, lateral movement, and enumeration across SMB, WinRM, MSSQL, and other Windows protocols. _Use when: Spraying credentials or validating access across a subnet of Windows hosts; note that this project is archived — consider using its successor NetExec for active development and new features._ _Alternatives: impacket, evil-winrm_
- _…and 5 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### ☁️ AWS
- 🟢 **[Pacu](https://github.com/RhinoSecurityLabs/pacu)** ★★★ ⭐5.2k · Python · BSD-3-Clause
AWS exploitation framework for post-compromise enumeration, privilege escalation, and lateral movement within compromised AWS environments. _Use when: After obtaining AWS credentials during an engagement to enumerate IAM roles, escalate privileges via misconfigured policies, and pivot to other services within the account._ _Alternatives: cloudsploit, prowler_
#### ☁️ Azure
- 🟢 **[AzureHound](https://github.com/SpecterOps/AzureHound)** ★★★ ⭐910 · Go · Apache-2.0
BloodHound data collector for Azure and Azure Active Directory that maps attack paths across cloud and hybrid environments. _Use when: Run against the target tenant to collect Azure AD and Azure RBAC relationships; import into BloodHound CE to query cross-tenant privilege escalation paths and service principal abuse._ _Alternatives: bloodhound, sharphound_
#### 📶 Radio / wireless
- 🟢 **[Bettercap](https://github.com/bettercap/bettercap)** ★★ ⭐19.2k · Go · GPL-3.0
Extensible network attack and monitoring framework for ARP spoofing, DNS hijacking, Wi-Fi and BLE attacks, and HTTPS interception via a scriptable module system. _Use when: Performing man-in-the-middle attacks on local network segments or auditing Wi-Fi and BLE security; the interactive REPL and caplet scripting allow automated multi-stage network attack chains._
#### 🐳 Containers / Kubernetes
- 🟢 **[Peirates](https://github.com/inguardians/peirates)** ★★★ ⭐1.4k · Go · GPL-2.0
Kubernetes penetration tool for attacking and maintaining access, including token theft, privilege escalation, and pod escape techniques. _Use when: You have initial access to a Kubernetes pod and need to escalate privileges, steal service account tokens, or pivot to other namespaces and nodes._ _Alternatives: kube-hunter_
### 📦 Collection
#### 🌐 Network (IP, TCP/UDP, services)
- 🔴 **[Pillager](https://github.com/qwqdanchun/Pillager)** ★★★ ⭐0 · C++ · MIT
Post-exploitation collection tool for Windows that harvests credentials, tokens, cookies, and sensitive files from common application stores in a single sweep. _Use when: After obtaining a shell on a Windows host — runs a broad sweep of credential stores (browsers, SSH agents, RDP configs, application tokens) faster than manual enumeration. Pair with snaffler for share-based collection._ _Alternatives: snaffler_
#### 🏛️ Active Directory
- 🟢 **[Snaffler](https://github.com/SnaffCon/Snaffler)** ★★ ⭐2.8k · C# · GPL-3.0
Finds credentials, secrets, and sensitive files on network shares and file systems during internal penetration tests. _Use when: After obtaining domain user credentials on an internal engagement; automatically triage shares for passwords, keys, and sensitive config files faster than manual review._
- 🔴 **[Certify](https://github.com/GhostPack/Certify)** ★★★ ⭐0 · C# · BSD-3-Clause
C# tool for enumerating and abusing Active Directory Certificate Services misconfigurations to request certificates that enable privilege escalation or persistence. _Use when: On AD engagements where AD CS is deployed — enumerate certificate templates for ESC1–ESC8 misconfigurations, then request certs to obtain NTLM hashes or TGTs without touching LSASS. Use certipy for Linux-based equivalents._ _Alternatives: certipy_
- 🔴 **[Pillager](https://github.com/qwqdanchun/Pillager)** ★★★ ⭐0 · C++ · MIT
Post-exploitation collection tool for Windows that harvests credentials, tokens, cookies, and sensitive files from common application stores in a single sweep. _Use when: After obtaining a shell on a Windows host — runs a broad sweep of credential stores (browsers, SSH agents, RDP configs, application tokens) faster than manual enumeration. Pair with snaffler for share-based collection._ _Alternatives: snaffler_
### 📡 Command and Control (C2)
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 10 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Chisel](https://github.com/jpillora/chisel)** ★★ ⭐16k · Go · MIT
Fast TCP/UDP tunnel over HTTP, secured with SSH, enabling reverse tunnels and port forwarding through firewalls from a single binary. _Use when: You need to establish a reverse tunnel or pivot through a firewall with HTTP/HTTPS egress only, using a single static binary dropped on the compromised host._ _Alternatives: ligolo-ng_
- 🟢 **[Sliver](https://github.com/BishopFox/sliver)** ★★★ ⭐11.3k · Go · GPL-3.0
Open-source cross-platform adversary simulation C2 framework supporting mTLS, WireGuard, HTTP/S, and DNS communication channels. _Use when: You need a free, actively maintained C2 alternative to Cobalt Strike with modern implant generation and multiplayer operator support for red team operations._ _Alternatives: cobalt-strike, mythic_
- 🔴 **[Havoc](https://github.com/HavocFramework/Havoc)** ★★★ ⭐8.4k · C++ · GPL-3.0
Modern red team C2 framework focused on evasion with a Demon implant supporting sleep obfuscation, indirect syscalls, and process injection. _Use when: You need a modern open-source C2 with strong EDR evasion capabilities; the Demon agent's built-in obfuscation features make it suitable for engagements with mature defenses._ _Alternatives: sliver, cobalt-strike_
- _…and 7 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory
- 🟢 **[Empire](https://github.com/BC-SECURITY/Empire)** ★★★ ⭐5.2k · PowerShell · BSD-3-Clause
Post-exploitation C2 framework with PowerShell and Python agents supporting a wide range of modules for lateral movement and persistence. _Use when: Conducting Windows-focused red team operations requiring a mature agent with extensive post-exploitation modules; prefer Sliver or Havoc for more evasive, modern C2 profiles._ _Alternatives: sliver, mythic, havoc_
- 🔴 **[Covenant](https://github.com/cobbr/Covenant)** ★★★ ⭐4.7k · C# · GPL-3.0
.NET-based C2 framework with a web UI for collaborative red team operations, featuring Grunt implants. _Use when: You need a .NET-native C2 with a collaborative web interface for multi-operator engagements. Good for Windows-heavy environments where .NET LOLBins are your primary execution path._ _Alternatives: empire, sliver, mythic_
### 📤 Exfiltration
#### 🌐 Network (IP, TCP/UDP, services)
- 🟡 **[Iodine](https://github.com/yarrick/iodine)** ★★ ⭐7.9k · C · ISC
Tool that tunnels IPv4 traffic over DNS to provide network connectivity through restrictive firewalls that permit DNS lookups. _Use when: You need full IP tunnel capability over DNS rather than just C2 channels; useful for pivoting through egress-restricted networks where DNS is the only allowed protocol._ _Alternatives: dnscat2, dns2tcp_
- 🔴 **[dnscat2](https://github.com/iagox86/dnscat2)** ★★ ⭐3.9k · Ruby · BSD-3-Clause
DNS-based encrypted C2 and exfiltration tool that tunnels data through DNS queries to bypass network egress filtering. _Use when: Outbound HTTP/HTTPS is blocked but DNS resolution is allowed; requires control of a domain with a custom nameserver pointing to your dnscat2 server._ _Alternatives: iodine, dnsteal_
### 💥 Impact
#### 🌐 Web applications
- 🔴 **[GoldenEye](https://github.com/jseidl/GoldenEye)** ★ ⭐0 · Python · GPL-3.0
HTTP DoS test tool that uses multiple concurrent HTTP/1.1 keep-alive connections with randomized headers and cache-control directives to stress HTTP servers. _Use when: Authorized to test HTTP-layer DoS resilience and you want randomized headers to evade basic per-IP rate limiting; complements slowloris (a different attack vector against the same connection-pool exhaustion class)._ _Alternatives: slowloris_
- 🔴 **[Slowloris](https://github.com/gkbrk/slowloris)** ★ ⭐0 · Python · MIT
Low-bandwidth denial-of-service tool that holds HTTP connections open by sending partial requests, exhausting server connection pools without high throughput. _Use when: Testing a web server's resilience to connection-exhaustion DoS without large bandwidth — effective against Apache and other threaded servers; less effective against async servers like nginx. Use in authorized load/DoS testing only._
#### 🌐 Network (IP, TCP/UDP, services)
- 🔴 **[Slowloris](https://github.com/gkbrk/slowloris)** ★ ⭐0 · Python · MIT
Low-bandwidth denial-of-service tool that holds HTTP connections open by sending partial requests, exhausting server connection pools without high throughput. _Use when: Testing a web server's resilience to connection-exhaustion DoS without large bandwidth — effective against Apache and other threaded servers; less effective against async servers like nginx. Use in authorized load/DoS testing only._
---
## Defensive (D3FEND-aligned lifecycle)
### 🛡️ Detection Engineering
#### 🌐 Web applications
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Target sigma/rules/web/ for web server and proxy log detections — SQLi, path traversal, webshell upload patterns; convert for your WAF or SIEM web log source._ _Alternatives: yara, snort-rules, suricata-rules_
- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0
Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains. _Use when: You want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain._
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: You need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._ _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: You need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Run network-category atomics (T1021, T1046, T1572) in an isolated environment to confirm your SIEM creates the expected alerts for lateral movement and C2 channel techniques._ _Alternatives: caldera, sigma_
- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🧠 AI / LLM systems
- 🟢 **[LLM Guard](https://github.com/protectai/llm-guard)** ★★ ⭐3k · Python · MIT
Modular input and output scanning framework for LLM applications with scanners for prompt injection, toxicity, PII, and secrets. _Use when: You need a composable, production-ready guardrail layer with multiple independent scanners for both input sanitization and output validation in LLM pipelines._ _Alternatives: rebuff, vigil-llm_
- 🔴 **[Rebuff](https://github.com/protectai/rebuff)** ★★ ⭐1.5k · Python · Apache-2.0
Self-hardening prompt injection detector for LLM applications that uses a canary-token strategy and vector similarity to identify and log attack attempts. _Use when: Building LLM-powered applications that accept user input and need runtime protection against prompt injection attacks; integrates as middleware to intercept and flag malicious prompts before they reach the model._ _Alternatives: llm-guard, vigil-llm_
- 🔴 **[Vigil](https://github.com/deadbits/vigil-llm)** ★★ ⭐480 · Python · Apache-2.0
LLM prompt injection and jailbreak detection server that scans inputs and outputs against known attack patterns and embeddings. _Use when: Deploying an LLM-backed application that needs runtime detection of prompt injection attempts; integrate as a middleware scanner before passing user input to the model._ _Alternatives: rebuff, llm-guard_
#### 🏛️ Active Directory (showing top 3 of 5 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: You need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._ _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: You need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Execute AD-specific atomics (T1558, T1069, T1087) against a test domain to verify Kerberoasting, group enumeration, and LDAP query detections fire correctly in your SIEM._ _Alternatives: caldera, sigma_
- _…and 2 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### ☁️ AWS
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Use the CloudTrail-focused Sigma rule pack from sigma/rules/cloud/aws/ — covers IAM enumeration, S3 abuse, Lambda persistence, and CloudTrail tampering patterns._ _Alternatives: yara, snort-rules, suricata-rules_
- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. _Use when: Validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._ _Alternatives: atomic-red-team_
#### ☁️ Google Cloud
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Target sigma/rules/cloud/gcp/ for GCP-specific detections: GSuite admin audit, VPC flow anomalies, and service account key creation events._ _Alternatives: yara, snort-rules, suricata-rules_
#### ☁️ Azure
- 🟢 **[Sigma](https://github.com/SigmaHQ/sigma)** ★★ ⭐10.5k · YAML · DRL-1.1
Generic and open signature format for SIEM systems — detection rules in YAML. _Use when: Use the Sigma Azure ruleset under sigma/rules/cloud/azure/ — focus on Azure AD sign-in events, Resource Manager activity logs, and conditional access bypass detections._ _Alternatives: yara, snort-rules, suricata-rules_
- 🟢 **[Stratus Red Team](https://github.com/DataDog/stratus-red-team)** ★★ ⭐2.3k · Go · Apache-2.0
Granular cloud-native adversary emulation tool with prebuilt attack techniques mapped to ATT&CK for AWS and Azure. _Use when: Validating cloud detection rules by executing isolated, reproducible ATT&CK techniques against your own AWS or Azure environment with automatic cleanup._ _Alternatives: atomic-red-team_
#### ☁️ Cloud (generic / multi-cloud)
- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: Deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._
#### 🐳 Containers / Kubernetes
- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: Deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._
### 🎯 Threat Hunting
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 11 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: You need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._ _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: You need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Run network-category atomics (T1021, T1046, T1572) in an isolated environment to confirm your SIEM creates the expected alerts for lateral movement and C2 channel techniques.
_ _Alternatives: caldera, sigma_
- _…and 8 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 7 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[osquery](https://github.com/osquery/osquery)** ★★ ⭐23.3k · C++ · Apache-2.0
Endpoint visibility tool that exposes the operating system as a relational database, enabling SQL-based queries against running processes, network connections, file events, and system state. _Use when: When you need continuous endpoint telemetry for detection rules or ad-hoc hunting queries without deploying a heavyweight EDR agent. Choose over Velociraptor for always-on scheduled queries integrated into a SIEM; choose Velociraptor for ad-hoc incident response artifact collection._ _Alternatives: velociraptor_
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
- 🟢 **[Atomic Red Team](https://github.com/redcanaryco/atomic-red-team)** ★★ ⭐12k · PowerShell · MIT
Library of small, portable tests mapped to MITRE ATT&CK for validating detection coverage and testing security controls in a repeatable way. _Use when: Execute AD-specific atomics (T1558, T1069, T1087) against a test domain to verify Kerberoasting, group enumeration, and LDAP query detections fire correctly in your SIEM._ _Alternatives: caldera, sigma_
- _…and 4 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### ☁️ AWS
- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._
#### ☁️ Azure
- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._
#### ☁️ Cloud (generic / multi-cloud)
- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._
#### 🐳 Containers / Kubernetes
- 🟢 **[Falco](https://github.com/falcosecurity/falco)** ★★ ⭐9k · C++ · Apache-2.0
Cloud-native runtime security tool that detects anomalous container and host behavior using kernel system call monitoring and a rich rule language. _Use when: When deploying runtime threat detection in Kubernetes or bare-metal Linux environments; write custom rules to alert on privilege escalation, reverse shell spawning, or unexpected file access in production workloads._
### 🚨 Incident Response
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._ _Alternatives: velociraptor_
- 🟢 **[Volatility 3](https://github.com/volatilityfoundation/volatility3)** ★★★ ⭐4.1k · Python · Volatility
Memory forensics framework for extracting digital artifacts from RAM dumps across Windows, Linux, and macOS operating systems. _Use when: During incident response or forensic investigation when you have a memory image and need to recover processes, network connections, injected code, or encryption keys from RAM._ _Alternatives: rekall, redline_
- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0
Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale. _Use when: When you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. Preferable to manual triage when operating at enterprise scale._
- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._ _Alternatives: velociraptor_
- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0
Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale. _Use when: When you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. Preferable to manual triage when operating at enterprise scale._
- 🟢 **[Chainsaw](https://github.com/WithSecureLabs/chainsaw)** ★★ ⭐3.6k · Rust · GPL-3.0
Rust-based Windows event log forensics tool for rapid threat hunting using Sigma rules and built-in detection logic. _Use when: When performing first-response log triage on collected EVTX files to surface indicators of compromise; compare results with Hayabusa for cross-rule coverage._ _Alternatives: hayabusa_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### ☁️ AWS
- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._
#### ☁️ Azure
- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._
### 🔬 Digital Forensics
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 12 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Wireshark](https://github.com/wireshark/wireshark)** ★★ ⭐9.4k · C · GPL-2.0
Industry-standard network protocol analyzer for live capture and offline analysis of packet data with deep dissection of hundreds of protocols. _Use when: When analyzing captured network traffic to identify C2 communications, extract credentials from cleartext protocols, or reconstruct session data during incident response or network penetration testing._
- 🟢 **[Arkime](https://github.com/arkime/arkime)** ★★ ⭐7.4k · JavaScript · Apache-2.0
Full packet capture and indexing system (formerly Moloch) providing long-term PCAP storage with fast search, session reconstruction, and integration with Elasticsearch for large-scale network forensics. _Use when: When you need full PCAP retention at multi-gigabit rates with indexed search for retrospective investigation after a detection fires. Pair with Zeek for structured metadata and Arkime for raw packet access during the same investigation._
- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._ _Alternatives: velociraptor_
- _…and 9 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🏛️ Active Directory (showing top 3 of 4 — see [full cheatsheet](cheatsheets/active-directory.md))
- 🟢 **[GRR Rapid Response](https://github.com/google/grr)** ★★★ ⭐5.1k · Python · Apache-2.0
Remote live forensics framework by Google enabling fleet-wide artifact collection, memory analysis, and automated hunts across thousands of endpoints simultaneously. _Use when: When you need to hunt for IOCs or collect forensic artifacts across a large fleet (thousands of endpoints) without touching each machine individually. Choose over Velociraptor when you already have GRR deployed at scale and need its server-side hunt scheduling._ _Alternatives: velociraptor_
- 🟢 **[Velociraptor](https://github.com/Velocidex/velociraptor)** ★★ ⭐4k · Go · AGPL-3.0
Endpoint visibility and collection tool for digital forensics, incident response, and threat hunting at scale. _Use when: When you need to collect forensic artifacts or run threat-hunting queries across hundreds of endpoints simultaneously. Preferable to manual triage when operating at enterprise scale._
- 🟢 **[Chainsaw](https://github.com/WithSecureLabs/chainsaw)** ★★ ⭐3.6k · Rust · GPL-3.0
Rust-based Windows event log forensics tool for rapid threat hunting using Sigma rules and built-in detection logic. _Use when: When performing first-response log triage on collected EVTX files to surface indicators of compromise; compare results with Hayabusa for cross-rule coverage._ _Alternatives: hayabusa_
- _…and 1 more in [`cheatsheets/active-directory.md`](cheatsheets/active-directory.md)_
#### 🔌 Hardware
- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT
Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images. _Use when: When analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary._
#### 📟 IoT devices
- 🟢 **[Binwalk](https://github.com/ReFirmLabs/binwalk)** ★★ ⭐14k · Python · MIT
Firmware analysis and extraction tool that identifies embedded file systems, compressed archives, bootloaders, and other binary signatures within firmware images. _Use when: When analyzing IoT firmware images to extract filesystems, identify components, and locate hardcoded credentials or vulnerable libraries embedded within the firmware binary._
### 🦠 Malware Analysis
#### 🤖 Android
- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0
NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._ _Alternatives: radare2_
- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐23.9k · C · LGPL-3.0
Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. _Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines._ _Alternatives: ghidra_
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 7 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0
NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._ _Alternatives: radare2_
- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐23.9k · C · LGPL-3.0
Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. _Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines._ _Alternatives: ghidra_
- 🟢 **[YARA](https://github.com/VirusTotal/yara)** ★★ ⭐9.6k · C · BSD-3-Clause
Pattern matching tool for malware researchers that creates rules to identify and classify malware families based on textual or binary patterns. _Use when: When writing detection rules for malware samples or integrating signature-based detection into your SIEM, EDR, or incident response workflow for hunting known threat families._ _Alternatives: sigma, suricata_
- _…and 4 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
### 🧠 Threat Intelligence
#### 🌐 Web applications
- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0
Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains. _Use when: When you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain._
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 7 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[OpenCTI](https://github.com/OpenCTI-Platform/opencti)** ★★ ⭐9.4k · TypeScript · Apache-2.0
Open-source cyber threat intelligence platform with a knowledge graph that links threat actors, campaigns, TTPs, and observables. _Use when: When you need structured threat intelligence with entity relationships mapped to STIX 2.1 and MITRE ATT&CK; use MISP when the primary need is IoC sharing and correlation._ _Alternatives: misp_
- 🟢 **[MISP](https://github.com/MISP/MISP)** ★★ ⭐6.3k · PHP · AGPL-3.0
Open-source threat intelligence platform for sharing, storing, and correlating IoCs, malware, and threat actor TTPs. _Use when: When you need a collaborative threat intelligence platform to ingest, correlate, and share IoCs across teams or partner organizations; use OpenCTI when you need richer knowledge-graph relationships between threats._ _Alternatives: opencti_
- 🟡 **[dnstwist](https://github.com/elceef/dnstwist)** ★ ⭐5.7k · Python · Apache-2.0
Domain name permutation engine for detecting typosquatting, phishing, and brand abuse domains. _Use when: When you want to enumerate likely phishing or typosquatting domains for a brand, or during recon to discover attacker infrastructure registered with slight variations of your target domain._
- _…and 4 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### ☁️ AWS
- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._
#### ☁️ Azure
- 🟢 **[MSTICPy](https://github.com/microsoft/msticpy)** ★★★ ⭐2k · Python · MIT
Python library of threat intelligence, hunting, and investigation tools built for Jupyter-based SOC workflows. _Use when: When you run Jupyter-based threat hunting and need pre-built connectors to Microsoft Sentinel, Defender, Azure, and AWS CloudTrail alongside enrichment from TI feeds — saves weeks of plumbing for SOC analysts._
### 🔗 SIEM & SOAR
#### 🌐 Network (IP, TCP/UDP, services)
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
#### 🏛️ Active Directory
- 🟢 **[Wazuh](https://github.com/wazuh/wazuh)** ★★ ⭐15.7k · C · AGPL-3.0
Open-source security platform for threat detection, integrity monitoring, incident response, and compliance. _Use when: When you need an all-in-one SIEM with endpoint agents for log collection, FIM, and rule-based alerting without the cost of commercial platforms. Handles Windows, Linux, and cloud workloads from a single pane._
---
## Cross-cutting
### 🧪 Vulnerability Discovery
#### 🌐 Web applications (showing top 3 of 12 — see [full cheatsheet](cheatsheets/web.md))
- 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0
Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms. _Use when: When you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database._ _Alternatives: commix_
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT
Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Run with web-specific templates from nuclei-templates/http/ — CVE-tagged templates for CMS vulnerabilities, exposed admin panels, and misconfiguration checks on web targets._ _Alternatives: jaeles, dalfox_
- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.1k · Go · MIT
High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists. _Use when: When brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed._ _Alternatives: feroxbuster, gobuster_
- _…and 9 more in [`cheatsheets/web.md`](cheatsheets/web.md)_
#### 🔌 APIs (REST, GraphQL, gRPC) (showing top 3 of 9 — see [full cheatsheet](cheatsheets/api.md))
- 🟢 **[sqlmap](https://github.com/sqlmapproject/sqlmap)** ★★ ⭐37.5k · Python · GPL-2.0
Automated SQL injection detection and exploitation tool that fingerprints databases and extracts data across all major DBMS platforms. _Use when: When you have identified a potentially injectable parameter in a web application and need to confirm exploitability and extract data from the backend database._ _Alternatives: commix_
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT
Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Target with api/ and exposures/ templates to detect exposed Swagger/OpenAPI docs, authentication bypass endpoints, and API key leaks in responses._ _Alternatives: jaeles, dalfox_
- 🟢 **[ffuf](https://github.com/ffuf/ffuf)** ★ ⭐16.1k · Go · MIT
High-speed web fuzzer written in Go for directory/file discovery, parameter fuzzing, and vhost enumeration using wordlists. _Use when: When brute-forcing directories, endpoints, parameters, or virtual hosts against a web target; preferred over Gobuster for its filter flexibility and speed._ _Alternatives: feroxbuster, gobuster_
- _…and 6 more in [`cheatsheets/api.md`](cheatsheets/api.md)_
#### 🤖 Android (showing top 3 of 11 — see [full cheatsheet](cheatsheets/mobile-android.md))
- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0
NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._ _Alternatives: radare2_
- 🟢 **[JADX](https://github.com/skylot/jadx)** ★★ ⭐48.7k · Java · Apache-2.0
Dex-to-Java decompiler that converts Android APK and DEX files into readable Java source code with a GUI and CLI for Android application reverse engineering. _Use when: When reverse engineering Android APKs to review business logic, find hardcoded secrets, or identify insecure API calls; the GUI makes navigating decompiled class hierarchies faster than command-line tools alone._ _Alternatives: apktool_
- 🟢 **[Apktool](https://github.com/iBotPeaches/Apktool)** ★★ ⭐24.6k · Java · Apache-2.0
Reverse engineering tool for Android APK files that decodes resources and disassembles Dalvik bytecode to smali for analysis and modification. _Use when: When statically analysing an Android APK to inspect permissions, decode resources, read smali code, or modify and repackage an app for dynamic testing._ _Alternatives: mobsf, frida_
- _…and 8 more in [`cheatsheets/mobile-android.md`](cheatsheets/mobile-android.md)_
#### 📱 iOS (showing top 3 of 4 — see [full cheatsheet](cheatsheets/mobile-ios.md))
- 🟢 **[MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF)** ★ ⭐21.1k · Python · GPL-3.0
All-in-one mobile security testing framework supporting static and dynamic analysis of Android APKs and iOS IPAs via a web-based interface. _Use when: When starting a mobile app assessment and wanting a quick automated static analysis report covering permissions, hardcoded secrets, and insecure API calls before manual testing._ _Alternatives: frida, objection_
- 🟢 **[Frida](https://github.com/frida/frida)** ★★★ ⭐20.7k · C · wxWindows
Dynamic instrumentation toolkit that injects JavaScript into native apps on Android, iOS, Windows, Linux, and macOS for runtime hooking and analysis. _Use when: When you need to hook API calls, bypass SSL pinning, trace function arguments, or patch runtime behavior in a mobile app without access to source code._ _Alternatives: objection, xposed_
- 🟢 **[Objection](https://github.com/sensepost/objection)** ★★ ⭐9.1k · Python · GPL-3.0
Runtime mobile exploration toolkit built on Frida for bypassing SSL pinning, dumping keychain data, and exploring app internals without jailbreak or root. _Use when: When you need a higher-level interface over Frida to quickly bypass SSL pinning, list classes/methods, and explore the app file system during a mobile penetration test._ _Alternatives: frida, mobsf_
- _…and 1 more in [`cheatsheets/mobile-ios.md`](cheatsheets/mobile-ios.md)_
#### 🌐 Network (IP, TCP/UDP, services) (showing top 3 of 4 — see [full cheatsheet](cheatsheets/network.md))
- 🟢 **[Ghidra](https://github.com/NationalSecurityAgency/ghidra)** ★★★ ⭐68.8k · Java · Apache-2.0
NSA-developed software reverse engineering framework with disassembler, decompiler, and scripting API supporting x86, ARM, MIPS, and many other architectures. _Use when: When reversing compiled binaries, firmware, or malware samples where source code is unavailable; use the decompiler for rapid code comprehension and Python/Java scripts for automated analysis across large sample sets._ _Alternatives: radare2_
- 🟢 **[Nuclei](https://github.com/projectdiscovery/nuclei)** ★★ ⭐28.8k · Go · MIT
Fast, customizable vulnerability scanner driven by YAML templates contributed by the community. _Use when: Use network/ and ssl/ templates for network service fingerprinting, protocol version detection, and SSL/TLS misconfiguration checks across port-scanned hosts._ _Alternatives: jaeles, dalfox_
- 🟢 **[Radare2](https://github.com/radareorg/radare2)** ★★★ ⭐23.9k · C · LGPL-3.0
Portable reverse engineering framework with disassembler, debugger, binary analysis, and patching capabilities for dozens of CPU architectures and binary formats. _Use when: When performing low-level binary analysis, exploit development, or CTF reversing challenges that require fine-grained control over disassembly and memory; the r2pipe API enables scriptable analysis pipelines._ _Alternatives: ghidra_
- _…and 1 more in [`cheatsheets/network.md`](cheatsheets/network.md)_
#### 🧠 AI / LLM systems (showing top 3 of 5 — see [full cheatsheet](cheatsheets/ai-llm.md))
- 🟢 **[Promptfoo](https://github.com/promptfoo/promptfoo)** ★ ⭐21.5k · TypeScript · MIT
Open-source LLM testing framework for red-teaming, prompt injection testing, and evaluating AI model outputs against security and safety policies. _Use when: When assessing an AI application for prompt injection, jailbreaks, or data leakage; configure test cases declaratively in YAML and run automated red-team probes against any LLM endpoint._ _Alternatives: garak, pyrit_
- 🟢 **[garak](https://github.com/NVIDIA/garak)** ★★ ⭐7.9k · Python · Apache-2.0
LLM vulnerability scanner — probes models for prompt injection, jailbreaks, toxicity, hallucinations, data leakage. _Use when: When red-teaming an LLM application or evaluating a model release. Modular probes cover OWASP LLM Top 10 categories; outputs structured reports suitable for engagement deliverables._ _Alternatives: promptfoo, pyrit, llm-attacks_
- 🔴 **[llm-attacks](https://github.com/llm-attacks/llm-attacks)** ★★★ ⭐4.7k · Python · MIT
Research framework implementing universal and transferable adversarial attacks (GCG suffix optimization) against aligned large language models to elicit harmful outputs. _Use when: When red-teaming LLM safety mechanisms by generating adversarial suffixes that transfer across models; use in an isolated research environment to evaluate model robustness to gradient-based jailbreak attacks._ _Alternatives: garak, pyrit_
- _…and 2 more in [`cheatsheets/ai-llm.md`](cheatsheets/ai-llm.md)_
#### ⛓️ Blockchain / Web3 (showing top 3 of 6 — see [full cheatsheet](cheatsheets/blockchain-web3.md))
- 🟢 **[Foundry](https://github.com/foundry-rs/foundry)** ★★ ⭐10.4k · Rust · Apache-2.0
Blazing-fast Ethereum development toolkit with built-in fuzzer (Forge), cast CLI, and Anvil local testnet for smart contract testing and exploit PoC development. _Use when: When writing fuzz tests or PoC exploits for smart contracts; Forge's invariant fuzzer finds edge cases that manual review misses, and Anvil lets you fork mainnet to reproduce live exploits locally._
- 🟢 **[Slither](https://github.com/crytic/slither)** ★★ ⭐6.3k · Python · AGPL-3.0
Static analysis framework for Solidity smart contracts that detects vulnerabilities, code quality issues, and anti-patterns using a suite of built-in and custom detectors. _Use when: When auditing Solidity contracts for reentrancy, integer overflow, access control flaws, and other common smart contract vulnerabilities before deployment or during a bug bounty engagement._ _Alternatives: mythril_
- 🟢 **[Mythril](https://github.com/Consensys/mythril)** ★★★ ⭐4.2k · Python · MIT
Security analysis tool for EVM bytecode using symbolic execution, SMT solving, and taint analysis to detect smart contract vulnerabilities at the bytecode level. _Use when: When performing deep symbolic execution analysis on Solidity or EVM bytecode to uncover logic flaws that static analysis misses; slower than Slither but catches complex multi-transaction vulnerabilities._ _Alternatives: slither_
- _…and 3 more in [`cheatsheets/blockchain-web3.md`](cheatsheets/blockchain-web3.md)_
#### 🏛️ Active Directory
- 🟢 **[PingCastle](https://github.com/vletoux/pingcastle)** ★★ ⭐2.9k · C# · Non-Profit OSL 3.0
Active Directory security audit tool that produces risk-scored reports and graphs identifying misconfigurations and attack paths. _Use when: When you need a fast executive-ready AD health report with scored risk indicators; use BloodHound for interactive attack path visualization and lateral movement analysis._ _Alternatives: adrecon_
#### ☁️ AWS
- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._ _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._ _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._ _Alternatives: prowler, pacu_
#### ☁️ Google Cloud
- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other compliance frameworks. _Use when: When you need compliance-oriented cloud posture assessment with exportable reports for client deliverables; pairs well with Pacu for offense-oriented follow-up on findings._ _Alternatives: cloudsploit, pacu_
- 🟡 **[ScoutSuite](https://github.com/nccgroup/ScoutSuite)** ★★ ⭐7.7k · Python · GPL-2.0
Multi-cloud security auditing tool that assesses AWS, Azure, GCP, and other cloud environments by collecting configuration data and flagging misconfigurations. _Use when: When assessing a cloud environment's security posture across IAM, storage, networking, and logging controls; generates an HTML report highlighting critical misconfigurations per service._ _Alternatives: prowler, cloudsploit_
- 🟢 **[CloudSploit](https://github.com/aquasecurity/cloudsploit)** ★ ⭐3.7k · JavaScript · Apache-2.0
Open-source cloud security configuration scanner for AWS, Azure, GCP, and Oracle Cloud that checks for misconfigurations and compliance issues. _Use when: When starting a cloud security assessment to get a baseline of misconfigurations across an entire cloud account before diving into manual exploitation paths._ _Alternatives: prowler, pacu_
#### ☁️ Azure (showing top 3 of 4 — see [full cheatsheet](cheatsheets/cloud-azure.md))
- 🟢 **[Prowler](https://github.com/prowler-cloud/prowler)** ★★ ⭐13.9k · Python · Apache-2.0
Cloud security tool for AWS, Azure, and GCP that runs hundreds of checks aligned to CIS benchmarks, NIST, and other complian