fabacab/awesome-cybersecurity-blueteam

Security 12 days ago 2.5k

💻

🛡️ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

May 16th - May 22nd, 2022

DevSecOps

Checkov - Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.

terrascan - Static code analyzer for Infrastructure as Code tools that helps detect compliance and security violations to mitigate risk before provisioning cloud native resources.

tfsec - Static analysis security scanner for your Terraform code designed to run locally and in CI pipelines.

May 9th - May 15th, 2022

DevSecOps

Dependency confusion

snync stars25 - Prevent and detect if you're vulnerable to dependency confusion supply chain security attacks.

Threat intelligence

Fingerprinting

HASSH stars451 - Network fingerprinting standard which can be used to identify specific client and server SSH implementations.

JA3 - Extracts SSL/TLS handshake settings for fingerprinting and communicating about a given TLS implementation.

Mar 28th - Apr 3rd, 2022

Transport-layer defenses

Overlay and Virtual Private Networks (VPNs)

OpenZITI - Open source initiative focused on bringing Zero Trust to any application via an overlay network, tunelling applications, and numerous SDKs.

Feb 21st - Feb 27th, 2022

Security monitoring

Starbase stars195 - Collects assets and relationships from services and systems into an intuitive graph view to offer graph-based security analysis for everyone.

Feb 7th - Feb 13th, 2022

Cloud platform security

Kubernetes

Sealed Secrets stars5k - Kubernetes controller and tool for one-way encrypted Secrets.

Jan 31st - Feb 6th, 2022

Transport-layer defenses

Overlay and Virtual Private Networks (VPNs)

IPsec VPN Server Auto Setup Scripts stars18.8k - Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2.

Innernet stars3.2k - Free Software private network system that uses WireGuard under the hood, made to be self-hosted.

Nebula stars9.8k - Completely open source and self-hosted, scalable overlay networking tool with a focus on performance, simplicity, and security, inspired by tinc.

OpenVPN - Longstanding Free Software traditional SSL/TLS-based virtual private network.

Tailscale - Managed freemium mesh VPN service built on top of WireGuard.

tinc - Free Software mesh VPN implemented entirely in userspace that supports expandable network space, bridged ethernet segments, and more.

Jan 10th - Jan 16th, 2022

Preparedness training and wargaming

Caldera - Scalable, automated, and extensible adversary emulation platform developed by MITRE.

Nov 22nd - Nov 28th, 2021

Honeypots

Manuka stars264 - Open-sources intelligence (OSINT) honeypot that monitors reconnaissance attempts by threat actors and generates actionable intelligence for Blue Teamers.

Windows-based defenses

CobaltStrikeScan stars692 - Scan files or process memory for Cobalt Strike beacons and parse their configuration.

Preparedness training and wargaming

Infection Monkey - Open-source breach and attack simulation (BAS) platform that helps you validate existing controls and identify how attackers might exploit your current network security gaps.

Windows-based defenses

Active Directory

Active Directory Control Paths stars564 - Visualize and graph Active Directory permission configs ("control relations") to audit questions such as "Who can read the CEO's email?" and similar.

PingCastle - Active Directory vulnerability detection and reporting tool.

PlumHound stars642 - More effectively use BloodHoundAD in continual security life-cycles by utilizing its pathfinding engine to identify Active Directory security vulnerabilities.

Nov 8th - Nov 14th, 2021

DevSecOps

Dependency confusion

Dependency Combobulator stars78 - Open source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Confusion checker stars59 - Script to check if you have artifacts containing the same name between your repositories.

Oct 25th - Oct 31st, 2021

Cloud platform security

Aaia stars251 - Helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j.

Principal Mapper (PMapper)stars1k - Quickly evaluate IAM permissions in AWS via script and library capable of identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization.

Oct 11th - Oct 17th, 2021

DevSecOps

Supply chain security

in-toto - Framework to secure the integrity of software supply chains.

Sep 13th - Sep 19th, 2021

Identity and AuthN/AuthZ

Gluu Server - Central authentication and authorization for Web and mobile applications with a Free and Open Source Software cloud-native community distribution.

Aug 9th - Aug 15th, 2021

DevSecOps

Policy enforcement

AllStar stars882 - GitHub App installed on organizations or repositories to set and enforce security policies.

Aug 2nd - Aug 8th, 2021

Transport-layer defenses

Overlay and Virtual Private Networks (VPNs)

WireGuard - Extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography.

Preparedness training and wargaming

Drool - Replay DNS traffic from packet capture files and send it to a specified server, such as for simulating DDoS attacks on the DNS and measuring normal DNS querying.

Jun 7th - Jun 13th, 2021

Threat intelligence

Threat Bus stars213 - Threat intelligence dissemination layer to connect security tools through a distributed publish/subscribe message broker.

May 17th - May 23rd, 2021

DevSecOps

Policy enforcement

Conftest - Utility to help you write tests against structured configuration data.

DevSecOps

Supply chain security

Grafeas - Open artifact metadata API to audit and govern your software supply chain.

Notary stars2.8k - Aims to make the internet more secure by making it easy for people to publish and verify content.

Helm GPG (GnuPG) Plugin stars21 - Chart signing and verification with GnuPG for Helm.

May 10th - May 16th, 2021

DevSecOps

helm-secrets stars602 - Helm plugin that helps manage secrets with Git workflow and stores them anywhere, backed by SOPS.

May 3rd - May 9th, 2021

Communications security (COMSEC)

Teleport - Allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments.

Cloud platform security

Kubernetes

Kyverno - Policy engine designed for Kubernetes.

k-rail stars430 - Workload policy enforcement tool for Kubernetes.

kubernetes-event-exporter stars880 - Allows exporting the often missed Kubernetes events to various outputs so that they can be used for observability or alerting purposes.

Apr 26th - May 2nd, 2021

DevSecOps

Policy enforcement

Open Policy Agent (OPA) - Unified toolset and framework for policy across the cloud native stack.

Apr 5th - Apr 11th, 2021

Cloud platform security

Distributed monitoring

Cortex - Provides horizontally scalable, highly available, multi-tenant, long term storage for Prometheus.

OpenTelemetry - Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects).

Prometheus - Open-source systems monitoring and alerting toolkit originally built at SoundCloud.

Cloud platform security

Kubernetes

certificate-expiry-monitor stars126 - Utility that exposes the expiry of TLS certificates as Prometheus metrics.

Mar 29th - Apr 4th, 2021

Network perimeter defenses

Firewall appliances or distributions

IPFire - Hardened GNU/Linux based router and firewall distribution forked from IPCop.

OPNsense - Hardened FreeBSD based firewall and routing platform forked from pfSense.

pfSense - FreeBSD firewall and router distribution forked from m0n0wall.

Cloud platform security

Distributed monitoring

Jaeger - Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems.

Zipkin - Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures.

Cloud platform security

Kubernetes

Linkerd - Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself.

Cloud platform security

Service meshes

Consul - Solution to connect and configure applications across dynamic, distributed infrastructure and, with Consul Connect, enabling secure service-to-service communication with automatic TLS encryption and identity-based authorization.

Istio - Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

Mar 22nd - Mar 28th, 2021

Communications security (COMSEC)

GlobaLeaks - Free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.

SecureDrop - Open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.

Operating System distributions

Qubes OS - Desktop environment built atop the Xen hypervisor project that runs each end-user program in its own virtual machine intended to provide strict security controls to constrain the reach of any successful malware exploit.

Cloud platform security

Kubernetes

kube-forensics stars154 - Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.

Mar 15th - Mar 21st, 2021

Host-based tools

Sandboxes

Dangerzone - Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.

Mar 8th - Mar 14th, 2021

Threat intelligence

Threat signature packages and collections

ESET's Malware IoCs stars1.2k - Indicators of Compromises (IOCs) derived from ESET's various investigations.

Mar 1st - Mar 7th, 2021

Host-based tools

Sandboxes

Bubblewrap stars2.4k - Sandboxing tool for use by unprivileged Linux users capable of restricting access to parts of the operating system or user data.

Feb 1st - Feb 7th, 2021

Cloud platform security

Kubernetes

KubeSec - Static analyzer of Kubernetes manifests that can be run locally, as a Kuberenetes admission controller, or as its own cloud service.

Managed Kubernetes Inspection Tool (MKIT)stars376 - Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.

Polaris - Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster.

kube-hunter - Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.

Threat intelligence

Open Source Vulnerabilities (OSV) - Vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source.

Dec 28th - Jan 3rd, 2020

Security configurations

Bunkerized-nginx stars2.5k - Docker image of an NginX configuration and scripts implementing many defensive techniques for Web sites.

Dec 14th - Dec 20th, 2020

Threat intelligence

Threat signature packages and collections

FireEye's Sunburst Countermeasures stars545 - Collection of IoC in various languages for detecting backdoored SolarWinds Orion NMS activities and related vulnerabilities.

Dec 7th - Dec 13th, 2020

DevSecOps

Fuzzing

Atheris - Coverage-guided Python fuzzing engine based off of libFuzzer that supports fuzzing of Python code but also native extensions written for CPython.

Threat intelligence

Threat signature packages and collections

FireEye's Red Team Tool Countermeasures stars2.5k - Collection of Snort and YARA rules to detect attacks carried out with FireEye's own Red Team tools, first released after FireEye disclosed a breach in December 2020.

YARA Rules stars3.1k - Project covering the need for IT security researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible.

Nov 30th - Dec 6th, 2020

Preparedness training and wargaming

BadBlood - Fills a test (non-production) Windows Domain with data that enables security analysts and engineers to practice using tools to gain an understanding and prescribe to securing Active Directory.

Threat intelligence

Sigma stars5.1k - Generic signature format for SIEM systems, offering an open signature format that allows you to describe relevant log events in a straightforward manner.

YARA stars5.7k - Tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples, described as "the pattern matching swiss army knife" for file patterns and signatures.

Nov 9th - Nov 15th, 2020

macOS-based defenses

Santa stars3.7k - Keep track of binaries that are naughty or nice in an allow/deny-listing system for macOS.

Oct 19th - Oct 25th, 2020

Automation

PyREBox - Python-scriptable reverse engineering sandbox, based on QEMU.

Oct 5th - Oct 11th, 2020

Threat intelligence

DATA stars88 - Credential phish analysis and automation tool that can accept suspected phishing URLs directly or trigger on observed network traffic containing such a URL.

Sep 14th - Sep 20th, 2020

DevSecOps

Fuzzing

OneFuzz stars2.6k - Self-hosted Fuzzing-as-a-Service (FaaS) platform.

Automation

Watchtower - Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience.

Aug 10th - Aug 16th, 2020

DevSecOps

Bane stars1k - Custom and better AppArmor profile generator for Docker containers.

Trivy stars12.1k - Simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for use in continuous integration pipelines.

Communications security (COMSEC)

Geneva (Genetic Evasion) - Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.

DevSecOps

Compliance testing and reporting

Chef InSpec - Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.

OpenSCAP Base - Both a library and a command line tool (oscap) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).

Jul 27th - Aug 2nd, 2020

DevSecOps

Application or Binary Hardening

DynInst - Tools for binary instrumentation, analysis, and modification, useful for binary patching.

DynamoRIO - Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.

Valgrind - Instrumentation framework for building dynamic analysis tools.

Jul 13th - Jul 19th, 2020

Cloud platform security

Kata Containers - Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.

gVisor stars12.7k - Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.

Security monitoring

Network Security Monitoring (NSM)

Respounder stars284 - Detects the presence of the Responder LLMNR/NBT-NS/MDNS poisoner on a network.

Tsunami stars7.5k - General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

DevSecOps

SOPS stars9.9k - Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.

Vault - Tool for securely accessing secrets such as API keys, passwords, or certificates through a unified interface.

git-crypt - Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.

Jun 22nd - Jun 28th, 2020

Network perimeter defenses

Gatekeeper stars779 - First open source Distributed Denial of Service (DDoS) protection system.

Jun 15th - Jun 21st, 2020

Incident Response tools

LogonTracer stars2k - Investigate malicious Windows logon by visualizing and analyzing Windows event log.

Volatility - Advanced memory forensics framework.

Security monitoring

Network Security Monitoring (NSM)

Real Intelligence Threat Analysis (RITA)stars1.9k - Open source framework for network traffic analysis that ingests Zeek logs and detects beaconing, DNS tunneling, and more.

Automation

Dev-Sec.io - Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.

peepdf - Scriptable PDF file analyzer.

Automation

Security Orchestration, Automation, and Response (SOAR)

Shuffle - Graphical generalized workflow (automation) builder for IT professionals and blue teamers.

Jun 8th - Jun 14th, 2020

Security monitoring

Service and performance monitoring

Zabbix - Mature, enterprise-level platform to monitor large-scale IT environments.

Security monitoring

Network Security Monitoring (NSM)

Stenographer stars1.7k - Full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes.

May 25th - May 31st, 2020

Cloud platform security

Falco - Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.

May 11th - May 17th, 2020

macOS-based defenses

BlockBlock - Monitors common persistence locations and alerts whenever a persistent component is added, which helps to detect and prevent malware installation.

Apr 20th - Apr 26th, 2020

Windows-based defenses

Sandboxie - Free and open source general purpose Windows application sandboxing utility.

Apr 13th - Apr 19th, 2020

DevSecOps

DefectDojo - Application vulnerability management tool built for DevOps and continuous security integration.

DevSecOps

Fuzzing

FuzzBench - Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.

Threat intelligence

AttackerKB - Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.

Apr 6th - Apr 12th, 2020

DevSecOps

CodeQL - Discover vulnerabilities across a codebase by performing queries against code as though it were data.

Mar 30th - Apr 5th, 2020

Security monitoring

Network Security Monitoring (NSM)

VAST stars363 - Free and open-source network telemetry engine for data-driven security investigations.

Zeek - Powerful network analysis framework focused on security monitoring, formerly known as Bro.

Mar 23rd - Mar 29th, 2020

Host-based tools

Crowd Inspect - Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.

Security monitoring

Endpoint Detection and Response (EDR)

Wazuh - Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.

Security monitoring

Network Security Monitoring (NSM)

ChopShop stars461 - Framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft.

Maltrail stars4.6k - Malicious network traffic detection system.

Moloch stars5.2k - Augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.

OwlH - Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.

Snort - Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.

SpoofSpotter stars48 - Catch spoofed NetBIOS Name Service (NBNS) responses and alert to an email or log file.

Suricata - Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.

Wireshark - Free and open-source packet analyzer useful for network troubleshooting or forensic netflow analysis.

netsniff-ng - Free and fast GNU/Linux networking toolkit with numerous utilities such as a connection tracking tool (flowtop), traffic generator (trafgen), and autonomous system (AS) trace route utility (astraceroute).

Security monitoring

Threat hunting

CimSweep stars600 - Suite of CIM/WMI-based tools enabling remote incident response and hunting operations across all versions of Windows.

DeepBlueCLI stars1.5k - PowerShell module for hunt teaming via Windows Event logs.

GRR Rapid Response stars4.1k - Incident response framework focused on remote live forensics consisting of a Python agent installed on assets and Python-based server infrastructure enabling analysts to quickly triage attacks and perform analysis remotely.

Hunting ELK (HELK)stars3.2k - All-in-one Free Software threat hunting stack based on Elasticsearch, Logstash, Kafka, and Kibana with various built-in integrations for analytics including Jupyter Notebook.

MozDef stars2.2k - Automate the security incident handling process and facilitate the real-time activities of incident handlers.

PSHunt stars228 - PowerShell module designed to scan remote endpoints for indicators of compromise or survey them for more comprehensive information related to state of those systems.

PSRecon stars449 - PSHunt-like tool for analyzing remote Windows systems that also produces a self-contained HTML report of its findings.

PowerForensics stars1.2k - All in one PowerShell-based platform to perform live hard disk forensic analysis.

rastrea2r stars195 - Multi-platform tool for triaging suspected IOCs on many endpoints simultaneously and that integrates with antivirus consoles.

Redline - Freeware endpoint auditing and analysis tool that provides host-based investigative capabilities, offered by FireEye, Inc.

Mar 16th - Mar 22nd, 2020

Automation

Clevis stars532 - Plugable framework for automated decryption, often used as a Tang client.

DevSecOps

Policy enforcement

Tang stars282 - Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network.

Feb 24th - Mar 1st, 2020

DevSecOps

Snyk - Finds and fixes vulnerabilities and license violations in open source dependencies and container images.

Feb 17th - Feb 23rd, 2020

DevSecOps

Application or Binary Hardening

Egalito - Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.

Feb 10th - Feb 16th, 2020

Network perimeter defenses

ssh-audit stars1.2k - Simple tool that makes quick recommendations for improving an SSH server's security posture.

Nov 18th - Nov 24th, 2019

Honeypots

Kushtaka - Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Nov 4th - Nov 10th, 2019

Phishing awareness and reporting

mailspoof stars72 - Scans SPF and DMARC records for issues that could allow email spoofing.

CertSpotter stars559 - Certificate Transparency log monitor from SSLMate that alerts you when a SSL/TLS certificate is issued for one of your domains.

phishing_catcher stars1.4k - Configurable script to watch for issuances of suspicious TLS certificates by domain name in the Certificate Transparency Log (CTL) using the CertStream service.

Cloud platform security

Prowler stars5.5k - Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.

Scout Suite stars4.3k - Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.

Sep 23rd - Sep 29th, 2019

Phishing awareness and reporting

Phishing Intelligence Engine (PIE)stars165 - Framework that will assist with the detection and response to phishing attacks.

Aug 5th - Aug 11th, 2019

Automation

Ansible Lockdown - Curated collection of information security themed Ansible roles that are both vetted and actively maintained.

Security monitoring

Service and performance monitoring

Locust - Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.

Automation

Code libraries and bindings

MultiScanner stars550 - File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.

libcrafter stars281 - High level C++ network packet sniffing and crafting library.

Jul 29th - Aug 4th, 2019

macOS-based defenses

LuLu - Free macOS firewall.

Stronghold stars933 - Easily configure macOS security settings from the terminal.

macOS Fortress stars350 - Automated configuration of kernel-level, OS-level, and client-level security features including privatizing proxying and anti-virus scanning for macOS.

Jul 22nd - Jul 28th, 2019

Phishing awareness and reporting

Gophish - Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.

King Phisher stars1.7k - Tool for testing and promoting user awareness by simulating real world phishing attacks.

NotifySecurity stars113 - Outlook add-in used to help your users to report suspicious e-mails to security teams.

Swordphish stars191 - Platform allowing to create and manage (fake) phishing campaigns intended to train people in identifying suspicious mails.

Jul 8th - Jul 14th, 2019

Incident Response tools

IR management consoles

Rekall - Advanced forensic and incident response framework.

Automation

DShell stars5.4k - Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.

Jun 10th - Jun 16th, 2019

Host-based tools

Sandboxes

Firejail - SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Host-based tools

chkrootkit - Locally checks for signs of a rootkit on GNU/Linux systems.

Jun 3rd - Jun 9th, 2019

Incident Response tools

Evidence collection

AutoMacTC stars410 - Modular, automated forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis.

Apr 29th - May 5th, 2019

DevSecOps

Cilium - Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

Mar 25th - Mar 31st, 2019

Honeypots

Tarpits

Endlessh stars5.4k - SSH tarpit that slowly sends an endless banner.

LaBrea - Program that answers ARP requests for unused IP space, creating the appearance of fake machines that answer further requests very slowly in order to slow down scanners, worms, etcetera.

Mar 18th - Mar 24th, 2019

Transport-layer defenses

MITMEngine stars572 - Golang library for server-side detection of TLS interception events.

Mar 11th - Mar 17th, 2019

Automation

Code libraries and bindings

censys-python stars277 - Python wrapper to the Censys REST API.

Windows-based defenses

Sigcheck - Audit a Windows host's root certificate store against Microsoft's Certificate Trust List (CTL).

Mar 4th - Mar 10th, 2019

Communications security (COMSEC)

GPG Sync stars324 - Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team.

Feb 25th - Mar 3rd, 2019

Host-based tools

Rootkit Hunter (rkhunter) - POSIX-compliant Bash script that scans a host for various signs of malware.

Dec 31st - Jan 6th, 2019

Transport-layer defenses

Tor - Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (.onion domains) to enhance publisher privacy and service availability.

DevSecOps

Clair stars8.8k - Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.

Gauntlt - Pentest applications during routine continuous integration build pipelines.

SonarQube - Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.

Nov 12th - Nov 18th, 2018

DevSecOps

BlackBox stars6.2k - Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG.

Aug 27th - Sep 2nd, 2018

Automation

Code libraries and bindings

python-stix2 stars267 - Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks.

python-dshield stars23 - Pythonic interface to the Internet Storm Center/DShield API.

python-sandboxapi stars112 - Minimal, consistent Python API for building integrations with malware sandboxes.

Threat intelligence

ThreatIngestor stars564 - Extendable tool to extract and aggregate IOCs from threat feeds including Twitter, RSS feeds, or other sources.

Aug 20th - Aug 26th, 2018

Incident Response tools

aws_ir stars301 - Automates your incident response with zero security preparedness assumptions.

Incident Response tools

Evidence collection

Margarita Shotgun stars201 - Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.

DevSecOps

Git Secrets stars10.1k - Prevents you from committing passwords and other sensitive information to a git repository.

Aug 6th - Aug 12th, 2018

Host-based tools

Open Source HIDS SECurity (OSSEC) - Fully open source and free, feature-rich, Host-based Instrusion Detection System (HIDS).

Fail2ban - Intrusion prevention software framework that protects computer servers from brute-force attacks.

Transport-layer defenses

Certbot - Free tool to automate the issuance and renewal of TLS certificates from the LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.

Operating System distributions

Computer Aided Investigative Environment (CAINE) - Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.

Security Onion - Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management.

Preparedness training and wargaming

Atomic Red Team - Library of simple, automatable tests to execute for testing security controls.

Network Flight Simulator (flightsim)stars724 - Utility to generate malicious network traffic and help security teams evaluate security controls and audit their network visibility.

RedHunt OS stars1.1k - Ubuntu-based Open Virtual Appliance (.ova) preconfigured with several threat emulation tools as well as a defender's toolkit.

APTSimulator stars1.9k - Toolset to make a system look as if it was the victim of an APT attack.

Metta stars946 - Automated information security preparedness tool to do adversarial simulation.

Incident Response tools

IR management consoles

Fast Incident Response (FIR)stars1.4k - Cybersecurity incident management platform allowing for easy creation, tracking, and reporting of cybersecurity incidents.

TheHive - Scalable, free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, and CERTs, featuring tight integration with MISP.

threat_note stars403 - Web application built by Defense Point Security to allow security researchers the ability to add and retrieve indicators related to their research.

Incident Response tools

Evidence collection

OSXAuditor stars3.1k - Free macOS computer forensics tool.

OSXCollector stars1.8k - Forensic evidence collection & analysis toolkit for macOS.

ir-rescue stars380 - Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

Threat intelligence

MLSec Combine stars627 - Gather and combine multiple threat intelligence feed sources into one customizable, standardized CSV-based format.

Windows-based defenses

Sticky Keys Slayer stars293 - Establishes a Windows RDP session from a list of hostnames and scans for accessibility tools backdoors, alerting if one is discovered.

Windows Secure Host Baseline stars1.3k - Group Policy objects, compliance checks, and configuration tools that provide an automated and flexible approach for securely deploying and maintaining the latest releases of Windows 10.

Jul 30th - Aug 5th, 2018

Automation

Code libraries and bindings

Posh-VirusTotal stars97 - PowerShell interface to VirusTotal.com APIs.

Windows-based defenses

HardenTools stars2.2k - Utility that disables a number of risky Windows features.

WMI Monitor stars110 - Log newly created WMI consumers and processes to the Windows Application event log.

NotRuler stars77 - Detect both client-side rules and VBScript enabled forms used by the Ruler stars1.7k attack tool when attempting to compromise a Microsoft Exchange server.

Incident Response tools

IR management consoles

CIRTKit stars133 - Scriptable Digital Forensics and Incident Response (DFIR) toolkit built on Viper.

Security monitoring

Service and performance monitoring

osquery stars18.9k - Operating system instrumentation framework for macOS, Windows, and Linux, exposing the OS as a high-performance relational database that can be queried with a SQL-like syntax.

Threat intelligence

Forager stars148 - Multi-threaded threat intelligence gathering built with Python3 featuring simple text-based configuration and data storage for ease of use and data portability.

Malware Information Sharing Platform and Threat Sharing (MISP) - Open source software solution for collecting, storing, distributing and sharing cyber security indicators.

Viper - Binary analysis and management framework enabling easy organization of malware and exploit samples.

Preparedness training and wargaming

DumpsterFire stars846 - Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events for Blue Team drills and sensor/alert mapping.

Honeypots

CanaryTokens stars992 - Self-hostable honeytoken generator and reporting dashboard; demo version available at CanaryTokens.org.

Host-based tools

Artillery stars910 - Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.

Tor Onion service defenses

OnionBalance - Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure.

Vanguards stars134 - Version 3 Onion service guard discovery attack mitigation script (intended for eventual inclusion in Tor core).

Jul 23rd - Jul 29th, 2018

Threat intelligence

Unfetter - Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework.

GRASSMARLIN stars721 - Provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) by passively mapping, accounting for, and reporting on your ICS/SCADA network topology and endpoints.

Security monitoring

Service and performance monitoring

Icinga - Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.

Nagios - Popular network and service monitoring solution and reporting platform.

OpenNMS - Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).

Network perimeter defenses

fwknop - Protects ports via Single Packet Authorization in your firewall.

Security monitoring

Security Information and Event Management (SIEM)

AlienVault OSSIM - Single-server open source SIEM platform featuring asset discovery, asset inventorying, behavioral monitoring, and event correlation, driven by AlienVault Open Threat Exchange (OTX).

Prelude SIEM OSS - Open source, agentless SIEM with a long history and several commercial variants featuring security event collection, normalization, and alerting from arbitrary log input and numerous popular monitoring tools.

Last Checked At: 2022-05-28T16:14:15.876Z

fabacab/awesome-lockpicking

cpuu/awesome-fuzzing

Track Awesome List

// Track it, not just star it.

Top 50 Awesome List

Recently Updated

Platforms

Programming Languages

Front-End Development

Back-End Development

Computer Science

Big Data

Theory

Books

Editors

Gaming

Development Environment

Entertainment

Databases

Media

Learn

Security

Content Management Systems

Hardware

Business

Work

Networking

Decentralized Systems

Higher Education

Events

Testing

Miscellaneous

Unmaintained

Top 50 Awesome List

Recently Updated

Platforms

Programming Languages

Front-End Development

Back-End Development

Computer Science

Big Data

Theory

Books

Editors

Gaming

Development Environment

Entertainment

Databases

Media

Learn

Security

Content Management Systems

Hardware

Business

Work

Networking

Decentralized Systems

Higher Education

Events

Testing

Miscellaneous

Unmaintained

fabacab/awesome-cybersecurity-blueteam

DevSecOps

May 9th - May 15th, 2022

DevSecOps

Dependency confusion

Threat intelligence

Fingerprinting

Mar 28th - Apr 3rd, 2022

Transport-layer defenses

Overlay and Virtual Private Networks (VPNs)

Feb 21st - Feb 27th, 2022

Security monitoring

Feb 7th - Feb 13th, 2022

Cloud platform security

Kubernetes

Jan 31st - Feb 6th, 2022

Transport-layer defenses

Overlay and Virtual Private Networks (VPNs)

Jan 10th - Jan 16th, 2022

Preparedness training and wargaming