Your first time on this page? Allow me to give some explanations.
Awesome Cybersecurity Blue Team
🛡️ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
Here you can see meta information about this topic like the time we last updated this page, the original creator of the awesome list and a link to the original GitHub repository.
Thank you fabacab & contributors
View Topic on GitHub:
Search for resources by name or description.
Simply type in what you are looking for and the results will be filtered on the fly.
Further filter the resources on this page by type (repository/other resource), number of stars on GitHub and time of last commit in months.
Awesome Cybersecurity Blue Team
Automated Encryption Framework
Dshell is a network forensic analysis framework.
Curated collection of information security themed Ansible roles that are both vetted and actively maintained.
Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.
Code libraries and bindings
Modular file scanning/analysis framework
PowerShell Module to interact with VirusTotal
An easy-to-use and lightweight API wrapper for the Censys Search Engine
A high level C++ network packet sniffing and crafting library.
Pythonic interface to the Internet Storm Center / DShield API.
Minimal, consistent Python API for building integrations with malware sandboxes.
OASIS TC Open Repository: Python APIs for STIX 2
Security Orchestration, Automation, and Response (SOAR)
Cloud platform security
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help on GDPR, HIPAA and other security requirements.
Multi-Cloud Security Auditing Tool
Application Kernel for Containers
Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.
Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
MKIT is a Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
Communications security (COMSEC)
GPG Sync is designed to let users always have up-to-date public keys for other members of their organization
Custom & better AppArmor profile generator for Docker containers.
Safely store secrets in Git/Mercurial/Subversion
Vulnerability Static Analysis for Containers
Prevents you from committing secrets and credentials into git repositories
Simple and flexible tool for managing secrets
A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
Discover vulnerabilities across a codebase by performing queries against code as though it were data.
Application vulnerability management tool built for DevOps and continuous security integration.
Pentest applications during routine continuous integration build pipelines.
copyright: - Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).
Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.
An encrypted datastore secure enough to hold environment and application secrets.
Application or Binary Hardening
Tools for binary instrumentation, analysis, and modification, useful for binary patching.
Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.
Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.
Compliance testing and reporting
Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.
A self-hosted Fuzzing-As-A-Service platform
Tang binding daemon
Canarytokens helps track activity and actions on your network.
SSH tarpit that slowly sends an endless banner
The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.
Intrusion prevention software framework that protects computer servers from brute-force attacks.
Fully open source and free, feature-rich, Host-based Instrusion Detection System (HIDS).
Incident Response tools
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Python installable command line utiltity for mitigation of host and key compromises.
IR management consoles
Tools for the Computer Incident Response Team
Fast Incident Response
DPS' Lightweight Investigation Notebook
AutoMacTC: Automated Mac Forensic Triage Collector
OS X Auditor is a free Mac OS X computer forensics tool
A forensic evidence collection & analysis toolkit for OS X
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Remote Memory Acquisition Tool
Network perimeter defenses
First open-source DDoS protection system
SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
Firewall appliances or distributions
is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
Operating System distributions
Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.
Phishing awareness and reporting
Certificate Transparency Log Monitor
Phishing Campaign Toolkit
Outlook add-in companion to report suspicious mail easily
The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365
Swordphish Phishing Awareness Tool
Scans SPF and DMARC records for issues that could allow email spoofing.
Phishing catcher using Certstream
Preparedness training and wargaming
A toolset to make a system look as if it was the victim of an APT attack
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
An information security preparedness tool to do adversarial simulation.
A utility to generate malicious network traffic and evaluate controls
Virtual Machine for Adversary Emulation and Threat Hunting
Library of simple, automatable tests to execute for testing security controls.
nginx Docker image secure by default.
Endpoint Detection and Response (EDR)
Network Security Monitoring (NSM)
Protocol Analysis/Decoder Framework
Malicious traffic detection system
Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Respounder detects presence of responder in the network.
A tool to catch spoofed NBNS responses.
Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]
Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Visibility Across Space and Time
Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.
Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.
Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.
Powerful network analysis framework focused on security monitoring, formerly known as Bro.
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.
Security Information and Event Management (SIEM)
OSSIM provides all of the features that a security professional needs from a SIEM offering – event collection, normalization, and correlation.
Prelude is a Universal "Security Information & Event Management" (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".
Service and performance monitoring
SQL powered operating system instrumentation, monitoring, and analytics.
Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.
Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.
Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).
CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
GRR Rapid Response: remote live forensics for incident response
The Hunting ELK
MozDef: Mozilla Enterprise Defense Platform
Powershell Threat Hunting Module
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
PowerForensics provides an all in one platform for live disk forensic analysis
Collecting & Hunting for IOCs with gusto and style
Active Directory Control Paths auditing and graphing tools
Credential Phish Analysis and Automation
Multithreaded threat Intelligence gathering built with Python3
Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber
Tool to gather Threat Intelligence indicators from publicly available sources
Generic Signature Format for SIEM Systems
Extract and aggregate threat intelligence.
Binary analysis and management framework
The pattern matching swiss knife
Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.
Open source software solution for collecting, storing, distributing and sharing cyber security indicators.
Threat signature packages and collections
Repository of yara rules
Tor Onion service defenses
Vanguards help guard you from getting vanned...
A MITM (monster-in-the-middle) detection tool. Used to build MALCOLM:
Free tool to automate the issuance and renewal of TLS certificates from the LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.
OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
A binary authorization system for macOS
Easily configure macOS security settings from the terminal.
Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav)
Me: "Please alert me whenever anything is persistently installed." BlockBlock: "You got it"
Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.
The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.
Bloodhound for Blue and Purple Teams
Scans for accessibility tools backdoors via RDP
Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber
Log newly created WMI consumers and processes to the Windows Application event log
Free and open source general purpose Windows application sandboxing utility.