
Awesome Cybersecurity Blue Team

๐Ÿ›ก๏ธ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.


Thank you fabacab & contributors
View Topic on GitHub:
fabacab/awesome-cybersecurity-blueteam


Automation

Automated Encryption Framework

376
64
21d
n/a

Dshell is a network forensic analysis framework.

5.28K
1.17K
13d
n/a

Curated collection of information security themed Ansible roles that are both vetted and actively maintained.

Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.

Code libraries and bindings

Modular file scanning/analysis framework

495
120
2y 34d
MPL-2.0

PowerShell Module to interact with VirusTotal

87
27
4y 6m
n/a

An easy-to-use and lightweight API wrapper for the Censys Search Engine

206
50
19d
Apache-2.0

A high level C++ network packet sniffing and crafting library.

257
81
7m
n/a

Pythonic interface to the Internet Storm Center / DShield API.

21
11
4y 4m
BSD-3-Clause

Minimal, consistent Python API for building integrations with malware sandboxes.

96
31
74d
GPL-2.0

OASIS TC Open Repository: Python APIs for STIX 2

190
66
11d
BSD-3-Clause

Security Orchestration, Automation, and Response (SOAR)

Graphical generalized workflow (automation) builder for IT professionals and blue teamers.

Cloud platform security

Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help on GDPR, HIPAA and other security requirements.

3.08K
581
25d
n/a

Multi-Cloud Security Auditing Tool

2.77K
409
13d
GPL-2.0

Application Kernel for Containers

10.98K
850
5d
Apache-2.0

Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.

Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.

Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

Kubernetes

MKIT is a Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.

329
18
8m
MIT

Communications security (COMSEC)

GPG Sync is designed to let users always have up-to-date public keys for other members of their organization

296
26
22d
GPL-3.0

Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.

DevSecOps

Custom & better AppArmor profile generator for Docker containers.

889
70
5m
MIT

Safely store secrets in Git/Mercurial/Subversion

5.67K
313
50d
MIT

Vulnerability Static Analysis for Containers

7.53K
931
14d
Apache-2.0

Prevents you from committing secrets and credentials into git repositories

8.69K
735
9m
Apache-2.0

Simple and flexible tool for managing secrets

6.86K
402
5m
MPL-2.0

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI

6.45K
567
11d
Apache-2.0

Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

Discover vulnerabilities across a codebase by performing queries against code as though it were data.

Application vulnerability management tool built for DevOps and continuous security integration.

Pentest applications during routine continuous integration build pipelines.

Vulnerability scanner for dependencies of Node.js apps (free for open source projects).

Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.

An encrypted datastore secure enough to hold environment and application secrets.

Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.

Application or Binary Hardening

Tools for binary instrumentation, analysis, and modification, useful for binary patching.

Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.

Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.

Instrumentation framework for building dynamic analysis tools.

Compliance testing and reporting

Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.

Both a library and a command line tool (oscap) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).

Fuzzing

A self-hosted Fuzzing-As-A-Service platform

1.16K
60
5m
MIT

Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.

Policy enforcement

Tang binding daemon

191
34
22d
GPL-3.0

Unified toolset and framework for policy across the cloud native stack.

Honeypots

Canarytokens helps track activity and actions on your network.

626
110
25d
n/a

Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Tarpits

SSH tarpit that slowly sends an endless banner

4.29K
184
69d
Unlicense

Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.

Host-based tools

The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.

824
182
1y 26d
n/a

Locally checks for signs of a rootkit on GNU/Linux systems.

Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.

Intrusion prevention software framework that protects computer servers from brute-force attacks.

Fully open source and free, feature-rich, Host-based Intrusion Detection System (HIDS).

A Rootkit Hunter for Linux

Sandboxes

SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Incident Response tools

Investigate malicious Windows logon by visualizing and analyzing Windows event log

1.66K
331
22d
n/a

Python installable command line utility for mitigation of host and key compromises.

261
55
2y 7m
MIT

Advanced memory forensics framework.

IR management consoles

Tools for the Computer Incident Response Team

122
25
3y 10m
MIT

Fast Incident Response

1.27K
433
25d
GPL-3.0

DPS' Lightweight Investigation Notebook

382
89
4y 6m
Apache-2.0

Memory analysis framework.

Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Evidence collection

AutoMacTC: Automated Mac Forensic Triage Collector

307
53
4m
n/a

OS X Auditor is a free Mac OS X computer forensics tool

3.09K
307
7m
n/a

A forensic evidence collection & analysis toolkit for OS X

1.77K
242
1y 8m
n/a

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

309
76
78d
n/a

Remote Memory Acquisition Tool

168
34
2y 8m
MIT

Network perimeter defenses

First open-source DDoS protection system

354
106
64d
GPL-3.0

SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

535
48
12d
MIT

Protects ports via Single Packet Authorization in your firewall.

Firewall appliances or distributions

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.

Firewall and Router FreeBSD distribution.

Operating System distributions

Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.

Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management.

Phishing awareness and reporting

Certificate Transparency Log Monitor

486
58
8m
MPL-2.0

Phishing Campaign Toolkit

1.33K
401
101d
BSD-3-Clause

Outlook add-in companion to report suspicious mail easily

98
13
2y 115d
GPL-3.0

The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365

153
56
1y 10m
MIT

Swordphish Phishing Awareness Tool

174
36
91d
GPL-3.0

Scans SPF and DMARC records for issues that could allow email spoofing.

39
12
4m
MIT

Phishing catcher using Certstream

1.23K
261
84d
GPL-3.0

Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.

Preparedness training and wargaming

A toolset to make a system look as if it was the victim of an APT attack

1.31K
280
2y 8m
MIT

"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.

767
138
9m
MIT

An information security preparedness tool to do adversarial simulation.

863
125
2y 8m
MIT

A utility to generate malicious network traffic and evaluate controls

522
95
1y 38d
n/a

Virtual Machine for Adversary Emulation and Threat Hunting

975
154
7m
BSD-3-Clause

Library of simple, automatable tests to execute for testing security controls.

Security configurations

nginx Docker image secure by default.

1.78K
70
104d
n/a

Endpoint Detection and Response (EDR)

Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.

Network Security Monitoring (NSM)

Protocol Analysis/Decoder Framework

441
111
1y 10m
n/a

Malicious traffic detection system

3.92K
752
11d
MIT

Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.

4.62K
860
11d
n/a

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

1.32K
215
12d
GPL-3.0

Respounder detects presence of responder in the network.

243
29
3y 10d
Apache-2.0

A tool to catch spoofed NBNS responses.

43
26
2y 8m
n/a

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]

1.58K
193
99d
Apache-2.0

Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

6.81K
708
25d
Apache-2.0

Visibility Across Space and Time

222
44
11d
n/a

Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.

Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.

Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Powerful network analysis framework focused on security monitoring, formerly known as Bro.

netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.

Security Information and Event Management (SIEM)

OSSIM provides all of the features that a security professional needs from a SIEM offering – event collection, normalization, and correlation.

Prelude is a Universal "Security Information & Event Management" (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".

Service and performance monitoring

SQL powered operating system instrumentation, monitoring, and analytics.

17.65K
2.11K
11d
n/a

Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.

Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.

Popular network and service monitoring solution and reporting platform.

Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).

Mature, enterprise-level platform to monitor large-scale IT environments.

Threat hunting

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.

555
140
3y 5m
BSD-3-Clause
753
124
6m
GPL-3.0

GRR Rapid Response: remote live forensics for incident response

3.72K
669
14d
Apache-2.0

The Hunting ELK

2.75K
534
26d
GPL-3.0

MozDef: Mozilla Enterprise Defense Platform

2.08K
331
35d
MPL-2.0

Powershell Threat Hunting Module

207
54
4y 5m
Apache-2.0

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

411
104
3y 7m
Apache-2.0

PowerForensics provides an all in one platform for live disk forensic analysis

1.05K
250
2y 10m
MIT

Collecting & Hunting for IOCs with gusto and style

168
43
10m
MIT

Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Threat intelligence

Active Directory Control Paths auditing and graphing tools

489
87
1y 55d
n/a

Credential Phish Analysis and Automation

85
26
2y 6m
GPL-3.0

Multithreaded threat Intelligence gathering built with Python3

140
25
3y 39d
MIT

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber

617
243
3y 7m
n/a

Tool to gather Threat Intelligence indicators from publicly available sources

604
171
4y 7m
GPL-3.0

Generic Signature Format for SIEM Systems

3.25K
912
12d
n/a

Extract and aggregate threat intelligence.

432
85
27d
GPL-2.0

Binary analysis and management framework

1.39K
363
26d
n/a

The pattern matching swiss knife

4.11K
915
88d
BSD-3-Clause

Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.

Open source software solution for collecting, storing, distributing and sharing cyber security indicators.

Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework.

Threat signature packages and collections

Repository of yara rules

2.46K
664
25d
GPL-2.0

Tor Onion service defenses

Vanguards help guard you from getting vanned...

86
16
4m
MIT

Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure.

Transport-layer defenses

A MITM (monster-in-the-middle) detection tool. Used to build MALCOLM.

463
48
1y 24d
BSD-3-Clause

Free tool to automate the issuance and renewal of TLS certificates from the LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

Tor

Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (.onion domains) to enhance publisher privacy and service availability.

macOS-based defenses

A binary authorization system for macOS

3.38K
236
29d
Apache-2.0

Easily configure macOS security settings from the terminal.

800
161
1y 4m
MIT

Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav)

306
41
79d
MIT

Me: "Please alert me whenever anything is persistently installed." BlockBlock: "You got it"

is the free macOS firewall that aims to block unauthorized (outgoing) network traffic.

Windows-based defenses

Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.

1.64K
194
22d
GPL-3.0

The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.

72
17
3y 4m
CC0-1.0

Bloodhound for Blue and Purple Teams

405
50
76d
GPL-3.0

Scans for accessibility tools backdoors via RDP

261
57
2y 11m
GPL-3.0

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber

1.28K
258
2y 5m
n/a

Log newly created WMI consumers and processes to the Windows Application event log

101
19
3y 3d
n/a

Free and open source general purpose Windows application sandboxing utility.

Audit a Windows host's root certificate store against Microsoft's Certificate Trust List (CTL).