Awesome Cybersecurity Blue Team

Curated collection of information security themed Ansible roles that are both vetted and actively maintained.

Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.

Scriptable PDF file analyzer.

Graphical generalized workflow (automation) builder for IT professionals and blue teamers.

Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.

Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.

Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.

Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

Discover vulnerabilities across a codebase by performing queries against code as though it were data.

Application vulnerability management tool built for DevOps and continuous security integration.

Pentest applications during routine continuous integration build pipelines.

copyright: - Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).

Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.

An encrypted datastore secure enough to hold environment and application secrets.

Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.

Tools for binary instrumentation, analysis, and modification, useful for binary patching.

Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.

Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.

Instrumentation framework for building dynamic analysis tools.

Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.

Both a library and a command line tool (oscap) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).

Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.

Unified toolset and framework for policy across the cloud native stack.

Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.

Locally checks for signs of a rootkit on GNU/Linux systems.

Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.

Intrusion prevention software framework that protects computer servers from brute-force attacks.

Fully open source and free, feature-rich, Host-based Instrusion Detection System (HIDS).

A Rootkit Hunter for Linux

SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Advanced memory forensics framework.

Memory analysis framework,

Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Protects ports via Single Packet Authorization in your firewall.

is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.

Firewall and Router FreeBSD distribution.

Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.

Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management.

Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.

Library of simple, automatable tests to execute for testing security controls.

Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.

Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.

Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.

Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Powerful network analysis framework focused on security monitoring, formerly known as Bro.

netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.

OSSIM provides all of the features that a security professional needs from a SIEM offering – event collection, normalization, and correlation.

Prelude is a Universal "Security Information & Event Management" (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".

Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.

Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.

Popular network and service monitoring solution and reporting platform.

Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).

Mature, enterprise-level platform to monitor large-scale IT environments.

Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.

Open source software solution for collecting, storing, distributing and sharing cyber security indicators.

Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework.

Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure.

Free tool to automate the issuance and renewal of TLS certificates from the LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (.onion domains) to enhance publisher privacy and service availability.

Me: "Please alert me whenever anything is persistently installed." BlockBlock: "You got it"

is the free macOS firewall that aims to block unauthorized (outgoing) network traffic. ![Open-Source Software][OSS Icon] ![Freeware][Freeware Icon]

Free and open source general purpose Windows application sandboxing utility.

Audit a Windows host's root certificate store against Microsoft's Certificate Trust List (CTL).