
Awesome Cybersecurity Blue Team

๐Ÿ›ก๏ธ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.


Last Update: Dec. 2, 2020, 9:06 a.m.

Original list by meitar & contributors. GitHub repository: meitar/awesome-cybersecurity-blueteam


Automation

Automated Encryption Framework [332 stars, 58 forks, last commit 12d, license n/a]

Dshell is a network forensic analysis framework. [5.28K stars, 1.17K forks, last commit 44d, license n/a]

Curated collection of information security themed Ansible roles that are both vetted and actively maintained.

Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.

Code libraries and bindings

Modular file scanning/analysis framework [489 stars, 116 forks, last commit 1y 10m, license MPL-2.0]

PowerShell Module to interact with VirusTotal [81 stars, 26 forks, last commit 4y 114d, license n/a]

An easy-to-use and lightweight API wrapper for the Censys Search Engine [182 stars, 45 forks, last commit 7d, license Apache-2.0]

A high level C++ network packet sniffing and crafting library. [250 stars, 79 forks, last commit 4m, license n/a]

Pythonic interface to the Internet Storm Center / DShield API. [20 stars, 10 forks, last commit 4y 45d, license BSD-3-Clause]

Minimal, consistent Python API for building integrations with malware sandboxes. [92 stars, 28 forks, last commit 56d, license GPL-2.0]

OASIS TC Open Repository: Python APIs for STIX 2 [180 stars, 65 forks, last commit 12d, license BSD-3-Clause]

Security Orchestration, Automation, and Response (SOAR)

Graphical generalized workflow (automation) builder for IT professionals and blue teamers.

Cloud platform security

MKIT is a Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster. [320 stars, 17 forks, last commit 5m, license MIT]

Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help on GDPR, HIPAA and other security requirements. [2.84K stars, 534 forks, last commit 1d, license n/a]

Multi-Cloud Security Auditing Tool [2.52K stars, 380 forks, last commit 39d, license GPL-2.0]

Application Kernel for Containers [10.66K stars, 800 forks, last commit 5d, license Apache-2.0]

Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.

Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.

Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

Communications security (COMSEC)

GPG Sync is designed to let users always have up-to-date public keys for other members of their organization. [294 stars, 26 forks, last commit 7m, license GPL-3.0]

Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.

DevSecOps

Custom & better AppArmor profile generator for Docker containers. [865 stars, 63 forks, last commit 76d, license MIT]

Safely store secrets in Git/Mercurial/Subversion [5.54K stars, 312 forks, last commit 13d, license MIT]

Vulnerability Static Analysis for Containers [7.2K stars, 899 forks, last commit 1d, license Apache-2.0]

Prevents you from committing secrets and credentials into git repositories [8.41K stars, 702 forks, last commit 6m, license Apache-2.0]

Simple and flexible tool for managing secrets [5.64K stars, 360 forks, last commit 79d, license MPL-2.0]

A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI [5.51K stars, 499 forks, last commit 2d, license Apache-2.0]

Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

Discover vulnerabilities across a codebase by performing queries against code as though it were data.

Application vulnerability management tool built for DevOps and continuous security integration.

Pentest applications during routine continuous integration build pipelines.

Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).

Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.

An encrypted datastore secure enough to hold environment and application secrets.

Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.

Application or Binary Hardening

Tools for binary instrumentation, analysis, and modification, useful for binary patching.

Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.

Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.

Instrumentation framework for building dynamic analysis tools.

Compliance testing and reporting

Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.

Both a library and a command line tool (oscap) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s).

Fuzzing

A self-hosted Fuzzing-As-A-Service platform [1.16K stars, 60 forks, last commit 74d, license MIT]

Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale.

Policy enforcement

Tang binding daemon [171 stars, 30 forks, last commit 4d, license GPL-3.0]

Unified toolset and framework for policy across the cloud native stack.

Honeypots

Canarytokens helps track activity and actions on your network. [584 stars, 106 forks, last commit 22d, license n/a]

Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Tarpits

SSH tarpit that slowly sends an endless banner [3.98K stars, 153 forks, last commit 9m, license Unlicense]

Takes over unused IP addresses, and creates virtual servers that are attractive to worms, hackers, and other denizens of the Internet.

Host-based tools

The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods. [795 stars, 180 forks, last commit 10m, license n/a]

Locally checks for signs of a rootkit on GNU/Linux systems.

Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.

Intrusion prevention software framework that protects computer servers from brute-force attacks.

Fully open source and free, feature-rich, Host-based Intrusion Detection System (HIDS).

A Rootkit Hunter for Linux

Sandboxes

SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf.

Incident Response tools

Investigate malicious Windows logon by visualizing and analyzing Windows event log [1.57K stars, 309 forks, last commit 48d, license n/a]

Python installable command line utility for mitigation of host and key compromises. [250 stars, 56 forks, last commit 2y 4m, license MIT]

Advanced memory forensics framework.

IR management consoles

Tools for the Computer Incident Response Team [120 stars, 24 forks, last commit 3y 7m, license MIT]

Fast Incident Response [1.24K stars, 425 forks, last commit 89d, license GPL-3.0]

DPS' Lightweight Investigation Notebook [379 stars, 88 forks, last commit 4y 110d, license Apache-2.0]

Memory analysis framework.

Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Evidence collection

AutoMacTC: Automated Mac Forensic Triage Collector [285 stars, 48 forks, last commit 47d, license n/a]

OS X Auditor is a free Mac OS X computer forensics tool [3.09K stars, 307 forks, last commit 4m, license n/a]

A forensic evidence collection & analysis toolkit for OS X [1.76K stars, 239 forks, last commit 1y 5m, license n/a]

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response. [297 stars, 72 forks, last commit 1y 6m, license n/a]

Remote Memory Acquisition Tool [164 stars, 33 forks, last commit 2y 5m, license MIT]

Network perimeter defenses

First open-source DDoS protection system [284 stars, 98 forks, last commit 2d, license GPL-3.0]

SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc) [459 stars, 41 forks, last commit 26d, license MIT]

Protects ports via Single Packet Authorization in your firewall.

Firewall appliances or distributions

OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.

Firewall and Router FreeBSD distribution.

Operating System distributions

Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.

Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management.

Phishing awareness and reporting

Certificate Transparency Log Monitor [471 stars, 58 forks, last commit 5m, license MPL-2.0]

Phishing Campaign Toolkit [1.28K stars, 378 forks, last commit 11d, license BSD-3-Clause]

Outlook add-in companion to report suspicious mail easily [93 stars, 13 forks, last commit 2y 25d, license GPL-3.0]

The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365 [150 stars, 56 forks, last commit 1y 7m, license MIT]

Swordphish Phishing Awareness Tool [171 stars, 35 forks, last commit 1d, license GPL-3.0]

Scans SPF and DMARC records for issues that could allow email spoofing. [37 stars, 12 forks, last commit 40d, license MIT]

Phishing catcher using Certstream [1.19K stars, 251 forks, last commit 8m, license GPL-3.0]

Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.

Preparedness training and wargaming

A toolset to make a system look as if it was the victim of an APT attack [1.28K stars, 274 forks, last commit 2y 5m, license MIT]

"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts. [750 stars, 138 forks, last commit 6m, license MIT]

An information security preparedness tool to do adversarial simulation. [842 stars, 124 forks, last commit 2y 5m, license MIT]

A utility to generate malicious network traffic and evaluate controls [503 stars, 93 forks, last commit 10m, license n/a]

Virtual Machine for Adversary Emulation and Threat Hunting [947 stars, 150 forks, last commit 4m, license BSD-3-Clause]

Library of simple, automatable tests to execute for testing security controls.

Endpoint Detection and Response (EDR)

Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.

Network Security Monitoring (NSM)

Protocol Analysis/Decoder Framework [437 stars, 105 forks, last commit 1y 7m, license n/a]

Malicious traffic detection system [3.8K stars, 728 forks, last commit 1d, license MIT]

Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system. [4.49K stars, 843 forks, last commit 1d, license n/a]

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis. [1.23K stars, 203 forks, last commit 42d, license GPL-3.0]

Respounder detects presence of responder in the network. [241 stars, 29 forks, last commit 2y 9m, license Apache-2.0]

A tool to catch spoofed NBNS responses. [39 stars, 26 forks, last commit 2y 5m, license n/a]

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected] [1.55K stars, 189 forks, last commit 9d, license Apache-2.0]

Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence. [6.6K stars, 671 forks, last commit 1d, license Apache-2.0]

Visibility Across Space and Time [205 stars, 43 forks, last commit 1d, license BSD-3-Clause]

Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.

Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.

Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Powerful network analysis framework focused on security monitoring, formerly known as Bro.

netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.

Security Information and Event Management (SIEM)

OSSIM provides all of the features that a security professional needs from a SIEM offering: event collection, normalization, and correlation.

Prelude is a Universal "Security Information & Event Management" (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".

Service and performance monitoring

SQL powered operating system instrumentation, monitoring, and analytics. [17.38K stars, 2.07K forks, last commit 2d, license n/a]

Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.

Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.

Popular network and service monitoring solution and reporting platform.

Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).

Mature, enterprise-level platform to monitor large-scale IT environments.

Threat hunting

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. [547 stars, 136 forks, last commit 3y 76d, license BSD-3-Clause]

[753 stars, 124 forks, last commit 106d, license GPL-3.0]

GRR Rapid Response: remote live forensics for incident response [3.64K stars, 662 forks, last commit 1d, license Apache-2.0]

The Hunting ELK [2.6K stars, 511 forks, last commit 14d, license GPL-3.0]

MozDef: Mozilla Enterprise Defense Platform [2.05K stars, 328 forks, last commit 16d, license MPL-2.0]

Powershell Threat Hunting Module [203 stars, 54 forks, last commit 4y 74d, license Apache-2.0]

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally. [407 stars, 103 forks, last commit 3y 4m, license Apache-2.0]

PowerForensics provides an all in one platform for live disk forensic analysis [1.03K stars, 248 forks, last commit 2y 7m, license MIT]

Collecting & Hunting for IOCs with gusto and style [163 stars, 42 forks, last commit 7m, license MIT]

Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Threat intelligence

Active Directory Control Paths auditing and graphing tools [477 stars, 85 forks, last commit 11m, license n/a]

Credential Phish Analysis and Automation [83 stars, 26 forks, last commit 2y 103d, license GPL-3.0]

Multithreaded threat Intelligence gathering built with Python3 [136 stars, 25 forks, last commit 2y 10m, license MIT]

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber [604 stars, 236 forks, last commit 3y 4m, license n/a]

Tool to gather Threat Intelligence indicators from publicly available sources [604 stars, 171 forks, last commit 4y 4m, license GPL-3.0]

Extract and aggregate threat intelligence. [414 stars, 82 forks, last commit 29d, license GPL-2.0]

Binary analysis and management framework [1.36K stars, 358 forks, last commit 5m, license n/a]

Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.

Open source software solution for collecting, storing, distributing and sharing cyber security indicators.

Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework.

Tor Onion service defenses

Vanguards help guard you from getting vanned... [83 stars, 12 forks, last commit 54d, license MIT]

Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure.

Transport-layer defenses

A MITM (monster-in-the-middle) detection tool. Used to build MALCOLM. [458 stars, 45 forks, last commit 9m, license BSD-3-Clause]

Free tool to automate the issuance and renewal of TLS certificates from the LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.

OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

Tor

Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (.onion domains) to enhance publisher privacy and service availability.

macOS-based defenses

A binary authorization system for macOS [3.31K stars, 229 forks, last commit 15d, license Apache-2.0]

Easily configure macOS security settings from the terminal. [762 stars, 149 forks, last commit 1y 58d, license MIT]

Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav) [297 stars, 41 forks, last commit 5m, license MIT]

Me: "Please alert me whenever anything is persistently installed." BlockBlock: "You got it"

is the free macOS firewall that aims to block unauthorized (outgoing) network traffic.

Windows-based defenses

Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features. [1.56K stars, 184 forks, last commit 25d, license GPL-3.0]

The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange. [69 stars, 17 forks, last commit 3y 53d, license CC0-1.0]

Scans for accessibility tools backdoors via RDP [256 stars, 56 forks, last commit 2y 8m, license GPL-3.0]

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber [1.27K stars, 256 forks, last commit 2y 82d, license n/a]

Log newly created WMI consumers and processes to the Windows Application event log [99 stars, 19 forks, last commit 2y 9m, license n/a]

Free and open source general purpose Windows application sandboxing utility.

Audit a Windows host's root certificate store against Microsoft's Certificate Trust List (CTL).