Awesome Cybersecurity Blue Team
🛡️ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
Thank you meitar & contributors
Automated Encryption Framework
Dshell is a network forensic analysis framework.
Curated collection of information security themed Ansible roles that are both vetted and actively maintained.
Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.
Code libraries and bindings
Modular file scanning/analysis framework
PowerShell Module to interact with VirusTotal
An easy-to-use and lightweight API wrapper for the Censys Search Engine
A high level C++ network packet sniffing and crafting library.
Pythonic interface to the Internet Storm Center / DShield API.
Minimal, consistent Python API for building integrations with malware sandboxes.
OASIS TC Open Repository: Python APIs for STIX 2
Security Orchestration, Automation, and Response (SOAR)
Cloud platform security
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls listed here https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf and more than 100 additional checks that help with GDPR, HIPAA and other security requirements.
Multi-Cloud Security Auditing Tool
Application Kernel for Containers
Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.
Open-source service monitoring system and time series database
MKIT is a Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
Utility that exposes the expiry of TLS certificates as Prometheus metrics
Kubernetes security tool for policy enforcement
Export Kubernetes events to multiple destinations with routing and filtering
Communications security (COMSEC)
GPG Sync is designed to let users always have up-to-date public keys for other members of their organization
Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.
GlobaLeaks (https://github.com/globaleaks/GlobaLeaks) - Software intended to enable Secure and Anonymous Whistleblowing initiatives.
Custom & better AppArmor profile generator for Docker containers.
Safely store secrets in Git/Mercurial/Subversion
Vulnerability Static Analysis for Containers
Prevents you from committing secrets and credentials into git repositories
Simple and flexible tool for managing secrets
A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI
Successor of zendesk/helm-secrets - A helm plugin that helps manage secrets with a Git workflow and store them anywhere
Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.
Discover vulnerabilities across a codebase by performing queries against code as though it were data.
Application vulnerability management tool built for DevOps and continuous security integration.
Pentest applications during routine continuous integration build pipelines.
Vulnerability scanner for dependencies of node.js apps (free for Open Source Projects).
Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.
An encrypted datastore secure enough to hold environment and application secrets.
Application or Binary Hardening
Tools for binary instrumentation, analysis, and modification, useful for binary patching.
Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.
Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.
Compliance testing and reporting
Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.
A self-hosted Fuzzing-As-A-Service platform
GitHub App to set and enforce security policies
Tang binding daemon
Supply chain security
Chart signing and verification with GnuPG for Helm.
Notary is a project that allows anyone to have trust over arbitrary collections of data
Canarytokens helps track activity and actions on your network.
SSH tarpit that slowly sends an endless banner
The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.
Intrusion prevention software framework that protects computer servers from brute-force attacks.
Fully open source and free, feature-rich, Host-based Intrusion Detection System (HIDS).
Unprivileged sandboxing tool
Identity and AuthN/AuthZ
Incident Response tools
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Python installable command line utility for mitigation of host and key compromises.
IR management consoles
Tools for the Computer Incident Response Team
Fast Incident Response
DPS' Lightweight Investigation Notebook
AutoMacTC: Automated Mac Forensic Triage Collector
OS X Auditor is a free Mac OS X computer forensics tool
A forensic evidence collection & analysis toolkit for OS X
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Remote Memory Acquisition Tool
Network perimeter defenses
First open-source DDoS protection system
SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
Firewall appliances or distributions
OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
Operating System distributions
Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools.
Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management.
Phishing awareness and reporting
Certificate Transparency Log Monitor
Phishing Campaign Toolkit
Outlook add-in companion to report suspicious mail easily
The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365
Swordphish Phishing Awareness Tool
Scans SPF and DMARC records for issues that could allow email spoofing.
Phishing catcher using Certstream
Preparedness training and wargaming
A toolset to make a system look as if it was the victim of an APT attack
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
An information security preparedness tool to do adversarial simulation.
A utility to generate malicious network traffic and evaluate controls
Virtual Machine for Adversary Emulation and Threat Hunting
Library of simple, automatable tests to execute for testing security controls.
nginx Docker image secure by default.
Endpoint Detection and Response (EDR)
Network Security Monitoring (NSM)
Protocol Analysis/Decoder Framework
Malicious traffic detection system
Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Respounder detects presence of responder in the network.
A tool to catch spoofed NBNS responses.
Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets.
Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Visibility Across Space and Time
Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.
Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.
Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua.
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.
Powerful network analysis framework focused on security monitoring, formerly known as Bro.
netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.
Security Information and Event Management (SIEM)
OSSIM provides all of the features that a security professional needs from a SIEM offering – event collection, normalization, and correlation.
Prelude is a Universal "Security Information & Event Management" (SIEM) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".
Service and performance monitoring
SQL powered operating system instrumentation, monitoring, and analytics.
Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.
Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.
Free and feature-rich network monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).
CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
GRR Rapid Response: remote live forensics for incident response
The Hunting ELK
MozDef: Mozilla Enterprise Defense Platform
Powershell Threat Hunting Module
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
PowerForensics provides an all in one platform for live disk forensic analysis
Collecting & Hunting for IOCs with gusto and style
Active Directory Control Paths auditing and graphing tools
Credential Phish Analysis and Automation
Multithreaded threat Intelligence gathering built with Python3
Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber
Tool to gather Threat Intelligence indicators from publicly available sources
Generic Signature Format for SIEM Systems
🚌 Threat Bus – A threat intelligence dissemination layer for open-source security tools.
Extract and aggregate threat intelligence.
Binary analysis and management framework
The pattern matching swiss knife
Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.
Open source software solution for collecting, storing, distributing and sharing cyber security indicators.
Threat signature packages and collections
Indicators of Compromises (IOC) of our various investigations
Repository of yara rules
Tor Onion service defenses
Vanguards help guard you from getting vanned...
A private network system that uses WireGuard under the hood.
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
A MITM (monster-in-the-middle) detection tool. Used to build MALCOLM.
A scalable overlay networking tool with a focus on performance, simplicity and security
Free tool to automate the issuance and renewal of TLS certificates from the LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.
OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.
Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (.onion domains) to enhance publisher privacy and service availability.
A binary authorization system for macOS
Easily configure macOS security settings from the terminal.
Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav)
Me: "Please alert me whenever anything is persistently installed." BlockBlock: "You got it"
Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.
The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.
Bloodhound for Blue and Purple Teams
Scans for accessibility tools backdoors via RDP
Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber
Log newly created WMI consumers and processes to the Windows Application event log
Free and open source general purpose Windows application sandboxing utility.