Your first time on this page? Allow me to give some explanations.
Awesome Cybersecurity Blue Team
🛡️ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
Here you can see meta information about this topic like the time we last updated this page, the original creator of the awesome list and a link to the original GitHub repository.
Thank you fabacab & contributors
View Topic on GitHub:
Search for resources by name or description.
Simply type in what you are looking for and the results will be filtered on the fly.
Further filter the resources on this page by type (repository/other resource), number of stars on GitHub and time of last commit in months.
Awesome Cybersecurity Blue Team
Automated Encryption Framework
Dshell is a network forensic analysis framework.
Code libraries and bindings
Modular file scanning/analysis framework
PowerShell Module to interact with VirusTotal
An easy-to-use and lightweight API wrapper for Censys APIs.
A high level C++ network packet sniffing and crafting library.
Pythonic interface to the Internet Storm Center / DShield API.
Minimal, consistent Python API for building integrations with malware sandboxes.
OASIS TC Open Repository: Python APIs for STIX 2
Security Orchestration, Automation, and Response (SOAR)
Cloud platform security
AWS Identity and Access Management Visualizer and Anomaly Finder
A tool for quickly evaluating IAM permissions in AWS.
Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls and many more additional checks that help on GDPR, HIPAA and other security frameworks.
Multi-Cloud Security Auditing Tool
Application Kernel for Containers
MKIT is a Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
A Kubernetes controller and tool for one-way encrypted Secrets
Utility that exposes the expiry of TLS certificates as Prometheus metrics
Kubernetes security tool for policy enforcement
Export Kubernetes events to multiple destinations with routing and filtering
Communications security (COMSEC)
GPG Sync is designed to let users always have up-to-date public keys for other members of their organization
Custom & better AppArmor profile generator for Docker containers.
Safely store secrets in Git/Mercurial/Subversion
Vulnerability Static Analysis for Containers
Prevents you from committing secrets and credentials into git repositories
Simple and flexible tool for managing secrets
Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues
A helm plugin that help manage secrets with Git workflow and store them anywhere
Application or Binary Hardening
Compliance testing and reporting
Compare the contents of your hosted and proxy repositories for coordinate collisions
Mitigate security concerns of Dependency Confusion supply chain security risks
A self-hosted Fuzzing-As-A-Service platform
GitHub App to set and enforce security policies
Tang binding daemon
Supply chain security
Chart signing and verification with GnuPG for Helm.
Notary is a project that allows anyone to have trust over arbitrary collections of data
Canarytokens helps track activity and actions on your network.
A modular OSINT honeypot for blue teamers
SSH tarpit that slowly sends an endless banner
The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
Unprivileged sandboxing tool
Identity and AuthN/AuthZ
Incident Response tools
Investigate malicious Windows logon by visualizing and analyzing Windows event log
Python installable command line utiltity for mitigation of host and key compromises.
IR management consoles
Tools for the Computer Incident Response Team
Fast Incident Response
DPS' Lightweight Investigation Notebook
AutoMacTC: Automated Mac Forensic Triage Collector
OS X Auditor is a free Mac OS X computer forensics tool
A forensic evidence collection & analysis toolkit for OS X
A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
Remote Memory Acquisition Tool
Network perimeter defenses
First open-source DDoS protection system
SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
Firewall appliances or distributions
Operating System distributions
Phishing awareness and reporting
Certificate Transparency Log Monitor
Phishing Campaign Toolkit
Outlook add-in companion to report suspicious mail easily
The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365
Swordphish Phishing Awareness Tool
Scans SPF and DMARC records for issues that could allow email spoofing.
Phishing catcher using Certstream
Preparedness training and wargaming
A toolset to make a system look as if it was the victim of an APT attack
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
An information security preparedness tool to do adversarial simulation.
A utility to safely generate malicious network traffic patterns and evaluate controls.
Virtual Machine for Adversary Emulation and Threat Hunting
🛡️ Make your web services secure by default !
Graph-based security analysis for everyone
Endpoint Detection and Response (EDR)
Network Security Monitoring (NSM)
Protocol Analysis/Decoder Framework
Malicious traffic detection system
Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Respounder detects presence of responder in the network.
A tool to catch spoofed NBNS responses.
Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]
Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
Visibility Across Space and Time – The network telemetry engine for data-driven security investigations.
Security Information and Event Management (SIEM)
Service and performance monitoring
SQL powered operating system instrumentation, monitoring, and analytics.
CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
GRR Rapid Response: remote live forensics for incident response
The Hunting ELK
DEPRECATED - MozDef: Mozilla Enterprise Defense Platform
Powershell Threat Hunting Module
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
PowerForensics provides an all in one platform for live disk forensic analysis
Collecting & Hunting for IOCs with gusto and style
Credential Phish Analysis and Automation
Multithreaded threat Intelligence gathering built with Python3
Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber
Tool to gather Threat Intelligence indicators from publicly available sources
Generic Signature Format for SIEM Systems
🚌 Threat Bus – A threat intelligence dissemination layer for open-source security tools.
Extract and aggregate threat intelligence.
Binary analysis and management framework
The pattern matching swiss knife
HASSH is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of a small MD5 fingerprint.
Threat signature packages and collections
Indicators of Compromises (IOC) of our various investigations
Repository of yara rules
Tor Onion service defenses
Vanguards help guard you from getting vanned...
A MITM (monster-in-the-middle) detection tool. Used to build MALCOLM:
LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.
Overlay and Virtual Private Networks (VPNs)
Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
A private network system that uses WireGuard under the hood.
A scalable overlay networking tool with a focus on performance, simplicity and security
A binary authorization system for macOS
Easily configure macOS security settings from the terminal.
Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav)
Scan files or process memory for CobaltStrike beacons and parse their configuration
Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.
The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.
Scans for accessibility tools backdoors via RDP
Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber
Log newly created WMI consumers and processes to the Windows Application event log