Awesome Cybersecurity Blue Team

๐Ÿ›ก๏ธ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

Last Update: Sept. 25, 2022, 10:06 p.m.

Thank you fabacab & contributors
View Topic on GitHub:
fabacab/awesome-cybersecurity-blueteam


Automation

Code libraries and bindings

Modular file scanning/analysis framework

524
121
2y 11m
MPL-2.0

PowerShell Module to interact with VirusTotal

95
28
2y 8m
n/a

An easy-to-use and lightweight API wrapper for Censys APIs.

247
58
10m
Apache-2.0

A high level C++ network packet sniffing and crafting library.

272
83
2y 73d
n/a

Pythonic interface to the Internet Storm Center / DShield API.

22
11
2y 104d
BSD-3-Clause

Minimal, consistent Python API for building integrations with malware sandboxes.

107
34
1y 4m
GPL-2.0

OASIS TC Open Repository: Python APIs for STIX 2

231
77
1y 2d
BSD-3-Clause

Security Orchestration, Automation, and Response (SOAR)

Cloud platform security

AWS Identity and Access Management Visualizer and Anomaly Finder

237
36
12m
n/a

A tool for quickly evaluating IAM permissions in AWS.

857
125
11m
AGPL-3.0

Prowler is a security tool to perform AWS security best practices assessments, audits, incident response, continuous monitoring, hardening and forensics readiness. It contains all CIS controls and many more additional checks that help with GDPR, HIPAA and other security frameworks.

4.16K
773
10m
n/a

Multi-Cloud Security Auditing Tool

3.67K
559
11m
GPL-2.0

Application Kernel for Containers

13.08K
1.1K
1d
Apache-2.0

Distributed monitoring

Kubernetes

MKIT is a Managed Kubernetes Inspection Tool that validates several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.

355
21
1y 10d
MIT

A Kubernetes controller and tool for one-way encrypted Secrets

4.55K
410
7m
Apache-2.0

Utility that exposes the expiry of TLS certificates as Prometheus metrics

83
11
2y 107d
MIT

Kubernetes security tool for policy enforcement

404
55
10m
Apache-2.0
122
23
2y 81d
Apache-2.0

Export Kubernetes events to multiple destinations with routing and filtering

685
133
11m
Apache-2.0

Service meshes

Communications security (COMSEC)

GPG Sync is designed to let users always have up-to-date public keys for other members of their organization

311
30
1y 96d
GPL-3.0

DevSecOps

Custom & better AppArmor profile generator for Docker containers.

962
79
2y 9d
MIT

Safely store secrets in Git/Mercurial/Subversion

5.99K
342
1y 4m
MIT

Vulnerability Static Analysis for Containers

8.26K
1.01K
10m
Apache-2.0

Prevents you from committing secrets and credentials into git repositories

9.54K
902
10m
Apache-2.0

Simple and flexible tool for managing secrets

8.52K
494
11m
MPL-2.0

Scanner for vulnerabilities in container images, file systems, and Git repositories, as well as for configuration issues

8.94K
823
10m
Apache-2.0

A helm plugin that helps manage secrets with a Git workflow and store them anywhere

406
47
10m
Apache-2.0

Application or Binary Hardening

Compliance testing and reporting

Dependency confusion

Dependency Combobulator

20
0
10m
Apache-2.0

Compare the contents of your hosted and proxy repositories for coordinate collisions

56
5
1y 4m
n/a

Mitigate security concerns of Dependency Confusion supply chain security risks

12
0
1y 55d
n/a

Fuzzing

Policy enforcement

GitHub App to set and enforce security policies

735
50
11m
Apache-2.0

Tang binding daemon

239
44
11m
GPL-3.0

Supply chain security

Chart signing and verification with GnuPG for Helm.

19
6
2y 7m
n/a

Notary is a project that allows anyone to have trust over arbitrary collections of data

2.69K
485
11m
Apache-2.0

Honeypots

Canarytokens helps track activity and actions on your network.

815
142
10m
n/a

A modular OSINT honeypot for blue teamers

231
33
1y 82d
GPL-3.0

Tarpits

SSH tarpit that slowly sends an endless banner

4.81K
206
11m
Unlicense

Host-based tools

Sandboxes

Identity and AuthN/AuthZ

Incident Response tools

Investigate malicious Windows logon by visualizing and analyzing Windows event log

1.87K
363
11m
n/a

Python installable command line utility for mitigation of host and key compromises.

286
59
1y 65d
MIT

IR management consoles

Tools for the Computer Incident Response Team

130
27
5y 5m
MIT

Fast Incident Response

1.34K
443
1y 83d
GPL-3.0

DPS' Lightweight Investigation Notebook

395
92
6y 31d
Apache-2.0

Evidence collection

AutoMacTC: Automated Mac Forensic Triage Collector

354
57
1y 88d
n/a

OS X Auditor is a free Mac OS X computer forensics tool

3.1K
308
2y 61d
n/a

A forensic evidence collection & analysis toolkit for OS X

1.84K
248
3y 100d
n/a

A Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

346
87
1y 7m
n/a

Remote Memory Acquisition Tool

188
40
2y 4d
MIT

Network perimeter defenses

First open-source DDoS protection system

646
151
11m
GPL-3.0

SSH server & client auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

949
66
11m
MIT

Firewall appliances or distributions

Operating System distributions

Phishing awareness and reporting

Certificate Transparency Log Monitor

527
64
1y 40d
MPL-2.0

Phishing Campaign Toolkit

1.56K
451
1y 4m
BSD-3-Clause

Outlook add-in companion to report suspicious mail easily

109
12
3y 10m
GPL-3.0

The Phishing Intelligence Engine - An Active Defense PowerShell Framework for Phishing Defense with Office 365

161
57
2y 5m
MIT

Swordphish Phishing Awareness Tool

187
40
11m
GPL-3.0

Scans SPF and DMARC records for issues that could allow email spoofing.

59
18
1y 5m
MIT

Phishing catcher using Certstream

1.32K
300
10m
GPL-3.0

Preparedness training and wargaming

A toolset to make a system look as if it was the victim of an APT attack

1.63K
332
1y 10d
MIT

"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.

814
142
2y 4m
MIT

An information security preparedness tool to do adversarial simulation.

906
135
3y 5m
MIT

A utility to safely generate malicious network traffic patterns and evaluate controls.

585
103
10m
n/a

Virtual Machine for Adversary Emulation and Threat Hunting

1.03K
169
2y 75d
BSD-3-Clause

Security configurations

๐Ÿ›ก๏ธ Make your web services secure by default !

2.32K
129
11m
AGPL-3.0

Security monitoring

Graph-based security analysis for everyone

99
3
7m
MPL-2.0

Endpoint Detection and Response (EDR)

Network Security Monitoring (NSM)

Protocol Analysis/Decoder Framework

450
117
2y 6m
n/a

Malicious traffic detection system

4.2K
804
10m
MIT

Arkime (formerly Moloch) is an open source, large scale, full packet capturing, indexing, and database system.

4.96K
909
10m
n/a

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

1.66K
274
11m
GPL-3.0

Respounder detects presence of responder in the network.

267
32
3y 104d
Apache-2.0

A tool to catch spoofed NBNS responses.

46
25
4y 106d
n/a

Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at [email protected]

1.65K
218
1y 62d
Apache-2.0

Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

7.24K
779
11m
Apache-2.0

Visibility Across Space and Time – The network telemetry engine for data-driven security investigations.

325
57
10m
n/a

Security Information and Event Management (SIEM)

Service and performance monitoring

SQL powered operating system instrumentation, monitoring, and analytics.

18.38K
2.22K
10m
n/a

Threat hunting

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.

585
154
3y 39d
BSD-3-Clause
1.25K
218
11m
GPL-3.0

GRR Rapid Response: remote live forensics for incident response

3.93K
702
1y 18d
Apache-2.0

The Hunting ELK

3.05K
593
1y 4m
GPL-3.0

DEPRECATED - MozDef: Mozilla Enterprise Defense Platform

2.16K
349
10m
MPL-2.0

Powershell Threat Hunting Module

219
57
6y 6d
Apache-2.0

PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

427
104
5y 60d
Apache-2.0

PowerForensics provides an all in one platform for live disk forensic analysis

1.13K
262
1y 7m
MIT

Collecting & Hunting for IOCs with gusto and style

181
47
1y 56d
MIT

Threat intelligence

Credential Phish Analysis and Automation

86
26
4y 36d
GPL-3.0

Multithreaded threat Intelligence gathering built with Python3

148
28
4y 8m
MIT

Provides situational awareness of Industrial Control Systems (ICS) and Supervisory Control and Data Acquisition (SCADA) networks in support of network security assessments. #nsacyber

670
256
2y 7m
n/a

Tool to gather Threat Intelligence indicators from publicly available sources

615
174
3y 6m
GPL-3.0

Generic Signature Format for SIEM Systems

4.26K
1.25K
10m
n/a

🚌 Threat Bus – A threat intelligence dissemination layer for open-source security tools.

181
7
10m
BSD-3-Clause

Extract and aggregate threat intelligence.

505
108
1y 54d
GPL-2.0

Binary analysis and management framework

1.44K
365
1y 7m
n/a

The pattern matching swiss knife

5.09K
1.07K
10m
BSD-3-Clause

Fingerprinting

HASSH is a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations. The fingerprints can be easily stored, searched and shared in the form of a small MD5 fingerprint.

448
66
5m
BSD-3-Clause

Threat signature packages and collections

Indicators of Compromises (IOC) of our various investigations

1.09K
209
11m
BSD-2-Clause

Repository of yara rules

2.8K
749
11m
GPL-2.0

Tor Onion service defenses

Vanguards help guard you from getting vanned...

110
17
11m
MIT

Transport-layer defenses

A MITM (monster-in-the-middle) detection tool. Used to build MALCOLM:

518
49
2y 4m
BSD-3-Clause

LetsEncrypt Root CA with plugins that configure various Web and e-mail server software.

Overlay and Virtual Private Networks (VPNs)

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

16.68K
4.61K
10m
n/a

A private network system that uses WireGuard under the hood.

2.62K
84
12m
MIT

A scalable overlay networking tool with a focus on performance, simplicity and security

8.23K
560
10m
MIT

macOS-based defenses

A binary authorization system for macOS

3.9K
273
3d
Apache-2.0

Easily configure macOS security settings from the terminal.

965
240
2y 11m
MIT

Firewall and Privatizing Proxy for Trackers, Attackers, Malware, Adware, and Spammers with Anti-Virus On-Demand and On-Access Scanning (PF, squid, privoxy, hphosts, dshield, emergingthreats, hostsfile, PAC file, clamav)

326
43
1y 4m
MIT

Windows-based defenses

Scan files or process memory for CobaltStrike beacons and parse their configuration

626
82
1y 38d
MIT

Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling risky, low-hanging-fruit features.

2.02K
223
11m
GPL-3.0

The opposite of Ruler, provides blue teams with the ability to detect Ruler usage against Exchange.

74
16
4y 11m
CC0-1.0

Scans for accessibility tools backdoors via RDP

271
66
4y 6m
GPL-3.0

Configuration guidance for implementing the Windows 10 and Windows Server 2016 DoD Secure Host Baseline settings. #nsacyber

1.32K
265
4y 15d
n/a

Log newly created WMI consumers and processes to the Windows Application event log

107
22
4y 7m
n/a

Active Directory

Active Directory Control Paths auditing and graphing tools

531
94
1y 9m
n/a

Bloodhound for Blue and Purple Teams

565
69
1y 6d
GPL-3.0