awesome-cybersecurity-blueteam

Cybersecurity toolkit

A curated collection of resources and tools for cybersecurity blue teams to identify and monitor security flaws in information technology systems

computer🛡️ A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.

GitHub

4k stars
171 watching
684 forks
last commit: 4 months ago
Linked from 6 awesome lists

awesome-listblue-teamcomputer-securitycybersecuritydefensive-securityinfosecsecurity

Awesome Cybersecurity Blue Team / Automation and Convention

Ansible Lockdown Curated collection of information security themed Ansible roles that are both vetted and actively maintained
Clevis 934 14 days ago Plugable framework for automated decryption, often used as a Tang client
DShell 5,454 7 months ago Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures
Dev-Sec.io Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations
Password Manager Resources 4,235 10 days ago Collaborative, crowd-sourced data and code to make password management better
peepdf Scriptable PDF file analyzer
PyREBox Python-scriptable reverse engineering sandbox, based on QEMU
Watchtower Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience

Awesome Cybersecurity Blue Team / Automation and Convention / Code libraries and bindings

MultiScanner 617 about 5 years ago File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output
Posh-VirusTotal 119 almost 5 years ago PowerShell interface to VirusTotal.com APIs
censys-python 403 8 days ago Python wrapper to the Censys REST API
libcrafter 300 over 1 year ago High level C++ network packet sniffing and crafting library
python-dshield 28 over 1 year ago Pythonic interface to the Internet Storm Center/DShield API
python-sandboxapi 137 10 months ago Minimal, consistent Python API for building integrations with malware sandboxes
python-stix2 371 4 days ago Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks

Awesome Cybersecurity Blue Team / Automation and Convention / Security Orchestration, Automation, and Response (SOAR)

Shuffle Graphical generalized workflow (automation) builder for IT professionals and blue teamers

Awesome Cybersecurity Blue Team / Cloud platform security

Aaia 288 5 months ago Helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j
Falco Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics
Kata Containers Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense
Principal Mapper (PMapper) 1,431 4 months ago Quickly evaluate IAM permissions in AWS via script and library capable of identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization
Prowler 10,839 6 days ago Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening
Scout Suite 6,730 about 2 months ago Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments
gVisor 15,851 5 days ago Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel

Awesome Cybersecurity Blue Team / Cloud platform security / Distributed monitoring

Cortex Provides horizontally scalable, highly available, multi-tenant, long term storage for Prometheus
Jaeger Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems
OpenTelemetry Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects)
Prometheus Open-source systems monitoring and alerting toolkit originally built at SoundCloud
Zipkin Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures

Awesome Cybersecurity Blue Team / Cloud platform security / Kubernetes

KubeSec Static analyzer of Kubernetes manifests that can be run locally, as a Kuberenetes admission controller, or as its own cloud service
Kyverno Policy engine designed for Kubernetes
Linkerd Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself
Managed Kubernetes Inspection Tool (MKIT) 401 about 3 years ago Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster
Polaris Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster
Sealed Secrets 7,705 7 days ago Kubernetes controller and tool for one-way encrypted Secrets
certificate-expiry-monitor 164 over 2 years ago Utility that exposes the expiry of TLS certificates as Prometheus metrics
k-rail 443 almost 2 years ago Workload policy enforcement tool for Kubernetes
kube-forensics 221 5 months ago Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis
kube-hunter Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster
kubernetes-event-exporter 1,043 about 2 years ago Allows exporting the often missed Kubernetes events to various outputs so that they can be used for observability or alerting purposes

Awesome Cybersecurity Blue Team / Cloud platform security / Service meshes

Consul Solution to connect and configure applications across dynamic, distributed infrastructure and, with Consul Connect, enabling secure service-to-service communication with automatic TLS encryption and identity-based authorization
Istio Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data

Awesome Cybersecurity Blue Team / Communications security (COMSEC)

GPG Sync 345 almost 2 years ago Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team
Geneva (Genetic Evasion) Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content
GlobaLeaks Free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform
SecureDrop Open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources
Teleport Allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments

Awesome Cybersecurity Blue Team / DevSecOps

Bane 1,183 about 4 years ago Custom and better AppArmor profile generator for Docker containers
BlackBox 6,687 about 2 months ago Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG
Checkov Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration
Cilium Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes
Clair 10,359 8 days ago Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images
CodeQL Discover vulnerabilities across a codebase by performing queries against code as though it were data
DefectDojo Application vulnerability management tool built for DevOps and continuous security integration
Gauntlt Pentest applications during routine continuous integration build pipelines
Git Secrets 12,442 7 months ago Prevents you from committing passwords and other sensitive information to a git repository
SOPS 17,010 10 days ago Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP
Snyk Finds and fixes vulnerabilities and license violations in open source dependencies and container images
SonarQube Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities
Trivy 23,679 7 days ago Simple and comprehensive vulnerability scanner for containers and other artifacts, suitable for use in continuous integration pipelines
Vault Tool for securely accessing secrets such as API keys, passwords, or certificates through a unified interface
git-crypt Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out
helm-secrets 1,534 6 days ago Helm plugin that helps manage secrets with Git workflow and stores them anywhere, backed by SOPS
terrascan Static code analyzer for Infrastructure as Code tools that helps detect compliance and security violations to mitigate risk before provisioning cloud native resources
tfsec Static analysis security scanner for your Terraform code designed to run locally and in CI pipelines

Awesome Cybersecurity Blue Team / DevSecOps / Application or Binary Hardening

DynInst Tools for binary instrumentation, analysis, and modification, useful for binary patching
DynamoRIO Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine
Egalito Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research
Valgrind Instrumentation framework for building dynamic analysis tools

Awesome Cybersecurity Blue Team / DevSecOps / Compliance testing and reporting

Chef InSpec Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance
OpenSCAP Base Both a library and a command line tool ( ) used to evaluate a system against SCAP baseline profiles to report on the security posture of the scanned system(s)

Awesome Cybersecurity Blue Team / DevSecOps / Dependency confusion

Dependency Combobulator 88 11 months ago Open source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks
Confusion checker 63 over 3 years ago Script to check if you have artifacts containing the same name between your repositories
snync 40 about 2 years ago Prevent and detect if you're vulnerable to dependency confusion supply chain security attacks

Awesome Cybersecurity Blue Team / DevSecOps / Fuzzing

Atheris Coverage-guided Python fuzzing engine based off of libFuzzer that supports fuzzing of Python code but also native extensions written for CPython
FuzzBench Free service that evaluates fuzzers on a wide variety of real-world benchmarks, at Google scale
OneFuzz 2,821 about 1 year ago Self-hosted Fuzzing-as-a-Service (FaaS) platform

Awesome Cybersecurity Blue Team / DevSecOps / Policy enforcement

AllStar 1,256 6 days ago GitHub App installed on organizations or repositories to set and enforce security policies
Conftest Utility to help you write tests against structured configuration data
Open Policy Agent (OPA) Unified toolset and framework for policy across the cloud native stack
Regula Checks infrastructure as code templates (Terraform, CloudFormation, K8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego
Tang 515 9 days ago Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network

Awesome Cybersecurity Blue Team / DevSecOps / Supply chain security

Grafeas Open artifact metadata API to audit and govern your software supply chain
Helm GPG (GnuPG) Plugin 26 almost 5 years ago Chart signing and verification with GnuPG for Helm
Notary 3,235 4 months ago Aims to make the internet more secure by making it easy for people to publish and verify content
in-toto Framework to secure the integrity of software supply chains

Awesome Cybersecurity Blue Team / Honeypots

CanaryTokens 1,754 7 days ago Self-hostable honeytoken generator and reporting dashboard; demo version available at
Kushtaka Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams
Manuka 329 over 1 year ago Open-sources intelligence (OSINT) honeypot that monitors reconnaissance attempts by threat actors and generates actionable intelligence for Blue Teamers

Awesome Cybersecurity Blue Team / Honeypots / Tarpits

Endlessh 7,320 6 months ago SSH tarpit that slowly sends an endless banner
LaBrea Program that answers ARP requests for unused IP space, creating the appearance of fake machines that answer further requests very slowly in order to slow down scanners, worms, etcetera

Awesome Cybersecurity Blue Team / Host-based tools

Artillery 1,007 almost 3 years ago Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems
Crowd Inspect Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network
Fail2ban Intrusion prevention software framework that protects computer servers from brute-force attacks
Open Source HIDS SECurity (OSSEC) Fully open source and free, feature-rich, Host-based Instrusion Detection System (HIDS)
Rootkit Hunter (rkhunter) POSIX-compliant Bash script that scans a host for various signs of malware
Shufflecake Plausible deniability for multiple hidden filesystems on Linux
USB Keystroke Injection Protection 518 over 1 year ago Daemon for blocking USB keystroke injection devices on Linux systems
chkrootkit Locally checks for signs of a rootkit on GNU/Linux systems

Awesome Cybersecurity Blue Team / Host-based tools / Sandboxes

Bubblewrap 3,966 22 days ago Sandboxing tool for use by unprivileged Linux users capable of restricting access to parts of the operating system or user data
Dangerzone Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF
Firejail SUID program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces and seccomp-bpf

Awesome Cybersecurity Blue Team / Identity and AuthN/AuthZ

Gluu Server Central authentication and authorization for Web and mobile applications with a Free and Open Source Software cloud-native community distribution

Awesome Cybersecurity Blue Team / Incident Response tools

LogonTracer 2,735 5 months ago Investigate malicious Windows logon by visualizing and analyzing Windows event log
Volatility Advanced memory forensics framework
aws_ir 344 over 3 years ago Automates your incident response with zero security preparedness assumptions

Awesome Cybersecurity Blue Team / Incident Response tools / IR management consoles

CIRTKit 142 over 7 years ago Scriptable Digital Forensics and Incident Response (DFIR) toolkit built on Viper
Fast Incident Response (FIR) 1,734 22 days ago Cybersecurity incident management platform allowing for easy creation, tracking, and reporting of cybersecurity incidents
Rekall Advanced forensic and incident response framework
TheHive Scalable, free Security Incident Response Platform designed to make life easier for SOCs, CSIRTs, and CERTs, featuring tight integration with MISP
threat_note 423 11 months ago Web application built by Defense Point Security to allow security researchers the ability to add and retrieve indicators related to their research

Awesome Cybersecurity Blue Team / Incident Response tools / Evidence collection

AutoMacTC 532 over 2 years ago Modular, automated forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis
OSXAuditor 3,128 over 4 years ago Free macOS computer forensics tool
OSXCollector 1,875 over 5 years ago Forensic evidence collection & analysis toolkit for macOS
ir-rescue 465 almost 4 years ago Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response
Margarita Shotgun 242 about 4 years ago Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition
Untitled Goose Tool 913 about 2 months ago Assists incident response teams by exporting cloud artifacts from Azure/AzureAD/M365 environments in order to run a full investigation despite lacking in logs ingested by a SIEM

Awesome Cybersecurity Blue Team / Network perimeter defenses

Gatekeeper 1,341 about 2 months ago First open source Distributed Denial of Service (DDoS) protection system
fwknop Protects ports via Single Packet Authorization in your firewall
ssh-audit 3,417 about 1 month ago Simple tool that makes quick recommendations for improving an SSH server's security posture

Awesome Cybersecurity Blue Team / Network perimeter defenses / Firewall appliances or distributions

IPFire Hardened GNU/Linux based router and firewall distribution forked from IPCop
OPNsense Hardened FreeBSD based firewall and routing platform forked from pfSense
pfSense FreeBSD firewall and router distribution forked from m0n0wall

Awesome Cybersecurity Blue Team / Operating System distributions

Computer Aided Investigative Environment (CAINE) Italian GNU/Linux live distribution that pre-packages numerous digital forensics and evidence collection tools
Security Onion Free and open source GNU/Linux distribution for intrusion detection, enterprise security monitoring, and log management
Qubes OS Desktop environment built atop the Xen hypervisor project that runs each end-user program in its own virtual machine intended to provide strict security controls to constrain the reach of any successful malware exploit

Awesome Cybersecurity Blue Team / Phishing awareness and reporting

CertSpotter 979 about 1 month ago Certificate Transparency log monitor from SSLMate that alerts you when a SSL/TLS certificate is issued for one of your domains
Gophish Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing
King Phisher 2,269 4 months ago Tool for testing and promoting user awareness by simulating real world phishing attacks
NotifySecurity 130 about 2 years ago Outlook add-in used to help your users to report suspicious e-mails to security teams
Phishing Intelligence Engine (PIE) 180 over 4 years ago Framework that will assist with the detection and response to phishing attacks
Swordphish 220 2 months ago Platform allowing to create and manage (fake) phishing campaigns intended to train people in identifying suspicious mails
mailspoof 127 almost 2 years ago Scans SPF and DMARC records for issues that could allow email spoofing
phishing_catcher 1,712 3 months ago Configurable script to watch for issuances of suspicious TLS certificates by domain name in the Certificate Transparency Log (CTL) using the service

Awesome Cybersecurity Blue Team / Preparedness training and wargaming

APTSimulator 2,470 over 1 year ago Toolset to make a system look as if it was the victim of an APT attack
Atomic Red Team Library of simple, automatable tests to execute for testing security controls
BadBlood Fills a test (non-production) Windows Domain with data that enables security analysts and engineers to practice using tools to gain an understanding and prescribe to securing Active Directory
Caldera Scalable, automated, and extensible adversary emulation platform developed by MITRE
Drool Replay DNS traffic from packet capture files and send it to a specified server, such as for simulating DDoS attacks on the DNS and measuring normal DNS querying
DumpsterFire 996 over 4 years ago Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events for Blue Team drills and sensor/alert mapping
Infection Monkey Open-source breach and attack simulation (BAS) platform that helps you validate existing controls and identify how attackers might exploit your current network security gaps
Metta 1,101 over 5 years ago Automated information security preparedness tool to do adversarial simulation
Network Flight Simulator (flightsim) 1,260 8 months ago Utility to generate malicious network traffic and help security teams evaluate security controls and audit their network visibility
RedHunt OS 1,247 over 4 years ago Ubuntu-based Open Virtual Appliance ( ) preconfigured with several threat emulation tools as well as a defender's toolkit
Stratus Red Team Emulate offensive attack techniques in a granular and self-contained manner against a cloud environment; think "Atomic Red Team™ for the cloud."
tcpreplay Suite of free Open Source utilities for editing and replaying previously captured network traffic originally designed to replay malicious traffic patterns to Intrusion Detection/Prevention Systems

Awesome Cybersecurity Blue Team / Preparedness training and wargaming / Post-engagement analysis and reporting

RedEye Analytic tool to assist both Red and Blue teams with visualizing and reporting command and control activities, replay and demonstrate attack paths, and more clearly communicate remediation recommendations to stakeholders

Awesome Cybersecurity Blue Team / Security configurations

Bunkerized-nginx 6,540 6 days ago Docker image of an NginX configuration and scripts implementing many defensive techniques for Web sites

Awesome Cybersecurity Blue Team / Security monitoring

Crossfeed Continuously enumerates and monitors an organization’s public-facing attack surface in order to discover assets and flag potential security flaws
Starbase 337 11 months ago Collects assets and relationships from services and systems into an intuitive graph view to offer graph-based security analysis for everyone

Awesome Cybersecurity Blue Team / Security monitoring / Endpoint Detection and Response (EDR)

Wazuh Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS

Awesome Cybersecurity Blue Team / Security monitoring / Network Security Monitoring (NSM)

Arkime 6,334 7 days ago Augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access
ChopShop 489 almost 2 years ago Framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft
Maltrail 6,535 4 days ago Malicious network traffic detection system
OwlH Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles
Real Intelligence Threat Analysis (RITA) 194 8 days ago Open source framework for network traffic analysis that ingests Zeek logs and detects beaconing, DNS tunneling, and more
Respounder 314 over 5 years ago Detects the presence of the Responder LLMNR/NBT-NS/MDNS poisoner on a network
Snort Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers
SpoofSpotter 49 over 6 years ago Catch spoofed NetBIOS Name Service (NBNS) responses and alert to an email or log file
Stenographer 1,789 over 3 years ago Full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes
Suricata Free, cross-platform, IDS/IPS with on- and off-line analysis modes and deep packet inspection capabilities that is also scriptable with Lua
Tsunami 8,274 2 months ago General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence
VAST 645 6 days ago Free and open-source network telemetry engine for data-driven security investigations
Wireshark Free and open-source packet analyzer useful for network troubleshooting or forensic netflow analysis
Zeek Powerful network analysis framework focused on security monitoring, formerly known as Bro
netsniff-ng Free and fast GNU/Linux networking toolkit with numerous utilities such as a connection tracking tool ( ), traffic generator ( ), and autonomous system (AS) trace route utility ( )

Awesome Cybersecurity Blue Team / Security monitoring / Security Information and Event Management (SIEM)

AlienVault OSSIM Single-server open source SIEM platform featuring asset discovery, asset inventorying, behavioral monitoring, and event correlation, driven by AlienVault Open Threat Exchange (OTX)
Prelude SIEM OSS Open source, agentless SIEM with a long history and several commercial variants featuring security event collection, normalization, and alerting from arbitrary log input and numerous popular monitoring tools

Awesome Cybersecurity Blue Team / Security monitoring / Service and performance monitoring

Icinga Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools
Locust Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users
Nagios Popular network and service monitoring solution and reporting platform
OpenNMS Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc)
osquery 21,887 11 days ago Operating system instrumentation framework for macOS, Windows, and Linux, exposing the OS as a high-performance relational database that can be queried with a SQL-like syntax
Zabbix Mature, enterprise-level platform to monitor large-scale IT environments

Awesome Cybersecurity Blue Team / Security monitoring / Threat hunting

CimSweep 649 over 5 years ago Suite of CIM/WMI-based tools enabling remote incident response and hunting operations across all versions of Windows
DeepBlueCLI 2,188 about 1 year ago PowerShell module for hunt teaming via Windows Event logs
GRR Rapid Response 4,783 about 2 months ago Incident response framework focused on remote live forensics consisting of a Python agent installed on assets and Python-based server infrastructure enabling analysts to quickly triage attacks and perform analysis remotely
Hunting ELK (HELK) 3,768 6 months ago All-in-one Free Software threat hunting stack based on Elasticsearch, Logstash, Kafka, and Kibana with various built-in integrations for analytics including Jupyter Notebook
Logging Made Easy (LME) Free and open logging and protective monitoring solution serving
MozDef 2,168 about 3 years ago Automate the security incident handling process and facilitate the real-time activities of incident handlers
PSHunt 279 about 8 years ago PowerShell module designed to scan remote endpoints for indicators of compromise or survey them for more comprehensive information related to state of those systems
PSRecon 479 over 7 years ago PSHunt-like tool for analyzing remote Windows systems that also produces a self-contained HTML report of its findings
PowerForensics 1,385 about 1 year ago All in one PowerShell-based platform to perform live hard disk forensic analysis
Redline Freeware endpoint auditing and analysis tool that provides host-based investigative capabilities, offered by FireEye, Inc
rastrea2r 238 over 3 years ago Multi-platform tool for triaging suspected IOCs on many endpoints simultaneously and that integrates with antivirus consoles

Awesome Cybersecurity Blue Team / Threat intelligence

AttackerKB Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue
DATA 96 about 6 years ago Credential phish analysis and automation tool that can accept suspected phishing URLs directly or trigger on observed network traffic containing such a URL
Forager 171 almost 7 years ago Multi-threaded threat intelligence gathering built with Python3 featuring simple text-based configuration and data storage for ease of use and data portability
GRASSMARLIN 941 over 4 years ago Provides IP network situational awareness of industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) by passively mapping, accounting for, and reporting on your ICS/SCADA network topology and endpoints
MLSec Combine 655 over 5 years ago Gather and combine multiple threat intelligence feed sources into one customizable, standardized CSV-based format
Malware Information Sharing Platform and Threat Sharing (MISP) Open source software solution for collecting, storing, distributing and sharing cyber security indicators
Open Source Vulnerabilities (OSV) Vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source
Sigma 8,371 7 days ago Generic signature format for SIEM systems, offering an open signature format that allows you to describe relevant log events in a straightforward manner
Threat Bus 258 over 1 year ago Threat intelligence dissemination layer to connect security tools through a distributed publish/subscribe message broker
ThreatIngestor 831 10 months ago Extendable tool to extract and aggregate IOCs from threat feeds including Twitter, RSS feeds, or other sources
Unfetter Identifies defensive gaps in security posture by leveraging Mitre's ATT&CK framework
Viper 1,539 over 1 year ago Binary analysis and management framework enabling easy organization of malware and exploit samples
YARA 8,300 about 2 months ago Tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples, described as "the pattern matching swiss army knife" for file patterns and signatures

Awesome Cybersecurity Blue Team / Threat intelligence / Fingerprinting

HASSH 532 8 months ago Network fingerprinting standard which can be used to identify specific client and server SSH implementations
JA3 Extracts SSL/TLS handshake settings for fingerprinting and communicating about a given TLS implementation

Awesome Cybersecurity Blue Team / Threat intelligence / Threat signature packages and collections

ESET's Malware IoCs 1,647 9 days ago Indicators of Compromises (IOCs) derived from ESET's various investigations
FireEye's Red Team Tool Countermeasures 2,650 9 months ago Collection of Snort and YARA rules to detect attacks carried out with FireEye's own Red Team tools, first released after FireEye disclosed a breach in December 2020
FireEye's Sunburst Countermeasures 561 over 1 year ago Collection of IoC in various languages for detecting backdoored SolarWinds Orion NMS activities and related vulnerabilities
YARA Rules 4,178 7 months ago Project covering the need for IT security researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible

Awesome Cybersecurity Blue Team / Tor Onion service defenses

OnionBalance Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure
Vanguards 218 5 months ago Version 3 Onion service guard discovery attack mitigation script (intended for eventual inclusion in Tor core)

Awesome Cybersecurity Blue Team / Transport-layer defenses

Certbot Free tool to automate the issuance and renewal of TLS certificates from the with plugins that configure various Web and e-mail server software
MITMEngine 808 7 months ago Golang library for server-side detection of TLS interception events
Tor Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services ( domains) to enhance publisher privacy and service availability

Awesome Cybersecurity Blue Team / Transport-layer defenses / Overlay and Virtual Private Networks (VPNs)

Firezone Self-hosted VPN server built on WireGuard that supports MFA and SSO
Headscale 23,430 8 days ago Open source, self-hosted implementation of the Tailscale control server
IPsec VPN Server Auto Setup Scripts 25,337 7 days ago Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2
Innernet 5,006 28 days ago Free Software private network system that uses WireGuard under the hood, made to be self-hosted
Nebula 14,583 6 days ago Completely open source and self-hosted, scalable overlay networking tool with a focus on performance, simplicity, and security, inspired by tinc
OpenVPN Longstanding Free Software traditional SSL/TLS-based virtual private network
OpenZITI Open source initiative focused on bringing Zero Trust to any application via an overlay network, tunelling applications, and numerous SDKs
Tailscale Managed freemium mesh VPN service built on top of WireGuard
WireGuard Extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography
tinc Free Software mesh VPN implemented entirely in userspace that supports expandable network space, bridged ethernet segments, and more

Awesome Cybersecurity Blue Team / macOS-based defenses

BlockBlock Monitors common persistence locations and alerts whenever a persistent component is added, which helps to detect and prevent malware installation
LuLu Free macOS firewall
Santa 4,437 about 2 months ago Keep track of binaries that are naughty or nice in an allow/deny-listing system for macOS
Stronghold 1,102 about 5 years ago Easily configure macOS security settings from the terminal
macOS Fortress 422 almost 3 years ago Automated configuration of kernel-level, OS-level, and client-level security features including privatizing proxying and anti-virus scanning for macOS

Awesome Cybersecurity Blue Team / Windows-based defenses

CobaltStrikeScan 900 over 3 years ago Scan files or process memory for Cobalt Strike beacons and parse their configuration
HardenTools 2,931 8 months ago Utility that disables a number of risky Windows features
NotRuler 91 about 7 years ago Detect both client-side rules and VBScript enabled forms used by the attack tool when attempting to compromise a Microsoft Exchange server
Sandboxie Free and open source general purpose Windows application sandboxing utility
Sigcheck Audit a Windows host's root certificate store against Microsoft's
Sticky Keys Slayer 328 over 6 years ago Establishes a Windows RDP session from a list of hostnames and scans for accessibility tools backdoors, alerting if one is discovered
Windows Secure Host Baseline 1,558 almost 2 years ago Group Policy objects, compliance checks, and configuration tools that provide an automated and flexible approach for securely deploying and maintaining the latest releases of Windows 10
WMI Monitor 124 over 6 years ago Log newly created WMI consumers and processes to the Windows Application event log

Awesome Cybersecurity Blue Team / Windows-based defenses / Active Directory

Active Directory Control Paths 654 almost 4 years ago Visualize and graph Active Directory permission configs ("control relations") to audit questions such as "Who can read the CEO's email?" and similar
PingCastle Active Directory vulnerability detection and reporting tool
PlumHound 1,121 about 2 months ago More effectively use BloodHoundAD in continual security life-cycles by utilizing its pathfinding engine to identify Active Directory security vulnerabilities

Backlinks from these awesome lists:

More related projects: