Cybersecurity Blue Team

File analysis framework written in Python that assists in evaluating a set of files by automatically running a suite of tools against them and aggregating the output.

PowerShell interface to VirusTotal.com APIs.

Python wrapper to the Censys REST API.

High level C++ network packet sniffing and crafting library.

Pythonic interface to the Internet Storm Center/DShield API.

Minimal, consistent Python API for building integrations with malware sandboxes.

Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks.

Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.

Kubernetes controller and tool for one-way encrypted Secrets.

Utility that exposes the expiry of TLS certificates as Prometheus metrics.

Workload policy enforcement tool for Kubernetes.

Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.

Allows exporting the often missed Kubernetes events to various outputs so that they can be used for observability or alerting purposes.

Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.

Open source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks.

Script to check if you have artifacts containing the same name between your repositories.

Prevent and detect if you're vulnerable to dependency confusion supply chain security attacks.

Self-hosted Fuzzing-as-a-Service (FaaS) platform.

GitHub App installed on organizations or repositories to set and enforce security policies.

Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network.

Chart signing and verification with GnuPG for Helm.

Aims to make the internet more secure by making it easy for people to publish and verify content.

SSH tarpit that slowly sends an endless banner.

Sandboxing tool for use by unprivileged Linux users capable of restricting access to parts of the operating system or user data.

Scriptable Digital Forensics and Incident Response (DFIR) toolkit built on Viper.

Cybersecurity incident management platform allowing for easy creation, tracking, and reporting of cybersecurity incidents.

Web application built by Defense Point Security to allow security researchers the ability to add and retrieve indicators related to their research.

Modular, automated forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis.

Free macOS computer forensics tool.

Forensic evidence collection & analysis toolkit for macOS.

Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.

Assists incident response teams by exporting cloud artifacts from Azure/AzureAD/M365 environments in order to run a full investigation despite lacking in logs ingested by a SIEM.

Analytic tool to assist both Red and Blue teams with visualizing and reporting command and control activities, replay and demonstrate attack paths, and more clearly communicate remediation recommendations to stakeholders.

Augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.

Framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft.

Malicious network traffic detection system.

Open source framework for network traffic analysis that ingests Zeek logs and detects beaconing, DNS tunneling, and more.

Detects the presence of the Responder LLMNR/NBT-NS/MDNS poisoner on a network.

Catch spoofed NetBIOS Name Service (NBNS) responses and alert to an email or log file.

Full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes.

General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

Free and open-source network telemetry engine for data-driven security investigations.

General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

Operating system instrumentation framework for macOS, Windows, and Linux, exposing the OS as a high-performance relational database that can be queried with a SQL-like syntax.

Suite of CIM/WMI-based tools enabling remote incident response and hunting operations across all versions of Windows.

PowerShell module for hunt teaming via Windows Event logs.

Incident response framework focused on remote live forensics consisting of a Python agent installed on assets and Python-based server infrastructure enabling analysts to quickly triage attacks and perform analysis remotely.

All-in-one Free Software threat hunting stack based on Elasticsearch, Logstash, Kafka, and Kibana with various built-in integrations for analytics including Jupyter Notebook.

Automate the security incident handling process and facilitate the real-time activities of incident handlers.

PowerShell module designed to scan remote endpoints for indicators of compromise or survey them for more comprehensive information related to state of those systems.

PSHunt-like tool for analyzing remote Windows systems that also produces a self-contained HTML report of its findings.

All in one PowerShell-based platform to perform live hard disk forensic analysis.

Multi-platform tool for triaging suspected IOCs on many endpoints simultaneously and that integrates with antivirus consoles.

Network fingerprinting standard which can be used to identify specific client and server SSH implementations.

Indicators of Compromises (IOCs) derived from ESET's various investigations.

Collection of Snort and YARA rules to detect attacks carried out with FireEye's own Red Team tools, first released after FireEye disclosed a breach in December 2020.

Collection of IoC in various languages for detecting backdoored SolarWinds Orion NMS activities and related vulnerabilities.

Project covering the need for IT security researchers to have a single repository where different Yara signatures are compiled, classified and kept as up to date as possible.

Open source, self-hosted implementation of the Tailscale control server.

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2.

Free Software private network system that uses WireGuard under the hood, made to be self-hosted.

Completely open source and self-hosted, scalable overlay networking tool with a focus on performance, simplicity, and security, inspired by tinc.

Open source initiative focused on bringing Zero Trust to any application via an overlay network, tunelling applications, and numerous SDKs.

Visualize and graph Active Directory permission configs ("control relations") to audit questions such as "Who can read the CEO's email?" and similar.

More effectively use BloodHoundAD in continual security life-cycles by utilizing its pathfinding engine to identify Active Directory security vulnerabilities.