Security Tools#

Reference of offensive and defensive security tools by category. The catalog below is the working set most pen-testers, red teamers, blue teamers, and detection engineers reach for. For hardware, see Hacking Hardware and SDR Hardware. For techniques, see Hacking.

Use offensive entries only against systems you own, lab targets, CTF ranges, or scoped engagements with written authorization.

Reconnaissance#

Tool

Notes

nmap

The reference port + service scanner; NSE scripts.

masscan

Fast asynchronous port scanner; whole-internet capable.

zmap

Internet-scale single-port scanner.

rustscan

Wraps nmap with rust-async port discovery.

naabu

ProjectDiscovery’s fast port scanner.

dnsx, alterx

DNS pivots + permutation.

amass, subfinder

Subdomain enumeration.

assetfinder

Subdomain discovery (Tomnomnom).

httpx (PD)

HTTP probe + tech-stack fingerprint.

gowitness, aquatone

Screenshot-the-web at scale.

katana, gospider, h akrawler

web crawlers.

ffuf, gobuster, dir search

directory / file fuzzing.

wfuzz

older fuzzer.

nuclei

templated vulnerability scanner.

ChaosDB

ProjectDiscovery’s daily-scanned subdomain feed.

shodan / censys

internet-wide scan engines.

Vulnerability scanning#

Tool

Notes

Nessus / Tenable

commercial; the SOC standard.

Qualys

commercial.

Rapid7 InsightVM

commercial.

OpenVAS / Greenbone

OSS scanner.

Nuclei

templated; complements heavy scanners.

sqlmap

SQL-injection automation.

WPScan

WordPress.

Joomscan

Joomla.

Droopescan

Drupal / Joomla / SilverStripe.

JoomlaVS, CMSeek

multi-CMS scan.

Nikto

legacy web vuln scanner.

Vulners

vuln-search engine wrapped as a CLI.

Trivy / Grype

container + dependency CVE scanning.

Snyk

commercial dep + container.

Dependency-Track

OSS SBOM + CVE.

DefectDojo

OSS vuln-management platform.

Exploitation frameworks#

Tool

Notes

Metasploit Framewor k

the standard OSS exploitation platform.

Cobalt Strike

commercial; the most-abused legitimate red-team tool.

Sliver

OSS C2 / post-ex; modern Cobalt Strike-class.

Mythic

OSS C2 platform.

Havoc

OSS C2.

Brute Ratel C4

commercial C2; leaked builds in the wild.

Empire (BC-Sec)

PowerShell / Python C2; resurrected.

PowerSploit

PowerShell post-exploitation.

Veil-Evasion

AV-evasion payload generator.

Donut

position-independent shellcode loader.

TheHive Project

IR / CTI platform.

Web application#

Tool

Notes

Burp Suite

PortSwigger; the standard interception proxy + scanner.

OWASP ZAP

OSS proxy + scanner.

Caido

modern Burp alternative.

mitmproxy

scriptable HTTPS proxy.

ffuf, gobuster

content / param fuzzing.

sqlmap

SQLi automation.

XSStrike

XSS detection.

Commix

command-injection.

NoSQLMap

NoSQL injection.

nuclei

template-driven scanning.

JWT_Tool / jwt.io

JWT analysis.

sqlmap-tamper

evasion scripts.

Postman / Insomnia

API testing.

gitleaks, truffleho

g secret discovery in code.

Network / wireless#

Tool

Notes

Wireshark / tshark

packet capture + analysis.

tcpdump

CLI capture.

Aircrack-ng

WiFi cracking suite.

hcxdumptool / hcxto ols

PMKID + handshake capture.

Bettercap

network-layer MITM.

Responder

NTLM / LLMNR / NBNS poisoning.

Impacket

Python network protocols (psexec, smbexec, ntlmrelayx, secretsdump, GetNPUsers, GetUserSPNs).

Kismet

wireless capture + IDS.

Reaver / Bully

WPS attacks.

Pixiewps

offline WPS PIN crack.

hostapd-wpe

rogue AP for EAP capture.

mdk4

WiFi stress / deauth.

PRET

printer exploitation.

Frida + objection

mobile dynamic analysis.

Ettercap

classic LAN MITM.

Credential cracking#

Tool

Notes

hashcat

GPU-accelerated; the dominant cracker.

John the Ripper

CPU-friendly; many formats.

hydra

online password brute-force.

medusa

parallel online cracker.

ncrack

Nmap-team online cracker.

patator

generic brute-forcer.

CeWL

wordlist generation from web.

crunch

wordlist permutation.

hashID / hash-ident ifier

hash-format detection.

John –wordlist + r ules

rule-driven mutations.

Active Directory / Windows#

Tool

Notes

BloodHound

AD attack-path analysis.

SharpHound / azured og

BloodHound collectors.

PowerView

classic AD enumeration.

Rubeus

Kerberos abuse (kerberoasting / ASREP / S4U / pass-the-ticket).

Mimikatz

Windows credential dump (LSASS, DPAPI, SAM, ticket abuse).

Pypykatz

Python pure-impl mimikatz.

secretsdump

Impacket; credential extraction.

CrackMapExec / nxc

Network-wide enumeration + abuse.

NetExec

modern CME fork.

Impacket suite

see Network section.

SharpDPAPI

DPAPI offline + online.

DonPAPI

DPAPI cred-collection.

ROADtools, ROADreco

n Azure AD enumeration.

AzureHound

BloodHound collector for Azure.

AADInternals

Azure AD attack toolkit.

Stormspotter

Azure attack surface.

PingCastle

AD audit (free + paid).

ADRecon

AD reporting.

Cloud (AWS / GCP / Azure)#

Tool

Notes

Pacu

AWS exploitation framework.

ScoutSuite

multi-cloud security scanner.

Prowler

AWS / GCP / Azure benchmark scanner.

CloudSploit

multi-cloud audit.

PMapper

AWS IAM relationship analysis.

Cartography

multi-asset graph (Lyft).

Stratus Red Team

cloud attack emulation (DataDog).

GCPBucketBrute

open GCS bucket scanner.

S3Scanner

open S3 bucket scanner.

trufflehog

secret discovery (also cloud).

gitleaks

secret discovery.

checkov, tfsec, KIC S

IaC scanning.

Aikido / Wiz / Orca

commercial CSPM.

Reverse engineering#

Tool

Notes

Ghidra

NSA-released open-source decompiler / disassembler.

IDA Pro / Free

Hex-Rays; commercial leader.

Binary Ninja

commercial alternative; Python / Rust scriptable.

radare2 / cutter

OSS multi-arch RE.

angr

symbolic execution framework (Python).

Frida

dynamic instrumentation.

gdb / pwndbg / GEF

/ pwntools debugging + exploit dev.

x64dbg

Windows usermode debugger.

objdump, readelf, n m

classic binutils.

otool

macOS Mach-O.

peda

gdb plugin.

ReClass.NET

struct reverse-engineering.

binwalk

firmware analysis.

Forensics / IR#

See Digital Forensics for the deeper catalog. Highlights:

  • Volatility 3, KAPE, Velociraptor, GRR, Autopsy, Sleuth Kit, bulk_extractor, plaso, log2timeline.

  • Cellebrite, Magnet AXIOM (mobile / commercial).

  • SOF-ELK, TheHive, Cortex (analyst platforms).

Defensive (blue team)#

Tool

Notes

Wazuh

OSS XDR / SIEM.

Elastic Stack (ELK)

Logstash / Beats / Elasticsearch / Kibana.

Splunk

commercial SIEM.

Microsoft Sentinel

Azure-native SIEM (KQL).

Chronicle / SecOps

Google.

QRadar

IBM.

LimaCharlie

OSS-friendly XDR.

osquery

Facebook-released; queryable host telemetry.

Sysmon (Windows)

deep process / file / network telemetry.

Auditbeat

Linux audit shipping.

auditd

Linux kernel audit.

Velociraptor

OSS DFIR + endpoint hunting.

GRR

Google Rapid Response.

Suricata, Zeek

network IDS / NSM.

Snort

classic IDS (see IDS Rules).

Falco

Linux runtime detection (eBPF-based).

Tetragon

Cilium-driven runtime detection (eBPF).

ClamAV

OSS antivirus.

YARA

pattern matching (YARA).

Sigma rules

SIEM-agnostic detection (Sigma).

Atomic Red Team

ATT&CK-mapped test scripts.

Caldera

MITRE adversary emulation.

Threat hunting#

Tool

Notes

HELK

hunting ELK stack (Roberto Rodriguez).

Mordor

attack data sets for testing.

Elastic Detection R ules

open detections.

Sigma + sigma-cli

convert detections to backend.

Hunting Maturity Mo del

framework.

Atomic Red Team

execute ATT&CK techniques.

Mythic Caldera

adversary emulation.

APT Simulator

Florian Roth’s lateral-movement simulator.

SAST / DAST / SCA#

Tool

Notes

Semgrep

SAST; rules in YAML.

Bandit

Python SAST.

Brakeman

Ruby on Rails SAST.

SpotBugs / FindSecB ugs

Java SAST.

SonarQube

multi-language SAST + coverage.

CodeQL

GitHub-owned semantic analysis.

PVS-Studio

commercial SAST.

Snyk Code

commercial SAST.

Checkmarx

commercial SAST.

Veracode

commercial SAST + DAST.

Burp Suite Enterpri

se / DAST see Web app.

Acunetix, Netsparke r

commercial DAST.

OWASP ZAP

OSS DAST.

Trivy, Grype, Snyk

SCA / container.

Dependabot, Renovat e

dependency upgrades.

References#