Open-Source Cybersecurity Tools Catalog

This full reference catalog is generated from community-maintained cybersecurity lists and normalized into a single taxonomy. Use it for deep research, broad market scanning, and long-form side-by-side comparison when you need maximum coverage in one place.

Read This Page Effectively

If you prefer faster navigation, start with the Open-Source Cybersecurity Tools Hub, which breaks content into category-specific pages.

Use these evaluation criteria when comparing tools:

• Coverage depth against your highest-priority threats and compliance obligations.
• Operational overhead for deployment, tuning, and long-term maintenance.
• Signal quality versus analyst workload and false-positive pressure.
• Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
• Governance readiness including auditability, ownership clarity, and change control.

Category Index

• AI / LLM Security (1) | Category page
• Application Security (8) | Category page
• Blue Team (46) | Category page
• CTF & Training (83) | Category page
• Cloud Security (50) | Category page
• Container & Kubernetes Security (7) | Category page
• Deception & Honeypots (251) | Category page
• Digital Forensics & DFIR (145) | Category page
• Email Security (10) | Category page
• Endpoint Security (56) | Category page
• Fuzzing & Software Assurance (127) | Category page
• GRC & Compliance (7) | Category page
• General Security (28) | Category page
• Hacking (30) | Category page
• Identity & Access Security (6) | Category page
• Incident Response (174) | Category page
• Malware Analysis (13) | Category page
• Malware Analysis & Reverse Engineering (425) | Category page
• Mobile Security (12) | Category page
• Network Security Monitoring (398) | Category page
• OSINT & Reconnaissance (1254) | Category page
• OT / ICS / IoT Security (5) | Category page
• Penetration Testing & Red Team (337) | Category page
• Perimeter / Zero Trust Security (7) | Category page
• SIEM & Log Management (54) | Category page
• SOAR & Automation (43) | Category page
• SOC Operations (182) | Category page
• Secrets & Credential Security (9) | Category page
• Security Awareness & Training (7) | Category page
• Supply Chain Security (7) | Category page
• Threat Detection (116) | Category page
• Threat Intelligence (110) | Category page
• Vulnerability Management (78) | Category page
• Web & API Security (264) | Category page

AI / LLM Security

This category contains 1 documented tools. It focuses on capabilities used for model red teaming, prompt injection defense, and AI governance controls. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Open category-focused page

shellfirm

• Website: https://github.com/kaplanelad/shellfirm
• Model: Open Source
• Category: AI / LLM Security
• Source Lists: Awesome Security

What it does: shellfirm is used in ai / llm security programs to support model red teaming, prompt injection defense, and AI governance controls. Source summaries describe it as: It is a handy utility to help avoid running dangerous commands with an extra approval step. You will immediately get a small prompt challenge that will double verify your action when risky patterns are detected.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Terminal.

Back to Category Index

Application Security

This category contains 8 documented tools. It focuses on capabilities used for secure SDLC controls, code scanning, and dependency risk management. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Open category-focused page

AppSec

• Website: https://github.com/paragonie/awesome-appsec
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome Forensics

What it does: AppSec is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Online Resources > Other Lists Online.

Back to Category Index

CakeFuzzer

• Website: https://github.com/Zigrin-Security/CakeFuzzer
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Security

What it does: CakeFuzzer is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: The ultimate web application security testing tool for CakePHP-based web applications. CakeFuzzer employs a predefined set of attacks that are randomly modified before execution. Leveraging its deep understanding of the Cake PHP framework, Cake Fuzzer launches attacks on all potential application entry points.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Scanning / Pentesting.

Back to Category Index

Insider CLI

• Website: https://github.com/insidersec/insider
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Security

What it does: Insider CLI is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: A open source Static Application Security Testing tool (SAST) written in GoLang for Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C# and Javascript (Node.js).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Development.

Back to Category Index

Node.js Secure Coding: Defending Against Command Injection Vulnerabilities

• Website: https://www.nodejs-security.com
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Security

What it does: Node.js Secure Coding: Defending Against Command Injection Vulnerabilities is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: Learn secure coding conventions in Node.js by executing command injection attacks on real-world npm packages and analyzing vulnerable code.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > EBooks.

Back to Category Index

Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities

• Website: https://www.nodejs-security.com/book/path-traversal
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Security

What it does: Node.js Secure Coding: Prevention and Exploitation of Path Traversal Vulnerabilities is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: Master secure coding in Node.js with real-world vulnerable dependencies and experience firsthand secure coding techniques against Path Traversal vulnerabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > EBooks.

Back to Category Index

OWASP

• Website: http://www.owasp.org
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Security

What it does: OWASP is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Organization.

Back to Category Index

Portswigger

• Website: https://portswigger.net
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Security

What it does: Portswigger is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: PortSwigger offers tools for web application security, testing & scanning. Choose from a wide range of security tools & identify the very latest vulnerabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Organization.

Back to Category Index

Scanmycode CE (Community Edition)

• Website: https://github.com/marcinguy/scanmycode-ce
• Model: Open Source
• Category: Application Security
• Source Lists: Awesome Security

What it does: Scanmycode CE (Community Edition) is used in application security programs to support secure SDLC controls, code scanning, and dependency risk management. Source summaries describe it as: Code Scanning/SAST/Static Analysis/Linting using many tools/Scanners with One Report. Currently supports: PHP, Java, Scala, Python, Ruby, Javascript, GO, Secret Scanning, Dependency Confusion, Trojan Source, Open Source and Proprietary Checks (total ca. 1000 checks).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Scanning / Pentesting.

Back to Category Index

Blue Team

This category contains 46 documented tools. It focuses on capabilities used for baseline hardening, monitoring integration, and defense-in-depth validation. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Open category-focused page

AllStar

• Website: https://github.com/ossf/allstar
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: AllStar is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: GitHub App installed on organizations or repositories to set and enforce security policies.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Policy enforcement.

Back to Category Index

blackbox

• Website: https://github.com/StackExchange/blackbox
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: blackbox is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Bubblewrap

• Website: https://github.com/containers/bubblewrap
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Bubblewrap is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Sandboxing tool for use by unprivileged Linux users capable of restricting access to parts of the operating system or user data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools > Sandboxes.

Back to Category Index

CanaryTokens

• Website: https://github.com/thinkst/canarytokens
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team, Awesome Honeypots

What it does: CanaryTokens is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Self-hostable honeytoken generator and reporting dashboard; demo version available at .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Honeypots.

Back to Category Index

chkrootkit

• Website: http://chkrootkit.org/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: chkrootkit is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Locally checks for signs of a rootkit on GNU/Linux systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

Back to Category Index

CodeQL

• Website: https://securitylab.github.com/tools/codeql
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: CodeQL is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Discover vulnerabilities across a codebase by performing queries against code as though it were data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Conftest

• Website: https://conftest.dev/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Conftest is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Utility to help you write tests against structured configuration data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Policy enforcement.

Back to Category Index

Crossfeed

• Website: https://docs.crossfeed.cyber.dhs.gov/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Crossfeed is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Continuously enumerates and monitors an organization’s public-facing attack surface in order to discover assets and flag potential security flaws.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring.

Back to Category Index

Dangerzone

• Website: https://dangerzone.rocks/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Dangerzone is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools > Sandboxes.

Back to Category Index

DeepBlueCLI

• Website: https://github.com/sans-blue-team/DeepBlueCLI
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: DeepBlueCLI is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A PowerShell Module for Hunt Teaming via Windows Event Logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Category Index

DynamoRIO

• Website: https://dynamorio.org/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: DynamoRIO is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Runtime code manipulation system that supports code transformations on any part of a program, while it executes, implemented as a process-level virtual machine.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Application or Binary Hardening.

Back to Category Index

DynInst

• Website: https://dyninst.org/dyninst
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: DynInst is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Tools for binary instrumentation, analysis, and modification, useful for binary patching.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Application or Binary Hardening.

Back to Category Index

Egalito

• Website: https://egalito.org/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Egalito is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Binary recompiler and instrumentation framework that can fully disassemble, transform, and regenerate ordinary Linux binaries designed for binary hardening and security research.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Application or Binary Hardening.

Back to Category Index

Endlessh

• Website: https://github.com/skeeto/endlessh
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team, Awesome Honeypots

What it does: Endlessh is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: SSH tarpit that slowly sends an endless banner. ().

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Honeypots > Tarpits.

Back to Category Index

Fail2ban

• Website: https://www.fail2ban.org/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Fail2ban is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Intrusion prevention software framework that protects computer servers from brute-force attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

Back to Category Index

Git Secrets

• Website: https://github.com/awslabs/git-secrets
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Git Secrets is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Prevents you from committing passwords and other sensitive information to a git repository.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

git-crypt

• Website: https://www.agwa.name/projects/git-crypt/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: git-crypt is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Transparent file encryption in git; files which you choose to protect are encrypted when committed, and decrypted when checked out.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

GlobaLeaks

• Website: https://www.globaleaks.org/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: GlobaLeaks is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Free, open source software enabling anyone to easily set up and maintain a secure whistleblowing platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Communications security (COMSEC).

Back to Category Index

GPG Sync

• Website: https://github.com/firstlookmedia/gpgsync
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: GPG Sync is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Centralize and automate OpenPGP public key distribution, revocation, and updates amongst all members of an organization or team.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Communications security (COMSEC).

Back to Category Index

HardenTools

• Website: https://github.com/securitywithoutborders/hardentools
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: HardenTools is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Utility that disables a number of risky Windows features.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses.

Back to Category Index

Headscale

• Website: https://github.com/juanfont/headscale
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Headscale is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Open source, self-hosted implementation of the Tailscale control server.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses > Overlay and Virtual Private Networks (VPNs).

Back to Category Index

helm-secrets

• Website: https://github.com/jkroepke/helm-secrets
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: helm-secrets is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Helm plugin that helps manage secrets with Git workflow and stores them anywhere, backed by SOPS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Icinga

• Website: https://icinga.com/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Icinga is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Modular redesign of Nagios with pluggable user interfaces and an expanded set of data connectors, collectors, and reporting tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Service and performance monitoring.

Back to Category Index

LaBrea

• Website: http://labrea.sourceforge.net/labrea-info.html
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team, Awesome Honeypots

What it does: LaBrea is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Program that answers ARP requests for unused IP space, creating the appearance of fake machines that answer further requests very slowly in order to slow down scanners, worms, etcetera.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Honeypots > Tarpits.

Back to Category Index

Locust

• Website: https://locust.io/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Locust is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Open source load testing tool in which you can define user behaviour with Python code and swarm your system with millions of simultaneous users.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Service and performance monitoring.

Back to Category Index

Logging Made Easy (LME)

• Website: https://www.cisa.gov/resources-tools/services/logging-made-easy
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Logging Made Easy (LME) is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Free and open logging and protective monitoring solution serving.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Category Index

MITMEngine

• Website: https://github.com/cloudflare/mitmengine
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: MITMEngine is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Golang library for server-side detection of TLS interception events.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses.

Back to Category Index

Nebula

• Website: https://github.com/slackhq/nebula
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Nebula is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Completely open source and self-hosted, scalable overlay networking tool with a focus on performance, simplicity, and security, inspired by tinc.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses > Overlay and Virtual Private Networks (VPNs).

Back to Category Index

NotRuler

• Website: https://github.com/sensepost/notruler
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: NotRuler is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Detect both client-side rules and VBScript enabled forms used by the attack tool when attempting to compromise a Microsoft Exchange server.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses.

Back to Category Index

OnionBalance

• Website: https://onionbalance.readthedocs.io/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: OnionBalance is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Provides load-balancing while also making Onion services more resilient and reliable by eliminating single points-of-failure.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Tor Onion service defenses.

Back to Category Index

Open Source HIDS SECurity (OSSEC)

• Website: https://www.ossec.net/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Open Source HIDS SECurity (OSSEC) is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Fully open source and free, feature-rich, Host-based Instrusion Detection System (HIDS).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

Back to Category Index

osquery

• Website: https://github.com/facebook/osquery
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: osquery is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Operating system instrumentation framework for macOS, Windows, and Linux, exposing the OS as a high-performance relational database that can be queried with a SQL-like syntax.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Service and performance monitoring.

Back to Category Index

PlumHound

• Website: https://github.com/PlumHound/PlumHound
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: PlumHound is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: More effectively use BloodHoundAD in continual security life-cycles by utilizing its pathfinding engine to identify Active Directory security vulnerabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses > Active Directory.

Back to Category Index

PSHunt

• Website: https://github.com/Infocyte/PSHunt
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: PSHunt is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: PowerShell module designed to scan remote endpoints for indicators of compromise or survey them for more comprehensive information related to state of those systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Category Index

Sandboxie

• Website: https://www.sandboxie.com/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team, Awesome Cyber Security Tools

What it does: Sandboxie is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Free and open source general purpose Windows application sandboxing utility.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses.

Back to Category Index

Santa

• Website: https://github.com/google/santa
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Santa is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Keep track of binaries that are naughty or nice in an allow/deny-listing system for macOS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > macOS-based defenses.

Back to Category Index

SecureDrop

• Website: https://securedrop.org/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: SecureDrop is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Open source whistleblower submission system that media organizations and NGOs can install to securely accept documents from anonymous sources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Communications security (COMSEC).

Back to Category Index

Shufflecake

• Website: https://shufflecake.net/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Shufflecake is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Plausible deniability for multiple hidden filesystems on Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

Back to Category Index

SonarQube

• Website: https://sonarqube.org
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: SonarQube is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Continuous inspection tool that provides detailed reports during automated testing and alerts on newly introduced security vulnerabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Starbase

• Website: https://github.com/JupiterOne/starbase
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Starbase is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Collects assets and relationships from services and systems into an intuitive graph view to offer graph-based security analysis for everyone.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring.

Back to Category Index

Sticky Keys Slayer

• Website: https://github.com/linuz/Sticky-Keys-Slayer
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Sticky Keys Slayer is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Establishes a Windows RDP session from a list of hostnames and scans for accessibility tools backdoors, alerting if one is discovered.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses.

Back to Category Index

Stronghold

• Website: https://github.com/alichtman/stronghold
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Stronghold is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Easily configure macOS security settings from the terminal.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > macOS-based defenses.

Back to Category Index

USB Keystroke Injection Protection

• Website: https://github.com/google/ukip
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: USB Keystroke Injection Protection is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Daemon for blocking USB keystroke injection devices on Linux systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

Back to Category Index

Valgrind

• Website: https://www.valgrind.org/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Valgrind is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Instrumentation framework for building dynamic analysis tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Application or Binary Hardening.

Back to Category Index

Vanguards

• Website: https://github.com/mikeperry-tor/vanguards
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Vanguards is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Version 3 Onion service guard discovery attack mitigation script (intended for eventual inclusion in Tor core).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Tor Onion service defenses.

Back to Category Index

Zabbix

• Website: https://www.zabbix.com/
• Model: Open Source
• Category: Blue Team
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Zabbix is used in blue team programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Mature, enterprise-level platform to monitor large-scale IT environments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Service and performance monitoring.

Back to Category Index

CTF & Training

This category contains 83 documented tools. It focuses on capabilities used for baseline hardening, monitoring integration, and defense-in-depth validation. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Open category-focused page

Parrot Security OS

• Website: https://www.parrotsec.org
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome Cyber Security Tools, Awesome CTF

What it does: Parrot Security OS is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Security-oriented Linux distribution designed for security experts and developers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Operating Systems.

Back to Category Index

AperiSolve

• Website: https://aperisolve.fr/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: AperiSolve is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Aperi'Solve is a platform which performs layer analysis on image (open-source).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

BackBox

• Website: https://backbox.org/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: BackBox is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Based on Ubuntu.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Operating Systems.

Back to Category Index

Backdoor

• Website: https://backdoor.sdslabs.co/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Backdoor is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Security Platform by SDSLabs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Bettercap

• Website: https://github.com/bettercap/bettercap
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Bettercap is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Framework to perform MITM (Man in the Middle) attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Attacks.

Back to Category Index

bi0s Wiki

• Website: https://teambi0s.gitlab.io/bi0s-wiki/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: bi0s Wiki is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Wiki from team bi0s.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wikis.

Back to Category Index

BinUtils

• Website: http://www.gnu.org/software/binutils/binutils.html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: BinUtils is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Collection of binary tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Boomerang

• Website: https://github.com/BoomerangDecompiler/boomerang
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Boomerang is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Decompile x86/SPARC/PowerPC/ST-20 binaries to C.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Convert

• Website: http://www.imagemagick.org/script/convert.php
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Convert is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Convert images b/w formats and apply filters.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

CryptoHack

• Website: https://cryptohack.org/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: CryptoHack is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Fun cryptography challenges.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

CSWSH

• Website: http://cow.cat/cswsh.html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: CSWSH is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Cross-Site WebSocket Hijacking Tester.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Services.

Back to Category Index

ctf_import

• Website: https://github.com/docileninja/ctf_import
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: ctf_import is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: run basic functions from stripped binaries cross platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

CTFd

• Website: https://github.com/isislab/CTFd
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: CTFd is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Platform to host jeopardy style CTFs from ISISLab, NYU Tandon.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Create > Platforms.

Back to Category Index

CyberChef

• Website: https://gchq.github.io/CyberChef
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: CyberChef is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Web app for analysing and decoding data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Crypto.

Back to Category Index

Damn Vulnerable Web Application

• Website: http://www.dvwa.co.uk/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Damn Vulnerable Web Application is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: PHP/MySQL web application that is damn vulnerable.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

demovfuscator

• Website: https://github.com/kirschju/demovfuscator
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: demovfuscator is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A work-in-progress deobfuscator for movfuscated binaries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

DLLInjector

• Website: https://github.com/OpenSecurityResearch/dllinjector
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: DLLInjector is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Inject dlls in processes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Exploits.

Back to Category Index

Exif

• Website: http://manpages.ubuntu.com/manpages/trusty/man1/exif.1.html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Exif is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Shows EXIF information in JPEG files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Exiftool

• Website: https://linux.die.net/man/1/exiftool
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Exiftool is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Read and write meta information in files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Exiv2

• Website: http://www.exiv2.org/manpage.html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Exiv2 is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Image metadata manipulation tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

FeatherDuster

• Website: https://github.com/nccgroup/featherduster
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: FeatherDuster is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: An automated, modular cryptanalysis tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Crypto.

Back to Category Index

Fedora Security Lab

• Website: https://labs.fedoraproject.org/security/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Fedora Security Lab is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Based on Fedora.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Operating Systems.

Back to Category Index

Frida

• Website: https://github.com/frida/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Frida is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Dynamic Code Injection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

GDB

• Website: https://www.gnu.org/software/gdb/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: GDB is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: The GNU project debugger.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Gracker

• Website: https://github.com/Samuirai/gracker
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Gracker is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Binary challenges having a slow learning curve, and write-ups for each level.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Hackbar

• Website: https://addons.mozilla.org/en-US/firefox/addon/hackbartool/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Hackbar is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Firefox addon for easy web exploitation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Web.

Back to Category Index

Hash Extender

• Website: https://github.com/iagox86/hash_extender
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Hash Extender is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A utility tool for performing hash length extension attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Crypto.

Back to Category Index

Hone Your Ninja Skills

• Website: https://honeyourskills.ninja/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Hone Your Ninja Skills is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Web challenges starting from basic ones.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Hydra

• Website: https://tools.kali.org/password-attacks/hydra
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Hydra is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A parallelized login cracker which supports numerous protocols to attack.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Bruteforcers.

Back to Category Index

Image Steganography

• Website: https://sourceforge.net/projects/image-steg/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Image Steganography is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Embeds text and files in images with optional encryption. Easy-to-use UI.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Image Steganography Online

• Website: https://incoherency.co.uk/image-steganography
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Image Steganography Online is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: This is a client-side Javascript tool to steganographically hide images inside the lower "bits" of other images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

ImageMagick

• Website: http://www.imagemagick.org/script/index.php
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: ImageMagick is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Tool for manipulating images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

IO

• Website: http://io.netgarage.org/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: IO is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Wargame for binary challenges.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

John The Jumbo

• Website: https://github.com/magnumripper/JohnTheRipper
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: John The Jumbo is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Community enhanced version of John the Ripper.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Bruteforcers.

Back to Category Index

LazyKali

• Website: https://github.com/jlevitsk/lazykali
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: LazyKali is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A 2016 refresh of LazyKali which simplifies install of tools and configuration.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Starter Packs.

Back to Category Index

libformatstr

• Website: https://github.com/hellman/libformatstr
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: libformatstr is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Simplify format string exploitation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Exploits.

Back to Category Index

Metasploit JavaScript Obfuscator

• Website: https://github.com/rapid7/metasploit-framework/wiki/How-to-obfuscate-JavaScript-in-Metasploit
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Metasploit JavaScript Obfuscator is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Create > Web.

Back to Category Index

Nozzlr

• Website: https://github.com/intrd/nozzlr
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Nozzlr is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Nozzlr is a bruteforce framework, trully modular and script-friendly.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Bruteforcers.

Back to Category Index

one_gadget

• Website: https://github.com/david942j/one_gadget
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: one_gadget is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A tool to find the one gadget execve('/bin/sh', NULL, NULL) call.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Exploits.

Back to Category Index

Outguess

• Website: https://www.freebsd.org/cgi/man.cgi?query=outguess+&apropos=0&sektion=0&manpath=FreeBSD+Ports+5.1-RELEASE&format=html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Outguess is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Universal steganographic tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Over The Wire

• Website: http://overthewire.org/wargames/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Over The Wire is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Wargame maintained by OvertheWire Community.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Patator

• Website: https://github.com/lanjelot/patator
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Patator is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Patator is a multi-purpose brute-forcer, with a modular design.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Bruteforcers.

Back to Category Index

PentesterLab

• Website: https://pentesterlab.com/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: PentesterLab is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Variety of VM and online challenges (paid).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Pentoo

• Website: http://www.pentoo.ch/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Pentoo is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Based on Gentoo.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Operating Systems.

Back to Category Index

Pin

• Website: https://software.intel.com/en-us/articles/pin-a-dynamic-binary-instrumentation-tool
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Pin is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A dynamic binary instrumentaion tool by Intel.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

PinCTF

• Website: https://github.com/ChrisTheCoolHut/PinCTF
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: PinCTF is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A tool which uses intel pin for Side Channel Analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

PkCrack

• Website: https://www.unix-ag.uni-kl.de/~conrad/krypto/pkcrack.html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: PkCrack is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A tool for Breaking PkZip-encryption.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Crypto.

Back to Category Index

Pngtools

• Website: https://packages.debian.org/sid/pngtools
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Pngtools is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: For various analysis related to PNGs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

PWN Challenge

• Website: http://pwn.eonew.cn/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: PWN Challenge is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Binary Exploitation Wargame.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Pwnable.tw

• Website: https://pwnable.tw/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Pwnable.tw is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Binary wargame.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Pwnable.xyz

• Website: https://pwnable.xyz/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Pwnable.xyz is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Binary Exploitation Wargame.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Qira

• Website: https://github.com/BinaryAnalysisPlatform/qira
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Qira is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: QEMU Interactive Runtime Analyser.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Exploits.

Back to Category Index

QuipQuip

• Website: https://quipqiup.com
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: QuipQuip is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: An online tool for breaking substitution ciphers or vigenere ciphers (without key).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Crypto.

Back to Category Index

Request Bin

• Website: https://requestbin.com/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Request Bin is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Lets you inspect http requests to a particular url.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Services.

Back to Category Index

Revelo

• Website: http://www.kahusecurity.com/posts/revelo_javascript_deobfuscator.html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Revelo is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Analyze obfuscated Javascript code.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Reversin.kr

• Website: http://reversing.kr/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Reversin.kr is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Reversing challenge.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

ROP Gadget

• Website: https://github.com/JonathanSalwan/ROPgadget
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: ROP Gadget is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Framework for ROP exploitation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Exploits.

Back to Category Index

ROP Wargames

• Website: https://github.com/xelenonz/game
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: ROP Wargames is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: ROP Wargames.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

RSATool

• Website: https://github.com/ius/rsatool
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: RSATool is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Generate private key with knowledge of p and q.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Crypto.

Back to Category Index

SANS HHC

• Website: https://holidayhackchallenge.com/past-challenges/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: SANS HHC is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Challenges with a holiday theme.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Back to Category Index

Scorebot

• Website: https://github.com/legitbs/scorebot
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Scorebot is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Platform for CTFs by Legitbs (Defcon).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Create > Platforms.

Back to Category Index

SecGen

• Website: https://github.com/cliffe/SecGen
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: SecGen is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Security Scenario Generator. Creates randomly vulnerable virtual machines.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Create > Platforms.

Back to Category Index

SmartDeblur

• Website: https://github.com/Y-Vladimir/SmartDeblur
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: SmartDeblur is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Used to deblur and fix defocused images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Steganabara

• Website: https://www.openhub.net/p/steganabara
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Steganabara is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Tool for stegano analysis written in Java.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

SteganographyOnline

• Website: https://stylesuxx.github.io/steganography/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: SteganographyOnline is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Online steganography encoder and decoder.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Stegbreak

• Website: https://linux.die.net/man/1/stegbreak
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Stegbreak is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Launches brute-force dictionary attacks on JPG image.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

stegextract

• Website: https://github.com/evyatarmeged/stegextract
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: stegextract is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Detect hidden files and text in images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Steghide

• Website: http://steghide.sourceforge.net/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Steghide is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Hide data in various kind of images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

StegOnline

• Website: https://georgeom.net/StegOnline/upload
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: StegOnline is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Conduct a wide range of image steganography operations, such as concealing/revealing files hidden within bits (open-source).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Stegsolve

• Website: http://www.caesum.com/handbook/Stegsolve.jar
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Stegsolve is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Apply various steganography techniques to images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Steganography.

Back to Category Index

Triton

• Website: https://github.com/JonathanSalwan/Triton/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Triton is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Dynamic Binary Analysis (DBA) framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Turbo Intruder

• Website: https://portswigger.net/research/turbo-intruder-embracing-the-billion-request-attack
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Turbo Intruder is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Burp Suite extension for sending large numbers of HTTP requests.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Bruteforcers.

Back to Category Index

Uglify

• Website: https://github.com/mishoo/UglifyJS
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Uglify is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Create > Web.

Back to Category Index

Uncompyle

• Website: https://github.com/gstarnberger/uncompyle
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Uncompyle is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Decompile Python 2.7 binaries (.pyc).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

URIX OS

• Website: http://urix.us/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: URIX OS is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Based on openSUSE.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Operating Systems.

Back to Category Index

Wifislax

• Website: http://www.wifislax.com/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Wifislax is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Based on Slackware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Operating Systems.

Back to Category Index

WinDbg

• Website: http://www.windbg.org/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: WinDbg is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Windows debugger distributed by Microsoft.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Xocopy

• Website: http://reverse.lostrealm.com/tools/xocopy.html
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Xocopy is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Program that can copy executables with execute, but no read permission.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

XSSer

• Website: http://xsser.sourceforge.net/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: XSSer is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Automated XSS testor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Web.

Back to Category Index

Xxxswf

• Website: https://bitbucket.org/Alexander_Hanel/xxxswf
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Xxxswf is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A Python script for analyzing Flash files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Yersinia

• Website: https://github.com/tomac/yersinia
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Yersinia is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Attack various protocols on layer 2.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Attacks.

Back to Category Index

Z3

• Website: https://github.com/Z3Prover/z3
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF

What it does: Z3 is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A theorem prover from Microsoft Research.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Back to Category Index

Zsteg

• Website: https://github.com/zed-0xff/zsteg/
• Model: Open Source
• Category: CTF & Training
• Source Lists: Awesome CTF, Awesome Forensics

What it does: Zsteg is used in ctf & training programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: A steganographic coder for WAV files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Steganography.

Back to Category Index

Cloud Security

This category contains 50 documented tools. It focuses on capabilities used for multi-cloud posture monitoring, workload protection, and misconfiguration control. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Open category-focused page

Aaia

• Website: https://github.com/rams3sh/Aaia
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Aaia is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.

Back to Category Index

Afterglow Cloud

• Website: https://github.com/ayrus/afterglow-cloud
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Honeypots

What it does: Afterglow Cloud is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

attack_range

• Website: https://github.com/splunk/attack_range
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Threat Detection

What it does: attack_range is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Tools.

Back to Category Index

AWS Security Fundamentals

• Website: https://aws.amazon.com/fr/training/digital/aws-security-fundamentals/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: AWS Security Fundamentals is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Category Index

aws-vault

• Website: https://github.com/99designs/aws-vault
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security

What it does: aws-vault is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Store AWS credentials in the OSX Keychain or an encrypted file.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Datastores.

Back to Category Index

Azure AD Internals suite

• Website: https://aadinternals.com/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: Azure AD Internals suite is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: , ,.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

Back to Category Index

Azure Security

• Website: https://www.manning.com/books/azure-security-2
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security

What it does: Azure Security is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: A practical guide to the native security services of Microsoft Azure.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > EBooks.

Back to Category Index

BlueTeam Lab

• Website: https://github.com/op7ic/BlueTeam.Lab
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Threat Detection, Awesome Forensics

What it does: BlueTeam Lab is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Blue Team detection lab created with Terraform and Ansible in Azure.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Labs.

Back to Category Index

chamber

• Website: https://github.com/segmentio/chamber
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security

What it does: chamber is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Store secrets using AWS KMS and SSM Parameter Store.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Datastores.

Back to Category Index

Checkov

• Website: https://www.checkov.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Checkov is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Cloud Access Security Broker

• Website: https://www.gartner.com/en/information-technology/glossary/cloud-access-security-brokers-casbs
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: Cloud Access Security Broker is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: , if company's IT environment uses a lot of external services like SaaS/IaaS:.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Category Index

Cloud Active Defense

• Website: https://github.com/SAP/cloud-active-defense?tab=readme-ov-file
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Honeypots

What it does: Cloud Active Defense is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Cloud active defense lets you deploy decoys right into your cloud applications, putting adversaries into a dilemma: to hack or not to hack?.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

confidant

• Website: https://github.com/lyft/confidant
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security

What it does: confidant is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Stores secrets in AWS DynamoDB, encrypted at rest and integrates with IAM.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Datastores.

Back to Category Index

Consul

• Website: https://consul.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Consul is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Solution to connect and configure applications across dynamic, distributed infrastructure and, with Consul Connect, enabling secure service-to-service communication with automatic TLS encryption and identity-based authorization.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Service meshes.

Back to Category Index

Cortex

• Website: https://cortexmetrics.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Cortex is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Provides horizontally scalable, highly available, multi-tenant, long term storage for Prometheus.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.

Back to Category Index

credstash

• Website: https://github.com/fugue/credstash
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security

What it does: credstash is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Store secrets using AWS KMS and DynamoDB.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Datastores.

Back to Category Index

CrowdStrike Reporting Tool for Azure

• Website: https://github.com/CrowdStrike/CRT
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: CrowdStrike Reporting Tool for Azure is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Category Index

GCP Security Analytics

• Website: https://github.com/GoogleCloudPlatform/security-analytics
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Threat Detection

What it does: GCP Security Analytics is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Detection Rules.

Back to Category Index

Gluu Server

• Website: https://gluu.org/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Gluu Server is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Central authentication and authorization for Web and mobile applications with a Free and Open Source Software cloud-native community distribution.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Identity and AuthN/AuthZ.

Back to Category Index

gVisor

• Website: https://github.com/google/gvisor
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: gVisor is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.

Back to Category Index

Infection Monkey

• Website: https://github.com/guardicore/monkey
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security, Awesome Threat Detection

What it does: Infection Monkey is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: An open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Tools.

Back to Category Index

Istio

• Website: https://istio.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Istio is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Service meshes.

Back to Category Index

Jaeger

• Website: https://www.jaegertracing.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Jaeger is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.

Back to Category Index

k-rail

• Website: https://github.com/cruise-automation/k-rail
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: k-rail is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Workload policy enforcement tool for Kubernetes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

Kata Containers

• Website: https://katacontainers.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Kata Containers is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.

Back to Category Index

kube-hunter

• Website: https://kube-hunter.aquasec.com/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing

What it does: kube-hunter is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

kubernetes-event-exporter

• Website: https://github.com/opsgenie/kubernetes-event-exporter
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: kubernetes-event-exporter is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Allows exporting the often missed Kubernetes events to various outputs so that they can be used for observability or alerting purposes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

KubeSec

• Website: https://kubesec.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: KubeSec is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Static analyzer of Kubernetes manifests that can be run locally, as a Kuberenetes admission controller, or as its own cloud service.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

Kyverno

• Website: https://kyverno.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Kyverno is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Policy engine designed for Kubernetes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

Linkerd

• Website: https://linkerd.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Linkerd is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

M365/Azure compromise asssessment SOP

• Website: https://github.com/cyb3rxp/awesome-soc/blob/main/sop_M365_compromise_assessment.md
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: M365/Azure compromise asssessment SOP is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Category Index

Managed Kubernetes Inspection Tool (MKIT)

• Website: https://github.com/darkbitio/mkit
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Managed Kubernetes Inspection Tool (MKIT) is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

Microsoft Azure Sentinel

• Website: https://azure.microsoft.com/en-us/products/microsoft-sentinel/#overview
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: Microsoft Azure Sentinel is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: , , , .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Back to Category Index

Open Policy Agent (OPA)

• Website: https://www.openpolicyagent.org/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Open Policy Agent (OPA) is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Unified toolset and framework for policy across the cloud native stack.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Policy enforcement.

Back to Category Index

OpenTelemetry

• Website: https://opentelemetry.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: OpenTelemetry is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.

Back to Category Index

Polaris

• Website: https://polaris.docs.fairwinds.com/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Polaris is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

Principal Mapper (PMapper)

• Website: https://github.com/nccgroup/PMapper
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Principal Mapper (PMapper) is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Quickly evaluate IAM permissions in AWS via script and library capable of identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.

Back to Category Index

Prometheus

• Website: https://prometheus.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Prometheus is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Open-source systems monitoring and alerting toolkit originally built at SoundCloud.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.

Back to Category Index

Prowler

• Website: https://github.com/toniblyx/prowler
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Prowler is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.

Back to Category Index

Regula

• Website: https://regula.dev/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Regula is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Checks infrastructure as code templates (Terraform, CloudFormation, K8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Policy enforcement.

Back to Category Index

Scout Suite

• Website: https://github.com/nccgroup/ScoutSuite
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team, Awesome SOC

What it does: Scout Suite is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Category Index

Sealed Secrets

• Website: https://github.com/bitnami-labs/sealed-secrets
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Sealed Secrets is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Kubernetes controller and tool for one-way encrypted Secrets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.

Back to Category Index

Selefra

• Website: https://github.com/selefra/selefra
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security

What it does: Selefra is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: An open-source policy-as-code software that provides analytics for multi-cloud and SaaS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > DevOps.

Back to Category Index

Sentinel Attack

• Website: https://github.com/BlueTeamLabs/sentinel-attack
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Threat Detection

What it does: Sentinel Attack is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Category Index

Sops

• Website: https://github.com/mozilla/sops
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: Sops is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

terrascan

• Website: https://runterrascan.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: terrascan is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Static code analyzer for Infrastructure as Code tools that helps detect compliance and security violations to mitigate risk before provisioning cloud native resources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Thor Cloud lite

• Website: https://www.nextron-systems.com/2023/10/30/introducing-thor-cloud-lite-seamless-on-demand-security-scanning-made-easy/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: Thor Cloud lite is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: ;.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Category Index

Threat Matrix for Azure Storage services

• Website: https://microsoft.github.io/Threat-matrix-for-storage-services/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome SOC

What it does: Threat Matrix for Azure Storage services is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Category Index

Varna

• Website: https://github.com/endgameinc/varna
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Threat Detection

What it does: Varna is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: A quick & cheap AWS CloudTrail Monitoring with Event Query Language (EQL).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Category Index

Zipkin

• Website: https://zipkin.io/
• Model: Open Source
• Category: Cloud Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Zipkin is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.

Back to Category Index

Container & Kubernetes Security

This category contains 7 documented tools. It focuses on capabilities used for image integrity checks, cluster policy enforcement, and runtime threat detection. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Open category-focused page

Bane

• Website: https://github.com/genuinetools/bane
• Model: Open Source
• Category: Container & Kubernetes Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Bane is used in container & kubernetes security programs to support image integrity checks, cluster policy enforcement, and runtime threat detection. Source summaries describe it as: Custom and better AppArmor profile generator for Docker containers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Bunkerized-nginx

• Website: https://github.com/bunkerity/bunkerized-nginx
• Model: Open Source
• Category: Container & Kubernetes Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Bunkerized-nginx is used in container & kubernetes security programs to support image integrity checks, cluster policy enforcement, and runtime threat detection. Source summaries describe it as: Docker image of an NginX configuration and scripts implementing many defensive techniques for Web sites.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security configurations.

Back to Category Index

Clair

• Website: https://github.com/coreos/clair
• Model: Open Source
• Category: Container & Kubernetes Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Clair is used in container & kubernetes security programs to support image integrity checks, cluster policy enforcement, and runtime threat detection. Source summaries describe it as: Static analysis tool to probe for vulnerabilities introduced via application container (e.g., Docker) images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

DShield docker

• Website: https://github.com/xme/dshield-docker
• Model: Open Source
• Category: Container & Kubernetes Security
• Source Lists: Awesome Honeypots

What it does: DShield docker is used in container & kubernetes security programs to support image integrity checks, cluster policy enforcement, and runtime threat detection. Source summaries describe it as: Docker container running cowrie with DShield output enabled.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Oriana

• Website: https://github.com/mvelazc0/Oriana
• Model: Open Source
• Category: Container & Kubernetes Security
• Source Lists: Awesome Threat Detection

What it does: Oriana is used in container & kubernetes security programs to support image integrity checks, cluster policy enforcement, and runtime threat detection. Source summaries describe it as: Lateral movement and threat hunting tool for Windows environments built on Django comes Docker ready.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Back to Category Index

Snyk

• Website: https://snyk.io/
• Model: Open Source
• Category: Container & Kubernetes Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Snyk is used in container & kubernetes security programs to support image integrity checks, cluster policy enforcement, and runtime threat detection. Source summaries describe it as: Finds and fixes vulnerabilities and license violations in open source dependencies and container images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

Back to Category Index

Teleport

• Website: https://goteleport.com/
• Model: Open Source
• Category: Container & Kubernetes Security
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Teleport is used in container & kubernetes security programs to support image integrity checks, cluster policy enforcement, and runtime threat detection. Source summaries describe it as: Allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Communications security (COMSEC).

Back to Category Index

Deception & Honeypots

This category contains 251 documented tools. It focuses on capabilities used for early attacker interaction detection and high-confidence alerting. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Open category-focused page

Acapulco

• Website: https://github.com/hgascon/acapulco
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Acapulco is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Automated Attack Community Graph Construction.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

ADBHoney

• Website: https://github.com/huuck/ADBHoney
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: ADBHoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction honeypot that simulates an Android device running Android Debug Bridge (ADB) server process.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Afterglow

• Website: http://afterglow.sourceforge.net/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Afterglow is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

AMTHoneypot

• Website: https://github.com/packetflare/amthoneypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: AMTHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot for Intel's AMT Firmware Vulnerability CVE-2017-5689.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Amun

• Website: http://amunhoney.sourceforge.net
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Amun is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Vulnerability emulation honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Antivmdetect

• Website: https://github.com/nsmfoo/antivmdetection
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Antivmdetect is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Script to create templates to use with VirtualBox to make VM detection harder.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

arctic-swallow

• Website: https://github.com/ajackal/arctic-swallow
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: arctic-swallow is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Artemnesia VoIP

• Website: http://artemisa.sourceforge.net
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Artemnesia VoIP is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Artillery

• Website: https://github.com/BinaryDefense/artillery
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Artillery is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

Back to Category Index

Artillery

• Website: https://github.com/trustedsec/artillery/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Artillery is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Bait and Switch

• Website: http://baitnswitch.sourceforge.net
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Bait and Switch is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Redirects all hostile traffic to a honeypot that is partially mirroring your production system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

basic-auth-pot (bap)

• Website: https://github.com/bjeborn/basic-auth-pot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: basic-auth-pot (bap) is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: HTTP Basic Authentication honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

beelzebub

• Website: https://github.com/mariocandela/beelzebub
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: beelzebub is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A secure honeypot framework, extremely easy to configure by yaml 🚀.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Bifrozt

• Website: https://github.com/Ziemeck/bifrozt-ansible
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Bifrozt is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Automatic deploy bifrozt with ansible.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Blacknet

• Website: https://github.com/morian/blacknet
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Blacknet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Multi-head SSH honeypot system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Bluepot

• Website: https://github.com/andrewmichaelsmith/bluepot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Bluepot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

bwpot

• Website: https://github.com/graneed/bwpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: bwpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Breakable Web applications honeyPot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

canarytokendetector

• Website: https://github.com/referefref/canarytokendetector
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: canarytokendetector is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Tool for detection and nullification of Thinkst CanaryTokens.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Capture BAT

• Website: https://www.honeynet.org/node/315
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Capture BAT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Capture-HPC

• Website: https://projects.honeynet.org/capture-hpc
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Capture-HPC is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High interaction client honeypot (also called honeyclient).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Capture-HPC-Linux

• Website: https://redmine.honeynet.org/projects/linux-capture-hpc/wiki
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Capture-HPC-Linux is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Capture-HPC-NG

• Website: https://github.com/CERT-Polska/HSN-Capture-HPC-NG
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Capture-HPC-NG is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

CC2ASN

• Website: http://www.cc2asn.com/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: CC2ASN is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple lookup service for AS-numbers and prefixes belonging to any given country in the world.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

ciscoasa_honeypot

• Website: https://github.com/cymmetria/ciscoasa_honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: ciscoasa_honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A low interaction honeypot for the Cisco ASA component capable of detecting CVE-2018-0101, a DoS and remote code execution vulnerability.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Conpot

• Website: https://github.com/mushorg/conpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Conpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: ICS/SCADA honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Category Index

Cowrie

• Website: https://github.com/micheloosterhof/cowrie
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Malware Analysis

What it does: Cowrie is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH honeypot, based.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Category Index

Cowrie

• Website: https://github.com/cowrie/cowrie
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Cowrie is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Cowrie SSH Honeypot (based on kippo).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

cowrie2neo

• Website: https://github.com/xlfe/cowrie2neo
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: cowrie2neo is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Parse cowrie honeypot logs into a neo4j database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Damn Simple Honeypot (DSHP)

• Website: https://github.com/naorlivne/dshp
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Damn Simple Honeypot (DSHP) is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot framework with pluggable handlers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

DAVIX

• Website: https://www.secviz.org/node/89
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: DAVIX is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: The DAVIX Live CD.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

dcept

• Website: https://github.com/secureworks/dcept
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: dcept is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Tool for deploying and detecting use of Active Directory honeytokens.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

ddospot

• Website: https://github.com/aelth/ddospot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: ddospot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: NTP, DNS, SSDP, Chargen and generic UDP-based amplification DDoS honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Deception Toolkit

• Website: http://www.all.net/dtk/dtk.html
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Deception Toolkit is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Deception-as-Detection

• Website: https://github.com/0x4D31/deception-as-detection
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Threat Detection

What it does: Deception-as-Detection is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Deception based detection techniques mapped to the MITRE’s ATT&CK framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Category Index

Delilah

• Website: https://github.com/SecurityTW/delilah
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Delilah is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Elasticsearch Honeypot written in Python (originally from Novetta).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

dhp

• Website: https://github.com/ciscocsirt/dhp
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: dhp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple Docker Honeypot server emulating small snippets of the Docker HTTP API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

dicompot

• Website: https://github.com/nsmfoo/dicompot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: dicompot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: DICOM Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Dionaea

• Website: https://github.com/DinoTools/dionaea
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Dionaea is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot designed to trap malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Category Index

DionaeaFR

• Website: https://github.com/rubenespadas/DionaeaFR
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: DionaeaFR is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Front Web to Dionaea low-interaction honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

django-admin-honeypot

• Website: https://github.com/dmpayton/django-admin-honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: django-admin-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Fake Django admin login screen to notify admins of attempted unauthorized access.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Django-kippo

• Website: https://github.com/jedie/django-kippo
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Django-kippo is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Django App for kippo SSH Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

dnsMole

• Website: https://code.google.com/archive/p/dns-mole/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: dnsMole is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Analyses DNS traffic and potentionaly detect botnet command and control server activity, along with infected hosts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Docker honeynet

• Website: https://github.com/sreinhardt/Docker-Honeynet
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Docker honeynet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Several Honeynet tools set up for Docker containers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Dockerized Thug

• Website: https://hub.docker.com/r/honeynet/thug/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Dockerized Thug is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Dockerized to analyze malicious web content.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Dockerpot

• Website: https://github.com/mrschyte/dockerpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Dockerpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Docker based honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

DolosHoneypot

• Website: https://github.com/Marist-Innovation-Lab/DolosHoneypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: DolosHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SDN (software defined networking) honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Droidbox

• Website: https://code.google.com/archive/p/droidbox/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Droidbox is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

drupo

• Website: https://github.com/d1str0/drupot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: drupo is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Drupal Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

DShield Web Honeypot Project

• Website: https://sites.google.com/site/webhoneypotsite/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: DShield Web Honeypot Project is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Elastic honey

• Website: https://github.com/jordan-wright/elastichoney
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Elastic honey is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple Elasticsearch Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

ElasticPot

• Website: https://gitlab.com/bontchev/elasticpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: ElasticPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: An Elasticsearch Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Ensnare

• Website: https://github.com/ahoernecke/ensnare
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Ensnare is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Easy to deploy Ruby honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

EoHoneypotBundle

• Website: https://github.com/eymengunay/EoHoneypotBundle
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: EoHoneypotBundle is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot type for Symfony2 forms.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

ESPot

• Website: https://github.com/mycert/ESPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: ESPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Express honeypot

• Website: https://github.com/christophe77/express-honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Express honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RFI & LFI honeypot using nodeJS and express.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

fapro

• Website: https://github.com/fofapro/fapro
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: fapro is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Fake Protocol Server.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

galah

• Website: https://github.com/0x4D31/galah
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: galah is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: an LLM-powered web honeypot using the OpenAI API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

GasPot

• Website: https://github.com/sjhilt/GasPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: GasPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Veeder Root Gaurdian AST, common in the oil and gas industry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

GenAIPot

• Website: https://github.com/ls1911/GenAIPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: GenAIPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: The first A.I based open source honeypot. supports POP3 and SMTP protocols and generates content using A.I based on user description.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Ghost-usb

• Website: https://github.com/honeynet/ghost-usb-honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Ghost-usb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot for malware that propagates via USB storage devices.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Glastopf

• Website: https://github.com/mushorg/glastopf
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Glastopf is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Web application honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Category Index

Glastopf Analytics

• Website: https://github.com/katkad/Glastopf-Analytics
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Glastopf Analytics is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Easy honeypot statistics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

glutton

• Website: https://github.com/mushorg/glutton
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: glutton is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: All eating honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

go-emulators

• Website: https://github.com/kingtuna/go-emulators
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: go-emulators is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot Golang emulators.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

go-HoneyPot

• Website: https://github.com/Mojachieee/go-HoneyPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: go-HoneyPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot server written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

go-sshoney

• Website: https://github.com/ashmckenzie/go-sshoney
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: go-sshoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

go0r

• Website: https://github.com/fzerorubigd/go0r
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: go0r is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple ssh honeypot in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

gohoney

• Website: https://github.com/PaulMaddox/gohoney
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: gohoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH honeypot written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Google Hack Honeypot

• Website: http://ghh.sourceforge.net
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Google Hack Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

gridpot

• Website: https://github.com/sk4ld/gridpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: gridpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open source tools for realistic-behaving electric grid honeynets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Helix

• Website: https://github.com/Zeerg/helix-honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Helix is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: K8s API Honeypot with Active Defense Capabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HellPot

• Website: https://github.com/yunginnanet/HellPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HellPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot that tries to crash the bots and clients that visit it's location.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Heralding

• Website: https://github.com/johnnykv/heralding
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Heralding is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Credentials catching honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Hexgolems - Pint Debugger Backend

• Website: https://github.com/hexgolems/pint
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Hexgolems - Pint Debugger Backend is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Debugger backend and LUA wrapper for PIN.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Hexgolems - Schem Debugger Frontend

• Website: https://github.com/hexgolems/schem
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Hexgolems - Schem Debugger Frontend is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Debugger frontend.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HIHAT

• Website: http://hihat.sourceforge.net/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HIHAT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Transform arbitrary PHP applications into web-based high-interaction Honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

hived

• Website: https://github.com/sahilm/hived
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: hived is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Golang-based honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeeepi

• Website: https://redmine.honeynet.org/projects/honeeepi/wiki
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeeepi is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot sensor on a Raspberry Pi based on a customized Raspbian OS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honey_ports

• Website: https://github.com/run41/honey_ports
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honey_ports is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Very simple but effective docker deployed honeypot to detect port scanning in your environment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeyalarmg2

• Website: https://github.com/schmalle/honeyalarmg2
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeyalarmg2 is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simplified UI for showing honeypot alarms.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

Honeybits

• Website: https://github.com/0x4D31/honeybits
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeybits is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple tool designed to enhance the effectiveness of your traps by spreading breadcrumbs and honeytokens across your production servers and workstations to lure the attacker toward your honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyBOT

• Website: http://www.atomicsoftwaresolutions.com/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyBOT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyBrid

• Website: http://honeybrid.sourceforge.net
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyBrid is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyC

• Website: https://projects.honeynet.org/honeyc
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyC is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeycomb

• Website: http://www.icir.org/christian/honeycomb/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeycomb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Automated signature creation using honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeycomb

• Website: http://www.honeyd.org/tools.php
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeycomb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

Back to Category Index

honeycomb_plugins

• Website: https://github.com/Cymmetria/honeycomb_plugins
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeycomb_plugins is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Plugin repository for Honeycomb, the honeypot framework by Cymmetria.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeyd

• Website: http://www.honeyd.org/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Malware Analysis

What it does: Honeyd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Create a virtual honeynet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Category Index

Honeyd

• Website: https://github.com/provos/honeyd
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeyd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: See .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeyd-Viz

• Website: https://bruteforcelab.com/honeyd-viz
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeyd-Viz is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

Back to Category Index

Honeyd2MySQL

• Website: https://bruteforcelab.com/honeyd2mysql
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeyd2MySQL is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

Back to Category Index

honeydet

• Website: https://github.com/referefref/honeydet
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeydet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Signature based honeypot detector tool written in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyDrive

• Website: https://bruteforce.gr/honeydrive/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Malware Analysis

What it does: HoneyDrive is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot bundle Linux distro.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Honeypots.

Back to Category Index

HoneyDrive

• Website: https://bruteforcelab.com/honeydrive
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyDrive is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeydsum.pl

• Website: https://github.com/DataSoft/Honeyd/blob/master/scripts/misc/honeydsum-v0.3/honeydsum.pl
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeydsum.pl is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

Back to Category Index

honeyfs

• Website: https://github.com/referefref/honeyfs
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeyfs is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Tool to create artificial file systems for medium/high interaction honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeygrove

• Website: https://github.com/UHH-ISS/honeygrove
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeygrove is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Multi-purpose modular honeypot based on Twisted.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeyhttpd

• Website: https://github.com/bocajspear1/honeyhttpd
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeyhttpd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python-based web server honeypot builder.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeyku

• Website: https://github.com/0x4D31/honeyku
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeyku is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Heroku-based web honeypot that can be used to create and monitor fake HTTP endpoints (i.e. honeytokens).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeymail

• Website: https://github.com/sec51/honeymail
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeymail is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SMTP honeypot written in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyMalt

• Website: https://github.com/SneakersInc/HoneyMalt
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyMalt is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Maltego tranforms for mapping Honeypot systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

HoneyMap

• Website: https://github.com/fw42/honeymap
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyMap is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Real-time websocket stream of GPS events on a fancy SVG world map.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

Honeymole

• Website: https://web.archive.org/web/20100326040550/http://www.honeynet.org.pt:80/index.php/HoneyMole
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeymole is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Deploy multiple sensors that redirect traffic to a centralized collection of honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeyntp

• Website: https://github.com/fygrave/honeyntp
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeyntp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: NTP logger/honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeyperl

• Website: https://sourceforge.net/projects/honeyperl/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeyperl is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot software based in Perl with plugins developed for many functions like : wingates, telnet, squid, smtp, etc.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeyport

• Website: https://github.com/securitygeneration/Honeyport
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeyport is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple honeyport written in Bash and Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeypot

• Website: https://github.com/jadb/honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: The Project Honey Pot un-official PHP SDK.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeypot (Dionaea and kippo) setup script

• Website: https://github.com/andrewmichaelsmith/honeypot-setup-script/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeypot (Dionaea and kippo) setup script is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Guides.

Back to Category Index

Honeypot-32764

• Website: https://github.com/knalli/honeypot-for-tcp-32764
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeypot-32764 is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot for router backdoor (TCP 32764).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeypot-camera

• Website: https://github.com/alexbredo/honeypot-camera
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeypot-camera is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Observation camera honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeypot-ftp

• Website: https://github.com/alexbredo/honeypot-ftp
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeypot-ftp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: FTP Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeypot.go

• Website: https://github.com/mdp/honeypot.go
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeypot.go is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SSH Honeypot written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeypotDisplay

• Website: https://github.com/Joss-Steward/honeypotDisplay
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeypotDisplay is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Flask website which displays data gathered from an SSH Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

honeypotpi

• Website: https://github.com/free5ty1e/honeypotpi
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeypotpi is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Script for turning a Raspberry Pi into a HoneyPot Pi.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Guides.

Back to Category Index

honeypots

• Website: https://github.com/qeeqbox/honeypots
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeypots is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: 25 different honeypots in a single pypi package! (dns, ftp, httpproxy, http, https, imap, mysql, pop3, postgres, redis, smb, smtp, socks5, ssh, telnet, vnc, mssql, elastic, ldap, ntp, memcache, snmp, oracle, sip and irc).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyPress

• Website: https://github.com/kungfuguapo/HoneyPress
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyPress is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python based WordPress honeypot in a Docker container.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeyprint

• Website: https://github.com/glaslos/honeyprint
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeyprint is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Printer honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeysnap

• Website: https://projects.honeynet.org/honeysnap/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeysnap is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeyssh

• Website: https://github.com/ppacher/honeyssh
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeyssh is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Credential dumping SSH honeypot with statistics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyStats

• Website: https://sourceforge.net/projects/honeystats/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyStats is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Statistical view of the recorded activity on a Honeynet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

HoneyThing

• Website: https://github.com/omererdem/honeything
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyThing is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: TR-069 Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

honeyup

• Website: https://github.com/LogoiLab/honeyup
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: honeyup is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: An uploader honeypot designed to look like poor website security.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Honeyview

• Website: http://honeyview.sourceforge.net/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeyview is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeyd Tools.

Back to Category Index

Honeywall

• Website: https://projects.honeynet.org/honeywall/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Honeywall is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyWeb

• Website: https://code.google.com/archive/p/gsoc-honeyweb/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyWeb is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Web interface created to manage and remotely share Honeyclients resources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HoneyWRT

• Website: https://github.com/CanadianJeff/honeywrt
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HoneyWRT is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction Python honeypot designed to mimic services or ports that might get targeted by attackers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HonnyPotter

• Website: https://github.com/MartinIngesen/HonnyPotter
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HonnyPotter is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: WordPress login honeypot for collection and analysis of failed login attempts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Hontel

• Website: https://github.com/stamparm/hontel
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Hontel is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Telnet Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

hornet

• Website: https://github.com/czardoz/hornet
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: hornet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Medium interaction SSH honeypot that supports multiple virtual hosts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

HpfeedsHoneyGraph

• Website: https://github.com/yuchincheng/HpfeedsHoneyGraph
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HpfeedsHoneyGraph is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Visualization app to visualize hpfeeds logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

HPfriends

• Website: http://hpfriends.honeycloud.net/#/home
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: HPfriends is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot data-sharing platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

hpfriends - real-time social data-sharing

• Website: https://heipei.io/sigint-hpfriends/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: hpfriends - real-time social data-sharing is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Presentation about HPFriends feed system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

imap-honey

• Website: https://github.com/yvesago/imap-honey
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: imap-honey is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: IMAP honeypot written in Golang.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

IMHoneypot

• Website: https://github.com/mushorg/imhoneypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: IMHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

IPP Honey

• Website: https://gitlab.com/bontchev/ipphoney
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: IPP Honey is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A honeypot for the Internet Printing Protocol.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

ipv6-attack-detector

• Website: https://github.com/mzweilin/ipv6-attack-detector/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: ipv6-attack-detector is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Google Summer of Code 2012 project, supported by The Honeynet Project organization.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Kako

• Website: https://github.com/darkarnium/kako
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Kako is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypots for a number of well known and deployed embedded device vulnerabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Kippo stats

• Website: https://github.com/mfontani/kippo-stats
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Kippo stats is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Mojolicious app to display statistics for your kippo SSH honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

Kippo-Graph

• Website: https://bruteforcelab.com/kippo-graph
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Kippo-Graph is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Full featured script to visualize statistics from a Kippo SSH honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Back to Category Index

Kippo-Malware

• Website: https://bruteforcelab.com/kippo-malware
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Kippo-Malware is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python script that will download all malicious files stored as URLs in a Kippo SSH honeypot database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Kippo2ElasticSearch

• Website: https://bruteforcelab.com/kippo2elasticsearch
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Kippo2ElasticSearch is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python script to transfer data from a Kippo SSH honeypot MySQL database to an ElasticSearch instance (server or cluster).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

kippo_detect

• Website: https://github.com/andrew-morris/kippo_detect
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: kippo_detect is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Offensive component that detects the presence of the kippo honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Kippo_JunOS

• Website: https://github.com/gregcmartin/Kippo_JunOS
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Kippo_JunOS is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Kippo configured to be a backdoored netscreen.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Kojoney2

• Website: https://github.com/madirish/kojoney2
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Kojoney2 is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction SSH honeypot written in Python and based on Kojoney by Jose Antonio Coret.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Kushtaka

• Website: https://kushtaka.org
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Kushtaka is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Sustainable all-in-one honeypot and honeytoken orchestrator for under-resourced blue teams.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Honeypots.

Back to Category Index

Laravel Application Honeypot

• Website: https://github.com/msurguy/Honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Laravel Application Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple spam prevention package for Laravel applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Log4Pot

• Website: https://github.com/thomaspatzke/Log4Pot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Log4Pot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A honeypot for the Log4Shell vulnerability (CVE-2021-44228).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Longitudinal Analysis of SSH Cowrie Honeypot Logs

• Website: https://github.com/deroux/longitudinal-analysis-cowrie
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Longitudinal Analysis of SSH Cowrie Honeypot Logs is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python based command line tool to analyze cowrie logs over time.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Lophiid

• Website: https://github.com/mrheinen/lophiid/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Lophiid is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Distributed web application honeypot to interact with large scale exploitation attempts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Lyrebird

• Website: https://hub.docker.com/r/lyrebird/honeypot-base/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Lyrebird is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modern high-interaction honeypot framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Mail::SMTP::Honeypot

• Website: https://metacpan.org/pod/release/MIKER/Mail-SMTP-Honeypot-0.11/Honeypot.pm
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Mail::SMTP::Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Perl module that appears to provide the functionality of a standard SMTP server.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Mailoney

• Website: https://github.com/phin3has/mailoney
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Mailoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: SMTP honeypot written in python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Malbait

• Website: https://github.com/batchmcnulty/Malbait
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Malbait is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple TCP/UDP honeypot implemented in Perl.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Manuka

• Website: https://github.com/spaceraccoon/manuka
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Cybersecurity Blue Team

What it does: Manuka is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open-sources intelligence (OSINT) honeypot that monitors reconnaissance attempts by threat actors and generates actionable intelligence for Blue Teamers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Honeypots.

Back to Category Index

Manuka

• Website: https://github.com/andrewmichaelsmith/manuka
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Manuka is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Docker based honeypot (Dionaea and Kippo).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

medpot

• Website: https://github.com/schmalle/medpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: medpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: HL7 / FHIR honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

MICROS honeypot

• Website: https://github.com/Cymmetria/micros_honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: MICROS honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction honeypot to detect CVE-2018-2636 in the Oracle Hospitality Simphony component of Oracle Hospitality Applications (MICROS).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

miniprint

• Website: https://github.com/sa7mon/miniprint
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: miniprint is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A medium interaction printer honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

MockSSH

• Website: https://github.com/ncouture/MockSSH
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: MockSSH is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Mock an SSH server and define all commands it supports (Python, Twisted).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

modpot

• Website: https://github.com/referefref/modpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: modpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modpot is a modular web application honeypot framework and management application written in Golang and making use of gin framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

MongoDB-HoneyProxy

• Website: https://github.com/Plazmaz/MongoDB-HoneyProxy
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: MongoDB-HoneyProxy is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: MongoDB honeypot proxy.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

MonkeySpider

• Website: http://monkeyspider.sourceforge.net
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: MonkeySpider is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

MTPot

• Website: https://github.com/Cymmetria/MTPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: MTPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Open Source Telnet Honeypot, focused on Mirai malware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

mysql-honeypotd

• Website: https://github.com/sjinks/mysql-honeypotd
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: mysql-honeypotd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low interaction MySQL honeypot written in C.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

MysqlPot

• Website: https://github.com/schmalle/MysqlPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: MysqlPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: MySQL honeypot, still very early stage.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

node-ftp-honeypot

• Website: https://github.com/christophe77/node-ftp-honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: node-ftp-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: FTP server honeypot in JS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Nodepot

• Website: https://github.com/schmalle/Nodepot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Nodepot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: NodeJS web application honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

NoSQLpot

• Website: https://github.com/torque59/nosqlpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: NoSQLpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Honeypot framework built on a NoSQL-style database.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

NOVA

• Website: https://github.com/DataSoft/Nova
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: NOVA is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Uses honeypots as detectors, looks like a complete system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

OpenCanary

• Website: https://github.com/thinkst/opencanary
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: OpenCanary is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modular and decentralised honeypot daemon that runs several canary versions of services that alerts when a service is (ab)used.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

owa-honeypot

• Website: https://github.com/joda32/owa-honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: owa-honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: A basic flask based Outlook Web Honey pot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

PasitheaHoneypot

• Website: https://github.com/Marist-Innovation-Lab/PasitheaHoneypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: PasitheaHoneypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RestAPI honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

PayloadsAllTheThings - Web Cache Deception

• Website: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Web%20Cache%20Deception
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Web Security

What it does: PayloadsAllTheThings - Web Cache Deception is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Written by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Introduction > Web Cache Poisoning.

Back to Category Index

peepdf

• Website: https://github.com/jesparza/peepdf
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots, Awesome Cyber Security Tools

What it does: peepdf is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Powerful Python tool to analyze PDF documents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Static Analysis > PDF.

Back to Category Index

pghoney

• Website: https://github.com/betheroot/pghoney
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: pghoney is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Low-interaction Postgres Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

PHARM

• Website: http://www.nepenthespharm.com/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: PHARM is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Manage, report, and analyze your distributed Nepenthes instances.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

PhoneyC

• Website: https://github.com/honeynet/phoneyc
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: PhoneyC is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Python honeyclient (later replaced by Thug).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

phpmyadmin_honeypot

• Website: https://github.com/gfoss/phpmyadmin_honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: phpmyadmin_honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Simple and effective phpMyAdmin honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

portlurker

• Website: https://github.com/bartnv/portlurker
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: portlurker is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Port listener in Rust with protocol guessing and safe string display.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

potd

• Website: https://github.com/lnslbrty/potd
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: potd is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Highly scalable low- to medium-interaction SSH/TCP honeypot designed for OpenWrt/IoT devices leveraging several Linux kernel features, such as namespaces, seccomp and thread capabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Pwnypot

• Website: https://github.com/shjalayeri/pwnypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Pwnypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High Interaction Client Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

pyrdp

• Website: https://github.com/gosecure/pyrdp
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: pyrdp is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Python-Honeypot

• Website: https://github.com/OWASP/Python-Honeypot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Python-Honeypot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: OWASP Honeypot, Automated Deception Framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Quechua

• Website: https://bitbucket.org/zaccone/quechua
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Quechua is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

rdppot

• Website: https://github.com/kryptoslogic/rdppot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: rdppot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: RDP honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

RDPy

• Website: https://github.com/citronneur/rdpy
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: RDPy is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Microsoft Remote Desktop Protocol (RDP) honeypot implemented in Python.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

RedisHoneyPot

• Website: https://github.com/cypwnpwnsocute/RedisHoneyPot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: RedisHoneyPot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: High Interaction Honeypot Solution for Redis protocol.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Rumal

• Website: https://github.com/thugs-rumal/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Rumal is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Thug's Rumāl: a Thug's dress and weapon.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

SCADA honeynet

• Website: http://scadahoneynet.sourceforge.net
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: SCADA honeynet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Building Honeypots for Industrial Networks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

scada-honeynet

• Website: http://www.digitalbond.com/blog/2007/07/24/scada-honeynet-article-in-infragard-publication/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: scada-honeynet is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Mimics many of the services from a popular PLC and better helps SCADA researchers understand potential risks of exposed control system devices.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

SentryPeer

• Website: https://github.com/SentryPeer/SentryPeer
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: SentryPeer is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Protect your SIP Servers from bad actors.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Servletpot

• Website: https://github.com/schmalle/servletpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Servletpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Web application Honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Shadow Daemon

• Website: https://shadowd.zecure.org/overview/introduction/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Shadow Daemon is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl, and Python apps.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Shelia

• Website: https://www.cs.vu.nl/~herbertb/misc/shelia/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Shelia is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Client-side honeypot for attack detection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Shiva

• Website: https://github.com/shiva-spampot/shiva
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Shiva is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Spam Honeypot with Intelligent Virtual Analyzer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running

• Website: https://www.pentestpartners.com/security-blog/shiva-the-spam-honeypot-tips-and-tricks-for-getting-it-up-and-running/
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: Shiva The Spam Honeypot Tips And Tricks For Getting It Up And Running is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

shockpot

• Website: https://github.com/threatstream/shockpot
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots

What it does: shockpot is used in deception & honeypots programs to support early attacker interaction detection and high-confidence alerting. Source summaries describe it as: WebApp Honeypot for detecting Shell Shock exploit attempts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Category Index

Shockpot-Frontend

• Website: https://github.com/GovCERT-CZ/Shockpot-Frontend
• Model: Open Source
• Category: Deception & Honeypots
• Source Lists: Awesome Honeypots