Open-Source Cybersecurity Tools: Cloud Security
This category contains 50 documented tools. The entries range from posture and misconfiguration scanners, secrets managers and workload-isolation runtimes to Kubernetes policy engines, detection labs and a few reference items (a training course, a book, a product-category definition) that are not software at all; the per-entry notes say which is which. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.
Category Evaluation Checklist
- Coverage depth against your highest-priority threats and compliance obligations.
- Operational overhead for deployment, tuning, and long-term maintenance.
- Signal quality versus analyst workload and false-positive pressure.
- Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
- Governance readiness including auditability, ownership clarity, and change control.
Letter A
This letter section contains 7 tools.
Aaia
- Website: https://github.com/rams3sh/Aaia
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Aaia collects AWS IAM entities (users, groups, roles, policies) and the AWS Organizations account structure and loads them into a Neo4j graph, so that trust and permission relationships can be queried with Cypher instead of being read policy by policy. Source summaries describe it as: Helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j.
Operational value: A graph answers the questions a flat policy listing makes slow: which principals can reach an administrative role through chained sts:AssumeRole, which roles trust an external account, and what a compromised access key could have reached. That last question is exactly what an investigator needs during credential-theft triage.
Typical deployment pattern: Run the collector with a read-only IAM credential against each account, load into a Neo4j instance that is itself treated as sensitive (the graph is a map of the organization's privilege structure), refresh on a schedule, and re-run saved queries after IAM changes.
Selection considerations: A small community project, so check commit activity and whether it keeps pace with current IAM features and AWS SDK versions; Neo4j is an extra component to operate and secure. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.
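The role-chaining question above is the kind of thing Aaia answers with a Cypher query over its Neo4j graph. The following is an added example, not Aaia's code: it builds the same trust graph in memory from constructed IAM role trust policies (the account ids, role and user names are made up) and walks it backwards from a target role to list every principal that can reach it, with the path.

```python
"""Added example, not Aaia's code: a small in-memory version of the question
Aaia answers with a Neo4j graph and a Cypher query, namely which principals
can reach a given IAM role through one or more chained sts:AssumeRole hops.
The trust policies below are constructed for the example."""
from collections import deque

ACCOUNT = "111111111111"                       # constructed account id
ROLE = f"arn:aws:iam::{ACCOUNT}:role/"
USER = f"arn:aws:iam::{ACCOUNT}:user/"
EXTERNAL = "arn:aws:iam::222222222222:root"    # constructed foreign account


def _as_list(value):
    """IAM allows a string or a list in Action and Principal fields."""
    return value if isinstance(value, list) else [value]


def assume_role_principals(trust_policy):
    """Return the AWS principals a role trust policy lets call sts:AssumeRole.
    A wildcard principal is returned as '*' so callers can flag it; Deny
    statements and non-AssumeRole actions are ignored."""
    principals = set()
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            principals.add("*")
            continue
        principals.update(_as_list(principal.get("AWS", [])))
    return principals


def build_trust_graph(roles):
    """edges[principal] -> set of role ARNs that principal may assume directly."""
    edges = {}
    for role_arn, policy in roles.items():
        for principal in assume_role_principals(policy):
            edges.setdefault(principal, set()).add(role_arn)
    return edges


def who_can_reach(edges, target):
    """Breadth-first search backwards from the target role.  Returns every
    principal with a chained path to it, mapped to one shortest path
    (a list of ARNs ending in the target)."""
    reverse = {}
    for src, dsts in edges.items():
        for dst in dsts:
            reverse.setdefault(dst, set()).add(src)
    paths = {}
    queue = deque([(target, [target])])
    while queue:
        node, path = queue.popleft()
        for src in reverse.get(node, ()):
            if src == target or src in paths:
                continue
            paths[src] = [src] + path
            queue.append((src, paths[src]))
    return paths


def allow(*principals):
    """Minimal trust policy allowing the given principals to assume the role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole",
        "Principal": {"AWS": list(principals)}}]}


# Constructed sample roles: Admin is reachable from an external account
# through the CI -> Deploy -> Admin chain, which a policy-by-policy review
# would not show.
SAMPLE_ROLES = {
    ROLE + "Admin":    allow(ROLE + "Deploy"),
    ROLE + "Deploy":   allow(ROLE + "CI", USER + "alice"),
    ROLE + "CI":       allow(EXTERNAL),
    ROLE + "ReadOnly": allow(USER + "bob"),
}


def report(roles, target):
    """Human-readable lines, one per principal that can reach the target."""
    paths = who_can_reach(build_trust_graph(roles), target)
    return [" -> ".join(p.split("/")[-1] if "/" in p else p for p in path)
            for _, path in sorted(paths.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_ROLES, ROLE + "Admin"):
        print(line)
```

Two things the example deliberately surfaces: a `Principal: "*"` comes back as a literal `*` so it can be flagged rather than silently expanded, and the search is transitive, so the external account reaches Admin even though no single trust policy mentions it. In a real account the `ROLES` input would come from `iam:GetRole` over every role (or from Aaia's collector), and the same walk should also cover permission policies that grant `sts:AssumeRole` to a principal, which this example does not model.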
Afterglow Cloud
- Website: https://github.com/ayrus/afterglow-cloud
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Honeypots
What it does: Afterglow Cloud is a web front end built on AfterGlow, a link-graph visualization tool that turns two- or three-column CSV (for example source, destination and port extracted from honeypot or firewall logs) into a relationship graph. The "Cloud" in the name refers to it being hosted as a web application, not to cloud-platform security; the source list files it under data tools for honeypot output, and the source entry carried no description.
Operational value: Link graphs make clusters, fan-out and outliers in connection data visible at a glance, which helps when triaging honeypot captures or firewall logs by hand.
Typical deployment pattern: Parse the fields of interest out of the logs into CSV, upload to the web UI, and iterate on the node colouring and edge configuration until the pattern of interest stands out.
Selection considerations: The project has not seen active development for a long time; treat it as a reference implementation, check that it still builds, and do not expose the web UI to untrusted users. Related source context: Contents > Data Tools.
attack_range
- Website: https://github.com/splunk/attack_range
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Threat Detection
What it does: attack_range, maintained by Splunk's threat research team, builds disposable lab environments (locally, or in AWS or Azure) containing Windows and Linux targets instrumented with Splunk forwarders, runs attack simulations against them (Atomic Red Team among others), and ships the resulting telemetry into a Splunk instance. Source summaries describe it as: A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk.
Operational value: Detection engineers get a reproducible way to generate the telemetry of a known technique and confirm whether a detection fires, instead of waiting for a real incident or hand-crafting events.
Typical deployment pattern: Stand up a range for a specific detection-engineering exercise, run the simulations mapped to the detections under test, export the data, and tear the range down. The targets are deliberately vulnerable: keep the range network-isolated from production and never reachable from the internet.
Selection considerations: Strongly Splunk-centric (data lands in Splunk and the packaged detections are Splunk's security content), so other SIEM users need to re-forward the data; cloud ranges cost compute while they run. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Tools.
AWS Security Fundamentals
- Website: https://aws.amazon.com/fr/training/digital/aws-security-fundamentals/
- Model: Free training course (not open-source software)
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: This is not software: AWS Security Fundamentals is a free, self-paced AWS digital training course introducing AWS security concepts, including the shared responsibility model and the platform's native security services. The source list places it under reading material rather than tooling, and the entry carried no description.
Operational value: Onboarding material for analysts who will handle AWS alerts and need the vocabulary (accounts, IAM principals, audit logging, the managed security services) before they touch a console or a runbook.
Typical deployment pattern: Assign as prerequisite training for SOC and CSIRT staff before granting access to AWS telemetry or response procedures.
Selection considerations: Maintainer activity and release cadence do not apply; check instead that the course version matches current AWS service names, which change regularly. Related source context: To go further > Nice to read.
aws-vault
- Website: https://github.com/99designs/aws-vault
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Security
What it does: aws-vault keeps long-lived AWS access keys in the operating system's secure store (macOS Keychain, Windows Credential Manager, Linux secret-service or pass, or an encrypted file) instead of a plaintext ~/.aws/credentials, and uses them to mint short-lived STS session credentials that it injects only into the environment of a child process (`aws-vault exec profile -- command`). It handles MFA prompts and role assumption configured in ~/.aws/config. Source summaries describe it as: Store AWS credentials in the OSX Keychain or an encrypted file.
Operational value: The long-lived key never sits on disk in the clear and never lands in the shell environment; tooling only ever sees temporary credentials, which limits what a stolen laptop or a malicious dependency that reads environment variables can take.
Typical deployment pattern: Engineers add their profiles with `aws-vault add`, configure roles with MFA in ~/.aws/config, and run CLI and SDK tooling through `aws-vault exec`; session durations are kept short.
Selection considerations: Mature and widely used. It is a developer-workstation control, not a posture tool, and it does nothing for credentials in CI or on servers, where instance roles or OIDC federation should replace static keys. Related source context: Awesome Security > Datastores.
Azure AD Internals suite
- Website: https://aadinternals.com/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: AADInternals is a PowerShell toolkit for Azure AD / Entra ID and Microsoft 365 covering tenant reconnaissance (what an unauthenticated party can learn about a tenant), administration, forensics, and offensive techniques such as abusing federation or pass-through authentication to plant identity backdoors. The source entry's summary did not survive extraction; this description follows the tool's own documentation.
Operational value: A SOC or CSIRT gets the same capabilities an attacker would use, which makes it useful for validating that identity-plane backdoors (rogue federation trusts, added token-signing certificates) are detected, and for collecting tenant configuration as evidence during an investigation.
Typical deployment pattern: Run from an analyst workstation with dedicated, audited accounts; many functions change tenant configuration or export credential material, so restrict who may run it and log its use, as with any dual-use tool.
Selection considerations: Single-author project with frequent releases tied to Microsoft's changes; functions break when undocumented endpoints change, so pin versions and re-test before relying on a procedure. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.
Azure Security
- Website: https://www.manning.com/books/azure-security-2
- Model: Commercial book (not open-source software)
- Category: Cloud Security
- Source Lists: Awesome Security
What it does: Azure Security is a Manning book, not a tool: a practitioner's guide to the platform's native security services, from identity and network controls to Defender for Cloud and Microsoft Sentinel. Source summaries describe it as: A practical guide to the native security services of Microsoft Azure.
Operational value: Background reading for engineers deciding which native controls to enable before layering third-party tools on an Azure estate.
Typical deployment pattern: Reference material when designing an Azure landing zone or reviewing the controls of an existing subscription.
Selection considerations: Maintainer-activity criteria do not apply; check the edition date against the current names and capabilities of Microsoft's security services, which are renamed often. Related source context: Awesome Security > EBooks.
Letter B
This letter section contains 1 tool.
BlueTeam Lab
- Website: https://github.com/op7ic/BlueTeam.Lab
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Threat Detection, Awesome Forensics
What it does: BlueTeam.Lab is a set of Terraform and Ansible definitions that builds a small Windows Active Directory detection lab in Azure, with log collection and detection tooling already wired in, so that defenders can run attacks against it and study the resulting telemetry. Source summaries describe it as: Blue Team detection lab created with Terraform and Ansible in Azure.
Operational value: A repeatable lab lets analysts see what a technique looks like in the logs before they have to recognise it in production, and gives new detection rules somewhere to be tested against real events.
Typical deployment pattern: Deploy into a dedicated Azure subscription with no trust relationship to production, restrict inbound access to analyst IPs, run the scenarios, and destroy the lab afterwards to stop the spend.
Selection considerations: Community project; confirm that the Terraform provider versions and Windows images it references are still available, since lab repositories drift quickly. Related source context: Awesome Threat Detection and Hunting > Labs.
Letter C
This letter section contains 9 tools.
chamber
- Website: https://github.com/segmentio/chamber
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Security
What it does: chamber is a CLI for storing and retrieving secrets in AWS SSM Parameter Store as SecureString parameters encrypted with a KMS key (by default the alias parameter_store_key), namespaced by service. `chamber write service key value` stores a secret, `chamber read` and `chamber list` retrieve them, and `chamber exec service -- command` injects a service's secrets as environment variables into a child process. Source summaries describe it as: Store secrets using AWS KMS and SSM Parameter Store.
Operational value: Secrets live in an AWS-managed store governed by IAM and KMS key policy instead of in config files or CI variables, and every read is recorded in CloudTrail.
Typical deployment pattern: One KMS key per environment, IAM policies scoping ssm:GetParameters and kms:Decrypt to the parameter path prefix each service needs, and `chamber exec` in the container entrypoint or deployment pipeline.
Selection considerations: Mature project from Segment. Compare with AWS Secrets Manager if rotation or cross-account access matter, and remember that environment-variable injection exposes secrets to anything that can read the process environment. Related source context: Awesome Security > Datastores.
Checkov
- Website: https://www.checkov.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Checkov is a static analysis scanner for infrastructure as code: Terraform (HCL and plan JSON), CloudFormation, Kubernetes manifests, Helm charts, Dockerfiles, ARM and Bicep templates, and more. It ships hundreds of built-in policies, many mapped to CIS benchmarks, and accepts custom policies written in Python or YAML. Source summaries describe it as: Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.
Operational value: Misconfigurations (public buckets, world-open security groups, missing encryption, privileged containers) are caught before the resources exist, when the fix is a one-line change in a pull request rather than a change to a running environment.
Typical deployment pattern: Run `checkov -d .` in pre-commit and CI, start in report-only mode, then fail the build once existing findings are triaged; record accepted findings with inline `checkov:skip=` comments so the exception is visible in code review.
Selection considerations: Maintained by Bridgecrew, now part of Palo Alto Networks, with an Apache-2.0 CLI. Policy coverage is broad but opinionated, so expect tuning, and remember that IaC scanning only sees what is declared in code, not drift in the live account. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.
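Checkov can scan the JSON that `terraform show -json tfplan` emits (`checkov -f tfplan.json`), which sees resolved values rather than raw HCL. The following is an added example, not Checkov's code: two checks of the kind Checkov's policies express, written over that plan JSON so the logic is visible. The check ids prefixed `EX-` are invented for the example and the plan document is constructed, not from a real `terraform plan`.

```python
"""Added example, not Checkov's code: policy checks over the JSON that
`terraform show -json tfplan` emits (the same input Checkov accepts with
`checkov -f tfplan.json`).  Check ids prefixed EX- are made up for this
example; the plan below is constructed, not from a real run."""
import json

SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket", "name": "logs",
   "values": {"bucket": "example-logs"}},
  {"address": "aws_s3_bucket_public_access_block.logs",
   "type": "aws_s3_bucket_public_access_block", "name": "logs",
   "values": {"bucket": "example-logs", "block_public_acls": true,
              "block_public_policy": true, "ignore_public_acls": true,
              "restrict_public_buckets": true}},
  {"address": "aws_s3_bucket.site", "type": "aws_s3_bucket", "name": "site",
   "values": {"bucket": "example-site"}},
  {"address": "aws_security_group.bastion", "type": "aws_security_group",
   "name": "bastion", "values": {"ingress": [
     {"from_port": 22, "to_port": 22, "protocol": "tcp",
      "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 443, "to_port": 443, "protocol": "tcp",
      "cidr_blocks": ["10.0.0.0/8"]}]}}
]}}}
""")

PUBLIC_ACCESS_SETTINGS = ("block_public_acls", "block_public_policy",
                          "ignore_public_acls", "restrict_public_buckets")


def iter_resources(plan):
    """Flatten planned_values, descending into child_modules."""
    def walk(module):
        yield from module.get("resources", [])
        for child in module.get("child_modules", []):
            yield from walk(child)
    return list(walk(plan.get("planned_values", {}).get("root_module", {})))


def check_s3_public_access_block(resources):
    """Every aws_s3_bucket needs an aws_s3_bucket_public_access_block with
    all four settings true.  Attributes only known after apply (for example
    bucket = aws_s3_bucket.x.id) are absent from planned_values; the check
    then fails closed instead of assuming a match."""
    blocks = {}
    for r in resources:
        if r["type"] == "aws_s3_bucket_public_access_block":
            v = r["values"]
            if "bucket" in v:
                blocks[v["bucket"]] = all(v.get(k) is True for k in PUBLIC_ACCESS_SETTINGS)
    findings = []
    for r in resources:
        if r["type"] == "aws_s3_bucket":
            name = r["values"].get("bucket")
            if not blocks.get(name, False):
                findings.append(("EX-S3-PAB", r["address"],
                                 "no public access block with all four settings enabled"))
    return findings


def check_sg_world_open(resources, ports=(22, 3389)):
    """Flag security-group ingress from 0.0.0.0/0 or ::/0 that reaches an
    administrative port.  protocol -1 with ports 0/0 means all traffic."""
    findings = []
    for r in resources:
        if r["type"] != "aws_security_group":
            continue
        for rule in r["values"].get("ingress", []) or []:
            cidrs = set(rule.get("cidr_blocks") or []) | set(rule.get("ipv6_cidr_blocks") or [])
            if not cidrs & {"0.0.0.0/0", "::/0"}:
                continue
            lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
            if lo == 0 and hi == 0:
                lo, hi = 0, 65535
            hit = [p for p in ports if lo <= p <= hi]
            if hit:
                findings.append(("EX-SG-WORLD", r["address"],
                                 f"ingress from the internet reaches port(s) {hit}"))
    return findings


def scan_plan(plan):
    """Run all checks; returns (check_id, resource_address, message) tuples."""
    resources = iter_resources(plan)
    return check_s3_public_access_block(resources) + check_sg_world_open(resources)


if __name__ == "__main__":
    for check_id, address, message in scan_plan(SAMPLE_PLAN):
        print(f"FAILED {check_id} {address}: {message}")
```

The fail-closed handling of unknown values is the point worth copying: a plan-time check that treats "attribute not present" as "no problem" will pass exactly the buckets whose access block references a computed id. Checkov's own built-in checks are the right thing to use in CI; this block shows what one of them has to reason about.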
Cloud Access Security Broker
- Website: https://www.gartner.com/en/information-technology/glossary/cloud-access-security-brokers-casbs
- Model: Product category (not an open-source tool)
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: This entry points to Gartner's glossary definition of a cloud access security broker: a policy enforcement point, on-premises or cloud-hosted, placed between users and cloud services to apply visibility, data-security, compliance and threat-protection policies as cloud resources are accessed. The source list (Awesome SOC) counts a CASB as a critical SOC sensor when an organisation relies heavily on SaaS and IaaS; the original summary text was truncated.
Operational value: A CASB is one of the few sensors that sees SaaS usage at all (shadow IT, anomalous bulk downloads, sharing of sensitive data), which the SOC otherwise only learns about from each provider's own audit logs.
Typical deployment pattern: API integration with sanctioned SaaS providers for visibility, plus optional proxy or agent enforcement for inline control; route its alerts into the SIEM with the same triage ownership as endpoint and identity alerts.
Selection considerations: CASBs are commercial products, so the open-source criteria do not apply; evaluate vendors on API coverage for the SaaS you actually use, false-positive handling for DLP rules, and whether the log export fits your SIEM. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.
Cloud Active Defense
- Website: https://github.com/SAP/cloud-active-defense?tab=readme-ov-file
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Honeypots
What it does: SAP's cloud-active-defense deploys decoys into cloud applications: a proxy in front of the application injects fake elements (parameters, headers, cookies, paths) into its traffic and raises an alert when a client uses one, which legitimate users and clients never do. Source summaries describe it as: Cloud active defense lets you deploy decoys right into your cloud applications, putting adversaries into a dilemma: to hack or not to hack?
Operational value: Detection of someone probing the application (fuzzing parameters, tampering with cookies) with very few false positives, because the decoys are invisible to normal use and any touch is deliberate.
Typical deployment pattern: Deploy the proxy alongside the application (the project targets Kubernetes deployments), define decoys for the routes you want covered, and route alerts to the SOC as confirmed hostile activity; keep decoys plausible so a manual attacker does not recognise them.
Selection considerations: Young project; measure the proxy's latency and its compatibility with your ingress, and make sure the runbook treats a decoy hit as high-confidence rather than as another alert to deprioritise. Related source context: Contents > Honeypots.
confidant
- Website: https://github.com/lyft/confidant
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Security
What it does: confidant (from Lyft) is a secrets management service that stores secrets in DynamoDB, encrypted with per-secret data keys from AWS KMS (envelope encryption), and maps secrets to the services that may read them. Clients authenticate with KMS-generated tokens tied to their IAM role, so the service needs no user database of its own; it includes a web UI and a client for fetching secrets at deploy or start-up time. Source summaries describe it as: Stores secrets in AWS DynamoDB, encrypted at rest and integrates with IAM.
Operational value: Service identity comes from IAM and the audit trail from CloudTrail and DynamoDB, keeping the root of trust in AWS rather than in a separate secrets database with its own credentials to protect.
Typical deployment pattern: Run confidant as an internal service with a KMS key for authentication separate from the one used for data encryption, grant each service role only what it needs on the authentication key, and fetch secrets at container start rather than baking them into images.
Selection considerations: Check project activity; it predates AWS Secrets Manager and overlaps with it, so weigh the cost of running another service against the service-to-secret mapping and ACL features you actually need. Related source context: Awesome Security > Datastores.
Consul
- Website: https://consul.io/
- Model: Source-available (BUSL 1.1 since 2023; earlier releases under MPL 2.0)
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Consul is HashiCorp's service networking platform: service discovery, health checking, a key/value store, and a service mesh (Consul Connect) in which sidecar proxies establish mutual TLS between services automatically and authorise connections with identity-based "intentions" instead of IP-based rules. Source summaries describe it as: Solution to connect and configure applications across dynamic, distributed infrastructure and, with Consul Connect, enabling secure service-to-service communication with automatic TLS encryption and identity-based authorization.
Operational value: Mutual TLS with a per-service identity replaces trust in network location, so a compromised workload cannot talk to services it is not explicitly allowed to reach, and the intention graph is itself a reviewable access-control policy.
Typical deployment pattern: Run the mesh in permissive mode first to map real traffic, write intentions as deny-by-default allow lists, then enforce; protect the Consul servers, the gossip encryption key and the ACL bootstrap token like any other root of trust.
Selection considerations: HashiCorp moved Consul to the Business Source License in 2023, which is not an OSI-approved open-source license, so confirm your use is within its terms. The control plane is non-trivial to operate, and the mesh only covers services that run a proxy. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Service meshes.
Cortex
- Website: https://cortexmetrics.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Cortex (cortexmetrics.io, a CNCF project) is a horizontally scalable, multi-tenant long-term storage backend for Prometheus metrics. It is not itself a security tool and should not be confused with TheHive's Cortex observable-analysis engine; it appears here because durable, tenant-isolated metrics are part of a cloud-platform monitoring stack. Source summaries describe it as: Provides horizontally scalable, highly available, multi-tenant, long term storage for Prometheus.
Operational value: Long retention lets responders compare a workload's current behaviour (CPU, network, request rates) against weeks of baseline during an investigation, and multi-tenancy keeps one team's metrics from another's.
Typical deployment pattern: Prometheus instances remote-write into Cortex backed by object storage; put an authenticating reverse proxy in front, because Cortex trusts the X-Scope-OrgID tenant header it receives.
Selection considerations: Substantial operational footprint (many microservices); compare with Thanos and Grafana Mimir (a Cortex fork) before committing. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.
credstash
- Website: https://github.com/fugue/credstash
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Security
What it does: credstash is a small Python CLI and library that stores secrets in a DynamoDB table, each encrypted with a data key generated by AWS KMS (envelope encryption with AES and an HMAC over the ciphertext), with versioning so a secret can be rotated without losing the previous value. `credstash put name value` and `credstash get name` are essentially the whole interface; access is governed by IAM permissions on the table and kms:Decrypt on the key, optionally constrained with an encryption context. Source summaries describe it as: Store secrets using AWS KMS and DynamoDB.
Operational value: No server to run: the security boundary is the KMS key policy plus DynamoDB IAM, both auditable in CloudTrail.
Typical deployment pattern: One table and KMS key per environment, encryption-context conditions in the key policy to separate services sharing a table, and secrets fetched at start-up from an instance or task role.
Selection considerations: The project has seen little development in recent years, and AWS Secrets Manager and SSM Parameter Store now cover the same need natively; it remains a clear reference for how KMS envelope encryption is done correctly. Related source context: Awesome Security > Datastores.
CrowdStrike Reporting Tool for Azure
- Website: https://github.com/CrowdStrike/CRT
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: CRT (CrowdStrike Reporting Tool for Azure) is a PowerShell script that queries an Azure AD / Entra ID tenant and Exchange Online and reports the configuration and permissions that matter in a tenant-compromise investigation: federation settings, service principals and applications with high-privilege or mailbox-read permissions, partner and delegated-administration relationships, and mail forwarding rules. CrowdStrike published it after the 2020 SolarWinds-related intrusions, in which those settings were abused. The source entry carried no description.
Operational value: Gives a CSIRT a fast, scripted snapshot of the identity and mail configuration an attacker with tenant-level access would change, usable both for baselining and for post-incident review.
Typical deployment pattern: Run with a read-only account from an analyst workstation, retain the output as evidence, and diff it against a known-good export taken before the incident.
Selection considerations: A point-in-time script rather than a monitored control; Microsoft's APIs and PowerShell modules change, so verify it still runs against the current Graph and Exchange Online modules before relying on it in an incident. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.
Letter G
This letter section contains 3 tools.
GCP Security Analytics
- Website: https://github.com/GoogleCloudPlatform/security-analytics
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Threat Detection
What it does: Community Security Analytics (CSA) is a Google Cloud repository of ready-made detection and audit queries over Google Cloud logs (Cloud Audit Logs, VPC Flow Logs and others) for BigQuery, Cloud Logging's Log Analytics and Chronicle, grouped by use case (login and access patterns, IAM and key changes, provisioning activity, workload usage) and mapped to MITRE ATT&CK. Source summaries describe it as: Community Security Analytics provides a set of community-driven audit & threat queries for Google Cloud.
Operational value: The queries encode what Google considers worth looking at in its own audit logs, which is faster than reverse-engineering the log schema from scratch and gives hunters a shared starting vocabulary.
Typical deployment pattern: Route audit logs to a BigQuery dataset or a Log Analytics-enabled bucket through a log sink, schedule the relevant queries, and promote the high-confidence ones to alerts in your SIEM.
Selection considerations: Google-maintained, but the queries are samples rather than a tuned rule set; expect to adapt thresholds and the lists of trusted domains and service accounts to your environment. Related source context: Awesome Threat Detection and Hunting > Detection Rules.
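Three of the detections CSA expresses as BigQuery SQL, written here as an added example (not part of the CSA repository) in Python over raw Cloud Audit Log JSON lines so they run offline: a privileged IAM grant to a member outside trusted domains or to the public, user-managed service-account key creation, and deletion of a log sink. Field paths follow the AuditLog JSON for Resource Manager SetIamPolicy, IAM key creation and Logging sink deletion; other services may record the policy delta differently, so treat the paths and the trusted-domain list as assumptions to verify against your own logs. The log lines are constructed.

```python
"""Added example, not part of Community Security Analytics: three of the
detections CSA expresses as BigQuery SQL, written as Python over raw Cloud
Audit Log JSON lines so they run offline.  Field paths follow the AuditLog
JSON for Resource Manager SetIamPolicy, IAM key creation and Logging sink
deletion; verify them against your own logs.  Log lines are constructed."""
import json

TRUSTED_DOMAINS = {"example.com", "demo-proj.iam.gserviceaccount.com"}  # assumption
PRIVILEGED_ROLES = {
    "roles/owner", "roles/editor", "roles/iam.securityAdmin",
    "roles/iam.serviceAccountTokenCreator",
    "roles/resourcemanager.organizationAdmin",
}

# Constructed sample: one JSON log entry per line, as exported by a log sink.
SAMPLE_LOG = "\n".join([
    '{"protoPayload": {"methodName": "SetIamPolicy", "serviceName": "cloudresourcemanager.googleapis.com", "resourceName": "projects/demo-proj", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/owner", "member": "user:mallory@gmail.com"}]}}}}',
    '{"protoPayload": {"methodName": "SetIamPolicy", "serviceName": "cloudresourcemanager.googleapis.com", "resourceName": "projects/demo-proj", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/viewer", "member": "user:bob@example.com"}]}}}}',
    '{"protoPayload": {"methodName": "google.iam.admin.v1.CreateServiceAccountKey", "serviceName": "iam.googleapis.com", "resourceName": "projects/-/serviceAccounts/ci@demo-proj.iam.gserviceaccount.com", "authenticationInfo": {"principalEmail": "alice@example.com"}}}',
    '{"protoPayload": {"methodName": "v1.compute.instances.insert", "serviceName": "compute.googleapis.com", "resourceName": "projects/demo-proj/zones/us-central1-a/instances/web-1", "authenticationInfo": {"principalEmail": "deploy@demo-proj.iam.gserviceaccount.com"}}}',
    '{"protoPayload": {"methodName": "google.logging.v2.ConfigServiceV2.DeleteSink", "serviceName": "logging.googleapis.com", "resourceName": "projects/demo-proj/sinks/siem-export", "authenticationInfo": {"principalEmail": "mallory@gmail.com"}}}',
    '{"protoPayload": {"methodName": "SetIamPolicy", "serviceName": "storage.googleapis.com", "resourceName": "projects/_/buckets/demo-backups", "authenticationInfo": {"principalEmail": "alice@example.com"}, "serviceData": {"policyDelta": {"bindingDeltas": [{"action": "ADD", "role": "roles/storage.objectViewer", "member": "allUsers"}]}}}}',
])


def member_domain(member):
    """'user:alice@example.com' -> 'example.com'; public principals -> '*public*'."""
    if member in ("allUsers", "allAuthenticatedUsers"):
        return "*public*"
    identity = member.partition(":")[2] or member
    return identity.rsplit("@", 1)[-1].lower() if "@" in identity else identity.lower()


def detect(entry, trusted_domains):
    """Apply the three rules to one parsed log entry; returns a list of findings."""
    pp = entry.get("protoPayload", {})
    method = pp.get("methodName", "")
    principal = pp.get("authenticationInfo", {}).get("principalEmail", "?")
    resource = pp.get("resourceName", "")
    findings = []
    if method == "SetIamPolicy":
        deltas = pp.get("serviceData", {}).get("policyDelta", {}).get("bindingDeltas", [])
        for delta in deltas:
            if delta.get("action") != "ADD":      # removals are not grants
                continue
            role, member = delta.get("role", ""), delta.get("member", "")
            domain = member_domain(member)
            if domain == "*public*":
                rule = "iam_public_grant"
            elif role in PRIVILEGED_ROLES and domain not in trusted_domains:
                rule = "iam_external_privileged_grant"
            else:
                continue
            findings.append({"rule": rule, "principal": principal,
                             "detail": f"{member} granted {role} on {resource}"})
    elif method == "google.iam.admin.v1.CreateServiceAccountKey":
        findings.append({"rule": "sa_key_created", "principal": principal,
                         "detail": f"user-managed key created for {resource}"})
    elif method == "google.logging.v2.ConfigServiceV2.DeleteSink":
        findings.append({"rule": "log_sink_deleted", "principal": principal,
                         "detail": f"log sink {resource} deleted"})
    return findings


def scan_log(text, trusted_domains=TRUSTED_DOMAINS):
    """Run detect() over newline-delimited JSON; skips blank lines."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(detect(json.loads(line), trusted_domains))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['rule']:32} by {f['principal']:40} {f['detail']}")
```

The viewer grant to an internal user and the instance creation produce nothing, which is the tuning CSA leaves to you: the role list and the trusted domains decide the signal-to-noise ratio, and a grant to `allUsers` is flagged regardless of role because it is public by definition.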
Gluu Server
- Website: https://gluu.org/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Gluu Server is an identity and access management platform providing OAuth 2.0, OpenID Connect, SAML and SCIM, with LDAP and social-login integration, for central authentication and authorisation of web and mobile applications. Its community edition is now developed as the Janssen Project under the Linux Foundation, with Gluu Flex as the commercial distribution. Source summaries describe it as: Central authentication and authorization for Web and mobile applications with a Free and Open Source Software cloud-native community distribution.
Operational value: One authority for who may log in to what, with MFA and session policy enforced in one place and a single audit trail of authentications to feed the SOC.
Typical deployment pattern: Deploy in high availability behind hardened ingress, integrate applications as OIDC relying parties or SAML service providers, and treat the identity provider as tier-0 infrastructure with its own monitoring and change control.
Selection considerations: Compare with Keycloak and commercial IdPs on protocol support, upgrade path and operational complexity, and be clear which distribution (Janssen or Gluu Flex) the community activity you are evaluating belongs to. Related source context: Awesome Cybersecurity Blue Team > Identity and AuthN/AuthZ.
gVisor
- Website: https://github.com/google/gvisor
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: gVisor is an application kernel written in Go that sits between a container and the host: its Sentry component implements a large part of the Linux system-call interface in user space, so the workload's syscalls are served by gVisor rather than the host kernel, which shrinks the host's exposed attack surface. It ships as the runsc OCI runtime and underlies GKE Sandbox. Source summaries describe it as: Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.
Operational value: A container escape that depends on a host-kernel bug first has to get through gVisor, which makes it a second layer of defence for multi-tenant clusters and untrusted code such as CI runners or user-supplied functions.
Typical deployment pattern: Install runsc on the nodes, expose it through a Kubernetes RuntimeClass, and schedule only the untrusted workloads onto it; keep the default runtime for workloads that need full compatibility or peak performance.
Selection considerations: Google-maintained and actively developed. The cost is syscall compatibility gaps and overhead on syscall-heavy workloads, so test each workload class before committing. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.
Letter I
This letter section contains 2 tools.
Infection Monkey
- Website: https://github.com/guardicore/monkey
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Security, Awesome Threat Detection
What it does: Infection Monkey is a breach and attack simulation tool: an agent (the "Monkey") released into a network tries to propagate using exploits and credential reuse, mapping the lateral-movement paths available after an initial compromise, while the "Monkey Island" server collects the results and reports them, including zero-trust and MITRE ATT&CK assessments. It runs in on-premises, private and public cloud networks. Source summaries describe it as: An open source Breach and Attack Simulation (BAS) tool that assesses the resiliency of private and public cloud environments to post-breach attacks and lateral movement.
Operational value: Shows, with evidence, which segmentation and credential-hygiene controls actually hold against lateral movement, and produces real attacker telemetry for detection testing.
Typical deployment pattern: Agree scope and a kill switch with system owners, run from a monitored host in a defined network segment, and review findings with the network and identity teams; never run it unannounced.
Selection considerations: Originally from Guardicore, now Akamai; confirm whether the project is still actively maintained before building a programme around it. Related source context: Awesome Threat Detection and Hunting > Threat Simulation Tools.
Istio
- Website: https://istio.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Istio is a service mesh for Kubernetes: Envoy proxies (sidecars, or node-level in ambient mode) carry all service-to-service traffic, providing uniform mutual TLS with SPIFFE-style workload identities, traffic management, authorization policies and telemetry without changes to application code. Source summaries describe it as: Open platform for providing a uniform way to integrate microservices, manage traffic flow across microservices, enforce policies and aggregate telemetry data.
Operational value: Workload identity and mutual TLS move authentication from network position to cryptographic identity, and AuthorizationPolicy resources give a reviewable, deny-by-default access matrix between services; the uniform telemetry also helps detection.
Typical deployment pattern: Enable the mesh namespace by namespace, start with permissive mTLS to find callers outside the mesh, move to STRICT PeerAuthentication, then add AuthorizationPolicy allow lists; protect the control plane and the mesh CA like any other root of trust.
Selection considerations: CNCF-graduated and actively developed; operational complexity and resource overhead are the main costs, and the mesh only secures traffic that passes through its proxies. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Service meshes.
Letter J
This letter section contains 1 tool.
Jaeger
- Website: https://www.jaegertracing.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Jaeger is a CNCF distributed-tracing backend, compatible with OpenTelemetry, that stores and visualises request traces across microservices for monitoring and troubleshooting. It is observability infrastructure rather than a security control. Source summaries describe it as: Distributed tracing platform backend used for monitoring and troubleshooting microservices-based distributed systems.
Operational value: Traces show which services a request actually traversed, which is useful when reconstructing the path of a malicious request during an incident, provided the trace data was retained long enough.
Typical deployment pattern: Instrument services with OpenTelemetry and ship spans to Jaeger collectors, then review what ends up in span attributes: traces routinely capture URLs, headers and identifiers, so apply redaction and access control to the tracing backend as you would to logs.
Selection considerations: Widely deployed and maintained; the storage backend choice (Elasticsearch, Cassandra and others) drives the operational cost and the retention you can afford. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.
Letter K
This letter section contains 6 tools.
k-rail
- Website: https://github.com/cruise-automation/k-rail
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: k-rail is a Kubernetes admission webhook from Cruise that enforces workload policies (no privileged containers, no host networking or host PID, no host-path mounts, required security contexts and similar) with per-namespace exemptions and a report-only mode for rolling out new policies. Source summaries describe it as: Workload policy enforcement tool for Kubernetes.
Operational value: Blocks the most common container-escape enablers at admission time, so neither a compromised CI pipeline nor a careless manifest can create a privileged pod.
Typical deployment pattern: Deploy in report-only mode, review the violations, add exemptions for the few workloads that legitimately need host access, then switch to enforce; the webhook's failure policy decides whether the cluster fails open or closed when the webhook is unavailable.
Selection considerations: Development has been dormant; verify the repository's status and compare with Kubernetes Pod Security Admission, Kyverno and OPA Gatekeeper, which cover the same ground and are actively maintained. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
Kata Containers
- Website: https://katacontainers.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Kata Containers is an OCI-compatible container runtime that runs each pod inside its own lightweight virtual machine, using hardware virtualisation (QEMU, Cloud Hypervisor or Firecracker as the VMM) so that the workload has its own guest kernel and never shares the host kernel. Source summaries describe it as: Secure container runtime with lightweight virtual machines that feel and perform like containers, but provide stronger workload isolation using hardware virtualization technology as a second layer of defense.
Operational value: A kernel exploit inside the container compromises a throwaway guest kernel rather than the node, which makes it suitable for multi-tenant clusters and untrusted code.
Typical deployment pattern: Install the Kata runtime on nodes with bare-metal or nested virtualisation, expose it through a Kubernetes RuntimeClass, and schedule untrusted workloads to it; keep guest kernel images and the VMM patched, since the VMM is now the isolation boundary.
Selection considerations: OpenInfra Foundation project with broad industry backing; check VMM and hardware requirements in your cloud, and expect higher per-pod memory overhead and slower start-up than a shared-kernel runtime. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.
kube-hunter
- Website: https://kube-hunter.aquasec.com/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing
What it does: kube-hunter is Aqua Security's Kubernetes penetration-testing tool: it runs a set of "hunters" against a cluster from outside (`--remote` or `--cidr`, the attacker's view) or from inside a pod (`--pod`), reporting exposed API servers, kubelets, dashboards and similar weaknesses. It is passive by default; `--active` attempts to exploit what it finds. Source summaries describe it as: Open-source tool that runs a set of tests ("hunters") for security issues in Kubernetes clusters from either outside ("attacker's view") or inside a cluster.
Operational value: A quick external and in-cluster view of what an attacker could reach, useful for validating network exposure after cluster or firewall changes.
Typical deployment pattern: Run remote scans from outside the cluster's network on a schedule, and in-pod scans from a low-privilege namespace to model a compromised workload; use `--active` only with change approval, because it can modify the cluster.
Selection considerations: Aqua has since moved its Kubernetes scanning into Trivy and the kube-hunter repository is no longer actively developed; check its status and the Kubernetes versions it was last tested against. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
kubernetes-event-exporter
- Website: https://github.com/opsgenie/kubernetes-event-exporter
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: kubernetes-event-exporter watches the Kubernetes Events API and forwards events to configurable sinks (Elasticsearch, Kafka, Slack, webhooks and others) with routing rules, so that events, which the API server discards after a short retention window (one hour by default), reach a durable store. Source summaries describe it as: Allows exporting the often missed Kubernetes events to various outputs so that they can be used for observability or alerting purposes.
Operational value: Events record scheduling failures, image-pull errors, failed mounts and similar signals that explain what happened to a workload during an incident; without export they are gone by the time anyone looks.
Typical deployment pattern: Run one deployment per cluster with RBAC limited to list and watch on events, route everything to the log platform and a filtered subset (for example Warning events in sensitive namespaces) to alerting.
Selection considerations: The original opsgenie repository is no longer maintained; the community fork at resmoio/kubernetes-event-exporter continues development, so evaluate that one. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
KubeSec
- Website: https://kubesec.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: KubeSec is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Static analyzer of Kubernetes manifests that can be run locally, as a Kubernetes admission controller, or as its own cloud service.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
Kyverno
- Website: https://kyverno.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Kyverno is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Policy engine designed for Kubernetes.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
Letter L
This letter section contains 1 tool.
Linkerd
- Website: https://linkerd.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Linkerd is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Ultra light Kubernetes-specific service mesh that adds observability, reliability, and security to Kubernetes applications without requiring any modification of the application itself.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
Letter M
This letter section contains 3 tools.
M365/Azure compromise assessment SOP
- Website: https://github.com/cyb3rxp/awesome-soc/blob/main/sop_M365_compromise_assessment.md
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: M365/Azure compromise assessment SOP is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).
Managed Kubernetes Inspection Tool (MKIT)
- Website: https://github.com/darkbitio/mkit
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Managed Kubernetes Inspection Tool (MKIT) is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Query and validate several common security-related configuration settings of managed Kubernetes cluster objects and the workloads/resources running inside the cluster.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
Microsoft Azure Sentinel
- Website: https://azure.microsoft.com/en-us/products/microsoft-sentinel/#overview
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: Microsoft Azure Sentinel is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries provide no description for this entry.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.
Letter O
This letter section contains 2 tools.
Open Policy Agent (OPA)
- Website: https://www.openpolicyagent.org/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Open Policy Agent (OPA) is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Unified toolset and framework for policy across the cloud native stack.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Policy enforcement.
OpenTelemetry
- Website: https://opentelemetry.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: OpenTelemetry is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Observability framework for cloud-native software, comprising a collection of tools, APIs, and SDKs for exporting application performance metrics to a tracing backend (formerly maintained by the OpenTracing and OpenCensus projects).
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.
Letter P
This letter section contains 4 tools.
Polaris
- Website: https://polaris.docs.fairwinds.com/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Polaris is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Validates Kubernetes best practices by running tests against code commits, a Kubernetes admission request, or live resources already running in a cluster.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
Principal Mapper (PMapper)
- Website: https://github.com/nccgroup/PMapper
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Principal Mapper (PMapper) is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Quickly evaluate IAM permissions in AWS via script and library capable of identifying risks in the configuration of AWS Identity and Access Management (IAM) for an AWS account or an AWS organization.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.
Prometheus
- Website: https://prometheus.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Prometheus is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Open-source systems monitoring and alerting toolkit originally built at SoundCloud.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.
Prowler
- Website: https://github.com/toniblyx/prowler
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Prowler is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Tool based on AWS-CLI commands for Amazon Web Services account security assessment and hardening.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.
Letter R
This letter section contains 1 tool.
Regula
- Website: https://regula.dev/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Regula is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Checks infrastructure as code templates (Terraform, CloudFormation, K8s manifests) for AWS, Azure, Google Cloud, and Kubernetes security and compliance using Open Policy Agent/Rego.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Policy enforcement.
Letter S
This letter section contains 5 tools.
Scout Suite
- Website: https://github.com/nccgroup/ScoutSuite
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team, Awesome SOC
What it does: Scout Suite is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.
Sealed Secrets
- Website: https://github.com/bitnami-labs/sealed-secrets
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Sealed Secrets is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Kubernetes controller and tool for one-way encrypted Secrets.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Kubernetes.
Selefra
- Website: https://github.com/selefra/selefra
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Security
What it does: Selefra is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Open-source policy-as-code software that provides analytics for multi-cloud and SaaS environments.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > DevOps.
Sentinel Attack
- Website: https://github.com/BlueTeamLabs/sentinel-attack
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Threat Detection
What it does: Sentinel Attack is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: A repository of Azure Sentinel alerts and hunting queries leveraging sysmon and the MITRE ATT&CK framework.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.
Sops
- Website: https://github.com/mozilla/sops
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Security, Awesome Cybersecurity Blue Team
What it does: Sops is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Editor of encrypted files that supports YAML, JSON, ENV, INI and binary formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, and PGP.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.
Letter T
This letter section contains 3 tools.
terrascan
- Website: https://runterrascan.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: terrascan is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Static code analyzer for Infrastructure as Code tools that helps detect compliance and security violations to mitigate risk before provisioning cloud native resources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.
Thor Cloud lite
- Website: https://www.nextron-systems.com/2023/10/30/introducing-thor-cloud-lite-seamless-on-demand-security-scanning-made-easy/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: Thor Cloud lite is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries provide no description for this entry.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.
Threat Matrix for Azure Storage services
- Website: https://microsoft.github.io/Threat-matrix-for-storage-services/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome SOC
What it does: Threat Matrix for Azure Storage services is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).
Letter V
This letter section contains 1 tool.
Varna
- Website: https://github.com/endgameinc/varna
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Threat Detection
What it does: Varna is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Quick and cheap AWS CloudTrail monitoring using Event Query Language (EQL).
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.
Letter Z
This letter section contains 1 tool.
Zipkin
- Website: https://zipkin.io/
- Model: Open Source
- Category: Cloud Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Zipkin is used in cloud security programs to support multi-cloud posture monitoring, workload protection, and misconfiguration control. Source summaries describe it as: Distributed tracing system backend that helps gather timing data needed to troubleshoot latency problems in service architectures.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security > Distributed monitoring.