Open-Source Cybersecurity Tools: Email Security
← Back to Open-Source Cybersecurity Tools Hub | Full Open Source Catalog | Main Atlas
This category contains 10 documented tools. It focuses on capabilities used for phishing prevention, impersonation defense, and mailbox incident response. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.
Category Evaluation Checklist
- Coverage depth against your highest-priority threats and compliance obligations.
- Operational overhead for deployment, tuning, and long-term maintenance.
- Signal quality versus analyst workload and false-positive pressure.
- Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
- Governance readiness including auditability, ownership clarity, and change control.
Jump by Name
Letter A
This letter section contains 1 tools.
Active Directory Control Paths
- Website: https://github.com/ANSSI-FR/AD-control-paths
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Active Directory Control Paths is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Visualize and graph Active Directory permission configs ("control relations") to audit questions such as "Who can read the CEO's email?" and similar.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Windows-based defenses > Active Directory.
Letter G
This letter section contains 1 tools.
Gophish
- Website: https://getgophish.com/
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Security, Awesome Cybersecurity Blue Team, Awesome Penetration Testing
What it does: Gophish is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Social Engineering > Social Engineering Tools.
Letter K
This letter section contains 1 tools.
King Phisher
- Website: https://github.com/securestate/king-phisher
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing
What it does: King Phisher is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Phishing campaign toolkit used for creating and managing multiple simultaneous phishing attacks with custom email and server content.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Social Engineering > Social Engineering Tools.
Letter M
This letter section contains 1 tools.
mailspoof
- Website: https://github.com/serain/mailspoof
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: mailspoof is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Scans SPF and DMARC records for issues that could allow email spoofing.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Phishing awareness and reporting.
Letter N
This letter section contains 1 tools.
NotifySecurity
- Website: https://github.com/certsocietegenerale/NotifySecurity
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: NotifySecurity is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Outlook add-in used to help your users to report suspicious e-mails to security teams.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Phishing awareness and reporting.
Letter O
This letter section contains 1 tools.
OpenNMS
- Website: https://opennms.org/
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: OpenNMS is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Free and feature-rich networking monitoring system supporting multiple configurations, a variety of alerting mechanisms (email, XMPP, SMS), and numerous data collection methods (SNMP, HTTP, JDBC, etc).
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Service and performance monitoring.
Letter P
This letter section contains 1 tools.
Phishing Intelligence Engine (PIE)
- Website: https://github.com/LogRhythm-Labs/PIE
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Phishing Intelligence Engine (PIE) is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Framework that will assist with the detection and response to phishing attacks.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Phishing awareness and reporting.
Letter S
This letter section contains 3 tools.
Secure Email Gateway
- Website: https://www.proofpoint.com/fr/threat-reference/email-gateway
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome SOC
What it does: Secure Email Gateway is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: ** (SEG):.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.
Sublime Detection Rules
- Website: https://github.com/sublime-security/sublime-rules
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Threat Detection
What it does: Sublime Detection Rules is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Email attack detection, response, and hunting rules.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Detection Rules.
Swordphish
- Website: https://github.com/certsocietegenerale/swordphish-awareness
- Model: Open Source
- Category: Email Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Swordphish is used in email security programs to support phishing prevention, impersonation defense, and mailbox incident response. Source summaries describe it as: Platform allowing to create and manage (fake) phishing campaigns intended to train people in identifying suspicious mails.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Phishing awareness and reporting.