Open-Source Cybersecurity Tools: Endpoint Security
This category contains 56 documented tools. It focuses on capabilities used for process telemetry analysis, malware containment, and endpoint hardening. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.
Category Evaluation Checklist
- Coverage depth against your highest-priority threats and compliance obligations.
- Operational overhead for deployment, tuning, and long-term maintenance.
- Signal quality versus analyst workload and false-positive pressure.
- Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
- Governance readiness including auditability, ownership clarity, and change control.
Letter A
This letter section contains 8 tools.
Amber
- Website: https://github.com/EgeBalci/amber
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: Amber is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Reflective PE packer for converting native PE files to position-independent shellcode.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anti-virus Evasion Tools.
AMExtractor
- Website: https://github.com/ir193/AMExtractor
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: AMExtractor is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: AMExtractor can dump out the physical content of your Android device even without kernel source code.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Android Storage Extractor
- Website: https://github.com/51j0/Android-Storage-Extractor
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: Android Storage Extractor is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A tool to extract local data storage of an Android application in one click.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
android-security-awesome
- Website: https://github.com/ashishb/android-security-awesome
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Penetration Testing, Awesome Forensics
What it does: android-security-awesome is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A collection of Android security-related resources. A lot of work is happening in academia and industry on tools to perform dynamic analysis, static analysis and reverse engineering of Android apps.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Online Resources > Other Lists Online.
AntiVirus Evasion Tool (AVET)
- Website: https://github.com/govolution/avet
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: AntiVirus Evasion Tool (AVET) is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Post-process exploits containing executable files targeted for Windows machines to avoid being recognized by antivirus software.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anti-virus Evasion Tools.
Apktool
- Website: https://github.com/iBotPeaches/Apktool
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Cyber Security Tools
What it does: Apktool is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A tool for reverse engineering Android apk files.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
auditd configuration
- Website: https://github.com/Neo23x0/auditd
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: auditd configuration is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring > Configuration.
AV / EP / EPP / EDR / XDR
- Website: https://usa.kaspersky.com/blog/introducing-kedr-optimum/27062/?reseller=usa_regular-sm_acq_ona_smm__onl_b2c_lii_post_sm-team_&utmsource=linkedin&utm_medium=social&utm_campaign=us_regular-sm_en0177&utm_content=sm-post&utm_term=us_linkedin_organic_pmgk1776sk4g1qp
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome SOC
What it does: AV / EP / EPP / EDR / XDR is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.
Letter C
This letter section contains 2 tools.
CIMSweep
- Website: https://github.com/mattifestation/CimSweep
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome SOC
What it does: CIMSweep is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: [source summary partially missing] "… but it relies on CrowdStrike EDR, but it needs an agent to be installed."
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.
ClamAv
- Website: http://www.clamav.net/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Malware Analysis
What it does: ClamAv is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: ClamAV® is an open-source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Anti-Virus / Anti-Malware.
Letter D
This letter section contains 2 tools.
DocBleach
- Website: https://github.com/docbleach/DocBleach
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: DocBleach is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: An open-source Content Disarm & Reconstruct software sanitizing Office, PDF and RTF Documents.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Content Disarm & Reconstruct.
dotPeek
- Website: https://www.jetbrains.com/decompiler/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Cyber Security Tools, Awesome Hacking
What it does: dotPeek is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Free-of-charge standalone tool based on ReSharper's bundled decompiler.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.
Letter E
This letter section contains 2 tools.
Endpoint Detection and Response
- Website: https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome SOC
What it does: Endpoint Detection and Response is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.
enjarify
- Website: https://github.com/Storyyeller/enjarify
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: enjarify is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A tool for translating Dalvik bytecode to equivalent Java bytecode.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Letter F
This letter section contains 3 tools.
Fastfinder
- Website: https://github.com/codeyourweb/fastfinder
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Forensics
What it does: Fastfinder is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Fast customisable cross-platform suspicious file finder. Supports md5/sha1/sha256 hashes, literal/wildcard strings, regular expressions and YARA rules. Can easily be packed to be deployed on any Windows / Linux host.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Anti-Virus / Anti-Malware.
Fleet device management
- Website: https://github.com/fleetdm/fleet
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: Fleet device management is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Fleet is the lightweight, programmable telemetry platform for servers and workstations. Get comprehensive, customizable data from all your devices and operating systems.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Configuration Management.
frida
- Website: https://github.com/frida/frida
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: frida is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Letter G
This letter section contains 3 tools.
go-audit
- Website: https://github.com/slackhq/go-audit
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: go-audit is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: An alternative to the Linux auditd daemon.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring.
google-authenticator
- Website: https://github.com/google/google-authenticator
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: google-authenticator is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module (PAM). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication (OATH) (which is unrelated to OAuth). These implementations support the HMAC-Based One-time Password (HOTP) algorithm specified in RFC 4226 and the Time-based One-time Password (TOTP) algorithm specified in RFC 6238.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Authentication.
GraphQL Voyager
- Website: https://graphql-kit.com/graphql-voyager/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: GraphQL Voyager is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Represent any GraphQL API as an interactive graph, letting you explore data models from any website with a GraphQL query endpoint.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT) > Web application and resource analysis tools.
Letter H
This letter section contains 2 tools.
hardened_malloc
- Website: https://github.com/GrapheneOS/hardened_malloc
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: hardened_malloc is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Hardened allocator designed for modern systems. It has integration into Android's Bionic libc and can be used externally with musl and glibc as a dynamic library for use on other Linux-based platforms. It will gain more portability / integration over time.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Hyperion
- Website: http://nullsecurity.net/tools/binary.html
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: Hyperion is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Runtime encryptor for 32-bit portable executables ("PE .exes").
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anti-virus Evasion Tools.
Letter J
This letter section contains 1 tool.
jadx
- Website: https://github.com/skylot/jadx
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Cyber Security Tools, Awesome Hacking, Awesome CTF
What it does: jadx is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Command line and GUI tools to produce Java source code from Android Dex and Apk files.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Letter K
This letter section contains 1 tool.
Kolide Fleet
- Website: https://github.com/kolide/fleet
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: Kolide Fleet is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A flexible control server for osquery fleets.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring.
Letter L
This letter section contains 2 tools.
LiME
- Website: https://github.com/504ensicsLabs/LiME.git
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Incident Response, Awesome Forensics
What it does: LiME is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.
Linux Malware Detect
- Website: https://www.rfxn.com/projects/linux-malware-detect/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: Linux Malware Detect is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A malware scanner for Linux designed around the threats faced in shared hosted environments.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Anti-Virus / Anti-Malware.
Letter M
This letter section contains 4 tools.
macOS Fortress
- Website: https://github.com/essandess/macOS-Fortress
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: macOS Fortress is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Automated configuration of kernel-level, OS-level, and client-level security features including privatizing proxying and anti-virus scanning for macOS.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > macOS-based defenses.
Maigret
- Website: https://github.com/soxoj/maigret
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome OSINT
What it does: Maigret is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Maigret collects a dossier on a person by username only, checking for accounts on a huge number of sites and gathering all the available information from web pages.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Forensics.
mig
- Website: http://mig.mozilla.org/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: mig is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Forensics.
Mobile Security Wiki
- Website: https://mobilesecuritywiki.com/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: Mobile Security Wiki is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A collection of mobile security resources.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Letter O
This letter section contains 3 tools.
osquery-configuration
- Website: https://github.com/palantir/osquery-configuration
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: osquery-configuration is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A repository for using osquery for incident detection and response.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring > Configuration.
OSSEC
- Website: https://github.com/ossec/ossec-hids
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: OSSEC is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: An open-source Host-based Intrusion Detection System (HIDS).
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring.
OWASP Mobile Security Testing Guide
- Website: https://github.com/OWASP/owasp-mstg
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: OWASP Mobile Security Testing Guide is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A comprehensive manual for mobile app security testing and reverse engineering.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Letter P
This letter section contains 2 tools.
peCloakCapstone
- Website: https://github.com/v-p-b/peCloakCapstone
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: peCloakCapstone is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Multi-platform fork of the peCloak.py automated malware antivirus evasion tool.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anti-virus Evasion Tools.
POFR
- Website: https://github.com/gmagklaras/pofr
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Forensics
What it does: POFR is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: The Penguin OS Flight Recorder collects, stores and organizes for further analysis process execution, file access and network/socket endpoint data from the Linux Operating System.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Live Forensics.
Letter Q
This letter section contains 1 tool.
Quark-Engine
- Website: https://github.com/quark-engine/quark-engine
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Malware Analysis
What it does: Quark-Engine is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: An Obfuscation-Neglect Android Malware Scoring System.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Detection and Classification.
Letter R
This letter section contains 3 tools.
reFlutter
- Website: https://github.com/ptswarm/reFlutter
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: reFlutter is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Flutter Reverse Engineering Framework.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Rekall
- Website: https://github.com/google/rekall
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Forensics
What it does: Rekall is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts from computer systems.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Memory Forensics.
rkhunter
- Website: http://rkhunter.sourceforge.net/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Cybersecurity Blue Team
What it does: rkhunter is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: POSIX-compliant Bash script that scans a host for various signs of malware.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Anti-Virus / Anti-Malware.
Letter S
This letter section contains 7 tools.
Sekoia XDR
- Website: https://www.sekoia.io/en/product/xdr/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome SOC
What it does: Sekoia XDR is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.
Shellter
- Website: https://www.shellterproject.com/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: Shellter is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anti-virus Evasion Tools.
Splunking the Endpoint: Threat Hunting with Sysmon
- Website: https://medium.com/@haggis_m/splunking-the-endpoint-threat-hunting-with-sysmon-9dd956e3e1bd
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: Splunking the Endpoint: Threat Hunting with Sysmon is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Windows > Sysmon.
Stegcloak
- Website: https://github.com/kurolabs/stegcloak
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: Stegcloak is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Securely assign Digital Authenticity to any written text.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Authentication.
Sysdig
- Website: https://github.com/draios/sysdig
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: Sysdig is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: A tool for deep Linux system visibility, with native support for containers. Think about sysdig as strace + tcpdump + htop + iftop + lsof + ...awesome sauce.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring.
Sysmon for Linux
- Website: https://github.com/Sysinternals/SysmonForLinux
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: Sysmon for Linux is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring.
sysmon-DFIR
- Website: https://github.com/MHaggis/sysmon-dfir
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: sysmon-DFIR is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Sources, configuration and how to detect evil things utilizing Microsoft Sysmon.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring > Configuration.
Letter T
This letter section contains 1 tool.
Themis
- Website: https://github.com/cossacklabs/themis
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: Themis is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: High-level multi-platform cryptographic framework for protecting sensitive data: secure messaging with forward secrecy and secure data storage (AES256GCM), suits for building end-to-end encrypted applications.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
Letter U
This letter section contains 2 tools.
UDcide
- Website: https://github.com/UDcide/udcide
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security
What it does: UDcide is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Android Malware Behavior Editor.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Endpoint > Mobile / Android / iOS.
UniByAv
- Website: https://github.com/Mr-Un1k0d3r/UniByAv
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: UniByAv is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Simple obfuscator that takes raw shellcode and generates Anti-Virus friendly executables by using a brute-forcable, 32-bit XOR key.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anti-virus Evasion Tools.
Letter V
This letter section contains 2 tools.
Veil
- Website: https://www.veil-framework.com/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Penetration Testing
What it does: Veil is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Generate metasploit payloads that bypass common anti-virus solutions.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anti-virus Evasion Tools.
Volatility
- Website: https://github.com/volatilityfoundation/volatility
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Incident Response, Awesome CTF, Awesome Forensics
What it does: Volatility is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Python based memory extraction and analysis framework.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.
Letter W
This letter section contains 2 tools.
Wazuh
- Website: https://wazuh.com/
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Cybersecurity Blue Team
What it does: Wazuh is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Open source, multiplatform agent-based security monitoring based on a fork of OSSEC HIDS.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Endpoint Detection and Response (EDR).
WithSecure Elements EDR
- Website: https://www.withsecure.com/us-en/solutions/software-and-services/elements-endpoint-detection-and-response
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome SOC
What it does: WithSecure Elements EDR is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.
Letter X
This letter section contains 1 tool.
XDR Gartner market guide
- Website: https://www.trellix.com/fr-fr/solutions/gartner-report-market-guide-xdr.html
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome SOC
What it does: XDR Gartner market guide is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Source list entry describing this security tool and its use case.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.
Letter Z
This letter section contains 2 tools.
Zeek Agent
- Website: https://github.com/zeek/zeek-agent
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome Threat Detection
What it does: Zeek Agent is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: An endpoint monitoring agent that provides host activity to Zeek.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring.
Zscaler Global Threat Map Dashboard
- Website: https://threatlabz.zscaler.com/cloud-insights/threat-map-dashboard
- Model: Open Source
- Category: Endpoint Security
- Source Lists: Awesome OSINT
What it does: Zscaler Global Threat Map Dashboard is used in endpoint security programs to support process telemetry analysis, malware containment, and endpoint hardening. Source summaries describe it as: Illustrates those we've seen in the past 24 hours, consisting of threats detected by our antivirus engines, malware and advanced persistent threats.
Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.
Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.
Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Live Cyber Threat Maps.