Open-Source Cybersecurity Tools: Incident Response

← Back to Open-Source Cybersecurity Tools Hub | Full Open Source Catalog | Main Atlas

This category contains 174 documented tools. It focuses on capabilities used for containment coordination, evidence collection, and post-incident timeline reconstruction. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

• Coverage depth against your highest-priority threats and compliance obligations.
• Operational overhead for deployment, tuning, and long-term maintenance.
• Signal quality versus analyst workload and false-positive pressure.
• Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
• Governance readiness including auditability, ownership clarity, and change control.

Jump by Name

# | 1 | A | B | C | D | E | F | G | H | I | J | K | L | M | N | O | P | R | S | T | U | V | W | X | Y | Z

Letter

This letter section contains 1 tools.

CIRCL

• Website: https://www.circl.lu/services
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Cyber Security Tools

What it does: CIRCL is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Computer Incident Response Center Luxembourg; provides threat intelligence feeds and malware analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Threat Intelligence.

Back to Name Jump

Letter 1

This letter section contains 1 tools.

11 strategies for a world-class SOC

• Website: https://github.com/cyb3rxp/awesome-soc/blob/main/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: 11 strategies for a world-class SOC is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: , Strategy 3: Build a SOC Structure to Match Your Organizational Needs, pages 101-123.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Fundamental concepts > Concepts, tools, missions, attack lifecycle, red/blue/purple teams > MITRE references:.

Back to Name Jump

Letter A

This letter section contains 14 tools.

AccessData FTK Imager

• Website: http://accessdata.com/product-download/?/support/adownloads#FTKImager
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: AccessData FTK Imager is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Disk Image Creation Tools.

Back to Name Jump

AChoir

• Website: https://github.com/OMENScan/AChoir
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Malware Analysis, Awesome Incident Response

What it does: AChoir is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Acquire

• Website: https://github.com/fox-it/acquire
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Acquire is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container. This makes Acquire an excellent tool to, among others, speedup the process of digital forensic triage. It uses to gather that information from the raw disk, if possible.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

APTSimulator

• Website: https://github.com/NextronSystems/APTSimulator
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: APTSimulator is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

Art of Memory Forensics

• Website: https://www.amazon.com/Art-Memory-Forensics-Detecting-Malware/dp/1118825098/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Art of Memory Forensics is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Detecting Malware and Threats in Windows, Linux, and Mac Memory.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

artifactcollector

• Website: https://github.com/forensicanalysis/artifactcollector
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: artifactcollector is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: The artifactcollector project provides a software that collects forensic artifacts on systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

Atomic Red Team (ART)

• Website: https://github.com/redcanaryco/atomic-red-team
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: Atomic Red Team (ART) is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Small and highly portable detection tests mapped to the MITRE ATT&CK Framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

Aurora Incident Response

• Website: https://github.com/cyb3rfox/Aurora-Incident-Response
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Aurora Incident Response is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Platform developed to build easily a detailed timeline of an incident.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Timeline Tools.

Back to Name Jump

AutoMacTC

• Website: https://github.com/CrowdStrike/automactc
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Cybersecurity Blue Team

What it does: AutoMacTC is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Modular, automated forensic triage collection framework designed to access various forensic artifacts on macOS, parse them, and present them in formats viable for analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > Evidence collection.

Back to Name Jump

AutoTTP

• Website: https://github.com/jymcheong/AutoTTP
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: AutoTTP is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

AVML

• Website: https://github.com/microsoft/avml
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: AVML is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A portable volatile memory acquisition tool for Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

Awesome Forensics

• Website: https://github.com/cugu/awesome-forensics
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Awesome Forensics is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A curated list of awesome forensic analysis tools and resources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Lists.

Back to Name Jump

aws_ir

• Website: https://github.com/ThreatResponse/aws_ir
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Cybersecurity Blue Team

What it does: aws_ir is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Automates your incident response with zero security preparedness assumptions.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools.

Back to Name Jump

Azure AD Incident Response Powershell

• Website: https://github.com/reprise99/kql-for-dfir/tree/main/Azure%20Active%20Directory
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: Azure AD Incident Response Powershell is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Letter B

This letter section contains 3 tools.

Belkasoft Evidence Center

• Website: https://belkasoft.com/ec
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Belkasoft Evidence Center is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

Belkasoft Live RAM Capturer

• Website: http://belkasoft.com/ram-capturer
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Belkasoft Live RAM Capturer is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Imaging Tools.

Back to Name Jump

Bitscout

• Website: https://github.com/vitaly-kamluk/bitscout
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Bitscout is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics (or perhaps any other task of your choice). It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Disk Image Creation Tools.

Back to Name Jump

Letter C

This letter section contains 18 tools.

Caldera

• Website: https://github.com/mitre/caldera
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: Caldera is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge (ATT&CK™) project.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

CAPA

• Website: https://github.com/mandiant/capa
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: CAPA is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

CAPEv2

• Website: https://github.com/kevoreilly/CAPEv2
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: CAPEv2 is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Malware Configuration And Payload Extraction.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

CCF-VM

• Website: https://github.com/rough007/CCF-VM
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: CCF-VM is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: CyLR CDQR Forensics Virtual Machine (CCF-VM): An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Distributions.

Back to Name Jump

CIFv2

• Website: https://github.com/csirtgadgets/massive-octo-spice
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Security, Awesome Malware Analysis

What it does: CIFv2 is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Open Source Threat Intelligence > Tools.

Back to Name Jump

CimSweep

• Website: https://github.com/PowerShellMafia/CimSweep
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: CimSweep is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Name Jump

CIRTkit

• Website: https://github.com/byt3smith/CIRTKit
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: CIRTkit is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

CIRTKit

• Website: https://github.com/opensourcesec/CIRTKit
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Cybersecurity Blue Team

What it does: CIRTKit is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Scriptable Digital Forensics and Incident Response (DFIR) toolkit built on Viper.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > IR management consoles.

Back to Name Jump

Cold Disk Quick Response

• Website: https://github.com/rough007/CDQR
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Cold Disk Quick Response is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Streamlined list of parsers to quickly analyze a forensic image file (dd, E01, .vmdk, etc) and output nine reports.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

Computer Aided Investigative Environment (CAINE)

• Website: http://www.caine-live.net/index.html
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Computer Aided Investigative Environment (CAINE) is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Contains numerous tools that help investigators during their analysis, including forensic evidence collection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Distributions.

Back to Name Jump

Crowd Response

• Website: http://www.crowdstrike.com/community-tools/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Crowd Response is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Cuckoo

• Website: https://github.com/cuckoosandbox/cuckoo
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cyber Security Tools

What it does: Cuckoo is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Open Source Highly configurable sandboxing tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Cuckoo-modified

• Website: https://github.com/spender-sandbox/cuckoo-modified
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Cuckoo-modified is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Heavily modified Cuckoo fork developed by community.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Cutter

• Website: https://github.com/rizinorg/cutter
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Cutter is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free and Open Source Reverse Engineering Platform powered by rizin.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Cyber Triage

• Website: http://www.cybertriage.com
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Cyber Triage is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Cyber Triage has a lightweight collection tool that is free to use. It collects source files (such as registry hives and event logs), but also parses them on the live host so that it can also collect the executables that the startup items, scheduled, tasks, etc. refer to. It's output is a JSON file that can be imported into the free version of Cyber Triage. Cyber Triage is made by Sleuth Kit Labs, which also makes Autopsy.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

CyberCPR

• Website: https://www.cybercpr.com
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: CyberCPR is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump

CyLR

• Website: https://github.com/orlikoski/CyLR
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Hacking

What it does: CyLR is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

Cyphon

• Website: https://medevel.com/cyphon/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Cyphon is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump

Letter D

This letter section contains 13 tools.

DFIR ORC

• Website: https://dfir-orc.github.io/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: DFIR ORC is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: DFIR ORC is a collection of specialized tools dedicated to reliably parse and collect critical artifacts such as the MFT, registry hives or event logs. DFIR ORC collects data, but does not analyze it: it is not meant to triage machines. It provides a forensically relevant snapshot of machines running Microsoft Windows. The code can be found on .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

DFIRTrack

• Website: https://github.com/dfirtrack/dfirtrack
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: DFIRTrack is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Incident Response tracking application handling one or more incidents via cases and tasks with a lot of affected systems and artifacts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump

DFTimewolf

• Website: https://github.com/log2timeline/dftimewolf
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: DFTimewolf is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Framework for orchestrating forensic collection, processing and data export using GRR and Rekall.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump

Didier Stevens Suite

• Website: https://github.com/DidierStevens/DidierStevensSuite
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Didier Stevens Suite is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Tool collection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Lists.

Back to Name Jump

Diffy

• Website: https://github.com/Netflix-Skunkworks/diffy
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Diffy is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: DFIR tool developed by Netflix's SIRT that allows an investigator to quickly scope a compromise across cloud instances (Linux instances on AWS, currently) during an incident and efficiently triaging those instances for followup actions by showing differences against a baseline.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats

• Website: https://www.amazon.com/Digital-Forensics-Incident-Response-techniques/dp/183864900X
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Digital Forensics and Incident Response: Incident response techniques and procedures to respond to modern cyber threats is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: by Gerard Johansen.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

Digital Forensics Artifact Knowledge Base

• Website: https://github.com/ForensicArtifacts/artifacts-kb
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Digital Forensics Artifact Knowledge Base is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Digital Forensics Artifact Knowledge Base.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Knowledge Bases.

Back to Name Jump

Digital Forensics Discord Server

• Website: https://discordapp.com/invite/JUqe9Ek
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Digital Forensics Discord Server is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Community of 8,000+ working professionals from Law Enforcement, Private Sector, and Forensic Vendors. Additionally, plenty of students and hobbyists! Guide .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Communities.

Back to Name Jump

Digital Forensocs Incident Response Git

• Website: https://github.com/soufianetahiri/Digital-Forensics-Incident-Response
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: Digital Forensocs Incident Response Git is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Name Jump

Dissect

• Website: https://github.com/fox-it/dissect
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Dissect is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

domfind

• Website: https://github.com/diogo-fernan/domfind
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: domfind is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Python DNS crawler for finding identical domain names under different TLDs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Doorman

• Website: https://github.com/mwielgoszewski/doorman
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Doorman is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

DumpsterFire

• Website: https://github.com/TryCatchHCF/DumpsterFire
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: DumpsterFire is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

Letter E

This letter section contains 1 tools.

Eric Zimmerman Tools

• Website: https://ericzimmerman.github.io/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Eric Zimmerman Tools is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: An updated list of forensic tools created by Eric Zimmerman, an instructor for SANS institute.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Lists.

Back to Name Jump

Letter F

This letter section contains 4 tools.

FastIR Collector

• Website: https://github.com/SekoiaLab/Fastir_Collector
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: FastIR Collector is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Tool that collects different artifacts on live Windows systems and records the results in csv files. With the analyses of these artifacts, an early compromise can be detected.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

FastIR Collector Linux

• Website: https://github.com/SekoiaLab/Fastir_Collector_Linux
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: FastIR Collector Linux is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: FastIR for Linux collects different artifacts on live Linux and records the results in CSV files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Evidence Collection.

Back to Name Jump

Fenrir

• Website: https://github.com/Neo23x0/Fenrir
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Fenrir is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Scanner Tools.

Back to Name Jump

Forensic Artifacts

• Website: https://github.com/ForensicArtifacts/artifacts
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics, Awesome SOC

What it does: Forensic Artifacts is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

Letter G

This letter section contains 3 tools.

GetData Forensic Imager

• Website: http://www.forensicimager.com/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: GetData Forensic Imager is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Disk Image Creation Tools.

Back to Name Jump

grr

• Website: https://github.com/google/grr
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Security, Awesome Cybersecurity Blue Team, Awesome Forensics

What it does: grr is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Incident response framework focused on remote live forensics consisting of a Python agent installed on assets and Python-based server infrastructure enabling analysts to quickly triage attacks and perform analysis remotely.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Name Jump

Guymager

• Website: http://guymager.sourceforge.net
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Guymager is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free forensic imager for media acquisition on Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Disk Image Creation Tools.

Back to Name Jump

Letter H

This letter section contains 4 tools.

HELK

• Website: https://github.com/Cyb3rWard0g/HELK
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: HELK is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Hindsight

• Website: https://github.com/obsidianforensics/hindsight
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Hindsight is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Internet history forensics for Google Chrome/Chromium.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Hoarder

• Website: https://github.com/muteb/Hoarder
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Hoarder is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Collecting the most valuable artifacts for forensics or incident response investigations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

How Dropbox Security builds tools for threat detection and incident response

• Website: https://dropbox.tech/security/how-dropbox-security-builds-better-tools-for-threat-detection-and-incident-response
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Threat Detection

What it does: How Dropbox Security builds tools for threat detection and incident response is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Back to Name Jump

Letter I

This letter section contains 18 tools.

imagemounter

• Website: https://github.com/ralphje/imagemounter
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: imagemounter is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Command line utility and Python package to ease the (un)mounting of forensic disk images.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Improving Social Maturity of Cybersecurity Incident Response Teams

• Website: https://edu.anarcho-copy.org/Against%20Security%20-%20Self%20Security/GMU_Cybersecurity_Incident_Response_Team_social_maturity_handbook.pdf
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: Improving Social Maturity of Cybersecurity Incident Response Teams is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Back to Name Jump

Incident Response & Computer Forensics, 3rd ed

• Website: https://www.google.fr/books/edition/Incident_Response_Computer_Forensics_Thi/LuWINQEACAAJ?hl=fr
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: Incident Response & Computer Forensics, 3rd ed is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Name Jump

Incident Response & Computer Forensics, Third Edition

• Website: https://www.amazon.com/Incident-Response-Computer-Forensics-Third/dp/0071798684/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Incident Response & Computer Forensics, Third Edition is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: The definitive guide to incident response.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

Incident response reference guide

• Website: https://www.linkedin.com/posts/the-cyber-security-hub_incident-response-reference-guide-activity-7033563558642642944-0zav?utm_source=share&utm_medium=member_desktop
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: Incident response reference guide is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a CERT/CSIRT.

Back to Name Jump

Incident Response Techniques for Ransomware Attacks

• Website: https://www.amazon.com/Incident-Response-Techniques-Ransomware-Attacks/dp/180324044X
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Incident Response Techniques for Ransomware Attacks is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A great guide to build an incident response strategy for ransomware attacks. By Oleg Skulkin.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

Incident Response with Threat Intelligence

• Website: https://www.amazon.com/Incident-response-Threat-Intelligence-intelligence-based/dp/1801072957
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Incident Response with Threat Intelligence is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Great reference to build an incident response plan based also on Threat Intelligence. By Roberto Martinez.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

Intelligence-Driven Incident Response

• Website: https://www.amazon.com/Intelligence-Driven-Incident-Response-Outwitting-Adversary-ebook-dp-B074ZRN5T7/dp/B074ZRN5T7
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Intelligence-Driven Incident Response is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: By Scott J. Roberts, Rebekah Brown.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

Introduction to DFIR

• Website: https://medium.com/@sroberts/introduction-to-dfir-d35d5de4c180/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Introduction to DFIR is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: By Scott J. Roberts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

Invoke-LiveResponse

• Website: https://github.com/mgreen27/Invoke-LiveResponse
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Invoke-LiveResponse is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Invoke-LiveResponse is a live response tool for targeted collection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

IOC Finder

• Website: https://www.fireeye.com/services/freeware/ioc-finder.html
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: IOC Finder is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise (IOCs). Support for Windows only. No longer maintained. Only fully supported up to Windows 7 / Windows Server 2008 R2.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

IR lessons on cloud ID compromise

• Website: https://www.microsoft.com/en-us/security/blog/2023/12/05/microsoft-incident-response-lessons-on-preventing-cloud-identity-compromise/?msockid=07788c7fcb0c689a2a5d98f6ca0169fb
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: IR lessons on cloud ID compromise is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a CERT/CSIRT.

Back to Name Jump

IR Mitigations tasks

• Website: https://board.flexibleir.com/b/VtdssIfCJ6Z2LYLED/1
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: IR Mitigations tasks is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a CERT/CSIRT.

Back to Name Jump

ir-rescue

• Website: https://github.com/diogo-fernan/ir-rescue
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Security, Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: ir-rescue is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: ir-rescue is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > Evidence collection.

Back to Name Jump

IREC

• Website: https://binalyze.com/products/irec-free/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: IREC is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

IRIS

• Website: https://github.com/dfir-iris/iris-web
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: IRIS is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: IRIS is a web collaborative platform for incident response analysts allowing to share investigations at a technical level.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

IRM

• Website: https://github.com/certsocietegenerale/IRM
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: IRM is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Incident Response Methodologies by CERT Societe Generale.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Playbooks.

Back to Name Jump

IRTriage

• Website: https://github.com/AJMartel/IRTriage
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: IRTriage is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Incident Response Triage - Windows Evidence Collection for Forensic Analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Letter J

This letter section contains 1 tools.

Joe Sandbox (Community)

• Website: https://www.joesandbox.com/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome SOC

What it does: Joe Sandbox (Community) is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities; providing comprehensive and detailed analysis reports.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Letter K

This letter section contains 4 tools.

Kansa

• Website: https://github.com/davehull/Kansa/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Kansa is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Modular incident response framework in PowerShell.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

KAPE

• Website: https://www.kroll.com/en/services/cyber-risk/incident-response-litigation-support/kroll-artifact-parser-extractor-kape
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: KAPE is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Kroll Artifact Parser and Extractor (KAPE) by Eric Zimmerman. A triage tool that finds the most prevalent digital artifacts and then parses them quickly. Great and thorough when time is of the essence.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Knockknock

• Website: https://objective-see.com/products/knockknock.html
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Knockknock is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Displays persistent items(scripts, commands, binaries, etc.) that are set to execute automatically on OSX.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > OSX Evidence Collection.

Back to Name Jump

Kuiper

• Website: https://github.com/DFIRKuiper/Kuiper
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Kuiper is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Digital Forensics Investigation Platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

Letter L

This letter section contains 5 tools.

Limacharlie

• Website: https://www.limacharlie.io/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Limacharlie is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Endpoint security platform composed of a collection of small projects all working together that gives you a cross-platform (Windows, OSX, Linux, Android and iOS) low-level environment for managing and pushing additional modules into memory to extend its functionality.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

Linux Memory Grabber

• Website: https://github.com/halpomeranz/lmg/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Linux Memory Grabber is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Script for dumping Linux memory and creating Volatility profiles.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Imaging Tools.

Back to Name Jump

List of various Security APIs

• Website: https://github.com/deralexxx/security-apis
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: List of various Security APIs is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Collective list of public JSON APIs for use in security.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Lists.

Back to Name Jump

Live Response Collection

• Website: https://www.brimorlabs.com/tools/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Live Response Collection is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

LOKI

• Website: https://github.com/Neo23x0/Loki
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Incident Response, Awesome Cyber Security Tools, Awesome Forensics, Awesome SOC

What it does: LOKI is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free IR scanner for scanning endpoint with yara rules and other indicators(IOCs).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Letter M

This letter section contains 17 tools.

macOS Artifact Parsing Tool (mac_apt)

• Website: https://github.com/ydkhatri/mac_apt
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: macOS Artifact Parsing Tool (mac_apt) is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > OSX Evidence Collection.

Back to Name Jump

Magnet ACQUIRE

• Website: https://www.magnetforensics.com/magnet-acquire/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Magnet ACQUIRE is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Disk Image Creation Tools.

Back to Name Jump

MAGNET DumpIt

• Website: https://github.com/MagnetForensics/dumpit-linux
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: MAGNET DumpIt is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Fast memory acquisition open source tool for Linux written in Rust. Generate full memory crash dumps of Linux machines.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Evidence Collection.

Back to Name Jump

MAGNET DumpIt

• Website: https://www.magnetforensics.com/resources/magnet-dumpit-for-windows
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: MAGNET DumpIt is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Fast memory acquisition tool for Windows (x86, x64, ARM64). Generate full memory crash dumps of Windows machines.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Imaging Tools.

Back to Name Jump

Magnet RAM Capture

• Website: https://www.magnetforensics.com/free-tool-magnet-ram-capture/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Magnet RAM Capture is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Imaging Tools.

Back to Name Jump

MalConfScan

• Website: https://github.com/JPCERTCC/MalConfScan
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: MalConfScan is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

Margarita Shotgun

• Website: https://github.com/ThreatResponse/margaritashotgun
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: Margarita Shotgun is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > Evidence collection.

Back to Name Jump

Meerkat

• Website: https://github.com/TonyPhipps/Meerkat
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Security, Awesome Incident Response

What it does: Meerkat is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: PowerShell-based Windows artifact collection for threat hunting and incident response.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Memoryze

• Website: https://www.fireeye.com/services/freeware/memoryze.html
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Memoryze is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

Metadefender Cloud

• Website: https://www.metadefender.com
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Metadefender Cloud is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free threat intelligence platform providing multiscanning, data sanitization and vulnerability assessment of files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Metta

• Website: https://github.com/uber-common/metta
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: Metta is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Automated information security preparedness tool to do adversarial simulation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

MFT Browser

• Website: https://github.com/kacos2000/MFT_Browser
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: MFT Browser is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: MFT directory tree reconstruction & record info.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Microsoft ProcDump

• Website: https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Microsoft ProcDump is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Dumps any running Win32 processes memory image on the fly.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Process Dump Tools.

Back to Name Jump

Morgue

• Website: https://github.com/etsy/morgue
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Morgue is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: PHP Web app by Etsy for managing postmortems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Timeline Tools.

Back to Name Jump

MozDef

• Website: https://github.com/mozilla/MozDef
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: MozDef is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Automates the security incident handling process and facilitate the real-time activities of incident handlers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Name Jump

Munin

• Website: https://github.com/Neo23x0/munin
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Munin is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Online hash checker for VirusTotal and other services.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

MutableSecurity

• Website: https://github.com/MutableSecurity/mutablesecurity
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Security, Awesome Incident Response

What it does: MutableSecurity is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: CLI program for automating the setup, configuration, and use of cybersecurity solutions.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

Letter N

This letter section contains 3 tools.

Network Flight Simulator

• Website: https://github.com/alphasoc/flightsim
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: Network Flight Simulator is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

nightHawk

• Website: https://github.com/biggiesmallsAG/nightHawkResponse
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: nightHawk is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Application built for asynchronous forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

NST - Network Security Toolkit

• Website: https://sourceforge.net/projects/nst/files/latest/download?source=files
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: NST - Network Security Toolkit is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Distributions.

Back to Name Jump

Letter O

This letter section contains 8 tools.

Obsidian

• Website: https://obsidian.md
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome OSINT

What it does: Obsidian is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Knowledge base and note-taking tool ideal for OSINT case management.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > ↑ Other Tools.

Back to Name Jump

Open Computer Forensics Architecture

• Website: http://sourceforge.net/projects/ocfa/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Open Computer Forensics Architecture is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

Orochi

• Website: https://github.com/LDO-CERT/orochi
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Orochi is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Orochi is an open source framework for collaborative forensic memory dump analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

OSForensics

• Website: http://www.osforensics.com/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: OSForensics is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Tool to acquire live memory on 32-bit and 64-bit systems. A dump of an individual process’s memory space or physical memory dump can be done.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Imaging Tools.

Back to Name Jump

osquery

• Website: https://osquery.io/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: osquery is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Easily ask questions about your Linux and macOS infrastructure using a SQL-like query language; the provided incident-response pack helps you detect and respond to breaches.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

OSX Auditor

• Website: https://github.com/jipegit/OSXAuditor
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Forensics

What it does: OSX Auditor is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > Evidence collection.

Back to Name Jump

OSX Collector

• Website: https://github.com/yelp/osxcollector
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: OSX Collector is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: OSX Auditor offshoot for live response.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > OSX Evidence Collection.

Back to Name Jump

OSXCollector

• Website: https://github.com/Yelp/osxcollector
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Cybersecurity Blue Team

What it does: OSXCollector is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Forensic evidence collection & analysis toolkit for macOS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > Evidence collection.

Back to Name Jump

Letter P

This letter section contains 10 tools.

PagerDuty Incident Response Documentation

• Website: https://response.pagerduty.com/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: PagerDuty Incident Response Documentation is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after. Source is available on .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Playbooks.

Back to Name Jump

PALADIN

• Website: https://sumuri.com/software/paladin/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: PALADIN is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Modified Linux distribution to perform various forensics task in a forensically sound manner. It comes with many open source forensics tools included.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Distributions.

Back to Name Jump

Panorama

• Website: https://github.com/AlmCo/Panorama
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Panorama is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Fast incident overview on live Windows systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Plaso

• Website: https://github.com/log2timeline/plaso
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Plaso is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: a Python-based backend engine for the tool log2timeline.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Timeline Tools.

Back to Name Jump

PMDump

• Website: http://www.ntsecurity.nu/toolbox/pmdump/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: PMDump is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Tool that lets you dump the memory contents of a process to a file without stopping the process.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Process Dump Tools.

Back to Name Jump

PowerForensics

• Website: https://github.com/Invoke-IR/PowerForensics
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Forensics

What it does: PowerForensics is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: All in one PowerShell-based platform to perform live hard disk forensic analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

PowerSponse

• Website: https://github.com/swisscom/PowerSponse
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: PowerSponse is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: PowerSponse is a PowerShell module focused on targeted containment and remediation during security incident response.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Practical Memory Forensics

• Website: https://www.amazon.com/Practical-Memory-Forensics-Jumpstart-effective/dp/1801070334
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Practical Memory Forensics is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: The definitive guide to practice memory forensics. By Svetlana Ostrovskaya and Oleg Skulkin.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Books.

Back to Name Jump

PSRecon

• Website: https://github.com/gfoss/PSRecon/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: PSRecon is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

PyaraScanner

• Website: https://github.com/nogoodconfig/pyarascanner
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: PyaraScanner is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Very simple multi-threaded many-rules to many-files YARA scanning Python script for malware zoos and IR.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Letter R

This letter section contains 10 tools.

Raccine

• Website: https://github.com/Neo23x0/Raccine
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Raccine is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A Simple Ransomware Protection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Radare2

• Website: https://github.com/radareorg/radare2
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Radare2 is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Reverse engineering framework and command-line toolset.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

RaQet

• Website: https://raqet.github.io/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: RaQet is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

rastrea2r

• Website: https://github.com/rastrea2r/rastrea2r
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: rastrea2r is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Multi-platform tool for triaging suspected IOCs on many endpoints simultaneously and that integrates with antivirus consoles.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Name Jump

RedHunt-OS

• Website: https://github.com/redhuntlabs/RedHunt-OS
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: RedHunt-OS is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A Virtual Machine for Adversary Emulation and Threat Hunting. RedHunt aims to be a one stop shop for all your threat emulation and threat hunting needs by integrating attacker's arsenal as well as defender's toolkit to actively identify the threats in your environment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.

Back to Name Jump

Redline

• Website: https://www.fireeye.com/services/freeware/redline.html
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: Redline is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Threat hunting.

Back to Name Jump

RegRipper

• Website: https://github.com/keydet89/RegRipper3.0
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: RegRipper is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Back to Name Jump

Reverse.IT

• Website: https://www.reverse.it/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Reverse.IT is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Alternative domain for the Hybrid-Analysis tool provided by CrowdStrike.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Rizin

• Website: https://github.com/rizinorg/rizin
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Rizin is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: UNIX-like reverse engineering framework and command-line toolset.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

RTIR

• Website: https://www.bestpractical.com/rtir/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: RTIR is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Request Tracker for Incident Response (RTIR) is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump

Letter S

This letter section contains 13 tools.

Sandia Cyber Omni Tracker (SCOT)

• Website: https://github.com/sandialabs/scot
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Sandia Cyber Omni Tracker (SCOT) is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump

SANS Investigative Forensic Toolkit (SIFT) Workstation

• Website: http://digital-forensics.sans.org/community/downloads
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: SANS Investigative Forensic Toolkit (SIFT) Workstation is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Distributions.

Back to Name Jump

Scout2

• Website: https://nccgroup.github.io/Scout2/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Scout2 is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Security tool that lets Amazon Web Services administrators assess their environment's security posture.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Security Onion

• Website: https://github.com/Security-Onion-Solutions/security-onion
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: Security Onion is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: An open-source Linux distribution for threat hunting, security monitoring, and log management. It includes ELK, Snort, Suricata, Zeek, Wazuh, Sguil, and many other security tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Distributions.

Back to Name Jump

Slack DFIR channel

• Website: https://dfircommunity.slack.com
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Slack DFIR channel is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Slack DFIR Communitiy channel - .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Communities.

Back to Name Jump

SOC Multi-tool

• Website: https://github.com/zdhenard42/SOC-Multitool
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: SOC Multi-tool is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A powerful and user-friendly browser extension that streamlines investigations for security professionals.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

SOC/IR hierarchy of needs

• Website: https://github.com/swannman/ircapabilities
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: SOC/IR hierarchy of needs is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Back to Name Jump

SP800-86, integration forensics techniques into IR

• Website: https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-86.pdf
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome SOC

What it does: SP800-86, integration forensics techniques into IR is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a CERT/CSIRT.

Back to Name Jump

SPECTR3

• Website: https://github.com/alpine-sec/SPECTR3
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: SPECTR3 is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Acquire, triage and investigate remote evidence via portable iSCSI readonly access.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

Spyre

• Website: https://github.com/spyre-project/spyre
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Spyre is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Simple YARA-based IOC scanner written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Scanner Tools.

Back to Name Jump

sqhunter

• Website: https://github.com/0x4d31/sqhunter
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: sqhunter is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

sysmon-config

• Website: https://github.com/SwiftOnSecurity/sysmon-config
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: sysmon-config is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Sysmon configuration file template with default high-quality event tracing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring > Configuration.

Back to Name Jump

sysmon-modular

• Website: https://github.com/olafhartong/sysmon-modular
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: sysmon-modular is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A repository of sysmon configuration modules. It also includes a of Sysmon configurations to MITRE ATT&CK techniques.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Endpoint Monitoring > Configuration.

Back to Name Jump

Letter T

This letter section contains 10 tools.

TAPIR

• Website: https://github.com/tap-ir/tapir
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Forensics

What it does: TAPIR is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: TAPIR (Trustable Artifacts Parser for Incident Response) is a multi-user, client/server, incident response framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.

Back to Name Jump

The Appliance for Digital Investigation and Analysis (ADIA)

• Website: https://forensics.cert.org/#ADIA
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: The Appliance for Digital Investigation and Analysis (ADIA) is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 (32-bit) and x86_64 (64-bit) versions are available.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Linux Distributions.

Back to Name Jump

The ESF Playground

• Website: https://themittenmac.com/the-esf-playground/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: The ESF Playground is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A tool to view the events in Apple Endpoint Security Framework (ESF) in real time.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > OSX Evidence Collection.

Back to Name Jump

The Future of Incident Response

• Website: https://www.youtube.com/watch?v=bDcx4UNpKNc
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome OSINT, Awesome Threat Detection, Awesome Web Security

What it does: The Future of Incident Response is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Videos.

Back to Name Jump

The Sleuth Kit & Autopsy

• Website: http://www.sleuthkit.org
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: The Sleuth Kit & Autopsy is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

TheHive

• Website: https://thehive-project.org/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome SOC

What it does: TheHive is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > IR management consoles.

Back to Name Jump

Threat.Zone

• Website: https://app.threat.zone
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Threat.Zone is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Cloud based threat analysis platform which include sandbox, CDR and interactive analysis for researchers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

threat_note

• Website: https://github.com/defpoint/threat_note
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Cybersecurity Blue Team

What it does: threat_note is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Web application built by Defense Point Security to allow security researchers the ability to add and retrieve indicators related to their research.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools > IR management consoles.

Back to Name Jump

Timesketch

• Website: https://github.com/google/timesketch
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Timesketch is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Open source tool for collaborative forensic timeline analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Timeline Tools.

Back to Name Jump

traceroute-circl

• Website: https://github.com/CIRCL/traceroute-circl
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: traceroute-circl is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Response Center Luxembourg.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

Letter U

This letter section contains 1 tools.

UAC

• Website: https://github.com/tclahr/uac
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Forensics, Awesome SOC

What it does: UAC is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Evidence Collection.

Back to Name Jump

Letter V

This letter section contains 5 tools.

Valkyrie Comodo

• Website: https://valkyrie.comodo.com
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Valkyrie Comodo is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Valkyrie uses run-time behavior and hundreds of features from a file to perform analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Velociraptor

• Website: https://github.com/Velocidex/velociraptor
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection, Awesome Forensics

What it does: Velociraptor is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

Viper

• Website: https://github.com/viper-framework/viper
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Cybersecurity Blue Team

What it does: Viper is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Binary analysis and management framework enabling easy organization of malware and exploit samples.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Volatility

• Website: https://www.volatilityfoundation.org/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Cybersecurity Blue Team, Awesome Cyber Security Tools

What it does: Volatility is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Advanced memory forensics framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Incident Response tools.

Back to Name Jump

Volatility 3

• Website: https://github.com/volatilityfoundation/volatility3
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Volatility 3 is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: The volatile memory extraction framework (successor of Volatility).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

Letter W

This letter section contains 3 tools.

Windows Events Attack Samples

• Website: https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: Windows Events Attack Samples is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: A repo of Windows event samples (EVTX) associated with ATT&CK techniques ().

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Knowledge Bases.

Back to Name Jump

Windows Registry Knowledge Base

• Website: https://github.com/libyal/winreg-kb
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Windows Registry Knowledge Base is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Windows Registry Knowledge Base.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Knowledge Bases.

Back to Name Jump

WindowsSCOPE

• Website: http://www.windowsscope.com/windowsscope-cyber-forensics/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: WindowsSCOPE is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Memory forensics and reverse engineering tool used for analyzing volatile memory offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

Letter X

This letter section contains 2 tools.

X-Ray 2.0

• Website: https://www.raymond.cc/blog/xray/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: X-Ray 2.0 is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Windows utility (poorly maintained or no longer maintained) to submit virus samples to AV vendors.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Other Tools.

Back to Name Jump

X-Ways Forensics

• Website: http://www.x-ways.net/forensics/
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: X-Ways Forensics is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump

Letter Y

This letter section contains 1 tools.

Yomi

• Website: https://yomi.yoroi.company
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Yomi is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Free MultiSandbox managed and hosted by Yoroi.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Sandboxing/Reversing Tools.

Back to Name Jump

Letter Z

This letter section contains 1 tools.

Zentral

• Website: https://github.com/zentralopensource/zentral
• Model: Open Source
• Category: Incident Response
• Source Lists: Awesome Incident Response

What it does: Zentral is used in incident response programs to support containment coordination, evidence collection, and post-incident timeline reconstruction. Source summaries describe it as: Combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

Back to Name Jump