Open-Source Cybersecurity Tools: Network Security Monitoring

This category contains 398 documented tools. It focuses on capabilities used for traffic inspection, anomaly detection, and packet-level investigations. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Letter

This letter section contains 2 tools.

Aircrack-ng

  • Website: https://www.aircrack-ng.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cyber Security Tools

What it does: Aircrack-ng is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Suite of tools for wireless network security.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Penetration Testing.

Fakenet-NG

  • Website: https://github.com/mandiant/flare-fakenet-ng
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cyber Security Tools

What it does: Fakenet-NG is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fake network environment for malware analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Dynamic Analysis Tools.

Letter A

This letter section contains 17 tools.

ACLight

  • Website: https://github.com/cyberark/ACLight
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: ACLight is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Script for advanced discovery of sensitive Privileged Accounts - includes Shadow Admins.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

AIEngine

  • Website: https://bitbucket.org/camp0/aiengine
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: AIEngine is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: AIEngine is a next-generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS (Network Intrusion Detection System) functionality, DNS domain classification, network collector, network forensics and many others.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

Aircrack-ng

  • Website: http://www.aircrack-ng.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking, Awesome CTF

What it does: Aircrack-ng is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Aircrack is an 802.11 WEP and WPA-PSK key cracking program.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

Airgeddon

  • Website: https://github.com/v1s1t0r1sh3r3/airgeddon
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Airgeddon is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Multi-use bash script for Linux systems to audit wireless networks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

Amass

  • Website: https://github.com/owasp-amass/amass
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome OSINT

What it does: Amass is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: The amass tool searches Internet data sources, performs brute force subdomain enumeration, searches web archives, and uses machine learning to generate additional subdomain name guesses. DNS name resolution is performed across many public servers so the authoritative server will see the traffic coming from different locations. Written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Amass

  • Website: https://github.com/OWASP/Amass
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: Amass is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: In-depth subdomain enumeration tool that performs scraping, recursive brute forcing, crawling of web archives, name altering and reverse DNS sweeping.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

Amun

  • Website: https://github.com/zeroq/amun
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Amun is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Amun is a Python-based low-interaction honeypot.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

Anevicon

  • Website: https://github.com/rozgo/anevicon
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing

What it does: Anevicon is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: The most powerful UDP-based load generator, written in Rust.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.

Apache Spot (incubating)

  • Website: https://github.com/apache/incubator-spot
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Apache Spot (incubating) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Apache Spot is open source software for leveraging insights from flow and packet analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Big Data.

AQUATONE

  • Website: https://github.com/michenriksen/aquatone
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Web Security

What it does: AQUATONE is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Arachni

  • Website: http://www.arachni-scanner.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Arachni is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Scriptable framework for evaluating the security of web applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Argos

  • Website: http://www.few.vu.nl/argos/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Argos is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Emulator for capturing zero-day attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.

Arkime

  • Website: https://github.com/arkime/arkime
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: Arkime is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

ASlookup

  • Website: https://aslookup.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: ASlookup is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A useful tool for exploring autonomous systems and all related info (CIDR, ASN, Org...).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

authoscope

  • Website: https://github.com/kpcyrd/authoscope
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: authoscope is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Scriptable network authentication cracker.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Web Exploitation.

Automated Whitebox Fuzz Testing, 2008

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2017/09/Automated-Whitebox-Fuzz-Testing-paper-Patrice-Godefroid.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Automated Whitebox Fuzz Testing, 2008 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Awesome PCAP Tools

  • Website: https://github.com/caesar0301/awesome-pcaptools
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Malware Analysis

What it does: Awesome PCAP Tools is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A collection of tools developed by other researchers in the Computer Science area to process network traces.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Other Awesome Lists > Other Security Awesome Lists.

Letter B

This letter section contains 16 tools.

badtouch

  • Website: https://github.com/kpcyrd/badtouch
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: badtouch is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Scriptable network authentication cracker.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Web > Tools.

BetterCAP

  • Website: https://www.bettercap.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: BetterCAP is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Modular, portable and easily extensible MITM framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

BGP.he.net

  • Website: https://bgp.he.net
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: BGP.he.net is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free BGP and network intelligence toolkit.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Speciality Search Engines.

BGP.tools

  • Website: https://bgp.tools
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: BGP.tools is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Modern BGP toolkit for network reconnaissance and analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Speciality Search Engines.

Bgpview.io

  • Website: https://bgpview.io
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Bgpview.io is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: The website bgpview.io allows you to look up detailed information about ASNs, IPs, and BGP routes on the internet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Domain and IP Research.

bittwist

  • Website: http://bittwist.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: bittwist is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Simple yet powerful libpcap-based Ethernet packet generator useful for simulating network traffic or scenarios, testing firewalls, IDS, and IPS, and troubleshooting various network problems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

Bluesky

  • Website: https://bsky.app
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Bluesky is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Decentralized social network built on the AT Protocol.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Major Social Networks.

Boofuzz

  • Website: https://github.com/jtpereyda/boofuzz
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Boofuzz is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fuzzing engine and fuzz testing framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

BoopSuite

  • Website: https://github.com/MisterBianco/BoopSuite
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: BoopSuite is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Suite of tools written in Python for wireless auditing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

BoxyHQ

  • Website: https://github.com/retracedhq/retraced
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: BoxyHQ is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source API for security and compliance audit logging.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

Brim

  • Website: https://github.com/brimsec/brim
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Brim is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A desktop application to efficiently search large packet captures and Zeek logs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Bro

  • Website: https://www.bro.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: Bro is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Protocol analyzer that operates at incredible.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Bro-Osquery

  • Website: https://svs.informatik.uni-hamburg.de/publications/2018/2018-05-31-Haas-QueryCon-Bro-Osquery.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Bro-Osquery is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Large-Scale Host and Network Monitoring Using Open-Source Software.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

BroYara

  • Website: https://github.com/hempnall/broyara
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: BroYara is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Use Yara rules from Bro.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Bully

  • Website: http://git.kali.org/gitweb/?p=packages/bully.git;a=summary
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Bully is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Implementation of the WPS brute force attack, written in C.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

BunkerWeb

  • Website: https://github.com/bunkerity/bunkerweb
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: BunkerWeb is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: BunkerWeb is a full-featured open-source web server with ModSecurity WAF, HTTPS with transparent Let's Encrypt renewal, automatic banning of strange behaviors based on HTTP codes, bot and bad-IP blocking, connection limits, state-of-the-art security presets, a Web UI and much more.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Web Application Firewall.

Letter C

This letter section contains 23 tools.

CapTipper

  • Website: https://github.com/omriher/CapTipper
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: CapTipper is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Malicious HTTP traffic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Censys

  • Website: https://www.censys.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Censys is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Collects data on hosts and websites through daily ZMap and ZGrab scans.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT) > Network device discovery tools.

Center for International Earth Science Information Network

  • Website: http://www.ciesin.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Center for International Earth Science Information Network is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Data and Statistics.

chopshop

  • Website: https://github.com/MITRECND/chopshop
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Cybersecurity Blue Team

What it does: chopshop is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

cicd-goat

  • Website: https://github.com/cider-security-research/cicd-goat
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: cicd-goat is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

Cilium

  • Website: https://cilium.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Cilium is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source software for transparently securing the network connectivity between application services deployed using Linux container management platforms like Docker and Kubernetes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps.

cirt-fuzzer

  • Website: http://www.cirt.dk/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: cirt-fuzzer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A simple TCP/UDP protocol fuzzer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

CloudFail

  • Website: https://github.com/m0rtem/CloudFail
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: CloudFail is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

CloudShark

  • Website: https://www.cloudshark.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: CloudShark is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Web-based tool for packet analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

cms-explorer

  • Website: https://code.google.com/archive/p/cms-explorer/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: cms-explorer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, 2019

  • Website: https://daramg.gift/paper/han-ndss2019.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: CodeAlchemist: Semantics-Aware Code Generation to Find Vulnerabilities in JavaScript Engines, 2019 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Cognito Scanner

  • Website: https://github.com/padok-team/cognito-scanner
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Cognito Scanner is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: CLI tool to pentest AWS Cognito instances. It implements three attacks: unwanted account creation, account oracle and identity pool escalation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Community Honey Network

  • Website: https://communityhoneynetwork.readthedocs.io/en/stable/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Community Honey Network is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: CHN aims to make the deployment of honeypots and honeypot management tools easy and flexible. The default deployment method uses Docker Compose and Docker to deploy with a few simple commands.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

COMODO automated sandbox

  • Website: https://help.comodo.com/topic-72-1-451-4768-.html
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: COMODO automated sandbox is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.

Conpot

  • Website: http://conpot.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Honeypots

What it does: Conpot is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: ICS/SCADA honeypot. Conpot is a low-interaction, server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols, we created the basics to build your own system, capable of emulating complex infrastructures to convince an adversary that he has just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to serve a custom human-machine interface to increase the honeypot's attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with production HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection, 2022

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2022-296-paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Context-Sensitive and Directional Concurrency Fuzzing for Data-Race Detection, 2022 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Cowpatty

  • Website: https://github.com/joswr1ght/cowpatty
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Cowpatty is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Brute-force dictionary attack against WPA-PSK.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

CrackMapExec

  • Website: https://github.com/byt3bl33d3r/CrackMapExec
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: CrackMapExec is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Swiss army knife for pentesting networks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Crowd Inspect

  • Website: https://www.crowdstrike.com/resources/community-tools/crowdinspect-tool/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Crowd Inspect is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Host-based tools.

CrowdSec

  • Website: https://github.com/crowdsecurity/crowdsec
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome OSINT

What it does: CrowdSec is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: CrowdSec is a free, modern & collaborative behavior detection engine, coupled with a global IP reputation network. It stacks on Fail2Ban's philosophy but is IPV6 compatible and 60x faster (Go vs Python), uses Grok patterns to parse logs and YAML scenario to identify behaviors. CrowdSec is engineered for modern Cloud / Containers / VM based infrastructures (by decoupling detection and remediation). Once detected, you can remedy threats with various bouncers (firewall block, nginx http 403, Captchas, etc.) while the aggressive IPs can be sent to CrowdSec for curation before being shared among all users to further strengthen the community.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

CryptoLyzer

  • Website: https://gitlab.com/coroner/cryptolyzer
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: CryptoLyzer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fast and flexible server cryptographic (TLS/SSL/SSH/HTTP) settings analyzer library for Python with CLI.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Transport Layer Security Tools.

Cuckoo Sandbox

  • Website: http://www.cuckoosandbox.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Cuckoo Sandbox is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Cuckoo Sandbox is an Open Source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

Cyware Threat Response Docker

  • Website: https://hub.docker.com/r/cylabs/cy-threat-response
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Cyware Threat Response Docker is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

Letter D

This letter section contains 23 tools.

D(HE)ater

  • Website: https://github.com/Balasys/dheater
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: D(HE)ater is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: D(HE)ater sends forged cryptographic handshake messages to enforce the Diffie-Hellman key exchange.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.

Damn Vulnerable Web Application (DVWA)

  • Website: https://hub.docker.com/r/citizenstig/dvwa/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: Damn Vulnerable Web Application (DVWA) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Intentionally Vulnerable Systems > Intentionally Vulnerable Systems as Docker Containers.

Deepfence PacketStreamer

  • Website: https://github.com/deepfence/PacketStreamer
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Deepfence PacketStreamer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: High-performance remote packet capture and collection tool, distributed tcpdump for cloud native environments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Full Packet Capture / Forensic.

Deepfence SecretScanner

  • Website: https://github.com/deepfence/SecretScanner
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Deepfence SecretScanner is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Find secrets and passwords in container images and file systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Deepfence ThreatMapper

  • Website: https://github.com/deepfence/ThreatMapper
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Deepfence ThreatMapper is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Apache v2, powerful runtime vulnerability scanner for kubernetes, virtual machines and serverless.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

DELTA: A Security Assessment Framework for Software-Defined Networks, 2017

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2017/09/ndss201702A-1LeePaper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: DELTA: A Security Assessment Framework for Software-Defined Networks, 2017 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Denyhosts

  • Website: http://denyhosts.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Denyhosts is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Thwart SSH dictionary based attacks and brute force attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

DNS Rebind Toolkit

  • Website: https://github.com/brannondorsey/dns-rebind-toolkit
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Web Security

What it does: DNS Rebind Toolkit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN) by.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Tools > DNS Rebinding.

dnscat2

  • Website: https://github.com/iagox86/dnscat2
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome CTF

What it does: dnscat2 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Tool designed to create an encrypted command and control channel over the DNS protocol, which is an effective tunnel out of almost every network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Exfiltration Tools.

dnschef

  • Website: https://github.com/iphelix/dnschef
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: dnschef is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Highly configurable DNS proxy for pentesters.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

DNSDumpster

  • Website: https://dnsdumpster.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome OSINT

What it does: DNSDumpster is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: a website that will help you discover hosts related to a specific domain.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

dnsenum

  • Website: https://github.com/fwaeytens/dnsenum/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Cyber Security Tools

What it does: dnsenum is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

dnsmap

  • Website: https://github.com/makefu/dnsmap/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: dnsmap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Passive DNS network mapper.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

dnsrecon

  • Website: https://github.com/darkoperator/dnsrecon/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Cyber Security Tools

What it does: dnsrecon is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Perform DNS enumeration using direct queries and brute forcing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

dnstracer

  • Website: http://www.mavetju.org/unix/dnstracer.php
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: dnstracer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Determines where a given DNS server gets its information from, and follows the chain of DNS servers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Docker Bench for Security

  • Website: https://hub.docker.com/r/diogomonica/docker-bench-security/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Hacking

What it does: Docker Bench for Security is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

docker-metasploit

  • Website: https://hub.docker.com/r/remnux/metasploit/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: docker-metasploit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

dorothy2

  • Website: https://github.com/m4rco-/dorothy2
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: dorothy2 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Malware/botnet analysis framework written in Ruby.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.

DPDK

  • Website: http://dpdk.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: DPDK is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: DPDK is a set of libraries and drivers for fast packet processing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Fast Packet Processing.

Driller: Augmenting Fuzzing Through Selective Symbolic Execution, 2016

  • Website: https://cancer.shtech.org/wiki/uploads/2016---NDSS---driller-augmenting-fuzzing-through-selective-symbolic-execution.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Driller: Augmenting Fuzzing Through Selective Symbolic Execution, 2016 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Drool

  • Website: https://www.dns-oarc.net/tools/drool
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Drool is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Replay DNS traffic from packet capture files and send it to a specified server, such as for simulating DDoS attacks on the DNS and measuring normal DNS querying.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Preparedness training and wargaming.

Dshell

  • Website: https://github.com/USArmyResearchLab/Dshell
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team, Awesome Penetration Testing

What it does: Dshell is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Protocol Analyzers and Sniffers.

dsniff

  • Website: https://www.monkey.org/~dugsong/dsniff/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: dsniff is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Collection of tools for network auditing and pentesting.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Letter E

This letter section contains 8 tools.

Earthcam

  • Website: http://www.earthcam.com
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Earthcam is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: EarthCam is the leading network of live streaming webcams for tourism and entertainment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Video Search and Other Video Tools.

EMS: History-Driven Mutation for Coverage-based Fuzzing, 2022

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2022-162-paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: EMS: History-Driven Mutation for Coverage-based Fuzzing, 2022 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing, 2018

  • Website: https://lifeasageek.github.io/papers/han:meds.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Enhancing Memory Error Detection for Large-Scale Applications and Fuzz Testing, 2018 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Epstein Exposed

  • Website: https://epsteinexposed.com
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Epstein Exposed is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Comprehensive searchable database of 2M+ DOJ Epstein case documents, 1,700+ persons, flight logs, emails, and network graph visualization.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Document and Slides Search.

Ettercap

  • Website: http://www.ettercap-project.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Ettercap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Comprehensive, mature suite for machine-in-the-middle attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

European Union Agency for Network and Information Security

  • Website: https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: European Union Agency for Network and Information Security is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: ENISA Cyber Security Training material.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Security Education Courses.

evilgrade

  • Website: https://github.com/infobyte/evilgrade
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: evilgrade is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Modular framework to take advantage of poor upgrade implementations by injecting fake updates.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

Exonera Tor

  • Website: https://exonerator.torproject.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Exonera Tor is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A database of IP addresses that have been part of the Tor network. It answers the question whether there was a Tor relay running on a given IP address on a given date.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Domain and IP Research.

Letter F

This letter section contains 18 tools.

FakeNet-NG

  • Website: https://github.com/fireeye/flare-fakenet-ng
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: FakeNet-NG is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Next generation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Falco

  • Website: https://falco.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: Falco is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Cloud platform security.

FATT

  • Website: https://github.com/0x4D31/fatt
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: FATT is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

Favocado: Fuzzing Binding Code of JavaScript Engines Using Semantically Correct Test Cases, 2021

  • Website: https://www.ndss-symposium.org/wp-content/uploads/ndss2021_6A-2_24224_paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Favocado: Fuzzing Binding Code of JavaScript Engines Using Semantically Correct Test Cases, 2021 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Fibratus

  • Website: https://github.com/rabbitstack/fibratus
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Incident Response, Awesome Honeypots, Awesome Penetration Testing, Awesome CTF

What it does: Fibratus is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fibratus is a tool for exploration and tracing of the Windows kernel. It is able to capture most of the Windows kernel activity: process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more. Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters, or run the lightweight Python modules called filaments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Windows Evidence Collection.

Fiddler

  • Website: https://www.telerik.com/fiddler
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Penetration Testing

What it does: Fiddler is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free cross-platform web debugging proxy with user-friendly companion tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Web Exploitation > Intercepting Web proxies.

fierce

  • Website: https://github.com/mschwager/fierce
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: fierce is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Python3 port of the original fierce.pl DNS reconnaissance tool for locating non-contiguous IP space.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Finding Evil on the Network Using JA3/S and HASSH

  • Website: https://engineering.salesforce.com/finding-evil-on-the-network-using-ja3-s-and-hassh-11431a8606e4
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Finding Evil on the Network Using JA3/S and HASSH is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

Finding The Real Origin IPs Hiding Behind CloudFlare or TOR

  • Website: https://www.secjuice.com/finding-real-ips-of-origin-servers-behind-cloudflare-or-tor/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Web Security

What it does: Finding The Real Origin IPs Hiding Behind CloudFlare or TOR is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Written by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Miscellaneous.

Fing

  • Website: https://www.fing.com/products/fing-app/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Fing is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network scanning and host enumeration app that performs NetBIOS, UPnP, Bonjour, SNMP, and various other advanced device fingerprinting techniques.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Android Utilities.

FingerprinTLS

  • Website: https://github.com/LeeBrotherston/tls-fingerprinting
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: FingerprinTLS is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A TLS fingerprinting method.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

Finshir

  • Website: https://github.com/isgasho/finshir
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Finshir is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A coroutines-driven Low & Slow traffic generator, written in Rust.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Firesheep

  • Website: https://codebutler.github.io/firesheep/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: Firesheep is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free program for HTTP session hijacking attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

Firezone

  • Website: https://github.com/firezone/firezone
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Firezone is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open-source VPN server and egress firewall for Linux built on WireGuard that makes it simple to manage secure remote access to your company's private networks. Firezone is easy to set up (all dependencies are bundled thanks to Chef Omnibus), secure, performant, and self-hostable.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > VPN.

Flare

  • Website: https://github.com/austin-taylor/flare
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Flare is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An analytical framework for network traffic and behavioral analytics.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Fluxion

  • Website: https://github.com/FluxionNetwork/fluxion
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Fluxion is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Suite of automated social engineering based WPA attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

friTap

  • Website: https://github.com/fkie-cad/friTap
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: friTap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Intercept SSL/TLS connections with frida; allows TLS key extraction and decryption of TLS payload as PCAP in real time.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

fwknop

  • Website: https://www.cipherdyne.org/fwknop/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: fwknop is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Protects ports via Single Packet Authorization in your firewall.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Network perimeter defenses.

Letter G

This letter section contains 5 tools.

Gatekeeper

  • Website: https://github.com/AltraMayor/gatekeeper
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Gatekeeper is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: First open source Distributed Denial of Service (DDoS) protection system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Network perimeter defenses.

Geneva (Genetic Evasion)

  • Website: https://censorship.ai/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Geneva (Genetic Evasion) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Novel experimental genetic algorithm that evolves packet-manipulation-based censorship evasion strategies against nation-state level censors to increase availability of otherwise blocked content.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Communications security (COMSEC).

Gephi

  • Website: https://gephi.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Gephi is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An open-source graph and network visualization software.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Social Network Analysis.

Glastopf

  • Website: http://glastopf.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Glastopf is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

GQUIC Protocol Analyzer for Zeek

  • Website: https://github.com/salesforce/GQUIC_Protocol_Analyzer
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: GQUIC Protocol Analyzer for Zeek is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

Letter H

This letter section contains 20 tools.

Habu

  • Website: https://github.com/portantier/habu
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking

What it does: Habu is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Python utility implementing a variety of network attacks, such as ARP poisoning, DHCP starvation, and more.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

Hack+

  • Website: http://hack.plus
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: Hack+ is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An Intelligent network of bots that fetch the latest InfoSec content.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: CTF > General.

Hacking-Lab

  • Website: https://hacking-lab.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome CTF

What it does: Hacking-Lab is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Ethical hacking, computer network and security challenge platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

hadoop-pcap

  • Website: https://github.com/RIPE-NCC/hadoop-pcap
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: hadoop-pcap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Hadoop library to read packet capture (PCAP) files.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Big Data.

Haka

  • Website: http://www.haka-security.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: Haka is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An open source security oriented.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Hale

  • Website: https://github.com/pjlantz/Hale
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Honeypots

What it does: Hale is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Botnet command and control monitor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Hfinger

  • Website: https://github.com/CERT-Polska/hfinger
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Hfinger is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fingerprinting HTTP requests.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

HFL: Hybrid Fuzzing on the Linux Kernel, 2020

  • Website: https://www.unexploitable.systems/publication/kimhfl/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: HFL: Hybrid Fuzzing on the Linux Kernel, 2020 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

HFlow2

  • Website: https://projects.honeynet.org/hflow
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: HFlow2 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Data coalescing tool for honeynet/network analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HOIC

  • Website: https://sourceforge.net/projects/high-orbit-ion-cannon/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: HOIC is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Updated version of Low Orbit Ion Cannon; has 'boosters' to get around common countermeasures.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.

HoneyDrive

  • Website: http://bruteforce.gr/honeydrive
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: HoneyDrive is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

HoneyPy

  • Website: https://github.com/foospidy/HoneyPy
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Honeypots

What it does: HoneyPy is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: HoneyPy is a low to medium interaction honeypot. It is intended to be easy to: deploy, extend functionality with plugins, and apply custom configurations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

Honeysink

  • Website: http://www.honeynet.org/node/773
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Honeysink is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source network sinkhole that provides a mechanism for detection and prevention of malicious traffic on a given network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HoneySpider Network

  • Website: https://github.com/CERT-Polska/hsn2-bundle
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: HoneySpider Network is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Highly-scalable system integrating multiple client honeypots to detect malicious websites.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

honeytrap

  • Website: https://github.com/tillmannw/honeytrap
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: honeytrap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Low-interaction honeypot and network security tool written to catch attacks against TCP and UDP services.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

HonSSH

  • Website: https://github.com/tnich/honssh
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Honeypots

What it does: HonSSH is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: HonSSH is a high-interaction Honey Pot solution. HonSSH will sit between an attacker and a honey pot, creating two separate SSH connections between them.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing, 2020

  • Website: https://www.researchgate.net/publication/339164746_HotFuzz_Discovering_Algorithmic_Denial-of-Service_Vulnerabilities_Through_Guided_Micro-Fuzzing
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: HotFuzz: Discovering Algorithmic Denial-of-Service Vulnerabilities Through Guided Micro-Fuzzing, 2020 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

hping3

  • Website: https://github.com/antirez/hping
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: hping3 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network tool able to send custom TCP/IP packets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

HTTPReplay

  • Website: https://github.com/jbremer/httpreplay
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: HTTPReplay is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Library for parsing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

HYPER-CUBE: High-Dimensional Hypervisor Fuzzing, 2020

  • Website: https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2020/02/07/Hyper-Cube-NDSS20.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: HYPER-CUBE: High-Dimensional Hypervisor Fuzzing, 2020 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Letter I

This letter section contains 16 tools.

IKEForce

  • Website: https://github.com/SpiderLabs/ikeforce
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: IKEForce is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Command line IPSEC VPN brute forcing tool for Linux that allows group name/ID enumeration and XAUTH brute forcing capabilities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

imalse

  • Website: https://github.com/hbhzwj/imalse
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: imalse is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Integrated MALware Simulator and Emulator.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.

impacket

  • Website: https://github.com/CoreSecurity/impacket
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: impacket is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Collection of Python classes for working with network protocols.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Impost

  • Website: http://impost.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Impost is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

INetSim

  • Website: http://www.inetsim.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: INetSim is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network service emulation, useful when.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Infection Monkey

  • Website: https://www.guardicore.com/infectionmonkey/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Infection Monkey is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open-source breach and attack simulation (BAS) platform that helps you validate existing controls and identify how attackers might exploit your current network security gaps.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Preparedness training and wargaming.

infernal-twin

  • Website: https://github.com/entropy1337/infernal-twin
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: infernal-twin is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Automated wireless hacking tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

Innernet

  • Website: https://github.com/tonarino/innernet
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Innernet is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free Software private network system that uses WireGuard under the hood, made to be self-hosted.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses > Overlay and Virtual Private Networks (VPNs).

INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing, 2018

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2018/07/bar2018_14_Hsu_paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: INSTRIM: Lightweight Instrumentation for Coverage-guided Fuzzing, 2018 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

  • Website: https://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Research Papers.

Intercepter-NG

  • Website: http://sniff.su/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Intercepter-NG is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Multifunctional network toolkit.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Into the Borg – SSRF inside Google production network

  • Website: https://opnsec.com/2018/07/into-the-borg-ssrf-inside-google-production-network/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Web Security

What it does: Into the Borg – SSRF inside Google production network is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Written by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Tricks > SSRF.

IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing, 2018

  • Website: http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2018/02/ndss2018_01A-1_Chen_paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: IoTFuzzer: Discovering Memory Corruptions in IoT Through App-based Fuzzing, 2018 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

IPFire

  • Website: https://www.ipfire.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: IPFire is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Hardened GNU/Linux-based router and firewall distribution forked from IPCop.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Network perimeter defenses > Firewall appliances or distributions.

ISP.Tools

  • Website: https://www.isp.tools
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: ISP.Tools is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A free platform offering network diagnostic tools (ping, traceroute, MTR, DNS, WHOIS, HTTP, etc.) tailored for ISPs and infrastructure professionals.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Domain and IP Research.

IVRE

  • Website: https://github.com/ivre/ivre
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: IVRE is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network recon framework, published by @cea-sec & @ANSSI-FR. Build your own, self-hosted and fully-controlled alternatives to Criminalip / Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more!

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

Letter J

This letter section contains 6 tools.

JA3

  • Website: https://github.com/salesforce/ja3
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: JA3 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A method for profiling SSL/TLS Clients and Servers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

JARM

  • Website: https://github.com/salesforce/jarm
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: JARM is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An active Transport Layer Security (TLS) server fingerprinting tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

JCS

  • Website: https://github.com/TheM4hd1/JCS
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: JCS is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Joomla Vulnerability Component Scanner with automatic database updater from exploitdb and packetstorm.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Joebox Cloud

  • Website: https://jbxcloud.joesecurity.org/login
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Joebox Cloud is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.

joomscan

  • Website: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: joomscan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Joomla vulnerability scanner.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Joy

  • Website: https://github.com/cisco/joy
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Joy is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring.

Letter K

This letter section contains 8 tools.

Kaitai Struct

  • Website: http://kaitai.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Penetration Testing

What it does: Kaitai Struct is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Debugging and Reverse Engineering.

Kali

  • Website: https://www.kali.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Cyber Security Tools, Awesome CTF

What it does: Kali is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), and Aircrack-ng (a software suite for penetration-testing wireless LANs).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Operating System Distributions.

KFSensor

  • Website: http://www.keyfocus.net/kfsensor/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: KFSensor is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Windows-based honeypot Intrusion Detection System (IDS).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Kismet

  • Website: https://kismetwireless.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Kismet is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Wireless network detector, sniffer, and IDS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

Kismet

  • Website: https://github.com/kismetwireless/kismet
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Forensics

What it does: Kismet is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A passive wireless sniffer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Network Forensics.


Kojoney

  • Website: http://kojoney.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Honeypots

What it does: Kojoney is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Kojoney is a low-level interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.


KRACK Detector

  • Website: https://github.com/securingsam/krackdetector
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: KRACK Detector is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Detect and prevent KRACK attacks in your network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.


krackattacks-scripts

  • Website: https://github.com/vanhoefm/krackattacks-scripts
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: krackattacks-scripts is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: WPA2 Krack attack scripts.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.


Letter L

This letter section contains 10 tools.

Laika BOSS

  • Website: https://github.com/lmco/laikaboss
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Forensics

What it does: Laika BOSS is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Laika is an object scanner and intrusion detection system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Frameworks.


Lambda-Proxy

  • Website: https://github.com/puresec/lambda-proxy
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Lambda-Proxy is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Utility for testing SQL Injection vulnerabilities on AWS Lambda serverless functions.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.


LAN Turtle

  • Website: https://lanturtle.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: LAN Turtle is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Covert "USB Ethernet Adapter" that provides remote access, network intelligence gathering, and MITM capabilities when installed in a local network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Physical Access Tools.


Legion

  • Website: https://github.com/GoVanguard/legion
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing

What it does: Legion is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Graphical semi-automated discovery and reconnaissance framework based on Python 3 and forked from SPARTA.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.


libemu

  • Website: https://github.com/buffer/libemu
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: libemu is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Shellcode emulation library, useful for shellcode detection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.


Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications, 2019

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2019/02/ndss2019_08-4_Zhang_paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Life after Speech Recognition: Fuzzing Semantic Misinterpretation for Voice Assistant Applications, 2019 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).


Live HTTP headers

  • Website: https://addons.mozilla.org/en-US/firefox/addon/http-header-live/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Live HTTP headers is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Live HTTP headers is a free Firefox add-on to see your browser requests in real time. It shows the entire headers of the requests and can be used to find security loopholes in implementations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Sniffer.


Lonkero

  • Website: https://github.com/bountyyfi/lonkero
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Lonkero is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Enterprise-grade web vulnerability scanner with 60+ attack modules, built in Rust for penetration testing and security assessments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.


Low Orbit Ion Canon (LOIC)

  • Website: https://github.com/NewEraCracker/LOIC
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Low Orbit Ion Canon (LOIC) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source network stress tool written for Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.


Lynis

  • Website: https://cisofy.com/lynis/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing

What it does: Lynis is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: an open source security auditing tool for Linux/Unix.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.


Letter M

This letter section contains 23 tools.

Mail.Ru Social Network Search

  • Website: https://go.mail.ru/search_social
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Mail.Ru Social Network Search is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Real-Time Search, Social Media Search, and General Social Media Tools.


Malcolm

  • Website: https://github.com/idaholab/Malcolm
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: Malcolm is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Malcolm is a powerful, easily.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.


Malcom

  • Website: https://github.com/tomchop/malcom
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: Malcom is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Malware Communications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.


mallory

  • Website: https://github.com/justmao945/mallory
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: mallory is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: HTTP/HTTPS proxy over SSH.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.


Maltrail

  • Website: https://github.com/stamparm/maltrail
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Cybersecurity Blue Team

What it does: Maltrail is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Malicious network traffic detection system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).


Mass Scan

  • Website: https://github.com/robertdavidgraham/masscan
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking, Awesome CTF

What it does: Mass Scan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: TCP port scanner that spews SYN packets asynchronously, scanning the entire Internet in under 5 minutes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.


Masscanned

  • Website: https://github.com/ivre/masscanned
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Masscanned is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Let's be scanned. A low-interaction honeypot focused on network scanners and bots. It integrates very well with IVRE to build a self-hosted alternative to GreyNoise.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


Matano

  • Website: https://github.com/matanolabs/matano
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Incident Response, Awesome Threat Detection

What it does: Matano is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An open source security lake platform (SIEM alternative) for threat hunting, detection and response on AWS. Matano lets you write advanced detections as code (using Python) to correlate and alert on threats in real time.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Detection, Alerting and Automation Platforms.


Memcrashed

  • Website: https://github.com/649/Memcrashed-DDoS-Exploit
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Memcrashed is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.


Mercury

  • Website: https://github.com/cisco/mercury
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Mercury is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network fingerprinting and packet metadata capture.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.


Metasploit Framework

  • Website: https://github.com/rapid7/metasploit-framework
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Hacking

What it does: Metasploit Framework is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.


mhn-core-docker

  • Website: https://github.com/MattCarothers/mhn-core-docker
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: mhn-core-docker is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Core elements of the Modern Honey Network implemented in Docker.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.


MITMf

  • Website: https://github.com/byt3bl33d3r/MITMf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: MITMf is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Framework for Man-In-The-Middle attacks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.


mitmproxy

  • Website: https://mitmproxy.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Honeypots, Awesome Penetration Testing

What it does: mitmproxy is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Web Exploitation > Intercepting Web proxies.

Back to Name Jump

mitmsocks4j

  • Website: https://github.com/Akdeniz/mitmsocks4j
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: mitmsocks4j is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Man-in-the-middle SOCKS Proxy for Java.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

Back to Name Jump

MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing, 2022

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2022-314-paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: MobFuzz: Adaptive Multi-objective Optimization in Gray-box Fuzzing, 2022 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Back to Name Jump

Modern Honey Network

  • Website: https://github.com/threatstream/mhn
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Modern Honey Network is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Multi-Snort and honeypot sensor management; uses a network of VMs, small-footprint Snort installations, stealthy dionaeas, and a centralized server for management.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Name Jump

Modern Honeynet Network

  • Website: http://threatstream.github.io/mhn/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Modern Honeynet Network is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Streamlines deployment and management of secure honeypots.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Back to Name Jump

Moloch

  • Website: https://github.com/aol/moloch
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Malware Analysis

What it does: Moloch is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Moloch is an open source, large scale IPv4 packet capturing (PCAP), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting. APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly. Simple security is implemented by using HTTPS and HTTP digest password support or by using Apache in front. Moloch is not meant to replace IDS engines but instead to work alongside them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Full Packet Capture / Forensic.

Back to Name Jump

Monit

  • Website: https://linoxide.com/monitoring-2/monit-linux/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome CTF

What it does: Monit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A Linux tool to check a host on the network (and other non-network activities).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Networking.

Back to Name Jump

monsoon

  • Website: https://github.com/RedTeamPentesting/monsoon
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: monsoon is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Very flexible and fast interactive HTTP enumeration/fuzzing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Back to Name Jump

Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer, 2020

  • Website: https://www.usenix.org/conference/usenixsecurity20/presentation/lee-suyoung
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Montage: A Neural Network Language Model-Guided JavaScript Engine Fuzzer, 2020 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > USENIX Security.

Back to Name Jump

Morpheus

  • Website: https://github.com/r00t-3xp10it/morpheus
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Morpheus is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Automated ettercap TCP/IP Hijacking tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

Back to Name Jump

Letter N

This letter section contains 28 tools.

Nachricht

  • Website: https://nachricht.co/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Nachricht is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: With Nachricht.co you can send self-destructing and encrypted one-way messages over the Internet. You don't even need to miss out on the messenger or social network of your choice. We are an independent, secure and fully free service!

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Pastebins.

Back to Name Jump

Nagios

  • Website: https://nagios.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Nagios is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Popular network and service monitoring solution and reporting platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Service and performance monitoring.

Back to Name Jump

Ncrack

  • Website: https://nmap.org/ncrack/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Ncrack is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: High-speed network authentication cracking tool built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Back to Name Jump

Nessus

  • Website: https://www.tenable.com/products/nessus-vulnerability-scanner
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Nessus is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Commercial vulnerability management, configuration, and compliance assessment platform, sold by Tenable.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners.

Back to Name Jump

Netcap

  • Website: https://github.com/dreadl0ck/netcap
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Netcap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A framework for secure and scalable network traffic analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring.

Back to Name Jump

netdiscover

  • Website: https://github.com/netdiscover-scanner/netdiscover
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: netdiscover is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network address discovery scanner, based on ARP sweeps, developed mainly for those wireless networks without a DHCP server.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Back to Name Jump

netmap

  • Website: http://info.iet.unipi.it/~luigi/netmap/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: netmap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: netmap is a framework for high-speed packet I/O. Together with its companion VALE software switch, it is implemented as a single kernel module and available for FreeBSD, Linux and now also Windows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Fast Packet Processing.

Back to Name Jump

Netresec's PCAP repo list

  • Website: https://www.netresec.com/?page=PcapFiles
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection, Awesome Forensics

What it does: Netresec's PCAP repo list is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A list of public packet capture repositories, which are freely available on the Internet.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

Back to Name Jump

netsniff-ng

  • Website: http://netsniff-ng.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: netsniff-ng is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its performance gain is achieved by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

Back to Name Jump

netsniff-ng

  • Website: https://github.com/netsniff-ng/netsniff-ng
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: netsniff-ng is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Swiss army knife for network sniffing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Protocol Analyzers and Sniffers.

Back to Name Jump

Netsparker Application Security Scanner

  • Website: https://www.netsparker.com/pricing/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Netsparker Application Security Scanner is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Application security scanner to automatically find security flaws.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners.

Back to Name Jump

Network Forensics: Tracking Hackers through Cyberspace

  • Website: https://www.pearson.com/en-us/subject-catalog/p/Davidoff-Network-Forensics-Tracking-Hackers-through-Cyberspace/P200000009228
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Forensics

What it does: Network Forensics: Tracking Hackers through Cyberspace is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Learn to recognize hackers’ tracks and uncover network-based evidence.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Books.

Back to Name Jump

Network Security Toolkit (NST)

  • Website: http://networksecuritytoolkit.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Network Security Toolkit (NST) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fedora-based GNU/Linux bootable live Operating System designed to provide easy access to best-of-breed open source network security applications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Operating System Distributions.

Back to Name Jump

Network-segmentation-cheat-sheet

  • Website: https://github.com/sergiomarotco/Network-segmentation-cheat-sheet
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome SOC

What it does: Network-segmentation-cheat-sheet is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: This project was created to publish the best practices for segmentation of the corporate network of any company. In general, the schemes in this project are suitable for any company.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT architecture of a SOC > Disconnect (as much as possible) SOC from monitored environment > Enclave.

Back to Name Jump

NetworkMiner

  • Website: http://www.netresec.com/?page=NetworkMiner
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Hacking, Awesome CTF

What it does: NetworkMiner is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A Network Forensic Analysis Tool (NFAT).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Back to Name Jump

Netz

  • Website: https://github.com/spectralops/netz
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Hacking

What it does: Netz is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Discover internet-wide misconfigurations, using zgrab2 and others.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Back to Name Jump

Netzob

  • Website: https://github.com/netzob/netzob
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Netzob is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Reverse engineering, traffic generation and fuzzing of communication protocols.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Protocol Analyzers and Sniffers.

NexFil

  • Website: https://github.com/thewhiteh4t/nexfil
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: NexFil is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: checks username from almost all social network sites.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Username Check.

Nexpose

  • Website: https://www.rapid7.com/products/nexpose/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Nexpose is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Commercial vulnerability and risk management assessment engine that integrates with Metasploit, sold by Rapid7.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners.

ngrep

  • Website: http://ngrep.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: ngrep is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

ngrep

  • Website: https://github.com/jpr5/ngrep
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: ngrep is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Search through network traffic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Nikto

  • Website: https://github.com/sullo/nikto
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Nikto is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Noisy but fast black box web server and web application vulnerability scanner.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Nipe

  • Website: https://github.com/GouveaHeitor/nipe
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking, Awesome CTF

What it does: Nipe is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Script to redirect all traffic from the machine to the Tor network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Anonymity Tools > Tor Tools.

Nmap

  • Website: https://nmap.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Cyber Security Tools, Awesome Hacking, Awesome CTF

What it does: Nmap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Nmap is a free and open source utility for network discovery and security auditing.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization, 2020

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2020/02/24422.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Not All Coverage Measurements Are Equal: Fuzzing by Coverage Accounting for Input Prioritization, 2020 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

ntopng

  • Website: http://www.ntop.org/products/traffic-analysis/ntop/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: ntopng is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Ntopng is a network traffic probe that shows the network usage, similar to what the popular top Unix command does.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

ntopng

  • Website: https://github.com/ntop/ntopng
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: ntopng is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A web-based network traffic monitoring tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring.

nuclei

  • Website: https://github.com/projectdiscovery/nuclei
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Web Security

What it does: nuclei is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Letter O

This letter section contains 21 tools.

official Kali Linux

  • Website: https://hub.docker.com/r/kalilinux/kali-linux-docker/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: official Kali Linux is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

official OWASP ZAP

  • Website: https://github.com/zaproxy/zaproxy
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Hacking

What it does: official OWASP ZAP is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

official WPScan

  • Website: https://hub.docker.com/r/wpscanteam/wpscan/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Hacking

What it does: official WPScan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

Open Data Network

  • Website: http://www.opendatanetwork.com
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Open Data Network is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Data and Statistics.

OpenFlow Honeypot (OFPot)

  • Website: https://github.com/upa/ofpot
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: OpenFlow Honeypot (OFPot) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Redirects traffic for unused IPs to a honeypot, built on POX.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

opensnitch

  • Website: https://github.com/evilsocket/opensnitch
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: opensnitch is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: OpenSnitch is a GNU/Linux port of the Little Snitch application firewall.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

OpenVAS

  • Website: http://www.openvas.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing

What it does: OpenVAS is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners.

OpenVPN

  • Website: https://openvpn.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Cybersecurity Blue Team

What it does: OpenVPN is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: OpenVPN is an open source software application that implements virtual private network (VPN) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses > Overlay and Virtual Private Networks (VPNs).

OpenZITI

  • Website: https://openziti.github.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: OpenZITI is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source initiative focused on bringing Zero Trust to any application via an overlay network, tunnelling applications, and numerous SDKs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses > Overlay and Virtual Private Networks (VPNs).

OPNsense

  • Website: https://opnsense.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: OPNsense is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Network perimeter defenses > Firewall appliances or distributions.

ORA

  • Website: http://www.casos.cs.cmu.edu/projects/ora/software.php
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: ORA is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Social Network Analysis.

oregano

  • Website: https://github.com/nametoolong/oregano
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: oregano is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Python module that runs as a machine-in-the-middle (MITM) accepting Tor client requests.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

Osintgraph

  • Website: https://github.com/XD-MHLOO/Osintgraph
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Osintgraph is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Tool that maps your target’s Instagram data and relationships in Neo4j for social network analysis.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Social Media Tools > Instagram.

ovizart

  • Website: https://github.com/oguzy/ovizart
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: ovizart is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Visual analysis for network traffic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Data Tools.

OWASP Juice Shop

  • Website: https://hub.docker.com/r/bkimminich/juice-shop
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: OWASP Juice Shop is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

OWASP Mutillidae II Web Pen-Test Practice Application

  • Website: https://hub.docker.com/r/citizenstig/nowasp/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: OWASP Mutillidae II Web Pen-Test Practice Application is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Intentionally Vulnerable Systems > Intentionally Vulnerable Systems as Docker Containers.

OWASP NodeGoat

  • Website: https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: OWASP NodeGoat is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Intentionally Vulnerable Systems > Intentionally Vulnerable Systems as Docker Containers.

OWASP Security Shepherd

  • Website: https://hub.docker.com/r/ismisepaul/securityshepherd/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: OWASP Security Shepherd is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Intentionally Vulnerable Systems > Intentionally Vulnerable Systems as Docker Containers.

OWASP WebGoat Project docker image

  • Website: https://hub.docker.com/r/danmx/docker-owasp-webgoat/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Hacking

What it does: OWASP WebGoat Project docker image is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

OWASP WrongSecrets

  • Website: https://hub.docker.com/r/jeroenwillemsen/wrongsecrets
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: OWASP WrongSecrets is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

OwlH

  • Website: https://www.owlh.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: OwlH is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Helps manage network IDS at scale by visualizing Suricata, Zeek, and Moloch life cycles.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

Letter P

This letter section contains 27 tools.

Packet Squirrel

  • Website: https://www.hak5.org/gear/packet-squirrel
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Packet Squirrel is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Ethernet multi-tool designed to enable covert remote access, painless packet captures, and secure VPN connections with the flip of a switch.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Physical Access Tools.

Packet Storm

  • Website: https://packetstormsecurity.com/files/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Packet Storm is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Compendium of exploits, advisories, tools, and other security-related resources aggregated from across the industry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Vulnerability Databases.

PACKET_MMAP/TPACKET/AF_PACKET

  • Website: https://elixir.bootlin.com/linux/latest/source/Documentation/networking/packet_mmap.rst
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: PACKET_MMAP/TPACKET/AF_PACKET is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: It's fine to use PACKET_MMAP to improve the performance of the capture and transmission process in Linux.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Fast Packet Processing.

PacketTotal

  • Website: https://packettotal.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Penetration Testing

What it does: PacketTotal is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Simple, free, high-quality packet capture file analysis facilitating the quick detection of network-borne malware (using Zeek and Suricata IDS signatures under the hood).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT).

padding-oracle-attacker

  • Website: https://github.com/KishanBagaria/padding-oracle-attacker
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome CTF

What it does: padding-oracle-attacker is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: padding-oracle-attacker is a CLI tool and library to execute padding oracle attacks (which decrypts data encrypted in CBC mode) easily, with support for concurrent network requests and an elegant UI.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Web > Scanning / Pentesting.

Paros

  • Website: http://sourceforge.net/projects/paros/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: Paros is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A Java-based HTTP/HTTPS proxy for assessing web application vulnerability.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

Passive Network Audit Framework (pnaf)

  • Website: https://github.com/jusafing/pnaf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Passive Network Audit Framework (pnaf) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Framework that combines multiple passive and automated analysis techniques in order to provide a security assessment of network platforms.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

passivedns-client

  • Website: https://github.com/chrislee35/passivedns-client
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: passivedns-client is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Library and query tool for querying several passive DNS providers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

PCAP-ATTACK

  • Website: https://github.com/sbousseaden/PCAP-ATTACK
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: PCAP-ATTACK is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A repo of PCAP samples for different ATT&CK techniques.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Dataset.

PcapViz

  • Website: https://github.com/mateuszk87/PcapViz
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: PcapViz is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network topology and.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary, 2019

  • Website: https://people.cs.kuleuven.be/~stijn.volckaert/papers/2019_NDSS_PeriScope.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: PeriScope: An Effective Probing and Fuzzing Framework for the Hardware-OS Boundary, 2019 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

PETEP

  • Website: https://github.com/Warxim/petep
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking

What it does: PETEP is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Extensible TCP/UDP proxy with GUI for traffic analysis & modification with SSL/TLS support.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

PF_RING

  • Website: http://www.ntop.org/products/packet-capture/pf_ring/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: PF_RING is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: PF_RING is a new type of network socket that dramatically improves the packet capture speed.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Fast Packet Processing.

PF_RING ZC (Zero Copy)

  • Website: http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: PF_RING ZC (Zero Copy) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: PF_RING ZC (Zero Copy) is a flexible packet processing framework that allows you to achieve 1/10 Gbit line rate packet processing (both RX and TX) at any packet size. It implements zero copy operations including patterns for inter-process and inter-VM (KVM) communications.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Fast Packet Processing.

PFQ

  • Website: https://github.com/pfq/PFQ
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: PFQ is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: PFQ is a functional networking framework designed for the Linux operating system that allows efficient packet capture/transmission (10G and beyond), in-kernel functional processing and packet steering across sockets/end-points.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Fast Packet Processing.

pfSense

  • Website: https://www.pfsense.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: pfSense is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: FreeBSD firewall and router distribution forked from m0n0wall.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Network perimeter defenses > Firewall appliances or distributions.

PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles, 2021

  • Website: https://beerkay.github.io/papers/Berkay2021PGFuzzNDSS.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: PGFUZZ: Policy-Guided Fuzzing for Robotic Vehicles, 2021 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

pig

  • Website: https://github.com/rafael-santiago/pig
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: pig is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: GNU/Linux packet crafting tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

pivotsuite

  • Website: https://github.com/RedTeamOperations/PivotSuite
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: pivotsuite is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Portable, platform independent and powerful network pivoting toolkit.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Pompem

  • Website: https://github.com/rfunix/Pompem
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Pompem is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Pompem is an open source tool designed to automate the search for exploits in major databases. Developed in Python, it has an advanced search system that facilitates the work of pentesters and ethical hackers. In its current version, it performs searches in the following databases: Exploit-db, 1337day, Packetstorm Security.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Postman

  • Website: https://chrome.google.com/webstore/detail/postman/fhbjgbiflinjbdggehcddcbncdddomop?hl=en
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome CTF

What it does: Postman is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Add-on for Chrome for debugging network requests.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Web.

Praeda

  • Website: http://h.foofus.net/?page_id=218
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Praeda is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Automated multi-function printer data harvester for gathering usable data during security assessments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Printer Exploitation Toolkit (PRET)

  • Website: https://github.com/RUB-NDS/PRET
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Printer Exploitation Toolkit (PRET) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Tool for printer security testing capable of IP and USB connectivity, fuzzing, and exploitation of PostScript, PJL, and PCL printer language features.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

PSKracker

  • Website: https://github.com/soxrok2212/PSKracker
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: PSKracker is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Collection of WPA/WPA2/WPS default algorithms, password generators, and PIN generators written in C.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

pwnagotchi

  • Website: https://github.com/evilsocket/pwnagotchi
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: pwnagotchi is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Deep reinforcement learning based AI that learns from the Wi-Fi environment and instruments BetterCAP in order to maximize the WPA key material captured.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

Pylibemu

  • Website: https://github.com/buffer/pylibemu
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Pylibemu is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Libemu Cython wrapper.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.

Python ICAP Yara

  • Website: https://github.com/RamadhanAmizudin/python-icap-yara
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: Python ICAP Yara is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

Letter Q

This letter section contains 1 tool.

QueenSono

  • Website: https://github.com/ariary/QueenSono
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: QueenSono is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Client/server binaries for data exfiltration over ICMP. Useful in a network where the ICMP protocol is less monitored than others (which is a common case).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Exfiltration Tools.

Letter R

This letter section contains 15 tools.

Radware Live Cyber Threat Map

  • Website: https://livethreatmap.radware.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Radware Live Cyber Threat Map is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Radware's Live Threat Map presents near real-time information about cyberattacks as they occur, based on our global threat deception network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Live Cyber Threat Maps.

RDFP

  • Website: https://github.com/yahoo/rdfp
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: RDFP is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Zeek Remote desktop fingerprinting script based on (Fingerprint All The Things).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

Real Intelligence Threat Analysis (RITA)

  • Website: https://github.com/activecm/rita
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Real Intelligence Threat Analysis (RITA) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source framework for network traffic analysis that ingests Zeek logs and detects beaconing, DNS tunneling, and more.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

Reaver

  • Website: https://code.google.com/archive/p/reaver-wps
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Reaver is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Brute-force attack against Wi-Fi Protected Setup.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

Recog

  • Website: https://github.com/rapid7/recog
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Recog is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A framework for identifying products, services, operating systems, and hardware by matching fingerprints against data returned from various network probes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring > Fingerprinting Tools.

REDQUEEN: Fuzzing with Input-to-State Correspondence, 2019

  • Website: https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2018/12/17/NDSS19-Redqueen.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: REDQUEEN: Fuzzing with Input-to-State Correspondence, 2019 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing, 2021

  • Website: https://www.cs.ucr.edu/~heng/pubs/afl-hier.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Reinforcement Learning-based Hierarchical Seed Scheduling for Greybox Fuzzing, 2021 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Respounder

  • Website: https://github.com/codeexpress/respounder
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Respounder is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Detects the presence of the Responder LLMNR/NBT-NS/MDNS poisoner on a network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

RFISandbox

  • Website: https://monkey.org/~jose/software/rfi-sandbox/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: RFISandbox is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: PHP 5.x script sandbox built on top of .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Network and Artifact Analysis.

routersploit

  • Website: https://github.com/reverse-shell/routersploit
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: routersploit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source exploitation framework similar to Metasploit but dedicated to embedded devices.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

rshijack

  • Website: https://github.com/kpcyrd/rshijack
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: rshijack is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: TCP connection hijacker, Rust rewrite of shijack.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

rspamd

  • Website: https://github.com/rspamd/rspamd
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: rspamd is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fast, free and open-source spam filtering system.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Anti-Spam.

RustNet

  • Website: https://github.com/domcyrus/rustnet
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Forensics

What it does: RustNet is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A cross-platform network monitoring terminal UI providing real-time visibility into network connections.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Network Forensics.

RustScan

  • Website: https://github.com/RustScan/RustScan
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: RustScan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Faster Nmap scanning with Rust. Take a 17-minute Nmap scan down to 19 seconds.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

RustScan

  • Website: https://github.com/rustscan/rustscan
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking

What it does: RustScan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Extremely fast port scanner built with Rust, designed to scan all ports in a couple of seconds, and utilizing nmap to perform port enumeration in a fraction of the time.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Letter S

This letter section contains 45 tools.

s7scan

  • Website: https://github.com/klsecservices/s7scan
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: s7scan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Scanner for enumerating Siemens S7 PLCs on a TCP/IP or LLC network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Industrial Control and SCADA Systems.

Scammer-List

  • Website: https://scammerlist.now.sh/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Scammer-List is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A free, open-source, AI-based scam and spam finder with a free API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Anti-Spam.

ScanCannon

  • Website: https://github.com/johnnyxmas/ScanCannon
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: ScanCannon is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: POSIX-compliant Bash script to quickly enumerate large networks by calling masscan to quickly identify open ports and then nmap to gain details on the systems/services on those ports.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

scanless

  • Website: https://github.com/vesche/scanless
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: scanless is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Utility for using websites to perform port scans on your behalf so as not to reveal your own IP.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

scapy

  • Website: https://github.com/gpotter2/awesome-scapy
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: scapy is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Scapy: the Python-based interactive packet manipulation program and library.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

scapy

  • Website: https://github.com/secdev/scapy
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: scapy is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Python-based interactive packet manipulation program and library.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

Scapy

  • Website: https://github.com/secdev/awesome-scapy
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: Scapy is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A Python tool and library for low level packet creation and manipulation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

Search Abuseipdb

  • Website: https://github.com/oseasfr/search-abuseipdb
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Search Abuseipdb is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Tool to query IPs, ranges and ASN blocks in AbuseIPDB via API with CIDR notation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Speciality Search Engines.

SecApps

  • Website: https://secapps.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: SecApps is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: In-browser web application security testing suite.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

SecTools

  • Website: http://sectools.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking

What it does: SecTools is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Top 125 Network Security Tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Online Resources > Other Lists Online.

Security Ninjas

  • Website: https://hub.docker.com/r/opendns/security-ninjas/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Hacking

What it does: Security Ninjas is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Docker Images for Penetration Testing & Security.

SecurityTrails

  • Website: https://securitytrails.com/dns-trails
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: SecurityTrails is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: API to search current and historical DNS records, current and historical WHOIS, technologies used by sites and whois search for phone, email, address, IPs etc.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Domain and IP Research.

Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators, 2022

  • Website: https://www.ndss-symposium.org/wp-content/uploads/2022-345-paper.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Semantic-Informed Driver Fuzzing Without Both the Hardware Devices and the Emulators, 2022 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing, 2019

  • Website: https://www.cs.ucr.edu/~heng/pubs/digfuzz_ndss19.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Send Hardest Problems My Way: Probabilistic Path Prioritization for Hybrid Fuzzing, 2019 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

SendMeSpamIDS.py

  • Website: https://github.com/johestephan/VerySimpleHoneypot
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: SendMeSpamIDS.py is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Simple SMTP fetch all IDS and analyzer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Sentinel Visualizer

  • Website: http://www.fmsasg.com
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Sentinel Visualizer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Social Network Analysis.

Shodan

  • Website: https://www.shodan.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome OSINT, Awesome Hacking, Awesome Web Security

What it does: Shodan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Shodan is a search engine for the IoT (Internet of Things) that allows you to search a variety of servers that are connected to the internet using various search filters.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT) > Network device discovery tools.

SigPloit

  • Website: https://github.com/SigPloiter/SigPloit
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: SigPloit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Signaling security testing framework dedicated to telecom security for researching vulnerabilities in the signaling protocols used in mobile (cellular phone) operators.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

SIREN

  • Website: https://github.com/blaverick62/SIREN
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: SIREN is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Semi-Intelligent HoneyPot Network - HoneyNet Intelligent Virtual Environment.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

skipfish

  • Website: https://www.kali.org/tools/skipfish/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: skipfish is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Performant and adaptable active web application security reconnaissance tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

SlowLoris

  • Website: https://github.com/gkbrk/slowloris
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: SlowLoris is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: DoS tool that uses low bandwidth on the attacking side.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.

Smart Install Exploitation Tool (SIET)

  • Website: https://github.com/Sab0tag3d/SIET
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Smart Install Exploitation Tool (SIET) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Scripts for identifying Cisco Smart Install-enabled switches on a network and then manipulating them.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

smbmap

  • Website: https://github.com/ShawnDEvans/smbmap
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: smbmap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Handy SMB enumeration tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

sniffglue

  • Website: https://github.com/kpcyrd/sniffglue
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking

What it does: sniffglue is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Secure multithreaded packet sniffer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Protocol Analyzers and Sniffers.

Snort

  • Website: https://www.snort.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome OSINT

What it does: Snort is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time".

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

Snort

  • Website: https://snort.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: Snort is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Widely-deployed, Free Software IPS capable of real-time packet analysis, traffic logging, and custom rule-based triggers.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

snort

  • Website: https://github.com/snort3/snort3
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: snort is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open Source Intrusion Prevention System.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

Spam Scanner

  • Website: https://github.com/spamscanner
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Spam Scanner is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Anti-Spam Scanning Service and Anti-Spam API by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Anti-Spam.

SpamAssassin

  • Website: https://spamassassin.apache.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: SpamAssassin is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A powerful and popular email spam filter employing a variety of detection techniques.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Anti-Spam.

SPARTA

  • Website: https://sparta.secforce.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: SPARTA is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Graphical interface offering scriptable, configurable access to existing network infrastructure scanning and enumeration tools.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

SQLmate

  • Website: https://github.com/UltimateHackers/sqlmate
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: SQLmate is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Friend of sqlmap that identifies SQLi vulnerabilities based on a given dork and (optional) website.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Squey

  • Website: https://squey.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Forensics

What it does: Squey is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Network Forensics.

Squidmagic

  • Website: https://github.com/ch3k1/squidmagic
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: Squidmagic is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: squidmagic is a tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

SSH MITM

  • Website: https://github.com/jtesta/ssh-mitm
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Hacking

What it does: SSH MITM is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Intercept SSH connections with a proxy; all plaintext passwords and sessions are logged to disk.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

ssh-audit

  • Website: https://github.com/jtesta/ssh-audit
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing

What it does: ssh-audit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: SSH server & client auditing (banner, key exchange, encryption, MAC, compression, compatibility, security, etc.).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Secure Shell Tools.

SSHGuard

  • Website: http://www.sshguard.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: SSHGuard is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Software to protect SSH and other services, written in C.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

SSLyze

  • Website: https://github.com/nabla-c0d3/sslyze
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: SSLyze is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fast and comprehensive TLS/SSL configuration analyzer to help identify security misconfigurations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Transport Layer Security Tools.

Stealth

  • Website: https://fbb-git.gitlab.io/stealth/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Stealth is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: File integrity checker that leaves virtually no sediment. The controller runs from another machine, which makes it hard for an attacker to know that the file system is being checked at defined pseudo-random intervals over SSH. Highly recommended for small to medium deployments.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

stenographer

  • Website: https://github.com/google/stenographer
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Incident Response, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: stenographer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as possible, managing disk usage and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the explicit need to store all of the network traffic.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

subbrute

  • Website: https://github.com/TheRook/subbrute
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: subbrute is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: DNS meta-query spider that enumerates DNS records and subdomains.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

Sublist3r

  • Website: https://github.com/aboul3la/Sublist3r
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cyber Security Tools, Awesome Web Security

What it does: Sublist3r is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Sublist3r is a multi-threaded sub-domain enumeration tool for penetration testers by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Penetration Testing > Information Gathering > Passive Information Gathering.

Substation

  • Website: https://github.com/brexhq/substation
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Threat Detection

What it does: Substation is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Substation is a cloud native data pipeline and transformation toolkit written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Detection, Alerting and Automation Platforms.

Suricata

  • Website: http://suricata-ids.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Suricata is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Suricata is a high-performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF and its supporting vendors.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

Suricata

  • Website: https://suricata-ids.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: Suricata is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free, cross-platform IDS/IPS with online and offline analysis modes and deep packet inspection capabilities that is also scriptable with Lua.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

sylkie

  • Website: https://dlrobertson.github.io/sylkie/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: sylkie is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Command line tool and library for testing networks for common address spoofing security vulnerabilities in IPv6 networks using the Neighbor Discovery Protocol.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Proxies and Machine-in-the-Middle (MITM) Tools.

Letter T

This letter section contains 26 tools.

T-Pot Honeypot Distro

  • Website: http://dtag-dev-sec.github.io/mediator/feature/2017/11/07/t-pot-17.10.html
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: T-Pot Honeypot Distro is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: T-Pot is based on the network installer of Ubuntu Server 16/17.x LTS. The honeypot daemons as well as other support components being used have been containerized using Docker. This allows us to run multiple honeypot daemons on the same network interface while maintaining a small footprint and constraining each honeypot within its own environment. Installation over vanilla Ubuntu: this script will install T-Pot 16.04/17.10 on a fresh Ubuntu 16.04.x LTS (64-bit). It is intended to be used on hosted servers, where an Ubuntu base image is given and there is no ability to install custom ISO images. Successfully tested on vanilla Ubuntu 16.04.3 in VMware.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Honey Pot / Honey Net.

T50

  • Website: https://gitlab.com/fredericopissarra/t50/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: T50 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Faster network stress tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.

Tang

  • Website: https://github.com/latchset/tang
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Tang is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Server for binding data to network presence; provides data to clients only when they are on a certain (secured) network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > DevSecOps > Policy enforcement.

Tcpdump

  • Website: http://www.tcpdump.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis, Awesome Penetration Testing, Awesome Hacking

What it does: Tcpdump is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Protocol Analyzers and Sniffers.

tcpflow

  • Website: https://github.com/simsong/tcpflow
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: tcpflow is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: tcpflow is a program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Full Packet Capture / Forensic.

tcpick

  • Website: http://tcpick.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: tcpick is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Track and reassemble TCP streams.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

tcpreplay

  • Website: https://tcpreplay.appneta.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing

What it does: tcpreplay is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Suite of free Open Source utilities for editing and replaying previously captured network traffic, originally designed to replay malicious traffic patterns to Intrusion Detection/Prevention Systems.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

tcpxtract

  • Website: http://tcpxtract.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: tcpxtract is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Extract files from network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Network.

TerraSigma

  • Website: https://github.com/Khadinxc/TerraSigma
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: TerraSigma is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A repository of all SIGMA rules converted to Microsoft Sentinel Terraform Scheduled analytic resources. The repository runs on a weekly schedule to update itself and align with the up-to-date version of the SIGMA rules repository. Proper entity mapping is completed for the rules to ensure the repo is plug-and-play.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Monitoring / Logging.

testssl.sh

  • Website: https://github.com/drwetter/testssl.sh
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: testssl.sh is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Transport Layer Security Tools.

tgcd

  • Website: http://tgcd.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: tgcd is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Exfiltration Tools.

THC Hydra

  • Website: https://github.com/vanhauser-thc/thc-hydra
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: THC Hydra is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Online password cracking tool with built-in support for many network protocols, including HTTP, SMB, FTP, telnet, ICQ, MySQL, LDAP, IMAP, VNC, and more.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

The Art of Network Penetration Testing, 2020

  • Website: https://www.manning.com/books/the-art-of-network-penetration-testing
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: The Art of Network Penetration Testing, 2020 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Books.

The Practice of Network Security Monitoring

  • Website: https://nostarch.com/nsm
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Forensics

What it does: The Practice of Network Security Monitoring is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Understanding Incident Detection and Response.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Resources > Books.

tinc

  • Website: https://tinc-vpn.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: tinc is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free Software mesh VPN implemented entirely in userspace that supports expandable network space, bridged ethernet segments, and more.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses > Overlay and Virtual Private Networks (VPNs).

TL:DR: VPN leaks users’ IPs via WebRTC. I’ve tested seventy VPN providers and 16 of them leaks users’ IPs via WebRTC (23%)

  • Website: https://voidsec.com/vpn-leak/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Web Security

What it does: TL:DR: VPN leaks users’ IPs via WebRTC. I’ve tested seventy VPN providers and 16 of them leaks users’ IPs via WebRTC (23%) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Written by .

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Web Security > Miscellaneous.

TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior

  • Website: https://dl.acm.org/doi/pdf/10.1145/3355369.3355601
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: TLS Beyond the Browser: Combining End Host and Network Data to Understand Application Behavior is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

TLS Fingerprints

  • Website: https://tlsfingerprint.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: TLS Fingerprints is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: TLS fingerprints collected from the University of Colorado Boulder campus network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources > Fingerprinting.

tls_prober

  • Website: https://github.com/WestpointLtd/tls_prober
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: tls_prober is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Fingerprint a server's SSL/TLS implementation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Transport Layer Security Tools.

tlsmate

  • Website: https://gitlab.com/guballa/tlsmate
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: tlsmate is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Framework to create arbitrary TLS test cases. Comes with a TLS server scanner plugin.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Transport Layer Security Tools.

Tor

  • Website: https://torproject.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Tor is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Censorship circumvention and anonymizing overlay network providing distributed, cryptographically verified name services (.onion domains) to enhance publisher privacy and service availability.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Transport-layer defenses.

TorForge

  • Website: https://github.com/jery0843/torforge
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: TorForge is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Advanced transparent Tor proxy with kernel-level iptables routing, post-quantum encryption (Kyber768), kill switch, steganography mode, and AI-powered circuit selection.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > VPN.

TraceWrangler

  • Website: https://www.tracewrangler.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: TraceWrangler is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network capture file toolkit that can edit and merge pcap or pcapng files with batch editing features.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

Tracexploit

  • Website: https://code.google.com/archive/p/tracexploit/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Tracexploit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Replay network packets.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

Tsunami

  • Website: https://github.com/google/tsunami-security-scanner
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing

What it does: Tsunami is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

tsurugi

  • Website: https://tsurugi-linux.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Forensics

What it does: tsurugi is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: heavily customized Linux distribution that is designed to support DFIR investigations, malware analysis and OSINT activities. It is based on Ubuntu 20.04 (64-bit, with a 5.15.12 custom kernel).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Scanning / Pentesting.

Letter U

This letter section contains 3 tools.

UFONet

  • Website: https://github.com/epsylon/ufonet
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: UFONet is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Abuses OSI layer 7 HTTP to create/manage 'zombies' and to conduct different attacks using GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > DDoS Tools.

Unfetter

  • Website: https://github.com/unfetter-analytic/unfetter
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Unfetter is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: A reference implementation that provides a framework for collecting events (process creation, network connections, Windows Event Logs, etc.) from a client machine and performing CAR analytics to detect potential adversary activity.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

Use Python & Pandas to Create a D3 Force Directed Network Diagram

  • Website: http://www.austintaylor.io/d3/python/pandas/2016/02/01/create-d3-chart-python-force-directed/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Use Python & Pandas to Create a D3 Force Directed Network Diagram is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Resources.

Letter V

This letter section contains 10 tools.

VAST

  • Website: https://github.com/tenzir/vast
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team, Awesome Threat Detection

What it does: VAST is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source security data pipeline engine for structured event data, supporting high-volume telemetry ingestion, compaction, and retrieval; purpose-built for security content execution, guided threat hunting, and large-scale investigation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

VesselFinder

  • Website: https://www.vesselfinder.com
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: VesselFinder is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: a free AIS vessel tracking web site. VesselFinder displays real-time ship positions and marine traffic detected by the global AIS network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Maritime.

VirusBay

  • Website: https://beta.virusbay.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Malware Analysis

What it does: VirusBay is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Community-Based malware repository and social network.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Malware Analysis > Malware Collection > Malware Corpora.

Visual Investigative Scenarios

  • Website: https://vis.occrp.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Visual Investigative Scenarios is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Social Network Analysis.

Vulnerability as a service: Heartbleed

  • Website: https://hub.docker.com/r/hmlio/vaas-cve-2014-0160/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: Vulnerability as a service: Heartbleed is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Intentionally Vulnerable Systems > Intentionally Vulnerable Systems as Docker Containers.

Vulnerability as a service: Shellshock

  • Website: https://hub.docker.com/r/hmlio/vaas-cve-2014-6271/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: Vulnerability as a service: Shellshock is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Intentionally Vulnerable Systems > Intentionally Vulnerable Systems as Docker Containers.

Vulnerable WordPress Installation

  • Website: https://hub.docker.com/r/wpscanteam/vulnerablewordpress/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Penetration Testing, Awesome Hacking

What it does: Vulnerable WordPress Installation is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Intentionally Vulnerable Systems > Intentionally Vulnerable Systems as Docker Containers.

VulnHub

  • Website: https://www.vulnhub.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome CTF

What it does: VulnHub is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: VM-based resources for hands-on practice in digital security, computer applications, and network administration.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Resources > Wargames.

Vuls

  • Website: https://github.com/future-architect/vuls
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Vuls is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners.

Vuzzer: Application-aware evolutionary fuzzing, 2017

  • Website: https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/vuzzer-application-aware-evolutionary-fuzzing/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: Vuzzer: Application-aware evolutionary fuzzing, 2017 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

Letter W

This letter section contains 17 tools.

w3af

  • Website: https://github.com/andresriancho/w3af
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome CTF

What it does: w3af is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Web application attack and audit framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Wapiti

  • Website: http://wapiti.sourceforge.net/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Wapiti is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Black box web application vulnerability scanner with built-in fuzzer.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

wazuh

  • Website: https://github.com/wazuh/wazuh
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Threat Detection

What it does: wazuh is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Wazuh is a free and open source XDR platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. Great tool for all kinds of deployments; it includes SIEM capabilities (indexing + searching + WUI).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Security Information & Event Management.

WebReaver

  • Website: https://www.webreaver.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: WebReaver is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Commercial, graphical web application vulnerability scanner designed for macOS.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices, 2018

  • Website: http://s3.eurecom.fr/docs/ndss18_muench.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: What You Corrupt Is Not What You Crash: Challenges in Fuzzing Embedded Devices, 2018 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

WhoisDomBot

  • Website: https://t.me/WhoisDomBot
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: WhoisDomBot is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Whois lookup for domains/IPs + dig/trace.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Social Media Tools > Telegram.

Wifi Jammer

  • Website: https://n0where.net/wifijammer/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Hacking

What it does: Wifi Jammer is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Free program to jam all wifi clients in range.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Network > Tools.

WiFi Pineapple

  • Website: https://www.wifipineapple.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: WiFi Pineapple is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Wireless auditing and penetration testing platform.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

wifi-arsenal

  • Website: https://github.com/0x90/wifi-arsenal
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: wifi-arsenal is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Resources for Wi-Fi Pentesting.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

WiFi-Pumpkin

  • Website: https://github.com/P0cL4bs/WiFi-Pumpkin
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: WiFi-Pumpkin is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Framework for rogue Wi-Fi access point attack.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

Wifite

  • Website: https://github.com/derv82/wifite
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Wifite is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Automated wireless attack tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Wireless Network Tools.

WINNIE: Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021

  • Website: https://taesoo.kim/pubs/2021/jung:winnie.pdf
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Fuzzing

What it does: WINNIE: Fuzzing Windows Applications with Harness Synthesis and Fast Cloning, 2021 is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Fuzzing > Papers > The Network and Distributed System Security Symposium (NDSS).

WireEdit

  • Website: https://wireedit.com/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: WireEdit is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Full stack WYSIWYG pcap editor (requires a free license to edit packets).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Traffic Replay and Editing Tools.

wireshark

  • Website: https://www.wireshark.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Malware Analysis, Awesome Cybersecurity Blue Team, Awesome Penetration Testing, Awesome Cyber Security Tools, Awesome Hacking, Awesome CTF, Awesome Forensics

What it does: wireshark is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

Wireshark Extensions

  • Website: https://www.honeynet.org/project/WiresharkExtensions
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Honeypots

What it does: Wireshark Extensions is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Apply Snort IDS rules and signatures against packet capture files using Wireshark.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Contents > Honeypots.

WPScan

  • Website: https://wpscan.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: WPScan is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Black box WordPress vulnerability scanner.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Vulnerability Scanners > Web Vulnerability Scanners.

Wynyard Group

  • Website: https://wynyardgroup.com
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: Wynyard Group is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Social Network Analysis.

Letter X

This letter section contains 1 tool.

Xplico

  • Website: http://www.xplico.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security

What it does: Xplico is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: The goal of Xplico is to extract the application data contained in an internet traffic capture. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT).

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > Full Packet Capture / Forensic.

Letter Z

This letter section contains 9 tools.

Zarp

  • Website: https://github.com/hatRiot/zarp
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing

What it does: Zarp is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Network attack tool centered around the exploitation of local networks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools.

Zeek

  • Website: https://zeek.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Cybersecurity Blue Team

What it does: Zeek is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Security monitoring > Network Security Monitoring (NSM).

Zeek

  • Website: https://github.com/zeek/zeek
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Zeek is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Zeek (formerly Bro) is a network security monitoring tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Network Monitoring.

Zeek

  • Website: https://www.zeek.org
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome CTF

What it does: Zeek is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An open-source network security monitor.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Networking.

Zeek Analysis Tools (ZAT)

  • Website: https://github.com/SuperCowPowers/zat
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Threat Detection

What it does: Zeek Analysis Tools (ZAT) is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Processing and analysis of Zeek network data with Pandas, scikit-learn, Kafka and Spark.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

zeek2es

  • Website: https://github.com/corelight/zeek2es
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Security, Awesome Threat Detection

What it does: zeek2es is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: An open source tool to convert Zeek logs to Elastic/OpenSearch. You can also output pure JSON from Zeek's TSV logs!

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Network > IDS / IPS / Host IDS / Host IPS.

zmap

  • Website: https://zmap.io/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome CTF

What it does: zmap is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Open source network scanner that enables researchers to easily perform Internet-wide network studies.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Network Tools > Network Reconnaissance Tools.

ZoomEye

  • Website: https://www.zoomeye.org/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome Penetration Testing, Awesome Web Security

What it does: ZoomEye is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: Search engine for cyberspace that lets the user find specific network components.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT) > Network device discovery tools.

ZoomEye

  • Website: https://www.zoomeye.ai/
  • Model: Open Source
  • Category: Network Security Monitoring
  • Source Lists: Awesome OSINT

What it does: ZoomEye is used in network security monitoring programs to support traffic inspection, anomaly detection, and packet-level investigations. Source summaries describe it as: ZoomEye is a cyberspace search engine for IPs, domains, internet asset discovery, and exposure analysis of servers, routers, and webcams.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Speciality Search Engines.
