Open-Source Cybersecurity Tools: SOAR & Automation

This category contains 43 documented tools. It focuses on capabilities used for incident playbook execution, enrichment automation, and response task orchestration. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Letter #

This letter section contains 1 tool.

autosecure

  • Website: https://github.com/vincentkoc/autosecure
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cyber Security Tools

What it does: autosecure is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Threat-feed IP block automation for Linux and macOS firewalls.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Malware Analysis > Threat Intelligence.

Letter A

This letter section contains 2 tools.

Ansible Lockdown

  • Website: https://ansiblelockdown.io/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Ansible Lockdown is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Curated collection of information security themed Ansible roles that are both vetted and actively maintained.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention.

automation

  • Website: https://megamorf.gitlab.io/2020/07/19/automating-the-windows-sandbox/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome SOC

What it does: automation is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. No source summary is recorded for this entry.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Letter C

This letter section contains 4 tools.

Catalyst

  • Website: https://github.com/SecurityBrewery/catalyst
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Incident Response, Awesome Forensics

What it does: Catalyst is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: A free SOAR system that helps to automate alert handling and incident response processes.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

censys-python

  • Website: https://github.com/censys/censys-python
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: censys-python is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Python wrapper for the Censys REST API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Code libraries and bindings.

Clevis

  • Website: https://github.com/latchset/clevis
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Clevis is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Pluggable framework for automated decryption, often used as a Tang client.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention.

CORTEX XSOAR

  • Website: https://www.paloaltonetworks.com/cortex/xsoar
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Incident Response

What it does: CORTEX XSOAR is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Palo Alto security orchestration, automation and response platform with full incident lifecycle management and many integrations to enhance automations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Letter D

This letter section contains 5 tools.

DATA

  • Website: https://github.com/hadojae/DATA
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: DATA is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Credential phish analysis and automation tool that can accept suspected phishing URLs directly or trigger on observed network traffic containing such a URL.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Threat intelligence.

Decker

  • Website: https://github.com/stevenaldinger/decker
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Penetration Testing

What it does: Decker is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Penetration testing orchestration and automation framework, which allows writing declarative, reusable configurations capable of ingesting variables and using the outputs of tools it has run as inputs to others.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Multi-paradigm Frameworks.

Dev-Sec.io

  • Website: https://dev-sec.io/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Dev-Sec.io is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention.

Dispatch

  • Website: https://github.com/Netflix/dispatch
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Threat Detection

What it does: Dispatch is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: An open-source crisis management orchestration framework.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools.

dorks

  • Website: https://github.com/USSCltd/dorks
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Penetration Testing

What it does: dorks is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Google hack database automation tool.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Penetration Testing > Open Sources Intelligence (OSINT) > Dorking tools.

Letter E

This letter section contains 1 tool.

ElastAlert

  • Website: https://github.com/Yelp/elastalert
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Threat Detection

What it does: ElastAlert is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: A framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Threat Detection and Hunting > Tools > Detection, Alerting and Automation Platforms.

Letter F

This letter section contains 2 tools.

Falcon Orchestrator

  • Website: https://github.com/CrowdStrike/falcon-orchestrator
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Incident Response

What it does: Falcon Orchestrator is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Extendable Windows-based application that provides workflow automation, case management and security response functionality.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Incident Response > IR Tools Collection > All-In-One Tools.

ForensicMiner

  • Website: https://github.com/securityjoes/ForensicMiner
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Forensics

What it does: ForensicMiner is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: A PowerShell-based DFIR automation tool for artifact and evidence collection on Windows machines.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Forensics > Tools > Acquisition.

Letter I

This letter section contains 1 tool.

IntelMQ

  • Website: https://github.com/certtools/intelmq/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Security, Awesome Forensics

What it does: IntelMQ is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins, and tweets using a message queue protocol. It is a community-driven initiative called IHAP (Incident Handling Automation Project), which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Security > Threat Intelligence.

Letter L

This letter section contains 2 tools.

libcrafter

  • Website: https://github.com/pellegre/libcrafter
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: libcrafter is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: High-level C++ network packet sniffing and crafting library.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Code libraries and bindings.

LinkScope

  • Website: https://accentusoft.com/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome OSINT

What it does: LinkScope is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: LinkScope is an open source intelligence (OSINT) graphical link analysis tool and automation platform for gathering and connecting information for investigative tasks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Other Tools.

Letter M

This letter section contains 1 tool.

Market Guide for Security Orchestration, Automation and Response Solutions

  • Website: https://fr.scribd.com/document/619736260/Gartner-Market-Guide-for-Security-Orchestration-Automation
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome SOC

What it does: Market Guide for Security Orchestration, Automation and Response Solutions is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Letter P

This letter section contains 8 tools.

Password Manager Resources

  • Website: https://github.com/apple/password-manager-resources
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Password Manager Resources is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Collaborative, crowd-sourced data and code to make password management better.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention.

peepdf

  • Website: https://eternal-todo.com/tools/peepdf-pdf-analysis-tool
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team, Awesome Penetration Testing

What it does: peepdf is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Python tool to explore PDF files in order to find out whether the file can be harmful or not.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention.

PINCE

  • Website: https://github.com/korcankaraokcu/PINCE
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome CTF

What it does: PINCE is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: GDB front-end/reverse engineering tool, focused on game-hacking and automation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Solve > Reversing.

Posh-VirusTotal

  • Website: https://github.com/darkoperator/Posh-VirusTotal
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Posh-VirusTotal is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: PowerShell interface to VirusTotal.com APIs.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Code libraries and bindings.

Pyba

  • Website: https://github.com/fauvidoTechnologies/PyBrowserAutomation/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome OSINT

What it does: Pyba is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: A low-code browser automation framework for searching the web and performing OSINT using DFS and BFS modes, ideal for exploratory tasks.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome OSINT > Other Tools.

PyREBox

  • Website: https://talosintelligence.com/pyrebox
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: PyREBox is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Python-scriptable reverse engineering sandbox, based on QEMU.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention.

python-dshield

  • Website: https://github.com/rshipp/python-dshield
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: python-dshield is used in SOAR & Automation programs to support incident playbook execution, enrichment automation, and response task orchestration. Source summaries describe it as: Pythonic interface to the Internet Storm Center/DShield API.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Code libraries and bindings.

Back to Name Jump

python-stix2

  • Website: https://github.com/oasis-open/cti-python-stix2
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: python-stix2 is the OASIS-maintained Python library for STIX 2: creating, validating, serialising and parsing STIX objects such as indicators, sightings, malware and relationships, plus higher-level helpers for environments, data stores and pattern handling. Source summaries describe it as: Python APIs for serializing and de-serializing Structured Threat Information eXpression (STIX) JSON content, plus higher-level APIs for common tasks. For automation it is the layer that turns playbook results into shareable, machine-readable threat intelligence and that parses STIX received from feeds and TAXII servers.

Operational value: Emitting STIX from playbooks, with validated object structure and stable identifiers, lets detection, intelligence and response teams exchange the same indicator without re-typing it; a sighting recorded by a response step can flow back to the feed the indicator came from.

Typical deployment pattern: Start with one object type (usually indicators with simple patterns), agree an identifier scheme so that re-running a playbook updates objects instead of duplicating them, and validate the output against a real consumer such as a TAXII server before wiring it into production playbooks.

Selection considerations: It is a library, not a platform; storage, transport (TAXII) and access control are yours to provide. Check which STIX version your consumers expect (2.0 or 2.1) and pin the library release accordingly. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Code libraries and bindings.
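The enrichment step that the python-dshield and python-stix2 entries describe, written out end to end as an added example (not code from either project): a DShield-style report for one address is normalised, turned into a triage score, and emitted as a STIX 2.1 bundle containing an indicator and a sighting. It uses only the standard library so it runs offline; the report is a constructed sample whose field names are an assumption about the DShield response shape, the score thresholds are illustrative, the id namespace is a made-up organisation value, and the STIX objects are plain dicts that python-stix2 would normally build and validate for you.

```python
"""Enrichment step: DShield-style IP report -> triage score -> STIX 2.1 bundle.

Added example, not code from python-dshield or python-stix2. Standard library
only. The report below is a constructed sample in the assumed shape of an ISC
DShield /api/ip response; thresholds and the id namespace are illustrative.
"""
import json
import uuid
from datetime import date

# Constructed sample report for one address (assumed DShield field names).
# DShield returns its counters as strings, which the parser has to handle.
SAMPLE_DSHIELD_REPORT = {
    "ip": {
        "number": "203.0.113.45",
        "count": "1473",        # total reports received for this IP
        "attacks": "212",       # distinct reporting targets
        "mindate": "2024-04-28",
        "maxdate": "2024-05-02",
        "asname": "EXAMPLE-AS",
    }
}

# Assumed per-organisation namespace; fixed so ids are stable across runs.
ID_NAMESPACE = uuid.UUID("9a0c1a3e-5d2f-4a1b-8e5c-2f0e5b7c1d11")


def parse_dshield_ip(report):
    """Normalise a report: string counters become ints, missing fields 0/None."""
    body = report.get("ip") or {}

    def as_int(key):
        try:
            return int(body.get(key))
        except (TypeError, ValueError):
            return 0

    return {
        "ip": body.get("number") or "",
        "count": as_int("count"),
        "attacks": as_int("attacks"),
        "first_seen": body.get("mindate"),
        "last_seen": body.get("maxdate"),
        "asname": body.get("asname") or "",
    }


def triage_score(rec, today):
    """Map the counters to 0..100. No reports scores 0, which means 'no sensor
    data', not 'benign': the caller must treat 0 as unknown. `today` is an
    ISO date string so the recency check is deterministic."""
    if rec["count"] == 0:
        return 0
    score = min(60, rec["attacks"] // 4)     # breadth of targets weighs most
    score += min(30, rec["count"] // 100)    # then raw volume
    if rec["last_seen"]:
        age = (date.fromisoformat(today) - date.fromisoformat(rec["last_seen"])).days
        if age <= 7:
            score += 10                      # then recency
    return min(100, score)


def stix_id(kind, *parts):
    """Deterministic UUIDv5 ids: re-running the playbook on the same address
    updates the existing objects instead of creating duplicates."""
    return f"{kind}--{uuid.uuid5(ID_NAMESPACE, '|'.join(str(p) for p in parts))}"


def to_stix_bundle(rec, score, created):
    """Indicator plus a Sighting carrying DShield's counters; None when there is
    nothing worth sharing. `created` is an RFC 3339 timestamp string."""
    ipv4 = rec["ip"]
    if not ipv4 or score == 0:
        return None
    indicator_id = stix_id("indicator", "ipv4", ipv4)
    indicator = {
        "type": "indicator", "spec_version": "2.1", "id": indicator_id,
        "created": created, "modified": created,
        "name": f"DShield-reported source {ipv4} ({rec['asname'] or 'unknown AS'})",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[ipv4-addr:value = '{ipv4}']", "pattern_type": "stix",
        "valid_from": created,
        "confidence": score,                 # STIX confidence is 0..100
        "labels": ["dshield", "enrichment"],
    }
    sighting = {
        "type": "sighting", "spec_version": "2.1",
        "id": stix_id("sighting", "dshield", ipv4, rec["first_seen"], rec["last_seen"]),
        "created": created, "modified": created,
        "sighting_of_ref": indicator_id,
        "count": min(rec["count"], 999999999),   # spec upper bound for count
        "description": f"Reported by {rec['attacks']} DShield targets",
    }
    if rec["first_seen"]:
        sighting["first_seen"] = f"{rec['first_seen']}T00:00:00.000Z"
    if rec["last_seen"]:
        sighting["last_seen"] = f"{rec['last_seen']}T00:00:00.000Z"
    return {"type": "bundle", "id": stix_id("bundle", "dshield", ipv4, created),
            "objects": [indicator, sighting]}


def enrich(report, today, created):
    """The whole playbook step: parse -> score -> STIX JSON string (or None)."""
    rec = parse_dshield_ip(report)
    score = triage_score(rec, today)
    bundle = to_stix_bundle(rec, score, created)
    return score, (json.dumps(bundle, sort_keys=True) if bundle else None)


if __name__ == "__main__":
    s, stix_json = enrich(SAMPLE_DSHIELD_REPORT, "2024-05-04", "2024-05-04T09:00:00.000Z")
    print(s)
    print(stix_json)
```

The design choice worth copying is the deterministic id: a playbook that runs on every alert will see the same address many times, and random ids would flood the feed with duplicate indicators instead of updating one. The score-zero branch is the other point: it returns no bundle at all, so "DShield has never heard of it" can never be published as an indicator.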

Back to Name Jump

Letter R

This letter section contains 2 tools.

Red Team Automation (RTA)

  • Website: https://github.com/endgameinc/RTA
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Incident Response, Awesome Threat Detection

What it does: Red Team Automation (RTA), from Endgame, is a set of Python scripts that each execute one piece of adversary tradecraft on a test host, mapped to MITRE ATT&CK techniques, so that blue teams can check whether their telemetry and detection rules pick it up. Source summaries describe it as: RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK. It is a detection-validation tool rather than a SOAR component: it produces the events that rules and playbooks are supposed to react to.

Operational value: Running a known technique and recording which alert, if any, fires turns detection coverage from an assumed property into a measured one, and exposes the gap between "we log it" and "we detect it" per technique.

Typical deployment pattern: Run on isolated or clearly labelled lab hosts with the production endpoint sensors attached, one script at a time, and record the expected technique alongside the observed alerts. The useful artefact is the resulting coverage table, not the run itself.

Selection considerations: The scripts perform real actions on the host (creating files and processes and, in some tests, registry changes), so treat them as such in change control and EDR exclusion policy, and keep them off production systems. Check how actively the repository is maintained and whether its technique set still lines up with the ATT&CK version you report against. Related source context: Awesome Incident Response > IR Tools Collection > Adversary Emulation.
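The half of the exercise that RTA does not do for you, as an added example (not RTA's code): after the scripts have run, each emulated technique is checked against the telemetry that reached the SIEM and a coverage table is produced, including the technique that was emulated but has no rule at all. The events, rules and expected list are constructed samples; the event field names are loosely modelled on process-creation telemetry and are an assumption, and nothing here queries a real SIEM.

```python
"""Closing the loop on an RTA run: expected technique -> did a detection fire?

Added example, not RTA code. Events, rules and the expected list are
constructed samples (field names are an assumption); no SIEM is contacted.
"""
import json
import re

# Constructed telemetry as it might land in the SIEM after three RTA tests plus
# one benign process, in an assumed process-creation event shape.
SAMPLE_EVENTS = [
    {"host": "lab-win10", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"cmd.exe /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /t REG_SZ /d C:\Users\Public\a.exe"},
    {"host": "lab-win10", "image": r"C:\Windows\System32\whoami.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "whoami /all"},
    {"host": "lab-win10", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe", "cmdline": "svchost.exe -k netsvcs"},
]

# Detection rules as (technique id, name, predicate over one event). They are
# deliberately plain so that the predicate itself is reviewable and testable.
RULES = [
    ("T1547.001", "Run key persistence via reg.exe",
     lambda e: re.search(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run\b",
                         e["cmdline"], re.I) is not None),
    ("T1033", "System owner/user discovery",
     lambda e: e["image"].lower().endswith(r"\whoami.exe")),
    ("T1059.003", "Command shell spawned by a script host",
     lambda e: e["image"].lower().endswith(r"\cmd.exe")
     and e["parent"].lower().endswith((r"\wscript.exe", r"\cscript.exe"))),
]

# What each emulation test is expected to trigger: (test name, technique id).
# In a real run this list is derived from the RTA scripts you executed.
EXPECTED = [
    ("run_key_persistence", "T1547.001"),
    ("user_discovery", "T1033"),
    ("script_spawns_shell", "T1059.003"),
    ("lsass_dump", "T1003.001"),   # emulated, but no rule exists: a known gap
]


def fired_techniques(events, rules=RULES):
    """Technique ids whose rule matched at least one event."""
    return {tid for tid, _name, pred in rules if any(pred(e) for e in events)}


def coverage_report(expected=EXPECTED, events=SAMPLE_EVENTS, rules=RULES):
    """Compare what was emulated with what fired. 'unexpected' lists rules that
    fired although nothing in the test plan should have triggered them; in a
    lab run that is either a noisy rule or an unplanned action on the host."""
    fired = fired_techniques(events, rules)
    planned = {t for _, t in expected}
    detected = sorted(planned & fired)
    missed = sorted(planned - fired)
    return {
        "detected": detected,
        "missed": missed,
        "unexpected": sorted(fired - planned),
        "ratio": round(len(detected) / len(planned), 2) if planned else 0.0,
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(), indent=2))
```

The "missed" list is the deliverable: T1003.001 was emulated, produced whatever telemetry the sensor gives, and no rule looked at it. That is the finding an RTA run exists to surface, and it only appears when the expected list is written down before the scripts are run.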

Back to Name Jump

Rudder

  • Website: http://www.rudder-project.org/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Security

What it does: Rudder is a configuration management and continuous compliance tool, not an incident orchestration platform; its source list files it under configuration management. Source summaries describe it as: Rudder is an easy to use, web-driven, role-based solution for IT Infrastructure Automation & Compliance. Automate common system administration tasks (installation, configuration); Enforce configuration over time (configuring once is good, ensuring that configuration is valid and automatically fixing it is better); Inventory of all managed nodes; Web interface to configure and manage nodes and their configuration; Compliance reporting, by configuration and/or by node. Its place in a security automation program is on the enforcement side: declaring a hardening baseline, applying it, detecting drift and repairing it, and reporting compliance per rule and per node.

Operational value: Continuous enforcement means a control that was fixed during an incident stays fixed, and the compliance reports give detection and response teams a current view of which hosts deviate from baseline.

Typical deployment pattern: Agent-based. Start with inventory and audit (report-only) mode on a pilot group of nodes, move rules to enforce once the changes they would make are understood, and keep change control on rule edits, since an enforced rule is applied fleet-wide.

Selection considerations: Check the license and which features are in the open-source edition as opposed to a subscription, and how the agent is distributed and updated on your platforms. Related source context: Awesome Security > Endpoint > Configuration Management.

Back to Name Jump

Letter S

This letter section contains 10 entries. Several are not tools (vendor and reference documents), and Shuffle and SpiderFoot each appear more than once because they were taken from different source lists.

Security orchestration for dummies

  • Website: https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/cortex-xsoar/Security-Orchestration-For-Dummies-Demisto-Special-Edition.pdf
  • Model: Vendor-published document (PDF); not software
  • Category: SOAR & Automation
  • Source Lists: Awesome SOC

What it does: This is not a tool. It is a vendor e-book, the Demisto special edition of "Security Orchestration for Dummies" (Demisto is now Palo Alto Networks Cortex XSOAR), that introduces the SOAR concepts this category covers: playbooks, case management, tool integration and automation of repetitive analyst tasks. The source list includes it as background reading.

Operational value: Useful for establishing shared vocabulary before a SOAR evaluation. It is written from one vendor's perspective, so treat its framing of requirements as a starting point rather than a checklist.

Typical deployment pattern: Not applicable; there is no software to deploy.

Selection considerations: Not applicable to tool selection; pair it with vendor-neutral material when writing evaluation criteria. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Shuffle

  • Website: https://github.com/frikky/Shuffle
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Incident Response

What it does: Shuffle is an open-source SOAR platform: a graphical workflow builder in which apps (API integrations) are chained into automations that run on triggers such as webhooks and schedules. Source summaries describe it as: A general purpose security automation platform focused on accessibility. This entry, the shuffler.io entry and the Shuffle/Shuffle entry below all refer to the same project, listed from three source lists; frikky/Shuffle is the original author's repository location and the Shuffle organization repository is the current one.

Operational value: This is where the consistency argument applies most directly: a workflow encodes who is notified, what gets enriched and which containment actions are allowed, so the handling is the same regardless of which analyst picks up the alert.

Typical deployment pattern: Self-hosted. Pilot with read-only workflows (enrichment, ticket creation, notifications) before enabling actions that change state such as isolating a host or blocking an address, and scope every API key the platform stores to the minimum the workflow needs, since the SOAR becomes the holder of credentials for every integrated tool.

Selection considerations: Compare the self-hosted edition with the hosted and commercial offerings, and check which apps are maintained by the project and which are community contributions, since integration quality varies. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump

Shuffle

  • Website: https://shuffler.io/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Same project as the other two Shuffle entries in this section, listed here from its website. Source summaries describe it as: Graphical generalized workflow (automation) builder for IT professionals and blue teamers. The workflow builder is the user-facing part of the platform; apps, triggers and execution run behind it.

Operational value: As above for Shuffle: workflows make the alert-handling decision explicit and repeatable across teams.

Typical deployment pattern: As above for Shuffle: pilot with non-destructive workflows, then add state-changing actions under change control.

Selection considerations: As above for Shuffle. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention > Security Orchestration, Automation, and Response (SOAR).

Back to Name Jump

Shuffle

  • Website: https://github.com/Shuffle/Shuffle
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Threat Detection

What it does: Same project as the other two Shuffle entries in this section, listed here from the Shuffle organization repository, which is the current location of the source. Source summaries describe it as: A general purpose security automation platform.

Operational value: As above for Shuffle: workflows make the alert-handling decision explicit and repeatable across teams.

Typical deployment pattern: As above for Shuffle: pilot with non-destructive workflows, then add state-changing actions under change control.

Selection considerations: As above for Shuffle; this repository is the one to watch for maintainer activity and release cadence. Related source context: Awesome Threat Detection and Hunting > Tools > Detection, Alerting and Automation Platforms.

Back to Name Jump

SOAR

  • Website: https://soar.earth/
  • Model: Hosted web platform (geospatial imagery); not open-source software
  • Category: SOAR & Automation
  • Source Lists: Awesome OSINT

What it does: Misfiled by name. Soar (soar.earth) is a web platform for satellite and aerial imagery and maps, which its source list places under geospatial research and mapping tools. It is not a security orchestration, automation and response product and has no role in this category; its relevance to security teams is OSINT, for physical-site and geolocation research.

Operational value: Limited to OSINT investigations that need imagery. It does not execute playbooks or enrich security alerts.

Typical deployment pattern: Not applicable; it is a hosted service.

Selection considerations: Not an open-source project. Evaluate it as an OSINT data source under the OSINT category instead of here. Related source context: Awesome OSINT > ↑ Geospatial Research and Mapping Tools.

Back to Name Jump

SOAR

  • Website: https://github.com/cyb3rxp/awesome-soc/blob/main/soar.md
  • Model: Reference document (Markdown page in a curated list); not software
  • Category: SOAR & Automation
  • Source Lists: Awesome SOC

What it does: Not a tool. This is the SOAR page of the Awesome SOC repository, a curated reference on security orchestration, automation and response written for SOC and CSIRT teams. It belongs with the reading material for this category rather than with the software.

Operational value: Useful when defining what you expect a SOAR to do before shortlisting products; it carries no operational capability of its own.

Typical deployment pattern: Not applicable.

Selection considerations: Use it as an input to evaluation criteria, and check its revision history to see how current it is. Related source context: Table of Content.

Back to Name Jump

SOAR Data quadrant awards

  • Website: https://swimlane.com/resources/reports/soar-quadrant/
  • Model: Vendor-hosted market report; not software
  • Category: SOAR & Automation
  • Source Lists: Awesome SOC

What it does: Not a tool. This is a market report on SOAR products hosted by Swimlane, itself a SOAR vendor, which the source list cites as context for choosing a platform.

Operational value: Background for a vendor comparison only. Read it with the hosting vendor's interest in mind.

Typical deployment pattern: Not applicable.

Selection considerations: Not applicable to the report itself; if it feeds a shortlist, confirm the publication date and the edition of the underlying survey, since SOAR product lines change quickly. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Back to Name Jump

Spiderfoot

  • Website: http://www.spiderfoot.net/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Penetration Testing, Awesome Web Security

What it does: SpiderFoot is an open-source OSINT automation tool: given a seed such as a domain, IP address, e-mail address or name, it runs a configurable set of modules that query public sources and correlates the results in a web UI. Source summaries describe it as: Multi-source OSINT automation tool with a Web UI and report visualizations. This entry and the SpiderFoot entry below are the same tool, listed from different source lists. In a SOAR context it serves attack-surface discovery and enrichment of externally facing assets rather than playbook execution.

Operational value: One scan definition run the same way each time gives comparable snapshots of an organisation's external footprint, which response teams can use to check whether an indicator from an alert belongs to their own infrastructure.

Typical deployment pattern: Self-hosted with its web UI; most of the value depends on which modules are enabled and which third-party API keys are configured, so start with passive modules and expand deliberately.

Selection considerations: Some modules actively probe the target rather than only querying third parties, so scans need the same authorisation as any other recon activity; scope targets accordingly. Related source context: Awesome Web Security > Tools > Reconnaissance > OSINT - Open-Source Intelligence.

Back to Name Jump

SpiderFoot

  • Website: https://www.spiderfoot.net
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome OSINT

What it does: Same tool as the Spiderfoot entry above, listed here from the OSINT source list. Source summaries describe it as: SpiderFoot is an open source intelligence (OSINT) automation platform with over 200 modules for threat intelligence, attack surface monitoring, security assessments and asset discovery.

Operational value: As above for SpiderFoot: repeatable external-footprint scans and indicator enrichment.

Typical deployment pattern: As above for SpiderFoot: self-hosted, passive modules first, API keys added deliberately.

Selection considerations: As above for SpiderFoot; check which modules are active against the target before scanning anything you do not own. Related source context: Awesome OSINT > ↑ Other Tools.

Back to Name Jump

Sublime

  • Website: https://github.com/sublime-security/sublime-platform
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Threat Detection

What it does: Sublime is an email security platform in which detections are written as code, in its Message Query Language (MQL), and evaluated against inbound mail to alert on and remediate threats such as phishing. Source summaries describe it as: An open platform for detection, response, and threat hunting in email environments. Sublime lets you write advanced detections as code to alert and remediate threats like phishing in real-time. It fits this category as a detection and response engine for one channel, email, rather than as a general orchestrator.

Operational value: Rules as code can be reviewed, versioned and tested like any other detection content, and the same rule produces the same verdict for every analyst, which is the consistency this category is about.

Typical deployment pattern: Connect it to the mail platform, run new rules in a non-blocking mode against live mail to measure false positives, then enable automated actions for rules whose precision is understood.

Selection considerations: The platform needs broad read, and for remediation write, access to mailboxes; scope that access and audit its use. The public detection rules are published on GitHub, so check the license terms for the platform components you intend to self-host as well as the rules. Related source context: Awesome Threat Detection and Hunting > Tools > Detection, Alerting and Automation Platforms.

Back to Name Jump

Letter V

This letter section contains 1 tool.

VolatilityBot

  • Website: https://github.com/mkorman90/VolatilityBot
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Incident Response

What it does: VolatilityBot automates the early steps of memory analysis and malware extraction on top of the Volatility framework: it drives the relevant plugins, pulls injected code and unpacked binaries out of memory, and hands the investigator a set of artefacts instead of a blank prompt. Source summaries describe it as: Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation.

Operational value: The first pass over a memory image is the same for every image, so scripting it gives consistent triage output and frees analysts for the parts that need judgement.

Typical deployment pattern: Run on an analysis host alongside the memory-acquisition step of the incident playbook, with its output stored with the case.

Selection considerations: Confirm which Volatility version, operating system profiles and memory image formats it supports before integrating it, since the Volatility framework itself has moved on and an older wrapper may not follow; also check repository activity. Related source context: Awesome Incident Response > IR Tools Collection > Memory Analysis Tools.

Back to Name Jump

Letter W

This letter section contains 1 tool.

Watchtower

  • Website: https://containrrr.dev/watchtower/
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Cybersecurity Blue Team

What it does: Watchtower is an automation tool for Docker hosts, not a SOAR component: it watches running containers, checks their registries for newer images, and replaces the containers with the updated image. Source summaries describe it as: Container-based solution for automating Docker container base image updates, providing an unattended upgrade experience. Its relevance here is patch automation, keeping container workloads on current images without a manual rebuild.

Operational value: Shortens the time between an upstream image fix and its deployment, which matters for vulnerabilities in base images; the cost is that "unattended" means the host will run whatever the registry serves under that tag next.

Typical deployment pattern: Watchtower needs the Docker socket mounted into its container, which is control of the Docker API and therefore root-equivalent on the host, so treat that container as a privileged component. Start in monitor-only mode with notifications, opt containers in explicitly rather than updating everything, and schedule updates inside a change window.

Selection considerations: Decide whether unattended registry pulls fit your supply-chain policy: mutable tags mean the running image can change without a review step, so pair it with image signing or digest pinning where a change must be approved first. Related source context: Awesome Cybersecurity Blue Team > Automation and Convention.
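Two Compose fragments for the same Watchtower service, as an added example that is not from the Watchtower documentation: the first is the "update everything, unattended" shape that gets copied from quick-start guides, the second opts containers in by label, notifies instead of restarting, and runs in a fixed window. The Watchtower image name, environment variables and the enable label are the project's own; the application image name, registry and the schedule are placeholders chosen for the example.

```yaml
# Added example, not Watchtower's own documentation.
# Application image, registry and schedule below are placeholders.

# --- Weak: every container on the host is replaced whenever its tag moves
#     upstream, with no review step and no record beyond the container logs.
services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      # Docker API access: root-equivalent on the host, whatever else is set.
      - /var/run/docker.sock:/var/run/docker.sock
    command: --interval 300 --cleanup     # poll every 5 minutes, prune old images
---
# --- Scoped: opt-in per container, detect-and-notify only, scheduled window.
services:
  watchtower:
    image: containrrr/watchtower
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      WATCHTOWER_LABEL_ENABLE: "true"     # only containers carrying the enable label
      WATCHTOWER_MONITOR_ONLY: "true"     # report new images; do not replace containers
      WATCHTOWER_CLEANUP: "true"
      WATCHTOWER_SCHEDULE: "0 0 3 * * 1"  # 6-field cron: 03:00 every Monday (placeholder window)
    restart: unless-stopped

  app:
    image: registry.example.internal/team/app:1.4.2   # placeholder; explicit tag, not :latest
    labels:
      com.centurylinklabs.watchtower.enable: "true"   # this container opts in

  db:
    image: registry.example.internal/team/db:12.3     # placeholder; no label, never touched
```

With monitor-only set, the second configuration turns Watchtower into a signal ("image X has a newer tag") that a change ticket or a playbook can act on, rather than a process that changes production on its own; flipping that one variable back is the decision that deserves the approval, not the installation of the tool.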

Back to Name Jump

Letter X

This letter section contains 1 tool.

XRay

  • Website: https://github.com/evilsocket/xray
  • Model: Open Source
  • Category: SOAR & Automation
  • Source Lists: Awesome Penetration Testing, Awesome Web Security

What it does: XRay, by evilsocket, is a reconnaissance tool: starting from a domain, it enumerates hosts and gathers information about them from public sources, and presents the results in a web interface. Source summaries describe it as: XRay is a tool for recon, mapping and OSINT gathering from public networks. It belongs to the recon stage of an assessment rather than to playbook execution; its only SOAR-adjacent use is as an enrichment source for externally facing assets.

Operational value: A repeatable map of what an organisation exposes publicly, which response teams can compare against alerts that name external hosts.

Typical deployment pattern: Run from an analysis host against domains you own or are authorised to assess, with results exported into the asset inventory rather than left in the tool.

Selection considerations: Enumeration generates queries that third parties and the target can observe, so it needs the same authorisation as any other recon activity. Check repository activity and which public data sources it still supports before relying on it. Related source context: Awesome Web Security > Tools > Reconnaissance > OSINT - Open-Source Intelligence.

Back to Name Jump

Letter Z

This letter section contains 1 tool.

Zenduty

  • Website: https://www.zenduty.com
  • Model: Commercial SaaS; not open-source software
  • Category: SOAR & Automation
  • Source Lists: Awesome Incident Response

What it does: Zenduty is a commercial incident management and on-call service, not an open-source tool, and it orchestrates people rather than security actions: alert routing, escalation policies, on-call schedules and incident timelines. Source summaries describe it as: Zenduty is a novel incident management platform providing end-to-end incident alerting, on-call management and response orchestration, giving teams greater control and automation over the incident management lifecycle. In a security program it sits beside a SOAR as the paging and escalation layer.

Operational value: A single, auditable path from "alert fired" to "named responder acknowledged", which is the ownership clarity the category checklist asks for when triage is spread across teams.

Typical deployment pattern: Integrate it with the SIEM or SOAR as the notification target for escalations, define escalation policies per service, and test the paging path regularly.

Selection considerations: Evaluate as a commercial service: pricing, data residency, and the access its integrations need into alerting and ticketing systems. Related source context: Awesome Incident Response > IR Tools Collection > Incident Management.

Back to Name Jump