Open-Source Cybersecurity Tools: SOC Operations

← Back to Open-Source Cybersecurity Tools Hub | Full Open Source Catalog | Main Atlas

This category contains 182 documented tools. It focuses on capabilities used for baseline hardening, monitoring integration, and defense-in-depth validation. Use this section when building shortlists, comparing operational tradeoffs, and mapping controls to detection/response ownership.

Category Evaluation Checklist

  • Coverage depth against your highest-priority threats and compliance obligations.
  • Operational overhead for deployment, tuning, and long-term maintenance.
  • Signal quality versus analyst workload and false-positive pressure.
  • Integration fit with SIEM, ticketing, identity, cloud, and engineering workflows.
  • Governance readiness including auditability, ownership clarity, and change control.

Jump by Name

# | 1 | 2 | 3 | A | B | C | D | E | F | G | H | I | K | L | M | N | O | P | R | S | T | U | V | W | X | Y | Z

Letter #

This letter section contains 1 entry.

"While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack... initial investigations suggest that an error in the implementation of our defences amplified the impact of the attack rather than mitigating it"

  • Website: https://www.bbc.com/news/articles/c903e793w74o
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: This entry is not a tool. It is a BBC News report on a service outage whose initial trigger was a DDoS attack; the quoted sentence is the affected organisation's statement that an error in the implementation of its own defences amplified the attack's impact instead of mitigating it. The Awesome SOC list files it as must-read material for SOC and CERT/CSIRT teams.

Operational value: A documented case of a mitigation control becoming the cause of impact. It is a useful prompt for checking whether your own DDoS and failover mechanisms have been exercised under realistic load rather than only configured.

Typical deployment pattern: Reading material; nothing to deploy. Read it alongside your DDoS response runbook and record any untested assumptions it exposes.

Selection considerations: Free to read; no software to maintain. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Letter 1

This letter section contains 2 tools.

11 strategies for a world-class SOC

  • Website: https://www.mitre.org/publications/technical-papers/11-strategies-world-class-cybersecurity-operations-center
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: 11 Strategies of a World-Class Cybersecurity Operations Center is MITRE's book-length guide (the successor to its earlier "Ten Strategies" paper) to building and running a SOC: mission and scope, organisational structure, staffing, technology, and measurement.

Operational value: Gives a SOC a reference model to benchmark its own organisation, roles, and tooling against, and a vocabulary for justifying investment to management.

Typical deployment pattern: Reading material; teams typically work through it as a maturity checklist when standing up or reorganising a SOC.

Selection considerations: Freely available document, not software; no maintenance to evaluate. Related source context: To go further > Must read.

Back to Name Jump

18 critical security controls

  • Website: https://www.cisecurity.org/controls/cis-controls-list
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The CIS Critical Security Controls (version 8) are a prioritised set of 18 controls, each broken into safeguards grouped into Implementation Groups (IG1 to IG3), covering asset and software inventory, logging, access control, malware defence, incident response, and related areas.

Operational value: Gives a SOC a defensible baseline to map its detections and response procedures to; IG1 is a practical minimum for smaller organisations and a sanity check for larger ones.

Typical deployment pattern: Organisations usually assess themselves against IG1 first, then use the gaps to prioritise logging, detection, and hardening work.

Selection considerations: Free framework document; CIS also publishes mappings to other frameworks, which helps when compliance obligations use different vocabulary. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Letter 2

This letter section contains 1 entry.

2024 SOC survey

  • Website: https://swimlane.com/wp-content/uploads/SANS-SOC-Survey_2024.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The SANS 2024 SOC Survey (PDF hosted by Swimlane) reports practitioner responses on SOC staffing, tooling, metrics, and recurring challenges.

Operational value: Useful for benchmarking your SOC's size, tooling, and pain points against peers and for supporting budget or staffing cases with external data.

Typical deployment pattern: Reading material; no deployment.

Selection considerations: Sponsor-funded survey, so check the methodology and sample size before quoting its figures. Related source context: Must read > For a SOC.

Back to Name Jump

Letter 3

This letter section contains 1 tool.

365Inspect

  • Website: https://github.com/soteria-security/365Inspect
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: 365Inspect is an open-source PowerShell tool that audits the security configuration of a Microsoft 365 tenant (identity, Exchange Online, SharePoint, Teams and related services) against a set of checks and produces a report of findings.

Operational value: A fast way to find weak tenant settings that matter in identity-centric incidents, and to show improvement between runs.

Typical deployment pattern: Run from a controlled administrator workstation with an account holding the permissions the tool documents, on a schedule, and compare reports over time rather than reading a single snapshot.

Selection considerations: Open source; check maintainer activity, because Microsoft 365 APIs and the PowerShell modules it depends on change frequently. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Letter A

This letter section contains 10 tools.

AD decoy accounts

  • Website: https://medium.com/securonix-tech-blog/detecting-ldap-enumeration-and-bloodhound-s-sharphound-collector-using-active-directory-decoys-dfc840f2f644
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A Securonix blog post on seeding Active Directory with decoy accounts and objects and alerting when they are read or used, which catches LDAP reconnaissance such as BloodHound's SharpHound collector.

Operational value: High-signal detection: legitimate users have no reason to read or authenticate as a decoy, so any touch is worth investigating.

Typical deployment pattern: Create a few realistic-looking decoy users and groups, enable object access auditing (SACLs) on them, and alert on reads or authentication attempts; tune out the small set of systems (backup, directory sync) that legitimately touch every object.

Selection considerations: The technique is free; the cost is in keeping decoys believable and in audit configuration and alert routing. Related source context: To go further > SOC sensors, nice to have.

Back to Name Jump
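The detection idea in the post above, as an added example that is not code from the Securonix post: the event dicts are a constructed simplification of Windows Security event fields (4662 object access, 4768 TGT request, 4624/4625 logons), and the decoy names, allowlist, and sample events are invented for the example.

```python
"""Alert on reads of, or authentication as, Active Directory decoy accounts.

Added illustration of the decoy technique, not code from the post above.
Event dicts are a constructed simplification of Windows Security event
fields; decoy names, the allowlist, and the sample events are invented.
"""
from collections import Counter
from dataclasses import dataclass

# Invented decoy principals. Real decoys should resemble ordinary staff or
# service accounts so that enumeration tooling treats them as targets.
DECOYS = {"svc_backup_legacy", "jsmith.adm", "sql_reporting_ro"}

# Hypothetical (actor, event id) pairs allowed to touch decoys, e.g. the
# domain controller's own backup job reading every object.
ALLOWLIST = {("DC01$", 4662)}

# Field that names the decoy for each event id we care about.
DECOY_FIELDS = {
    4662: "ObjectName",       # directory object accessed (needs a SACL on the decoy)
    4768: "TargetUserName",   # Kerberos TGT requested for the decoy
    4624: "TargetUserName",   # successful logon as the decoy
    4625: "TargetUserName",   # failed logon as the decoy
}


@dataclass(frozen=True)
class Alert:
    event_id: int
    actor: str
    source: str
    decoy: str


def _principal_from(field: str, value: str) -> str:
    """4662 ObjectName is a distinguished name; take its CN component."""
    if field == "ObjectName" and value.upper().startswith("CN="):
        return value.split(",", 1)[0][3:]
    return value


def detect_decoy_access(events, decoys=DECOYS, allowlist=ALLOWLIST):
    """Return one Alert per event that references a decoy account."""
    wanted = {d.lower() for d in decoys}
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        field = DECOY_FIELDS.get(eid)
        if field is None:
            continue
        name = _principal_from(field, ev.get(field, ""))
        if name.lower() not in wanted:
            continue
        # For object reads the actor is the reader; for authentication events
        # the decoy account itself is being used, so report that.
        actor = ev.get("SubjectUserName") or name
        if (actor, eid) in allowlist:
            continue
        source = ev.get("IpAddress") or ev.get("WorkstationName") or "?"
        alerts.append(Alert(eid, actor, source, name))
    return alerts


def actors_by_hits(alerts):
    """Alerts per actor: a collector such as SharpHound reads every object, so
    one actor touching several decoys in a short window is the strongest signal."""
    return Counter(a.actor for a in alerts)


# Constructed sample events.
EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "ObjectName": "CN=svc_backup_legacy,OU=Service,DC=corp,DC=example"},
    {"EventID": 4662, "SubjectUserName": "a.turner", "WorkstationName": "WS-0422",
     "ObjectName": "CN=jsmith.adm,OU=Admins,DC=corp,DC=example"},
    {"EventID": 4662, "SubjectUserName": "a.turner", "WorkstationName": "WS-0422",
     "ObjectName": "CN=Domain Users,CN=Users,DC=corp,DC=example"},
    {"EventID": 4662, "SubjectUserName": "a.turner", "WorkstationName": "WS-0422",
     "ObjectName": "CN=sql_reporting_ro,OU=Service,DC=corp,DC=example"},
    {"EventID": 4768, "TargetUserName": "sql_reporting_ro", "IpAddress": "10.20.30.40"},
    {"EventID": 4624, "TargetUserName": "b.lee", "IpAddress": "10.20.30.41"},
]

if __name__ == "__main__":
    found = detect_decoy_access(EVENTS)
    for alert in found:
        print(alert)
    print(actors_by_hits(found))
```

The 4662 events only exist if auditing is configured on the decoy objects themselves; without a SACL the enumeration is invisible, which is the usual reason this detection fails silently in practice.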

AD post-compromise checklist

  • Website: https://www.pwndefend.com/2021/09/15/post-compromise-active-directory-checklist/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A pwndefend blog post setting out the checks and remediation steps to work through on an Active Directory domain after a compromise.

Operational value: A ready-made scope for the eradication and recovery phase, which is useful when a team is working under pressure and is likely to miss items.

Typical deployment pattern: Adapt it into your own incident response runbook before an incident; during one, track each item with an owner and the evidence that it was completed.

Selection considerations: Free blog post; review it against your own environment (trusts, hybrid identity, privileged access model) since a generic checklist will not cover every specific. Related source context: To go further > Must read.

Back to Name Jump

ADRecon

  • Website: https://github.com/tomwechsler/Active_Directory_Advanced_Threat_Hunting/blob/main/Different_hunting_methods/In-depth_investigation_active_directory.md
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: ADRecon is a PowerShell tool that extracts configuration and object data (users, groups, GPOs, trusts, ACLs and more) from an Active Directory environment into a report for review. Note that the link given here points to an in-depth Active Directory investigation guide in the Active_Directory_Advanced_Threat_Hunting repository rather than to the tool's own repository.

Operational value: A point-in-time snapshot of the directory supports both incident scoping and hardening reviews.

Typical deployment pattern: Run from a trusted workstation with a dedicated account and retain the output as evidence; because it is a collection tool, control access to both the binary and its output.

Selection considerations: Open source; verify the release you run, since the same tooling is used offensively and a tampered copy would be hard to spot. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

ADTrapper

  • Website: https://github.com/MHaggis/ADTrapper
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: ADTrapper is an Active Directory focused project from MHaggis on GitHub. The source list gives no description, so review the repository README before relying on it.

Operational value: Listed by Awesome SOC as a critical CSIRT tool; assess its fit against your Active Directory investigation workflow.

Typical deployment pattern: As with other AD tooling, run from a controlled workstation with a dedicated account and retain output as evidence.

Selection considerations: Open source; check maintainer activity and release history before adoption. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

AIL Framework

  • Website: https://github.com/CIRCL/AIL-framework
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: AIL (Analysis Information Leak) Framework from CIRCL is an open-source platform that collects and analyses unstructured data (pastes, Tor hidden services and other feeds) to detect information leaks such as credentials, keys, and mentions of an organisation.

Operational value: Early warning that your data or credentials have surfaced publicly, which can start an incident before an attacker makes use of them.

Typical deployment pattern: Deploy it as a dedicated service with the crawler modules you need and organisation-specific keywords, and route hits into the SOC queue; expect tuning to control noise.

Selection considerations: Actively maintained by CIRCL; plan for storage growth and for review of what scraped content you are allowed to retain. Related source context: To go further > SOC sensors, nice to have.

Back to Name Jump

alerts

  • Website: https://www.us-cert.gov/ncas/alerts.xml
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The RSS feed of US-CERT (now part of CISA) alerts, carrying advisories on actively exploited vulnerabilities and significant threat activity.

Operational value: An authoritative trigger for emergency patching and threat-hunting tasks.

Typical deployment pattern: Pull the feed into your watch or ticketing tooling, de-duplicate against other sources, and route items that mention your products to a named owner.

Selection considerations: Free; the us-cert.gov domain now redirects to cisa.gov, so confirm that the feed URL you configure still resolves. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

All stories

  • Website: https://www.darkreading.com/rss.xml
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Dark Reading's "All stories" RSS feed, a news source covering vulnerabilities, breaches, and industry developments.

Operational value: Broad situational awareness. It is less authoritative than CERT advisories, so treat it as awareness input rather than as a patching trigger.

Typical deployment pattern: Aggregate it with other feeds and filter by keywords for your technology stack.

Selection considerations: Free; a commercial news outlet. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump
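The ingestion pattern recommended for the two feed entries above (the US-CERT/CISA alerts feed and Dark Reading's "All stories"), as an added example that is not code from either publisher: the two feeds are constructed RSS documents on invalid domains, and KEYWORDS is an invented stand-in for a real product or asset list.

```python
"""Pull security-watch RSS feeds, de-duplicate across sources and fetches,
and flag items that mention the local technology stack.

Added example for the feed entries above; not code from either publisher.
FEED_ALERTS and FEED_NEWS are constructed XML and KEYWORDS is invented.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass(frozen=True)
class Item:
    source: str
    title: str
    link: str
    published: datetime
    matched: tuple      # keywords found in the title


def parse_rss(xml_text: str):
    """Yield (guid, link, title, published) for each <item> in an RSS 2.0 document."""
    root = ET.fromstring(xml_text)
    for node in root.iter("item"):
        title = (node.findtext("title") or "").strip()
        link = (node.findtext("link") or "").strip()
        guid = (node.findtext("guid") or link).strip()
        pub = node.findtext("pubDate")
        # Feeds without a date sort last rather than breaking the sort.
        published = parsedate_to_datetime(pub) if pub else datetime.min.replace(tzinfo=timezone.utc)
        yield guid, link, title, published


def match_keywords(title: str, keywords) -> tuple:
    low = title.lower()
    return tuple(k for k in keywords if k.lower() in low)


def triage(fetches, keywords, seen: set):
    """fetches: iterable of (source_name, xml_text). `seen` carries de-dupe
    state between runs (a set here; persist it in practice). Returns only
    items not seen before, newest first."""
    new = []
    for source, xml_text in fetches:
        for guid, link, title, published in parse_rss(xml_text):
            # Same story can arrive with a new guid but the same link, or
            # the same guid on a re-fetch; either is a duplicate.
            if guid in seen or link in seen:
                continue
            seen.update({guid, link})
            new.append(Item(source, title, link, published, match_keywords(title, keywords)))
    new.sort(key=lambda i: i.published, reverse=True)
    return new


# Constructed feeds (invalid TLDs so nothing here is a real advisory).
FEED_ALERTS = """<rss version="2.0"><channel><title>Constructed national CERT alerts</title>
<item>
  <title>Example VPN Appliance: vendor releases security update</title>
  <link>https://alerts.invalid/aa24-061a</link>
  <guid>aa24-061a</guid>
  <pubDate>Tue, 05 Mar 2024 14:00:00 +0000</pubDate>
</item>
<item>
  <title>Guidance on hardening management interfaces</title>
  <link>https://alerts.invalid/aa24-060a</link>
  <guid>aa24-060a</guid>
  <pubDate>Mon, 04 Mar 2024 09:30:00 +0000</pubDate>
</item>
</channel></rss>"""

FEED_NEWS = """<rss version="2.0"><channel><title>Constructed industry news</title>
<item>
  <title>Admins scramble to patch Example VPN Appliance</title>
  <link>https://news.invalid/story/8841</link>
  <pubDate>Tue, 05 Mar 2024 16:10:00 +0000</pubDate>
</item>
<item>
  <title>Opinion: the SOC metrics that actually matter</title>
  <link>https://news.invalid/story/8839</link>
  <pubDate>Sun, 03 Mar 2024 08:00:00 +0000</pubDate>
</item>
</channel></rss>"""

KEYWORDS = ("example vpn", "widget db")   # invented stand-in for an asset list

if __name__ == "__main__":
    state = set()
    # The alerts feed is fetched twice to show that the re-fetch adds nothing.
    for item in triage([("alerts", FEED_ALERTS), ("alerts", FEED_ALERTS), ("news", FEED_NEWS)], KEYWORDS, state):
        flag = "RELEVANT" if item.matched else "        "
        print(flag, item.published.date(), item.source, item.title)
```

Feeds are untrusted input; the standard library's xml.etree does not resolve external entities but is still exposed to entity-expansion denial of service, so for production ingestion parse with defusedxml or equivalent and cap the response size.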

Analyzing MITRE ATT&CK evaluations 2023

  • Website: https://explore.bitdefender.com/epp-nurture-2023_2/blog-mitre-attck-evaluations-2023?cid=emm%7Cb%7Chubspot%7Cnrt-epp-2023&utm_campaign=nurture-epp-2023&utm_medium=email&_hsmi=280552612&utm_content=280552612&utm_source=hs_automation
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A Bitdefender blog post interpreting the results of the 2023 MITRE Engenuity ATT&CK Evaluations for enterprise endpoint security products.

Operational value: Helps analysts and buyers read vendor claims about ATT&CK evaluation results critically, in particular what "detection" and "protection" counts do and do not mean.

Typical deployment pattern: Reading material; no deployment.

Selection considerations: Written by a participating vendor, so read MITRE Engenuity's own published results alongside it. The link carries marketing tracking parameters. Related source context: To go further > Nice to read.

Back to Name Jump

Antimalware check SOP

  • Website: https://github.com/cyb3rxp/awesome-soc/blob/main/sop_malware_critical_controls.md
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A standard operating procedure from the Awesome SOC repository for checking that antimalware critical controls are in place and working on an endpoint or estate.

Operational value: Turns the question "is the antimalware or EDR actually effective here?" into a repeatable check an analyst can run during triage or periodic review.

Typical deployment pattern: Adopt it into your runbook library and adapt the individual checks to your endpoint protection stack.

Selection considerations: Free markdown document maintained by the list's author; review it when you change endpoint tooling. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

ATT&CK: Getting started

  • Website: https://attack.mitre.org/resources/getting-started/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: MITRE's introductory resources for ATT&CK, the knowledge base of adversary tactics and techniques that SOCs use to label detections, threat intelligence, and coverage gaps.

Operational value: A shared vocabulary between detection engineering, threat intelligence, and red teams; coverage mapped against ATT&CK is a common SOC metric, with the caveat that a technique "covered" by one rule is not the same as detected reliably.

Typical deployment pattern: Start by tagging existing detections with technique IDs, then use ATT&CK Navigator layers to visualise gaps and prioritise new detections.

Selection considerations: Free; the framework is versioned, so record which ATT&CK version your mappings use and plan to re-map on major releases. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Letter B

This letter section contains 9 tools.

Baseline Cyber Security Requirements for AI Models and Systems

  • Website: https://www.etsi.org/deliver/etsi_en/304200_304299/304223/02.01.01_60/en_304223v020101p.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: ETSI EN 304 223, a European standard setting baseline cyber security requirements for AI models and systems across their lifecycle.

Operational value: Gives SOC, engineering, and governance teams a requirements list to check AI deployments against, rather than relying on ad hoc controls.

Typical deployment pattern: Reading material; use it as input to threat modelling and control mapping for AI systems your organisation builds or buys.

Selection considerations: Freely downloadable standard; no software to maintain. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

BEATS agents

  • Website: https://www.elastic.co/beats/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Elastic Beats are lightweight, single-purpose data shippers (Filebeat for logs, Winlogbeat for Windows event logs, Packetbeat for network data, Auditbeat for audit data, Metricbeat for metrics) that forward telemetry to Elasticsearch or Logstash.

Operational value: A standard way to get host and log telemetry into an Elastic-based SIEM, with modules that parse common sources into consistent fields.

Typical deployment pattern: Deploy through configuration management, enable TLS and authentication to the output, and validate that the expected event IDs and fields actually arrive before writing detections against them.

Selection considerations: Elastic changed the licence of its products in 2021, so confirm the terms of the Beats version you deploy; Elastic Agent is the vendor's newer, centrally managed successor. Related source context: To go further > Nice to read.

Back to Name Jump

Best practices for AD disaster recovery

  • Website: https://www.quest.com/webcast-ondemandt/best-practices-for-active-directory-disaster-recovery/?param=L4qcdiH1R46lWbN5Jxs%2fNN0Qky57LDYQTnsyaoWVqKYZTocd3n1RpFTyQegqps0MbW7yx4UWSKyVRVyz%2bwo0XRB2%2fXpFzrMZeOA%2fne%2f4Fm3oH5YJAnFCP%2fnRqs9Rq%2fRD0VTXvdBaojCx5J46htyILvanM5FhOVa7MCGDGYBcq6925YtpmANy9OA1%2fjdtlDrp
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: An on-demand Quest webcast on planning and testing Active Directory disaster recovery.

Operational value: AD recovery is on the critical path after ransomware; the material helps incident response and infrastructure teams agree a forest recovery plan before it is needed.

Typical deployment pattern: Viewing material; pair it with a documented and rehearsed forest recovery procedure, including where backups of domain controllers are kept and how they are protected.

Selection considerations: Vendor content from a company that sells AD recovery products, and the link carries a long tracking parameter. Related source context: To go further > Must read.

Back to Name Jump

BloodHound Community

  • Website: https://github.com/SpecterOps/BloodHound
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: BloodHound Community Edition (SpecterOps) loads Active Directory and Entra ID data collected by SharpHound and AzureHound into a graph database and finds attack paths from any principal to high-value targets such as Domain Admins.

Operational value: Lets defenders see and break the same paths attackers use: nested group membership, local admin rights, logged-on sessions, and abusable ACLs.

Typical deployment pattern: Run collection with a controlled account, load the data into a BloodHound CE instance, fix the paths that lead to Tier 0, and re-run after changes to confirm they are gone.

Selection considerations: Open source (Apache 2.0) with a commercial enterprise edition; collection is indistinguishable from attacker reconnaissance, so coordinate runs with the detection team. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump
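The graph-search idea behind the attack paths described above, as an added example that is not BloodHound code and does not use its data model or Cypher queries: the principals and edges are invented, and the relationship names only borrow a few BloodHound edge kinds for readability.

```python
"""Find and break the shortest attack path through an AD relationship graph.

Added example illustrating what an attack-path query does; not BloodHound
code. Principals and edges are invented.
"""
from collections import deque

# (source, relationship, target): control of source gives a way to target.
# Names mirror a few BloodHound edge kinds; BloodHound's documentation gives
# the abuse preconditions for each real edge type.
EDGES = [
    ("b.lee", "MemberOf", "Domain Users"),
    ("c.ng", "MemberOf", "Domain Users"),
    ("Domain Users", "AdminTo", "WS-0422"),         # every user is local admin on a workstation
    ("WS-0422", "HasSession", "a.turner"),          # a.turner's credentials are in memory there
    ("a.turner", "MemberOf", "Helpdesk"),
    ("a.turner", "AdminTo", "SRV-FILE01"),          # direct admin right (alternative route)
    ("Helpdesk", "AdminTo", "SRV-FILE01"),
    ("SRV-FILE01", "HasSession", "svc_sql"),
    ("svc_sql", "MemberOf", "SQL Admins"),
    ("SQL Admins", "GenericAll", "Domain Admins"),  # full control of the DA group object
]


def build_graph(edges):
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, target):
    """Breadth-first search; returns the hop list or None if target is unreachable."""
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph[node]:
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    hops, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        hops.append((prev, rel, node))
        node = prev
    return hops[::-1]


def principals_reaching(graph, target):
    """Every node with some path to target (reverse BFS): the blast radius."""
    reverse = {}
    for src, outs in graph.items():
        for _, dst in outs:
            reverse.setdefault(dst, []).append(src)
    seen, queue = set(), deque([target])
    while queue:
        node = queue.popleft()
        for prev in reverse.get(node, []):
            if prev not in seen:
                seen.add(prev)
                queue.append(prev)
    return seen


def choke_points(edges, start, target):
    """Edges on the shortest path whose removal alone leaves target unreachable:
    the remediations that actually close the path, as opposed to ones with an
    alternative route around them."""
    path = shortest_path(build_graph(edges), start, target)
    if path is None:
        return []
    return [e for e in path
            if shortest_path(build_graph([x for x in edges if x != e]), start, target) is None]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for hop in shortest_path(g, "b.lee", "Domain Admins") or []:
        print("%s -[%s]-> %s" % hop)
    print("can reach Domain Admins:", sorted(principals_reaching(g, "Domain Admins")))
    print("single fixes that break the path:", choke_points(EDGES, "b.lee", "Domain Admins"))
```

Removing the direct "a.turner AdminTo SRV-FILE01" right changes nothing here because the Helpdesk group grants the same access, which is why the choke-point check matters: fixing an edge that has an alternative looks like progress but leaves the path open.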

Blue Team Notes

  • Website: https://github.com/Purp1eW0lf/Blue-Team-Notes
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Blue Team Notes is a community-maintained GitHub collection of commands and one-liners for defenders, covering Windows, Linux, and PowerShell triage and investigation tasks.

Operational value: Saves time at the keyboard during an incident, when looking up the right command is a distraction.

Typical deployment pattern: Reference material; test commands in a lab before running them against production evidence, and copy the ones you use into your own runbooks.

Selection considerations: Free; check the last update date and read each command before pasting it. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

BlueCoat Edge SWG

  • Website: https://www.broadcom.com/products/cybersecurity/network/web-protection/proxy-sg-and-advanced-secure-gateway
  • Model: Commercial
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Broadcom's ProxySG / Edge Secure Web Gateway (formerly Blue Coat), a forward proxy that inspects and logs outbound web traffic and enforces URL categorisation and policy.

Operational value: Proxy logs are among the most valuable SOC sensors for command-and-control and data exfiltration detection, and blocking a destination at the proxy is a quick containment action.

Typical deployment pattern: Send access logs to the SIEM with user, destination, category, and verdict fields preserved, and decide explicitly which traffic is TLS-intercepted and which is exempt.

Selection considerations: Commercial product; evaluate log format and SIEM integration, TLS interception implications, and licensing rather than open-source maintainer metrics. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Building a SOC

  • Website: https://www.first.org/resources/guides/Factsheet_Building_a_SOC_start_small.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A FIRST factsheet on building a SOC by starting small and growing capability incrementally.

Operational value: A realistic counterweight to vendor-driven "buy everything first" approaches; useful for organisations with limited budget or headcount.

Typical deployment pattern: Reading material; use it to scope a first iteration of the SOC around a few well-understood log sources and use cases.

Selection considerations: Free document from FIRST, the international forum of incident response teams. Related source context: Must read > For a SOC.

Back to Name Jump

Building a SOC

  • Website: https://www.ncsc.gov.uk/collection/building-a-security-operations-centre
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The UK NCSC's guidance collection on planning and building a security operations centre.

Operational value: Independent, vendor-neutral guidance that is useful for defining what the SOC is for before choosing tools.

Typical deployment pattern: Reading material; work through it when defining the SOC's scope, staffing, and initial detection priorities.

Selection considerations: Free government guidance; no software to maintain. Related source context: Must read > For a SOC.

Back to Name Jump

Business Impact Assessment

  • Website: https://bia.cisecurity.org/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A free web tool from the Center for Internet Security (CIS) for business impact assessment.

Operational value: Helps relate security decisions to business impact, which is the basis for prioritising controls and response effort.

Typical deployment pattern: Use it during planning with business stakeholders rather than as an operational SOC tool.

Selection considerations: Free CIS web application; it is hosted by CIS, so consider what organisational information you enter. Related source context: To go further > Nice to read.

Back to Name Jump

Letter C

This letter section contains 26 tools.

Canary.tools

  • Website: https://canary.tools/
  • Model: Commercial
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Thinkst Canary: hardware and virtual honeypots that impersonate common services and devices and alert on any interaction, plus Canarytokens (files, URLs, credentials and similar lures that phone home when used).

Operational value: Very low false-positive sensors: nothing legitimate should touch a canary, so an alert is almost always worth an analyst's time.

Typical deployment pattern: Place canaries in network segments and file shares an attacker would explore, forward alerts to the SOC queue, and plant tokens in locations such as password files and internal documents.

Selection considerations: Commercial product; the Canarytokens service is available separately at no cost. Evaluate alert integration and how believable the decoys are in your environment. Related source context: To go further > SOC sensors, nice to have.

Back to Name Jump

Cat-Scale

  • Website: https://labs.withsecure.com/tools/cat-scale-linux-incident-response-collection
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Cat-Scale is WithSecure Labs' Linux incident response collection script, which gathers volatile and on-disk artefacts from a host into an archive for offline analysis.

Operational value: Consistent, scripted collection from Linux systems, where IR tooling coverage is usually thinner than on Windows.

Typical deployment pattern: Keep a verified copy on trusted media, run it on the suspect host as early as possible, hash the output, and move it off the host for analysis.

Selection considerations: Open source; review the collected artefact list against your own needs and check for recent maintenance. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

CERT-FR

  • Website: https://www.cert.ssi.gouv.fr/avis/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The security advisories (avis) published by CERT-FR, France's national CERT within ANSSI.

Operational value: An authoritative advisory source, particularly relevant for organisations operating in France or the EU.

Typical deployment pattern: Aggregate with other CERT feeds and route items affecting your products to an owner.

Selection considerations: Free; the advisories are written in French. Related source context: IT/security Watch > Recommended sources.

CERT-in-a-box

  • Website: https://www.first.org/resources/guides/cert-in-a-box.zip
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CERT-in-a-box is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a CERT/CSIRT.

CERT-US

  • Website: https://www.cisa.gov/uscert/ncas/alerts
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CERT-US is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Chapril

  • Website: https://drop.chapril.org/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Chapril is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

CIS

  • Website: https://www.cisecurity.org/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CIS is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Harden SOC/CSIRT environment.

CIS benchmarks

  • Website: https://www.cisecurity.org/cis-benchmarks/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CIS benchmarks are used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT architecture of a SOC > Disconnect (as much as possible) SOC from monitored environment > Endpoints hardening.

CISA Thorium

  • Website: https://github.com/cisagov/thorium?tab=readme-ov-file
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CISA Thorium is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

clean-up script

  • Website: https://github.com/simeononsecurity/Windows-Optimize-Harden-Debloat
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: clean-up script is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Harden SOC/CSIRT environment.

CloudFlare

  • Website: https://www.cloudflare.com/plans/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CloudFlare is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

command line reference

  • Website: https://cmd.ms/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: command line reference is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Community Yara rules

  • Website: https://github.com/Neo23x0/signature-base
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Community Yara rules are used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe them as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Compromise assessment methodology

  • Website: https://evrenbey.medium.com/compromise-assessment-methodology-820910efb6a4
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Compromise assessment methodology is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Crowdsec

  • Website: https://www.crowdsec.net/product/crowdsec-security-engine
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Crowdsec is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

CrowdStrike

  • Website: https://www.crowdstrike.com/blog/feed
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CrowdStrike is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

CSIRT Services Framework

  • Website: https://www.first.org/standards/frameworks/csirts/csirt_services_framework_v2.1
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CSIRT Services Framework is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a CERT/CSIRT.

CSIRT, SOC, ISAC and PSIRT definitions

  • Website: https://www.linkedin.com/pulse/csirt-soc-isac-psirt-definitions-vilius-benetis
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CSIRT, SOC, ISAC and PSIRT definitions are used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe them as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

CTI Framework

  • Website: https://www.cert.europa.eu/publications/threat-intelligence/cyber-threat-intelligence-framework/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CTI Framework is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

CTI's repo

  • Website: https://github.com/chronicle/GCTI/tree/main/YARA
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CTI's repo is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Yara rules for Cobalt Strike and others.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

CVSS v4 specs

  • Website: https://www.first.org/cvss/v4-0/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CVSS v4 specs are used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe them as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Cyber Defense Incident Responder role

  • Website: https://www.cisa.gov/cyber-defense-incident-responder
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Cyber Defense Incident Responder role is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Cyber Threat readiness report 2023

  • Website: https://swimlane.com/wp-content/uploads/Cyber-Threat-Readiness-Report-2023.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Cyber Threat readiness report 2023 is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

CyberChef

  • Website: https://github.com/NextronSystems/CyberChef
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CyberChef is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

CyberSecurity

  • Website: https://medium.com/feed/tag/cybersecurity
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: CyberSecurity is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Cybersecurity business value benchmark

  • Website: https://emtemp.gcom.cloud/ngw/globalassets/en/doc/documents/775537-gartner-cybersecurity-business-value-benchmark-1st-generation.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Cybersecurity business value benchmark is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Letter D

This letter section contains 5 tools.

Databreach reports

  • Website: https://www.verizon.com/business/resources/reports/dbir/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Databreach reports are used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe them as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Detection engineering

  • Website: https://github.com/cyb3rxp/awesome-soc/blob/main/detection_engineering.md
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Detection engineering is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Table of Content.

DeTTECT

  • Website: https://github.com/rabobank-cdc/DeTTECT
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: DeTTECT is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a SOC.

Diaries

  • Website: https://isc.sans.edu/diary/0
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Diaries are used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe them as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Digital Defense Report

  • Website: https://www.microsoft.com/en-us/corporate-responsibility/cybersecurity/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Digital Defense Report is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Letter E

This letter section contains 2 tools.

EBIOS RM methodology

  • Website: https://www.ssi.gouv.fr/guide/ebios-risk-manager-the-method/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: EBIOS RM methodology is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Back to Name Jump

EMCO Remote installer

  • Website: https://emcosoftware.com/remote-installer
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: EMCO Remote installer is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

Back to Name Jump

Letter F

This letter section contains 5 tools.

FastIR

  • Website: https://github.com/OWNsecurity/fastir_artifacts
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: FastIR is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

FireEye Flare-VM

  • Website: https://github.com/mandiant/flare-vm
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: FireEye Flare-VM is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as a framework to automate security tool installation on analysts' workstations.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

forest is the AD security boundary

  • Website: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: forest is the AD security boundary is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as being for isolation purposes, in case of a global compromise of the enterprise's IT.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Harden SOC/CSIRT environment.

Back to Name Jump

Forrester wave for SSE

  • Website: https://www.netskope.com/wp-content/uploads/2024/03/forrester-wave-sse-solutions-diagram-1340x1640-1.png
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Forrester wave for SSE is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Fundamental concepts

  • Website: https://github.com/cyb3rxp/awesome-soc/blob/main/soc_basics.md
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Fundamental concepts is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Table of Content.

Back to Name Jump

Letter G

This letter section contains 11 tools.

Gartner magic quadrant

  • Website: https://www.bitdefender.com/en-us/business/campaign/2025-gartner-magic-quadrant-for-epp-the-only-visionary
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gartner magic quadrant is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Back to Name Jump

Gartner magic quadrant

  • Website: https://www.gartner.com/doc/reprints?id=1-2IYCQ1TR&ct=241001&st=sb
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gartner magic quadrant is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Gartner magic quadrant

  • Website: https://www.sentinelone.com/lp/gartnermq/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gartner magic quadrant is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Gartner magic quadrant

  • Website: https://www.netskope.com/wp-content/uploads/2025/05/2025-05-SSE-MQ-site-1040x1094-1-768x808.png
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gartner magic quadrant is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Gartner reviews and ratings

  • Website: https://www.gartner.com/reviews/market/email-security
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gartner reviews and ratings is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Gartner reviews and ratings

  • Website: https://www.gartner.com/reviews/market/data-loss-prevention
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gartner reviews and ratings is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

Back to Name Jump

Gatewatcher

  • Website: https://www.gatewatcher.com/en/our-solutions/trackwatch/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gatewatcher is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

Back to Name Jump

GDPR cybersecurity implications (in French)

  • Website: https://atelier-rgpd.cnil.fr/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: GDPR cybersecurity implications (in French) is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Name Jump

Gigamon

  • Website: https://www.gigamon.com/products/access-traffic/network-taps.html
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Gigamon is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

Back to Name Jump

GitLab

  • Website: https://about.gitlab.com/handbook/engineering/security/security-operations/sirt/sec-incident-response.html
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: GitLab is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

Back to Name Jump

Good practice for incident management

  • Website: https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Good practice for incident management is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a CERT/CSIRT.

Back to Name Jump

Letter H

This letter section contains 5 tools.

hardening tool

  • Website: https://apps.microsoft.com/detail/9p7ggfl7dx57
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: hardening tool is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Harden SOC/CSIRT environment.

Back to Name Jump

How to be compliant with NIS2?

  • Website: https://securenvoy.com/blog/how-to-be-compliant-with-new-nis-directive/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: How to be compliant with NIS2? is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Back to Name Jump

how to manage FP in a SOC?

  • Website: https://www.idna.fr/2018/11/06/comment-gerer-les-faux-positifs-dans-un-soc/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: how to manage FP in a SOC? is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries note that it is written in French.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Back to Name Jump

How to set-up a CSIRT and SOC

  • Website: https://www.enisa.europa.eu/publications/how-to-set-up-csirt-and-soc/at_download/fullReport
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: How to set-up a CSIRT and SOC is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

How will NIS2 impact your organization?

  • Website: https://www.linkedin.com/pulse/how-eu-directive-nis2-impact-your-organization-anders-fleinert-larsen%3FtrackingId=Vq3GCGlOTXe1u0dllhn9MA%253D%253D/?_l=fr_FR
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: How will NIS2 impact your organization? is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Letter I

This letter section contains 6 tools.

IBM Resilient

  • Website: https://www.ibm.com/qradar/security-qradar-soar?utm_content=SRCWW&p1=Search&p4=43700068028974608&p5=e&gclid=Cj0KCQjw9ZGYBhCEARIsAEUXITW2yUqAfNqWNeYXyENeUAoqLxV543LT0n2oYhYxEQ47Yjm7NfYTFHAaAtwpEALw_wcB&gclsrc=aw.ds
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: IBM Resilient is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Back to Name Jump

image

  • Website: https://user-images.githubusercontent.com/16035152/202517740-812091b6-ff31-49cd-941e-3f6e4b4d140c.png
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: image is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Harden SOC/CSIRT environment.

Back to Name Jump

ImmuniWeb

  • Website: https://www.immuniweb.com/websec/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: ImmuniWeb is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Intrinsec (in French)

  • Website: https://www.intrinsec.com/monitoring-cyber/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Intrinsec (in French) is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

ISO 27035 Practical value for CSIRT and SOCs

  • Website: https://www.first.org/resources/papers/conf2023/FIRSTCON23-TLPCLEAR-Benetis-ISO-27035-practical-value-for-CSIRTs-and-SOCs.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: ISO 27035 Practical value for CSIRT and SOCs is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a SOC.

Back to Name Jump

Isolate Tier 0 assets with group policy

  • Website: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/initially-isolate-tier-0-assets-with-group-policy-to-start/ba-p/1184934
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Isolate Tier 0 assets with group policy is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Letter K

This letter section contains 1 tool.

Krebs on security

  • Website: https://krebsonsecurity.com/feed/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Krebs on security is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Letter L

This letter section contains 4 tools.

latest Forrester Wave about MTD

  • Website: https://reprint.forrester.com/reports/the-forrester-wave-tm-mobile-threat-defense-solutions-q3-2024-fd48faab/index.html
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: latest Forrester Wave about MTD is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Licensing maps, eg. for Defender

  • Website: https://m365maps.com/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Licensing maps, eg. for Defender is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

LinkedIn Information Security Community group

  • Website: https://www.linkedin.com/groups/38412/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: LinkedIn Information Security Community group is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

List of trusted cybersecurity services providers

  • Website: https://www.enisa.europa.eu/sites/default/files/2025-07/EU%20Cybersecurity%20Reserve%20companies.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: List of trusted cybersecurity services providers is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Letter M

This letter section contains 14 tools.

Management

  • Website: https://github.com/cyb3rxp/awesome-soc/blob/main/management.md
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Management is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Table of Content.

Mappings explorer

  • Website: https://center-for-threat-informed-defense.github.io/mappings-explorer/external/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Mappings explorer is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Michel De Crevoisier's Git

  • Website: https://github.com/mdecrevoisier/SIGMA-detection-rules
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Michel De Crevoisier's Git is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Microsoft Defender

  • Website: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows?view=o365-worldwide
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft Defender is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Microsoft Defender for Office365

  • Website: https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-office-365
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft Defender for Office365 is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Microsoft Developer virtual machines

  • Website: https://developer.microsoft.com/en-us/windows/downloads/virtual-machines/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft Developer virtual machines is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Harden SOC/CSIRT environment.

Microsoft Intune

  • Website: https://docs.microsoft.com/en-us/mem/intune/fundamentals/what-is-intune
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft Intune is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

Microsoft MCAS

  • Website: https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-defender-cloud-apps
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft MCAS is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Microsoft Sentinel queries

  • Website: https://github.com/reprise99/Sentinel-Queries
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft Sentinel queries is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Microsoft SharePoint

  • Website: https://www.microsoft.com/en-us/microsoft-365/sharepoint/collaboration
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft SharePoint is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

Mitre Engenuity Evaluations 2022 review

  • Website: https://www.cybervigilance.uk/post/2022-mitre-att-ck-engenuity-results
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Mitre Engenuity Evaluations 2022 review is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

MMPC

  • Website: https://blogs.technet.microsoft.com/mmpc/feed/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: MMPC is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

MS Sentinel architecture and recommendations for MSSP

  • Website: https://myfabersecurity.com/2023/03/31/sentinel-poc-architecture-and-recommendations-for-mssps-part-1/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: MS Sentinel architecture and recommendations for MSSP is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Must read

  • Website: https://github.com/cyb3rxp/awesome-soc/blob/main/README.md#must-read
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Must read is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Table of Content.

Letter N

This letter section contains 4 tools.

NIS2 10 main requirements

  • Website: https://nis2directive.eu/nis2-requirements/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: NIS2 10 main requirements is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

NIS2 technical implementation guidance

  • Website: https://www.enisa.europa.eu/publications/nis2-technical-implementation-guidance
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: NIS2 technical implementation guidance is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

NIS2, how to address the security control gaps

  • Website: https://event.on24.com/eventRegistration/console/apollox/mainEvent?simulive=y&eventid=4110743&sessionid=1&username=&partnerref=&format=fhvideo1&mobile=&flashsupportedmobiledevice=&helpcenter=&key=588150776CAE70D7F02ECF2848FF11FA&newConsole=true&nxChe=true&newTabCon=true&consoleEarEventConsole=false&text_language_id=en&playerwidth=748&playerheight=526&eventuserid=600843623&contenttype=A&mediametricsessionid=517006274&mediametricid=5797475&usercd=600843623&mode=launch
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: NIS2, how to address the security control gaps is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Nozomi Guardian

  • Website: https://www.nozominetworks.com/products/guardian/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Nozomi Guardian is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

Letter O

This letter section contains 4 tools.

Olaf Hartong's config

  • Website: https://github.com/olafhartong/sysmon-modular/blob/master/sysmonconfig.xml
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Olaf Hartong's config is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

OneTimeSecret

  • Website: https://onetimesecret.com/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: OneTimeSecret is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

OpenIOC format

  • Website: https://github.com/fireeye/OpenIOC_1.1/blob/master/IOC_Terms_Defs.md
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: OpenIOC format is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

OSINTracker

  • Website: https://app.osintracker.com/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: OSINTracker is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Other critical tools for a SOC and a CERT/CSIRT.

Back to Name Jump

Letter P

This letter section contains 7 tools.

PacketStorm Security

  • Website: https://packetstorm.news/rss/news
  • Model: Free public resource (news feed, not software)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Packet Storm is a long-running security news, advisory and exploit archive; the linked URL is its RSS news feed, which Awesome SOC lists as a daily-watch source rather than as a tool.

Operational value: Following a broad advisory feed gives the SOC early notice of vulnerabilities and public exploit releases that may affect the estate, so detection content and patch priorities can be adjusted before the first alert arrives.

Typical deployment pattern: Pull the feed into whatever reader or ticketing intake the watch rotation uses, deduplicate it against other sources, and match items against the asset inventory so that only relevant entries reach analysts.

Selection considerations: Feed quality depends on the site's editorial coverage, not on a release cadence; weigh signal volume against the time the watch rotation can spend on it. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

PAW Microsoft

  • Website: https://docs.microsoft.com/en-us/security/compass/privileged-access-devices
  • Model: Public documentation (Microsoft Learn)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The linked Microsoft documentation describes privileged access devices, better known as Privileged Access Workstations (PAWs): dedicated, hardened machines used only for administrative work, with tiered device security levels so that domain, cloud and tier-0 administration never happens from a workstation that also browses the web and reads mail.

Operational value: A PAW removes the most common path to credential theft, an administrator's everyday workstation being phished, and gives the SOC a small, well-defined set of hosts from which privileged activity is expected, so privileged actions from anywhere else become a high-confidence alert.

Typical deployment pattern: Start with the accounts that can change identity infrastructure (domain admins, global admins, backup operators), issue them PAWs, and prevent their privileged credentials from being used anywhere else; then add detections for administrative tooling that runs from non-PAW hosts.

Selection considerations: This is guidance, not a product; the cost is in hardware, enrolment and user discipline rather than licensing. Related source context: To go further > Nice to read.

Back to Name Jump

PhishLabs

  • Website: https://www.phishlabs.com/
  • Model: Commercial (vendor service, not open source)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: PhishLabs, now part of Fortra, is a commercial digital-risk-protection service covering phishing detection, brand and domain abuse monitoring, and takedown of malicious sites and accounts. Awesome SOC lists it among the nice-to-have SOC sensors.

Operational value: Outsourcing takedown and external-threat monitoring removes a slow, contact-heavy task from the SOC and feeds confirmed phishing infrastructure into blocklists and detection rules.

Typical deployment pattern: Connect the service's alerts to the case-management tool, agree who approves takedown requests, and verify that the indicators it returns are actually ingested by the mail and web gateways.

Selection considerations: As a commercial service, evaluate coverage (which brands, channels and regions), takedown turnaround, and API quality for automation rather than maintainer activity. Related source context: To go further > SOC sensors, nice to have.

Back to Name Jump

Powershell Hunter

  • Website: https://github.com/MHaggis/PowerShell-Hunter/tree/main
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: PowerShell-Hunter (MHaggis) is a GitHub collection of PowerShell scripts for threat hunting on Windows hosts, built to pull and analyze local telemetry such as Windows event logs and related artifacts so an analyst can hunt on a host without first shipping everything to a SIEM.

Operational value: The scripts give an incident responder a repeatable first pass on a suspect host and a basis for turning ad-hoc hunts into scheduled checks.

Typical deployment pattern: Read each script before running it, execute from a PAW or a dedicated response host with PowerShell logging enabled, and pin the commit you tested, since hunting repositories change often.

Selection considerations: As an open-source option, check commit activity, whether releases are signed or at least hashed, and how issues are handled. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

ProofPoint

  • Website: https://www.proofpoint.com/us/rss.xml
  • Model: Commercial vendor (the linked RSS feed is free)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Proofpoint is a commercial email and people-centric security vendor; the linked URL is its blog and threat-research RSS feed, which Awesome SOC lists as a watch source, not the product itself.

Operational value: Vendor research feeds are often the first public source for new phishing lures, malware families and campaign indicators, which can be turned into mail and endpoint detections.

Typical deployment pattern: Add the feed to the watch rotation alongside other vendor research and deduplicate, since the same campaign is usually written up by several vendors within days.

Selection considerations: Judge the feed on timeliness and technical detail; marketing content will need filtering. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

PTES

  • Website: http://www.pentest-standard.org/index.php/Main_Page
  • Model: Open standard (community documentation)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: PTES, the Penetration Testing Execution Standard, is a community-written standard that defines the phases of a penetration test: pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting, with a technical guideline for each.

Operational value: For a SOC it provides a shared vocabulary with the testers, a way to state what the SOC is expected to detect in each phase, and a baseline for judging whether a vendor's test report is complete.

Typical deployment pattern: Reference PTES in the rules of engagement, map each phase to the telemetry and detections that should fire, and use the post-test debrief to record which phases went undetected.

Selection considerations: The standard has not been revised in years and some of its tooling references are dated, but the phase model is still widely used. Related source context: To go further > Nice to read.

Back to Name Jump

Purple Team Assessment

  • Website: https://www.fireeye.fr/content/dam/fireeye-www/regional/fr_FR/services/pdfs/ds-purple-team-assessment.pdf
  • Model: Commercial service datasheet (PDF)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The linked document is a FireEye/Mandiant datasheet describing a purple team assessment: red team and defenders work together, executing attack techniques openly and checking in real time which ones the SOC detects, so the exercise produces a detection gap list rather than a surprise compromise.

Operational value: A purple team exercise measures the SOC directly, technique by technique, and turns each miss into a concrete detection-engineering task with the evidence needed to reproduce it.

Typical deployment pattern: Choose techniques relevant to your threat model (for example from MITRE ATT&CK), run each with the detection engineers watching, record detected, not detected or detected late, and put the gaps in the detection backlog with a retest date.

Selection considerations: Any competent red team or in-house adversary-emulation capability can deliver the same format; what matters is the technique catalogue, the reporting format and whether results feed detection engineering. Related source context: To go further > Must read.

Back to Name Jump

Letter R

This letter section contains 6 tools.

NIST IR 8596, Cybersecurity Framework Profile for Artificial Intelligence

  • Website: https://csrc.nist.gov/pubs/ir/8596/iprd
  • Model: Public document (NIST, initial public draft)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: NIST IR 8596 is the NIST Cybersecurity Framework Profile for Artificial Intelligence; the linked version is the initial public draft. It maps the functions and categories of CSF 2.0 to AI-specific risks so an organization can describe how it secures the AI systems it uses or builds, and how AI figures in its own defenses and in attacks against it, in the same terms it already uses for the rest of its program.

Operational value: For a SOC it is a starting point for deciding which AI systems are in scope for monitoring, what telemetry they should emit, and who owns incidents involving models, prompts or training data.

Typical deployment pattern: Use it as a gap analysis against the existing CSF profile rather than as a new framework to adopt wholesale.

Selection considerations: It is a draft; expect changes before the final version and track the revision you cite. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

RACI template (in French)

  • Website: https://github.com/cyberabdou/SOC/blob/77f01ba82c22cb11028cde4a862ae0bea4258378/SOC%20RACI.xlsx
  • Model: Free template (spreadsheet, in French)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A RACI matrix (Responsible, Accountable, Consulted, Informed) for SOC activities, published as an Excel file in French and linked at a fixed commit, so the content will not change underneath you.

Operational value: Writing down who is responsible and who is accountable for monitoring, triage, escalation, containment and reporting removes the most common source of delay in an incident: two teams each assuming the other owns the next step.

Typical deployment pattern: Translate the activity rows, replace the roles with your actual teams (SOC tiers, CSIRT, IT operations, application owners, management), and review the result with every party named in it; a RACI nobody outside the SOC has agreed to is of little use during an incident.

Selection considerations: This is a starting template rather than software; its value depends entirely on adapting it to your organization. Related source context: To go further > Nice to read.

Back to Name Jump

Ransomware live feeds

  • Website: https://ransomware.live/rss.xml
  • Model: Free public feed (RSS)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: ransomware.live tracks the victim claims posted on ransomware groups' leak sites; the linked RSS feed publishes new claims as they are scraped, naming the group and the claimed victim.

Operational value: It is often the first external signal that your organization, a subsidiary or a supplier has been named by a group, which turns a third-party breach from rumour into a dated, attributable event a case can be opened on.

Typical deployment pattern: Match feed entries against your company names, subsidiaries and supplier list, route hits to the CSIRT as an incident trigger, and keep the raw entry (group, timestamp, claimed data) as evidence.

Selection considerations: The data is scraped from criminal sites: claims can be false, duplicated across groups or withdrawn, so verify before acting on or communicating a hit. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

RedTeam resources

  • Website: https://github.com/J0hnbX/RedTeam-Resources
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: RedTeam-Resources is a curated GitHub list of red-team material: tooling, techniques, training and reference reading on adversary emulation and offensive tradecraft.

Operational value: For defenders, a curated offensive reading list is the shortest route to learning what red-team (and attacker) tooling looks like in telemetry, which is exactly what detection engineering needs.

Typical deployment pattern: Use it to pick techniques for purple-team exercises and to check that detection content covers the tooling currently popular with operators.

Selection considerations: As a curated list rather than software, evaluate it on how recently it was updated and whether its links still resolve. Related source context: To go further > Must read.

Back to Name Jump

Resources inventory

  • Website: https://inventory.raw.pm/resources.html
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The Rawsec inventory is a curated, categorized list of security resources (tools, references, training, CTF platforms and similar); the linked page is its resources section.

Operational value: A maintained, categorized index saves the time otherwise spent re-discovering well-known references when building or reviewing a SOC toolset.

Typical deployment pattern: Treat it as a discovery aid when shortlisting, not as an endorsement; each candidate still goes through your own evaluation.

Selection considerations: Check how recently the inventory was updated; curated lists go stale quietly. Related source context: To go further > Must read.

Back to Name Jump

RFC2350

  • Website: https://www.cert.ssi.gouv.fr/uploads/CERT-FR_RFC2350_EN.pdf
  • Model: Public document (PDF)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: RFC 2350, "Expectations for Computer Security Incident Response", defines the self-description a CSIRT publishes: contact details and encryption keys, constituency, mandate and authority, services offered, incident-handling policies and how to report an incident. The linked PDF is CERT-FR's own RFC 2350 document, usable as a worked example.

Operational value: A published RFC 2350 tells peer teams, customers and reporters how to reach you securely and what to expect, and forces the team itself to state its constituency and mandate in writing.

Typical deployment pattern: Draft yours following the RFC's section headings, publish it with the team's PGP key at a stable URL, and review it whenever contacts, scope or services change.

Selection considerations: There is nothing to select; the format is a standard and the effort is in keeping the document current. Related source context: To go further > Nice to read.

Back to Name Jump

Letter S

This letter section contains 32 tools.

SaaS attack matrix

  • Website: https://github.com/pushsecurity/saas-attacks#the-saas-attacks-matrix
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The SaaS attacks matrix, maintained by Push Security, is a catalogue of attack techniques that target SaaS applications and the identities that access them (OAuth and consent abuse, credential and session theft, SAML and SSO manipulation, and similar), organized by attack stage in the style of ATT&CK.

Operational value: It enumerates a class of attacks that leaves little or no trace on endpoints or the corporate network, so it is a practical checklist for deciding which SaaS audit logs the SOC needs and which identity events should raise alerts.

Typical deployment pattern: Map each technique to the SaaS platforms you use, check whether the relevant audit log is ingested, and write detections or purple-team tests for the gaps.

Selection considerations: As a community-maintained reference, watch how often new techniques are added and whether they come with detection notes. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

SANS SOC survey 2022

  • Website: https://www.splunk.com/en_us/pdfs/resources/whitepaper/sans-soc-survey-2022.pdf
  • Model: Public document (PDF, sponsor-hosted)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The SANS SOC Survey is an annual questionnaire-based report on how SOCs are staffed, tooled, measured and funded; the 2022 edition is linked from Splunk, one of its sponsors.

Operational value: It supplies benchmark figures (team sizes, tooling choices, reported metrics, satisfaction with outsourcing) that help when a SOC has to justify staffing or budget against industry norms.

Typical deployment pattern: Pull the handful of figures relevant to your situation into management reporting and cite the edition; do not treat it as a design guide.

Selection considerations: Results are self-reported by respondents and the report is vendor-sponsored, so read the method section before quoting numbers. Related source context: To go further > Nice to read.

Back to Name Jump

Schneier on Security

  • Website: http://feeds.feedburner.com/schneier/excerpts
  • Model: Free public feed (RSS)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Schneier on Security is Bruce Schneier's long-running blog on security, cryptography and policy; the linked FeedBurner URL is its excerpt feed.

Operational value: It provides context and early pointers on security news and research rather than indicators, which suits the watch rotation and briefings but not detection content.

Typical deployment pattern: Add it to the watch reader as a low-priority source and let analysts skim rather than triage it.

Selection considerations: Posts are general commentary; weigh the reading time against feeds that carry actionable indicators. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

Secure Web Gateway

  • Website: https://www.gartner.com/en/information-technology/glossary/secure-web-gateway
  • Model: Product category (Gartner glossary entry), not software
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The linked Gartner glossary entry defines a Secure Web Gateway (SWG): a forward proxy that inspects outbound web traffic and enforces policy through URL filtering, malware scanning and application control, now usually delivered as part of a Security Service Edge (SSE) offering. Awesome SOC lists the SWG as one of the critical sensors for a SOC.

Operational value: Proxy logs are one of the few places that show every outbound web request together with the user who made it, which is what the SOC needs to spot command-and-control beaconing, suspicious downloads and data leaving the organization.

Typical deployment pattern: Forward the proxy logs to the SIEM with user, destination, URL category, action and byte counts preserved, and make sure traffic cannot bypass the proxy (egress firewall rules that only let the proxy out).

Selection considerations: This is a category to fill, not a tool to download; evaluate candidate products on TLS inspection coverage, log detail and SIEM integration. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Secure your business with 365

  • Website: https://learn.microsoft.com/en-us/microsoft-365/business-premium/secure-your-business-data?view=o365-worldwide
  • Model: Public documentation (Microsoft Learn)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The linked Microsoft Learn page is the guidance for securing a Microsoft 365 Business Premium tenant: turning on multifactor authentication, protecting mail and devices with the bundled Defender and Intune capabilities, and configuring data protection.

Operational value: For small organizations without a dedicated SOC, it is a checklist of the controls that produce the identity, mail and endpoint telemetry a SOC or MSSP later relies on.

Typical deployment pattern: Work through the steps in order, then verify that the resulting audit and alert data reaches whoever is monitoring the tenant.

Selection considerations: The guidance is specific to Business Premium licensing; other Microsoft 365 plans have different features and the steps will not map one-to-one. Related source context: Must read > For a SOC.

Back to Name Jump

SecureList

  • Website: https://securelist.com/feed/
  • Model: Free public feed (RSS)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Securelist is the threat research blog of Kaspersky's Global Research and Analysis Team; the linked URL is its RSS feed, carrying malware and campaign analyses with indicators.

Operational value: Vendor research write-ups are a regular source of new malware family descriptions and indicators that can be turned into detections and threat-hunting hypotheses.

Typical deployment pattern: Add the feed to the watch rotation, extract indicators from relevant posts into the threat-intelligence platform, and deduplicate against other vendors covering the same campaign.

Selection considerations: Judge the feed on technical depth and timeliness, and check your organization's policy on the vendor before relying on it. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

Security 360

  • Website: https://twitter.com/Shubham_pen/status/1655192003448020993?s=20
  • Model: Social media post
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The linked item is a post on X (Twitter) by @Shubham_pen that Awesome SOC lists among its must-read references; the post's content is not reproduced in this catalogue, and the platform may require a login to view it.

Operational value: Not assessable from the reference alone.

Typical deployment pattern: Read the post and capture anything useful into your own documentation, since social-media links are frequently deleted or made unavailable.

Selection considerations: Treat it as an informal reference, not a tool. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Security advisories

  • Website: https://cert.europa.eu/publications/security-advisories-rss
  • Model: Free public feed (RSS)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The RSS feed of CERT-EU's security advisories, which cover vulnerabilities judged relevant to EU institutions, bodies and agencies, with affected products, severity and recommended actions.

Operational value: CERT advisories are curated and already rated, so they carry a better signal-to-noise ratio than raw vulnerability feeds and can drive patch prioritization directly.

Typical deployment pattern: Ingest the feed, match advisories against the asset inventory, and create tickets for the ones that hit; keep the advisory reference in the ticket for audit.

Selection considerations: Coverage reflects the CERT's constituency, so pair it with vendor feeds for products it does not track. Related source context: IT/security Watch > Recommended sources.
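
Several entries in this catalogue (the Packet Storm, Proofpoint, ransomware.live, Schneier and Securelist feeds as well as this one) are RSS sources whose value depends on the same two chores: deduplicating what several feeds report and matching items against what the organization actually runs. The block below is an added example of that intake step, written for this page rather than taken from any of those sites: it parses RSS 2.0 with the standard library, drops duplicates by link, keeps items that mention a watchlist term, and returns them newest first. The two feeds and the watchlist are constructed for the example.

```python
import xml.etree.ElementTree as ET
from email.utils import parsedate_to_datetime

# Constructed watchlist: a term that identifies something in the estate -> the asset it maps to.
WATCHLIST = {
    "fortigate": "perimeter firewalls (2x FortiGate)",
    "exchange server": "on-prem mail",
    "openssl": "shared TLS library on Linux fleet",
}

# Two constructed RSS 2.0 feeds; the FortiGate item appears in both with different GUIDs.
FEED_ADVISORIES = """<rss version="2.0"><channel><title>Constructed CERT advisories</title>
<item><title>Critical pre-auth RCE in FortiGate SSL-VPN</title>
<link>https://advisories.example/2024-031</link><guid>2024-031</guid>
<pubDate>Tue, 12 Mar 2024 08:00:00 +0000</pubDate>
<description>Vendor patch available; exploitation observed in the wild.</description></item>
<item><title>Weekly vulnerability roundup</title>
<link>https://advisories.example/weekly-11</link><guid>weekly-11</guid>
<pubDate>Mon, 11 Mar 2024 08:00:00 +0000</pubDate>
<description>Assorted low-severity fixes.</description></item>
</channel></rss>"""

FEED_VENDOR = """<rss version="2.0"><channel><title>Constructed vendor research feed</title>
<item><title>OpenSSL 3.x advisory: denial of service in X.509 parsing</title>
<link>https://research.example/openssl-dos</link><guid>r-501</guid>
<pubDate>Wed, 13 Mar 2024 15:30:00 +0000</pubDate>
<description>Affects OpenSSL 3.0 and 3.1; update to the patched release.</description></item>
<item><title>Critical pre-auth RCE in FortiGate SSL-VPN</title>
<link>https://advisories.example/2024-031</link><guid>r-502</guid>
<pubDate>Tue, 12 Mar 2024 10:15:00 +0000</pubDate>
<description>Mirror of the CERT advisory.</description></item>
</channel></rss>"""


def parse_rss(xml_text, source):
    """Items of an RSS 2.0 feed as dicts; pubDate parsed to an aware datetime when present."""
    root = ET.fromstring(xml_text)
    items = []
    for node in root.iter("item"):
        pub = node.findtext("pubDate")
        items.append({
            "source": source,
            "title": (node.findtext("title") or "").strip(),
            "link": (node.findtext("link") or "").strip(),
            "guid": (node.findtext("guid") or "").strip(),
            "published": parsedate_to_datetime(pub) if pub else None,
            "summary": (node.findtext("description") or "").strip(),
        })
    return items


def triage(feeds, watchlist):
    """Merge feeds, drop duplicates (by link, else guid), keep items that mention a
    watchlist term, and return them newest first with the matched assets attached."""
    seen, hits = set(), []
    for source, xml_text in feeds.items():
        for item in parse_rss(xml_text, source):
            key = item["link"] or item["guid"]
            if not key or key in seen:
                continue
            seen.add(key)
            text = f"{item['title']} {item['summary']}".lower()
            assets = [asset for term, asset in watchlist.items() if term in text]
            if assets:
                hits.append({**item, "assets": assets})
    hits.sort(key=lambda i: i["published"].timestamp() if i["published"] else 0, reverse=True)
    return hits


if __name__ == "__main__":
    for hit in triage({"advisories": FEED_ADVISORIES, "vendor": FEED_VENDOR}, WATCHLIST):
        print(hit["published"], hit["source"], hit["title"], "->", hit["assets"])
```

Deduplicating by link rather than GUID is deliberate: mirrors and aggregators assign their own GUIDs to the same advisory, as the constructed vendor feed does, while the canonical link tends to survive. Keyword matching is crude but honest about what it is; an asset inventory with product names and CPEs is the natural next input.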

Back to Name Jump

Security incident management according to ISO 27035

  • Website: https://www.linkedin.com/pulse/security-incident-management-according-iso-27035-dipen-das-
  • Model: Public article (LinkedIn)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: A LinkedIn article summarizing security incident management as structured by ISO/IEC 27035: plan and prepare, detection and reporting, assessment and decision, responses, and lessons learned. The source list titles it "ISO 27005", but that standard covers information security risk management; the linked article and the standard it describes are ISO/IEC 27035.

Operational value: The phase model is a ready-made skeleton for an incident-management process and for the evidence an auditor will expect at each phase.

Typical deployment pattern: Map existing runbooks and tooling onto the five phases and look for the gaps, which are most often in assessment criteria and in the lessons-learned loop.

Selection considerations: The article is a summary; the standard itself is a paid document and the article should not substitute for it when compliance is the goal. Related source context: Must read > For a CERT/CSIRT.

Back to Name Jump

Semperis Directory Services Protector

  • Website: https://www.semperis.com/active-directory-security/
  • Model: Commercial (vendor product)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Semperis Directory Services Protector is a commercial Active Directory security product that continuously monitors AD and Entra ID for indicators of exposure and compromise, tracks changes at the directory level, and can roll back unwanted changes.

Operational value: AD is the usual target on the way to domain-wide compromise and its native auditing is hard to work with, so dedicated directory monitoring gives the SOC higher-fidelity alerts on tier-0 changes.

Typical deployment pattern: Deploy against the forests that matter, forward its alerts to the SIEM, and agree with the identity team who is allowed to trigger a rollback.

Selection considerations: As a commercial product, evaluate detection coverage, the quality of its change auditing, rollback safety and licensing, not maintainer activity. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Semperis Purple Knight

  • Website: https://www.purple-knight.com/fr/
  • Model: Free tool (closed source)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Purple Knight is a free Active Directory and Entra ID security assessment tool from Semperis: it queries the directory for indicators of exposure (weak configurations) and indicators of compromise, scores the results, and produces a report with remediation guidance.

Operational value: It gives the SOC and the identity team a quick, repeatable read on directory hygiene and a way to measure progress after remediation.

Typical deployment pattern: Run it from an account with read access to the domain, keep the report as a baseline, and re-run after changes; treat any indicator-of-compromise finding as an incident to investigate.

Selection considerations: Free but not open source, and a point-in-time assessment rather than monitoring; the vendor positions its commercial product (Directory Services Protector, above) for continuous detection. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

Semperis Purple Knight

  • Website: https://www.purple-knight.com/active-directory-security-tool/
  • Model: Free tool (closed source)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: The same tool as the preceding entry; Awesome SOC references Purple Knight both among critical SOC sensors and among critical CSIRT tools, and this is the English product page.

Operational value: For a CSIRT, a Purple Knight scan during an incident is a fast way to surface persistence and misconfiguration in AD (dangerous delegations, stale privileged accounts and the like) that an attacker may have left behind or exploited.

Typical deployment pattern: Run the assessment early in any incident involving domain credentials and again after remediation to confirm the findings are closed.

Selection considerations: See the preceding entry. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Sentinel data collection scenarios

  • Website: https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-ama#how-collection-works-with-the-common-event-format-cef-via-ama-connector
  • Model: Public documentation (Microsoft Learn)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Microsoft Sentinel documentation for collecting Common Event Format (CEF) logs through the Azure Monitor Agent (AMA): security appliances send CEF records over syslog to a Linux log forwarder running rsyslog or syslog-ng, the agent on the forwarder ships them to the workspace, and Sentinel parses the header and extension fields into the CommonSecurityLog table.

Operational value: CEF is the common denominator for firewalls, proxies and other appliances, so one forwarder pattern covers most network sensors, and the normalized table lets analytic rules address vendor, product, event class and source/destination fields uniformly.

Typical deployment pattern: Stand up a dedicated forwarder, point the appliances at it (TCP, and TLS where the device supports it, rather than UDP), confirm records land in CommonSecurityLog, and check that each device's extension keys are mapped to the columns your rules use.

Selection considerations: This is documentation rather than a tool; the practical questions are whether each appliance's CEF output is conformant and whether the forwarder is sized for the event rate. Related source context: To go further > Nice to read.
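
An added example, not code from Microsoft or from the Sentinel connector, showing what the parsing step in the pipeline above actually has to do with a CEF line: split the seven pipe-delimited header fields while honouring the header escapes (backslash-pipe and backslash-backslash), then cut the extension into key=value pairs whose values may contain spaces and escaped equals signs. The header fields are named after the CommonSecurityLog columns (DeviceVendor, DeviceProduct, DeviceVersion, DeviceEventClassID, Activity, LogSeverity); the extension keys are left with their CEF short names. The two log lines are constructed for the example and do not come from a real appliance.

```python
import re

# Constructed CEF-over-syslog lines such as a firewall or proxy would send to the forwarder.
SAMPLE_LINES = [
    "<134>Mar 10 12:00:01 fw01 CEF:0|Example Vendor|Example FW|2.1|100|Policy \\| block|7|"
    "src=198.51.100.23 dst=203.0.113.8 spt=51234 dpt=445 act=blocked "
    "msg=SMB attempt from guest VLAN\\=guest rt=Mar 10 2024 12:00:00",
    "CEF:0|Example Vendor|Example Proxy|5.0|ua-200|URL allowed|3|"
    "suser=jdoe request=http://intranet.example/ cs1Label=Category cs1=Business",
]

# An extension key is a run of key characters followed by '=' at the start or after whitespace.
# Key characters never include a backslash, so a '\=' inside a value cannot start a new key.
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_ESCAPES = {"=": "=", "\\": "\\", "n": "\n", "r": "\r"}


def _split_header(body):
    """Split the seven header fields on unescaped '|' and return (fields, extension)."""
    fields, current, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        ch = body[i]
        if ch == "\\" and i + 1 < len(body) and body[i + 1] in "|\\":
            current.append(body[i + 1])  # \| and \\ are the only header escapes
            i += 2
        elif ch == "|":
            fields.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header must have 7 pipe-delimited fields")
    return fields, body[i:]


def _parse_extension(ext):
    """key=value pairs; values may contain spaces, so each value runs to the next key."""
    out = {}
    keys = list(_KEY.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        raw = ext[m.end():end]
        out[m.group(1)] = re.sub(r"\\([=\\nr])", lambda e: _EXT_ESCAPES[e.group(1)], raw)
    return out


def parse_cef(line):
    """Parse one syslog line carrying a CEF record into CommonSecurityLog-style fields.

    Header fields get the Sentinel column names; extension keys keep their CEF short
    names (src, dst, spt, dpt, ...), which the connector maps to SourceIP and so on."""
    m = re.search(r"CEF:(\d+)\|", line)
    if not m:
        raise ValueError("line carries no CEF header")
    header, ext = _split_header(line[m.start() + len("CEF:"):])
    version, vendor, product, dev_version, sig_id, name, severity = header
    record = {
        "SyslogPrefix": line[:m.start()].strip(),
        "CEFVersion": int(version),
        "DeviceVendor": vendor,
        "DeviceProduct": product,
        "DeviceVersion": dev_version,
        "DeviceEventClassID": sig_id,
        "Activity": name,
        "LogSeverity": severity,
    }
    record.update(_parse_extension(ext))
    return record


def parse_lines(lines):
    """Parse a batch, silently skipping lines that carry no CEF record."""
    records = []
    for line in lines:
        try:
            records.append(parse_cef(line))
        except ValueError:
            continue
    return records


if __name__ == "__main__":
    for rec in parse_lines(SAMPLE_LINES):
        print(rec["DeviceVendor"], rec["DeviceProduct"], rec["DeviceEventClassID"], rec["Activity"], rec.get("src"), rec.get("dst"))
```

The awkward part of CEF is the extension: the format has no value quoting, so a value is whatever sits between one key and the next, and a device that emits an unescaped "=" inside a message silently shifts every field after it. That is the conformance question raised under selection considerations, and running a sample of each appliance's output through a parser like this before connecting it is a cheap way to answer it.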

Back to Name Jump

SentinelOne

  • Website: https://www.sentinelone.com/blog/active-edr-feature-spotlight/
  • Model: Commercial (vendor product)
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SentinelOne is a commercial endpoint detection and response platform; the linked blog post describes its ActiveEDR feature, which links process, file, registry and network events on a host into a behavioural story so an alert arrives with its context already assembled.

Operational value: Pre-correlated endpoint stories shorten triage, since the analyst sees the chain of activity rather than isolated events, and the agent's response actions (isolate, kill, quarantine) give the SOC containment at endpoint level.

Typical deployment pattern: Roll the agent out in stages, forward alerts to the SIEM or case tool, and decide in advance which automated responses are permitted on which host groups.

Selection considerations: As a commercial EDR, evaluate detection quality in independent tests, platform coverage, response automation and the depth of telemetry available for hunting, not maintainer activity. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.

Back to Name Jump

SIFT Workstation

  • Website: https://www.sans.org/tools/sift-workstation/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SIFT Workstation is a SANS-maintained, Ubuntu-based forensics environment, available as a virtual machine or as a package set for an existing install, that bundles open-source DFIR tools such as Plaso/log2timeline, Volatility and The Sleuth Kit.

Operational value: It gives a CSIRT a ready, consistent analysis platform so that disk images, memory captures and timelines are processed the same way on every case.

Typical deployment pattern: Build a clean image, record the tool versions it contains, and rebuild per case or per engagement rather than reusing a workstation that has touched evidence from another incident.

Selection considerations: The bundled tools can lag their upstream releases, so check versions before relying on a parser for a new artifact type, and keep the image's build recipe under version control. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Sigma HQ (detection rules)

  • Website: https://github.com/SigmaHQ/sigma/tree/master/rules
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Sigma HQ (detection rules) is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

SIRP

  • Website: https://d3security.com/blog/whats-the-difference-between-soar-and-sao/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SIRP is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Back to Name Jump

SIRP / SOA / TIP benefits

  • Website: https://threatconnect.com/blog/realizing-the-benefits-of-security-orchestration-automation-and-response-soar/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SIRP / SOA / TIP benefits is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

SOC analyst interview questions

  • Website: https://github.com/LetsDefend/SOC-Interview-Questions
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SOC analyst interview questions is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a SOC.

Back to Name Jump

SOC model guide

  • Website: https://fr.scribd.com/document/732782046/Gartner-SOC-Model-Guide-2023
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SOC model guide is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a SOC.

Back to Name Jump

SOC Prime

  • Website: https://tdm.socprime.com/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SOC Prime is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

SOC-CMM

  • Website: https://www.soc-cmm.com/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SOC-CMM is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a SOC.

Back to Name Jump

SOCTOM

  • Website: https://soc-cmm.com/downloads/SOCTOM%20whitepaper.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SOCTOM is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Name Jump

SP800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations)

  • Website: https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SP800-53 rev5 (Security and Privacy Controls for Information Systems and Organizations) is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Name Jump

SP800-61 rev3, incident handling guide

  • Website: https://csrc.nist.gov/pubs/sp/800/61/r3/ipd
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SP800-61 rev3, incident handling guide is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Splunk Security content (free detection rules for Splunk)

  • Website: https://research.splunk.com/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Splunk Security content (free detection rules for Splunk) is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

State of Security 2023

  • Website: https://www.splunk.com/en_us/pdfs/gated/ebooks/state-of-security-2023.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: State of Security 2023 is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > For a SOC.

Back to Name Jump

STIX

  • Website: https://oasis-open.github.io/cti-documentation/stix/intro.html
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: STIX is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

SwimLane

  • Website: https://swimlane.com/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SwimLane is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Back to Name Jump

SwitchToOpen

  • Website: https://github.com/CyberFlooD/SwitchToOpen
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: SwitchToOpen is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Name Jump

Sysinspector

  • Website: https://www.eset.com/int/support/sysinspector/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Sysinspector is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Sysmon

  • Website: https://learn.microsoft.com/fr-fr/sysinternals/downloads/sysmon
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Sysmon is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Letter T

This letter section contains 13 tools.

TaHiTI (threat hunting methodology)

  • Website: https://www.betaalvereniging.nl/wp-content/uploads/TaHiTI-Threat-Hunting-Methodology-whitepaper.pdf
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: TaHiTI (threat hunting methodology) is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Back to Name Jump

TheRecord.media

  • Website: https://therecord.media/subscribe
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: TheRecord.media is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

Threat landscape 2025

  • Website: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2025
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Threat landscape 2025 is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

Threat Matrix for AI-systems

  • Website: https://github.com/mitre/advmlthreatmatrix/blob/master/pages/adversarial-ml-threat-matrix.md#adversarial-ml-threat-matrix
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Threat Matrix for AI-systems is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Threat report

  • Website: https://www.welivesecurity.com/en/eset-research/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Threat report is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

Timesketch

  • Website: https://timesketch.org/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Timesketch is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

Tiny Check

  • Website: https://github.com/KasperskyLab/TinyCheck
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Tiny Check is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Back to Name Jump

TIP

  • Website: https://www.ssi.gouv.fr/en/actualite/opencti-the-open-source-solution-for-processing-and-sharing-threat-intelligence-knowledge/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: TIP is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for a SOC/CSIRT.

Back to Name Jump

TLP

  • Website: https://www.first.org/tlp/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: TLP is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries place it in the context of intelligence sharing and confidentiality.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Back to Name Jump

Tools inventory

  • Website: https://inventory.raw.pm/tools.html
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Tools inventory is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Back to Name Jump

Top 0days "in the wild"

  • Website: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1746868651
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Top 0days "in the wild" is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Back to Name Jump

top 10

  • Website: https://expertinsights.com/insights/the-top-dark-web-monitoring-solutions/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: top 10 is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. The source list carries only a bare entry for this tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > SOC sensors, nice to have.

Turning threat reports into detection insights with AI

  • Website: https://www.microsoft.com/en-us/security/blog/2026/01/29/turning-threat-reports-detection-insights-ai/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Turning threat reports into detection insights with AI is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Letter U

This letter section contains 1 tool.

Upcoming advisories

  • Website: https://www.zerodayinitiative.com/rss/upcoming/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Upcoming advisories is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Letter V

This letter section contains 2 tools.

V1D1AN's Drawing: architecture of detection

  • Website: https://github.com/V1D1AN/S1EM/wiki/Architecture-guide#the-architecture-of-detection
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: V1D1AN's Drawing: architecture of detection is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Velociraptor

  • Website: https://docs.velociraptor.app/docs/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Velociraptor is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Letter W

This letter section contains 7 tools.

Wazuh at the heart of a SOC architecture for public/critical infrastructures

  • Website: https://medium.com/@ludovic.doamba/wazuh-at-the-heart-of-sovereign-soc-architecture-for-public-and-critical-infrastructures-f0d18562d14b
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Wazuh at the heart of a SOC architecture for public/critical infrastructures is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

We Live Security

  • Website: http://feeds.feedburner.com/eset/blog?format=xml
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: We Live Security is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Web server compromise assessment SOP

  • Website: https://github.com/cyb3rxp/awesome-soc/blob/main/sop_web_server_compromise_assessment.md
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Web server compromise assessment SOP is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

What is SecOps

  • Website: https://www.sentinelone.com/cybersecurity-101/secops/?utm_content=white-paper&utm_medium=paid-display&utm_source=gdn-paid&utm_campaign=emea-t1-en-g-dsa&utm_term={demo-request}&utm_campaignid=19179764064&gclid=EAIaIQobChMItYzg5amQ_gIV6pBoCR1u0ACxEAAYAiAAEgJ1ofD_BwE
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: What is SecOps is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Must read > Globally (SOC and CERT/CSIRT).

Windows 10 and Windows Server 2016 security auditing and monitoring reference

  • Website: https://www.microsoft.com/en-us/download/details.aspx?id=52630
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Windows 10 and Windows Server 2016 security auditing and monitoring reference is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Must read.

Windows Defender Offline

  • Website: https://support.microsoft.com/en-us/windows/help-protect-my-pc-with-microsoft-defender-offline-9306d528-64bf-4668-5b80-ff533f183d6c
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Windows Defender Offline is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

WSTG

  • Website: https://owasp.org/www-project-web-security-testing-guide/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: WSTG is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: To go further > Nice to read.

Letter X

This letter section contains 1 tool.

Xposed

  • Website: https://www.withsecure.com/en/expertise/podcasts
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Xposed is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: IT/security Watch > Recommended sources.

Letter Y

This letter section contains 1 tool.

Yara rules repo

  • Website: https://github.com/phbiohazard/Yara
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Yara rules repo is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical tools for CSIRT.

Letter Z

This letter section contains 1 tool.

Zimperium MTD

  • Website: https://www.zimperium.com/mtd/
  • Model: Open Source
  • Category: SOC Operations
  • Source Lists: Awesome SOC

What it does: Zimperium MTD is used in SOC operations programs to support baseline hardening, monitoring integration, and defense-in-depth validation. Source summaries describe it as: Source list entry describing this security tool and its use case.

Operational value: Security teams commonly use this capability to improve consistency between detection, investigation, and response decisions, especially when alerts, evidence collection, and triage ownership are distributed across multiple teams.

Typical deployment pattern: Implementations usually start with scoped pilot coverage, baseline logging/telemetry validation, and explicit runbook mapping so analysts understand when to escalate, contain, or defer.

Selection considerations: As an open-source option, teams usually evaluate maintainer activity, release cadence, and community response quality. Related source context: Mission-critical means (tools/sensors) > Critical sensors for a SOC.
