awesome-cybersecurity-blueteam

Helps in visualizing AWS IAM and Organizations in a graph format with help of Neo4j.

Utility that exposes the expiry of TLS certificates as Prometheus metrics.

Solution to connect and configure applications across dynamic, distributed infrastructure and, with Consul Connect, enabling secure service-to-service communication with automatic TLS encryption and identity-based authorization.

Provides horizontally scalable, highly available, multi-tenant, long term storage for Prometheus.

Behavioral activity monitor designed to detect anomalous activity in containerized applications, hosts, and network packet flows by auditing the Linux kernel and enriched by runtime data such as Kubernetes metrics.

Application kernel, written in Go, that implements a substantial portion of the Linux system surface to provide an isolation boundary between the application and the host kernel.

Visualize and graph Active Directory permission configs ("control relations") to audit questions such as "Who can read the CEO's email?" and similar.

Scan files or process memory for Cobalt Strike beacons and parse their configuration.

Utility that disables a number of risky Windows features.

Detect both client-side rules and VBScript enabled forms used by the

Active Directory vulnerability detection and reporting tool.

More effectively use BloodHoundAD in continual security life-cycles by utilizing its pathfinding engine to identify Active Directory security vulnerabilities.

Single-server open source SIEM platform featuring asset discovery, asset inventorying, behavioral monitoring, and event correlation, driven by AlienVault Open Threat Exchange (OTX).

Augments your current security infrastructure to store and index network traffic in standard PCAP format, providing fast, indexed access.

Framework to aid analysts in the creation and execution of pynids-based decoders and detectors of APT tradecraft.

Suite of CIM/WMI-based tools enabling remote incident response and hunting operations across all versions of Windows.

Continuously enumerates and monitors an organization’s public-facing attack surface in order to discover assets and flag potential security flaws.

PowerShell module for hunt teaming via Windows Event logs.

GitHub App installed on organizations or repositories to set and enforce security policies.

Coverage-guided Python fuzzing engine based off of libFuzzer that supports fuzzing of Python code but also native extensions written for CPython.

Custom and better AppArmor profile generator for Docker containers.

Safely store secrets in Git/Mercurial/Subversion by encrypting them "at rest" using GnuPG.

Static analysis for Terraform (infrastructure as code) to help detect CIS policy violations and prevent cloud security misconfiguration.

Language for describing security and compliance rules, which become automated tests that can be run against IT infrastructures to discover and report on non-compliance.

Curated collection of information security themed Ansible roles that are both vetted and actively maintained.

Python wrapper to the Censys REST API.

Plugable framework for automated decryption, often used as a Tang client.

Server hardening framework providing Ansible, Chef, and Puppet implementations of various baseline security configurations.

Extensible network forensic analysis framework written in Python that enables rapid development of plugins to support the dissection of network packet captures.

High level C++ network packet sniffing and crafting library.

Toolset to make a system look as if it was the victim of an APT attack.

Library of simple, automatable tests to execute for testing security controls.

Fills a test (non-production) Windows Domain with data that enables security analysts and engineers to practice using tools to gain an understanding and prescribe to securing Active Directory.

Scalable, automated, and extensible adversary emulation platform developed by MITRE.

Replay DNS traffic from packet capture files and send it to a specified server, such as for simulating DDoS attacks on the DNS and measuring normal DNS querying.

Modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events for Blue Team drills and sensor/alert mapping.

Combination honeypot, filesystem monitor, and alerting system designed to protect Linux and Windows operating systems.

Sandboxing tool for use by unprivileged Linux users capable of restricting access to parts of the operating system or user data.

Locally checks for signs of a rootkit on GNU/Linux systems.

Free tool for Windows systems aimed to alert you to the presence of malware that may be communicating over the network.

Take potentially dangerous PDFs, office documents, or images and convert them to a safe PDF.

Intrusion prevention software framework that protects computer servers from brute-force attacks.

Free and public crowdsourced vulnerability assessment platform to help prioritize high-risk patch application and combat vulnerability fatigue.

Credential phish analysis and automation tool that can accept suspected phishing URLs directly or trigger on observed network traffic containing such a URL.

Indicators of Compromises (IOCs) derived from ESET's various investigations.

Collection of Snort and YARA rules to detect attacks carried out with FireEye's own Red Team tools, first released after FireEye disclosed a breach in December 2020.

Collection of IoC in various languages for detecting backdoored SolarWinds Orion NMS activities and related vulnerabilities.

Multi-threaded threat intelligence gathering built with Python3 featuring simple text-based configuration and data storage for ease of use and data portability.